2019-06-22 17:17:07 +01:00
|
|
|
/// @file rainbow.c
|
|
|
|
|
/// @brief The standard implementations for functions in rainbow.h
|
|
|
|
|
///
|
|
|
|
|
|
|
|
|
|
#include "rainbow.h"
|
2019-07-24 09:15:48 +01:00
|
|
|
#include "blas.h"
|
2019-06-22 17:17:07 +01:00
|
|
|
#include "rainbow_blas.h"
|
|
|
|
|
#include "rainbow_config.h"
|
|
|
|
|
#include "rainbow_keypair.h"
|
|
|
|
|
#include "utils_hash.h"
|
|
|
|
|
#include "utils_prng.h"
|
|
|
|
|
#include <stdint.h>
|
|
|
|
|
#include <stdlib.h>
|
|
|
|
|
#include <string.h>
|
|
|
|
|
|
2019-07-24 09:15:48 +01:00
|
|
|
#define MAX_ATTEMPT_FRMAT 128
|
|
|
|
|
#define _MAX_O ((_O1 > _O2) ? _O1 : _O2)
|
|
|
|
|
#define _MAX_O_BYTE ((_O1_BYTE > _O2_BYTE) ? _O1_BYTE : _O2_BYTE)
|
2019-06-22 17:17:07 +01:00
|
|
|
|
2019-07-24 09:15:48 +01:00
|
|
|
int PQCLEAN_RAINBOWIIICCYCLICCOMPRESSED_CLEAN_rainbow_sign(uint8_t *signature, const sk_t *sk, const uint8_t *_digest) {
|
2019-06-22 17:17:07 +01:00
|
|
|
uint8_t mat_l1[_O1 * _O1_BYTE];
|
|
|
|
|
uint8_t mat_l2[_O2 * _O2_BYTE];
|
|
|
|
|
uint8_t mat_buffer[2 * _MAX_O * _MAX_O_BYTE];
|
|
|
|
|
|
|
|
|
|
// setup PRNG
|
|
|
|
|
prng_t prng_sign;
|
|
|
|
|
uint8_t prng_preseed[LEN_SKSEED + _HASH_LEN];
|
2019-07-24 09:15:48 +01:00
|
|
|
memcpy(prng_preseed, sk->sk_seed, LEN_SKSEED);
|
|
|
|
|
memcpy(prng_preseed + LEN_SKSEED, _digest, _HASH_LEN); // prng_preseed = sk_seed || digest
|
2019-06-22 17:17:07 +01:00
|
|
|
uint8_t prng_seed[_HASH_LEN];
|
2019-07-24 09:15:48 +01:00
|
|
|
PQCLEAN_RAINBOWIIICCYCLICCOMPRESSED_CLEAN_hash_msg(prng_seed, _HASH_LEN, prng_preseed, _HASH_LEN + LEN_SKSEED);
|
|
|
|
|
PQCLEAN_RAINBOWIIICCYCLICCOMPRESSED_CLEAN_prng_set(&prng_sign, prng_seed, _HASH_LEN); // seed = H( sk_seed || digest )
|
2019-07-24 09:41:42 +01:00
|
|
|
for (unsigned int i = 0; i < LEN_SKSEED + _HASH_LEN; i++) {
|
2019-07-24 09:15:48 +01:00
|
|
|
prng_preseed[i] ^= prng_preseed[i]; // clean
|
2019-06-22 17:17:07 +01:00
|
|
|
}
|
2019-07-24 09:41:42 +01:00
|
|
|
for (unsigned int i = 0; i < _HASH_LEN; i++) {
|
2019-07-24 09:15:48 +01:00
|
|
|
prng_seed[i] ^= prng_seed[i]; // clean
|
2019-06-22 17:17:07 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// roll vinegars.
|
|
|
|
|
uint8_t vinegar[_V1_BYTE];
|
2019-07-24 09:41:42 +01:00
|
|
|
unsigned int n_attempt = 0;
|
|
|
|
|
unsigned int l1_succ = 0;
|
2019-07-24 09:15:48 +01:00
|
|
|
while (!l1_succ) {
|
|
|
|
|
if (MAX_ATTEMPT_FRMAT <= n_attempt) {
|
2019-06-22 17:17:07 +01:00
|
|
|
break;
|
|
|
|
|
}
|
2019-07-24 09:15:48 +01:00
|
|
|
PQCLEAN_RAINBOWIIICCYCLICCOMPRESSED_CLEAN_prng_gen(&prng_sign, vinegar, _V1_BYTE); // generating vinegars
|
|
|
|
|
gfmat_prod(mat_l1, sk->l1_F2, _O1 * _O1_BYTE, _V1, vinegar); // generating the linear equations for layer 1
|
|
|
|
|
l1_succ = gfmat_inv(mat_l1, mat_l1, _O1, mat_buffer); // check if the linear equation solvable
|
|
|
|
|
n_attempt++;
|
2019-06-22 17:17:07 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Given the vinegars, pre-compute variables needed for layer 2
|
|
|
|
|
uint8_t r_l1_F1[_O1_BYTE] = {0};
|
|
|
|
|
uint8_t r_l2_F1[_O2_BYTE] = {0};
|
2019-07-24 09:15:48 +01:00
|
|
|
batch_quad_trimat_eval(r_l1_F1, sk->l1_F1, vinegar, _V1, _O1_BYTE);
|
|
|
|
|
batch_quad_trimat_eval(r_l2_F1, sk->l2_F1, vinegar, _V1, _O2_BYTE);
|
|
|
|
|
uint8_t mat_l2_F3[_O2 * _O2_BYTE];
|
2019-06-22 17:17:07 +01:00
|
|
|
uint8_t mat_l2_F2[_O1 * _O2_BYTE];
|
2019-07-24 09:15:48 +01:00
|
|
|
gfmat_prod(mat_l2_F3, sk->l2_F3, _O2 * _O2_BYTE, _V1, vinegar);
|
|
|
|
|
gfmat_prod(mat_l2_F2, sk->l2_F2, _O1 * _O2_BYTE, _V1, vinegar);
|
2019-06-22 17:17:07 +01:00
|
|
|
|
|
|
|
|
// Some local variables.
|
|
|
|
|
uint8_t _z[_PUB_M_BYTE];
|
|
|
|
|
uint8_t y[_PUB_M_BYTE];
|
|
|
|
|
uint8_t *x_v1 = vinegar;
|
|
|
|
|
uint8_t x_o1[_O1_BYTE];
|
|
|
|
|
uint8_t x_o2[_O1_BYTE];
|
|
|
|
|
|
|
|
|
|
uint8_t digest_salt[_HASH_LEN + _SALT_BYTE];
|
2019-07-24 09:15:48 +01:00
|
|
|
memcpy(digest_salt, _digest, _HASH_LEN);
|
2019-06-22 17:17:07 +01:00
|
|
|
uint8_t *salt = digest_salt + _HASH_LEN;
|
|
|
|
|
|
2019-07-24 09:15:48 +01:00
|
|
|
uint8_t temp_o[_MAX_O_BYTE + 32] = {0};
|
2019-07-24 09:41:42 +01:00
|
|
|
unsigned int succ = 0;
|
2019-07-24 09:15:48 +01:00
|
|
|
while (!succ) {
|
|
|
|
|
if (MAX_ATTEMPT_FRMAT <= n_attempt) {
|
2019-06-22 17:17:07 +01:00
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
// The computation: H(digest||salt) --> z --S--> y --C-map--> x --T--> w
|
|
|
|
|
|
2019-07-24 09:15:48 +01:00
|
|
|
PQCLEAN_RAINBOWIIICCYCLICCOMPRESSED_CLEAN_prng_gen(&prng_sign, salt, _SALT_BYTE); // roll the salt
|
|
|
|
|
PQCLEAN_RAINBOWIIICCYCLICCOMPRESSED_CLEAN_hash_msg(_z, _PUB_M_BYTE, digest_salt, _HASH_LEN + _SALT_BYTE); // H(digest||salt)
|
2019-06-22 17:17:07 +01:00
|
|
|
|
|
|
|
|
// y = S^-1 * z
|
2019-07-24 09:15:48 +01:00
|
|
|
memcpy(y, _z, _PUB_M_BYTE); // identity part of S
|
2019-06-22 17:17:07 +01:00
|
|
|
gfmat_prod(temp_o, sk->s1, _O1_BYTE, _O2, _z + _O1_BYTE);
|
|
|
|
|
gf256v_add(y, temp_o, _O1_BYTE);
|
|
|
|
|
|
|
|
|
|
// Central Map:
|
|
|
|
|
// layer 1: calculate x_o1
|
2019-07-24 09:15:48 +01:00
|
|
|
memcpy(temp_o, r_l1_F1, _O1_BYTE);
|
|
|
|
|
gf256v_add(temp_o, y, _O1_BYTE);
|
|
|
|
|
gfmat_prod(x_o1, mat_l1, _O1_BYTE, _O1, temp_o);
|
2019-06-22 17:17:07 +01:00
|
|
|
|
|
|
|
|
// layer 2: calculate x_o2
|
2019-07-24 09:15:48 +01:00
|
|
|
PQCLEAN_RAINBOWIIICCYCLICCOMPRESSED_CLEAN_gf256v_set_zero(temp_o, _O2_BYTE);
|
|
|
|
|
gfmat_prod(temp_o, mat_l2_F2, _O2_BYTE, _O1, x_o1); // F2
|
|
|
|
|
batch_quad_trimat_eval(mat_l2, sk->l2_F5, x_o1, _O1, _O2_BYTE); // F5
|
|
|
|
|
gf256v_add(temp_o, mat_l2, _O2_BYTE);
|
|
|
|
|
gf256v_add(temp_o, r_l2_F1, _O2_BYTE); // F1
|
|
|
|
|
gf256v_add(temp_o, y + _O1_BYTE, _O2_BYTE);
|
2019-06-22 17:17:07 +01:00
|
|
|
|
|
|
|
|
// generate the linear equations of the 2nd layer
|
2019-07-24 09:15:48 +01:00
|
|
|
gfmat_prod(mat_l2, sk->l2_F6, _O2 * _O2_BYTE, _O1, x_o1); // F6
|
|
|
|
|
gf256v_add(mat_l2, mat_l2_F3, _O2 * _O2_BYTE); // F3
|
|
|
|
|
succ = gfmat_inv(mat_l2, mat_l2, _O2, mat_buffer);
|
|
|
|
|
gfmat_prod(x_o2, mat_l2, _O2_BYTE, _O2, temp_o); // solve l2 eqs
|
2019-06-22 17:17:07 +01:00
|
|
|
|
2019-07-24 09:15:48 +01:00
|
|
|
n_attempt++;
|
2019-06-22 17:17:07 +01:00
|
|
|
};
|
|
|
|
|
// w = T^-1 * y
|
|
|
|
|
uint8_t w[_PUB_N_BYTE];
|
|
|
|
|
// identity part of T.
|
2019-07-24 09:15:48 +01:00
|
|
|
memcpy(w, x_v1, _V1_BYTE);
|
|
|
|
|
memcpy(w + _V1_BYTE, x_o1, _O1_BYTE);
|
|
|
|
|
memcpy(w + _V2_BYTE, x_o2, _O2_BYTE);
|
2019-06-22 17:17:07 +01:00
|
|
|
// Computing the t1 part.
|
2019-07-24 09:15:48 +01:00
|
|
|
gfmat_prod(y, sk->t1, _V1_BYTE, _O1, x_o1);
|
|
|
|
|
gf256v_add(w, y, _V1_BYTE);
|
2019-06-22 17:17:07 +01:00
|
|
|
// Computing the t4 part.
|
2019-07-24 09:15:48 +01:00
|
|
|
gfmat_prod(y, sk->t4, _V1_BYTE, _O2, x_o2);
|
|
|
|
|
gf256v_add(w, y, _V1_BYTE);
|
2019-06-22 17:17:07 +01:00
|
|
|
// Computing the t3 part.
|
2019-07-24 09:15:48 +01:00
|
|
|
gfmat_prod(y, sk->t3, _O1_BYTE, _O2, x_o2);
|
|
|
|
|
gf256v_add(w + _V1_BYTE, y, _O1_BYTE);
|
2019-06-22 17:17:07 +01:00
|
|
|
|
2019-07-24 09:15:48 +01:00
|
|
|
memset(signature, 0, _SIGNATURE_BYTE); // set the output 0
|
2019-06-22 17:17:07 +01:00
|
|
|
// clean
|
2019-07-24 09:15:48 +01:00
|
|
|
memset(&prng_sign, 0, sizeof(prng_t));
|
|
|
|
|
memset(vinegar, 0, _V1_BYTE);
|
|
|
|
|
memset(r_l1_F1, 0, _O1_BYTE);
|
|
|
|
|
memset(r_l2_F1, 0, _O2_BYTE);
|
|
|
|
|
memset(_z, 0, _PUB_M_BYTE);
|
|
|
|
|
memset(y, 0, _PUB_M_BYTE);
|
|
|
|
|
memset(x_o1, 0, _O1_BYTE);
|
|
|
|
|
memset(x_o2, 0, _O2_BYTE);
|
|
|
|
|
memset(temp_o, 0, sizeof(temp_o));
|
2019-06-22 17:17:07 +01:00
|
|
|
|
|
|
|
|
// return: copy w and salt to the signature.
|
2019-07-24 09:15:48 +01:00
|
|
|
if (MAX_ATTEMPT_FRMAT <= n_attempt) {
|
2019-06-22 17:17:07 +01:00
|
|
|
return -1;
|
|
|
|
|
}
|
2019-07-24 09:15:48 +01:00
|
|
|
gf256v_add(signature, w, _PUB_N_BYTE);
|
|
|
|
|
gf256v_add(signature + _PUB_N_BYTE, salt, _SALT_BYTE);
|
2019-06-22 17:17:07 +01:00
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2019-07-24 09:15:48 +01:00
|
|
|
int PQCLEAN_RAINBOWIIICCYCLICCOMPRESSED_CLEAN_rainbow_verify(const uint8_t *digest, const uint8_t *signature, const pk_t *pk) {
|
2019-06-22 17:17:07 +01:00
|
|
|
unsigned char digest_ck[_PUB_M_BYTE];
|
|
|
|
|
// public_map( digest_ck , pk , signature ); Evaluating the quadratic public polynomials.
|
2019-07-24 09:15:48 +01:00
|
|
|
batch_quad_trimat_eval(digest_ck, pk->pk, signature, _PUB_N, _PUB_M_BYTE);
|
2019-06-22 17:17:07 +01:00
|
|
|
|
|
|
|
|
unsigned char correct[_PUB_M_BYTE];
|
|
|
|
|
unsigned char digest_salt[_HASH_LEN + _SALT_BYTE];
|
2019-07-24 09:15:48 +01:00
|
|
|
memcpy(digest_salt, digest, _HASH_LEN);
|
|
|
|
|
memcpy(digest_salt + _HASH_LEN, signature + _PUB_N_BYTE, _SALT_BYTE);
|
|
|
|
|
PQCLEAN_RAINBOWIIICCYCLICCOMPRESSED_CLEAN_hash_msg(correct, _PUB_M_BYTE, digest_salt, _HASH_LEN + _SALT_BYTE); // H( digest || salt )
|
2019-06-22 17:17:07 +01:00
|
|
|
|
|
|
|
|
// check consistancy.
|
|
|
|
|
unsigned char cc = 0;
|
2019-07-24 09:41:42 +01:00
|
|
|
for (unsigned int i = 0; i < _PUB_M_BYTE; i++) {
|
2019-06-22 17:17:07 +01:00
|
|
|
cc |= (digest_ck[i] ^ correct[i]);
|
|
|
|
|
}
|
|
|
|
|
return (0 == cc) ? 0 : -1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/////////////// cyclic version ///////////////////////////
|
2019-07-24 09:15:48 +01:00
|
|
|
int PQCLEAN_RAINBOWIIICCYCLICCOMPRESSED_CLEAN_rainbow_sign_cyclic(uint8_t *signature, const csk_t *csk, const uint8_t *digest) {
|
2019-06-22 17:17:07 +01:00
|
|
|
unsigned char sk[sizeof(sk_t) + 32];
|
2019-07-24 09:15:48 +01:00
|
|
|
PQCLEAN_RAINBOWIIICCYCLICCOMPRESSED_CLEAN_generate_secretkey_cyclic((sk_t *)sk, csk->pk_seed, csk->sk_seed); // generating classic secret key.
|
|
|
|
|
return PQCLEAN_RAINBOWIIICCYCLICCOMPRESSED_CLEAN_rainbow_sign(signature, (sk_t *)sk, digest);
|
2019-06-22 17:17:07 +01:00
|
|
|
}
|
|
|
|
|
|
2019-07-24 09:15:48 +01:00
|
|
|
int PQCLEAN_RAINBOWIIICCYCLICCOMPRESSED_CLEAN_rainbow_verify_cyclic(const uint8_t *digest, const uint8_t *signature, const cpk_t *_pk) {
|
|
|
|
|
unsigned char pk[sizeof(pk_t) + 32];
|
|
|
|
|
PQCLEAN_RAINBOWIIICCYCLICCOMPRESSED_CLEAN_cpk_to_pk((pk_t *)pk, _pk); // generating classic public key.
|
|
|
|
|
return PQCLEAN_RAINBOWIIICCYCLICCOMPRESSED_CLEAN_rainbow_verify(digest, signature, (pk_t *)pk);
|
2019-06-22 17:17:07 +01:00
|
|
|
}
|
