2019-04-16 14:15:03 +01:00
|
|
|
#include <stdint.h>
|
|
|
|
|
#include <string.h>
|
|
|
|
|
|
|
|
|
|
#include "address.h"
|
|
|
|
|
#include "hash.h"
|
|
|
|
|
#include "params.h"
|
|
|
|
|
#include "utils.h"
|
|
|
|
|
|
|
|
|
|
#include "sha2.h"
|
|
|
|
|
#include "sha256.h"
|
|
|
|
|
|
|
|
|
|
/* For SHA256, there is no immediate reason to initialize at the start,
|
|
|
|
|
so this function is an empty operation. */
|
|
|
|
|
void PQCLEAN_SPHINCSSHA256192SROBUST_CLEAN_initialize_hash_function(
|
2019-07-17 07:37:14 +01:00
|
|
|
hash_state *hash_state_seeded,
|
2019-04-16 14:15:03 +01:00
|
|
|
const unsigned char *pub_seed, const unsigned char *sk_seed) {
|
2019-07-17 07:37:14 +01:00
|
|
|
PQCLEAN_SPHINCSSHA256192SROBUST_CLEAN_seed_state(hash_state_seeded, pub_seed);
|
2019-04-16 14:15:03 +01:00
|
|
|
(void)sk_seed; /* Suppress an 'unused parameter' warning. */
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Computes PRF(key, addr), given a secret key of SPX_N bytes and an address
|
|
|
|
|
*/
|
|
|
|
|
void PQCLEAN_SPHINCSSHA256192SROBUST_CLEAN_prf_addr(
|
2019-06-21 13:34:36 +01:00
|
|
|
unsigned char *out, const unsigned char *key, const uint32_t addr[8],
|
2019-07-17 07:37:14 +01:00
|
|
|
const hash_state *hash_state_seeded) {
|
2019-04-16 14:15:03 +01:00
|
|
|
unsigned char buf[SPX_N + SPX_SHA256_ADDR_BYTES];
|
|
|
|
|
unsigned char outbuf[SPX_SHA256_OUTPUT_BYTES];
|
|
|
|
|
|
|
|
|
|
memcpy(buf, key, SPX_N);
|
|
|
|
|
PQCLEAN_SPHINCSSHA256192SROBUST_CLEAN_compress_address(buf + SPX_N, addr);
|
|
|
|
|
|
|
|
|
|
sha256(outbuf, buf, SPX_N + SPX_SHA256_ADDR_BYTES);
|
|
|
|
|
memcpy(out, outbuf, SPX_N);
|
2019-06-21 13:34:36 +01:00
|
|
|
|
2019-07-17 07:37:14 +01:00
|
|
|
(void)hash_state_seeded; /* Prevent unused parameter warning. */
|
2019-04-16 14:15:03 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Computes the message-dependent randomness R, using a secret seed as a key
|
|
|
|
|
* for HMAC, and an optional randomization value prefixed to the message.
|
|
|
|
|
* This requires m to have at least SPX_SHA256_BLOCK_BYTES + SPX_N space
|
|
|
|
|
* available in front of the pointer, i.e. before the message to use for the
|
|
|
|
|
* prefix. This is necessary to prevent having to move the message around (and
|
|
|
|
|
* allocate memory for it).
|
|
|
|
|
*/
|
|
|
|
|
void PQCLEAN_SPHINCSSHA256192SROBUST_CLEAN_gen_message_random(
|
|
|
|
|
unsigned char *R,
|
|
|
|
|
const unsigned char *sk_prf, const unsigned char *optrand,
|
2019-07-17 07:37:14 +01:00
|
|
|
const unsigned char *m, size_t mlen, const hash_state *hash_state_seeded) {
|
2019-04-16 14:15:03 +01:00
|
|
|
unsigned char buf[SPX_SHA256_BLOCK_BYTES + SPX_SHA256_OUTPUT_BYTES];
|
2019-05-20 08:39:06 +01:00
|
|
|
sha256ctx state;
|
2019-04-16 14:15:03 +01:00
|
|
|
int i;
|
|
|
|
|
|
|
|
|
|
/* This implements HMAC-SHA256 */
|
|
|
|
|
for (i = 0; i < SPX_N; i++) {
|
|
|
|
|
buf[i] = 0x36 ^ sk_prf[i];
|
|
|
|
|
}
|
|
|
|
|
memset(buf + SPX_N, 0x36, SPX_SHA256_BLOCK_BYTES - SPX_N);
|
|
|
|
|
|
2019-05-20 08:39:06 +01:00
|
|
|
sha256_inc_init(&state);
|
|
|
|
|
sha256_inc_blocks(&state, buf, 1);
|
2019-04-16 14:15:03 +01:00
|
|
|
|
|
|
|
|
memcpy(buf, optrand, SPX_N);
|
|
|
|
|
|
|
|
|
|
/* If optrand + message cannot fill up an entire block */
|
|
|
|
|
if (SPX_N + mlen < SPX_SHA256_BLOCK_BYTES) {
|
|
|
|
|
memcpy(buf + SPX_N, m, mlen);
|
2019-05-20 08:39:06 +01:00
|
|
|
sha256_inc_finalize(buf + SPX_SHA256_BLOCK_BYTES, &state,
|
2019-04-16 14:15:03 +01:00
|
|
|
buf, mlen + SPX_N);
|
|
|
|
|
}
|
|
|
|
|
/* Otherwise first fill a block, so that finalize only uses the message */
|
|
|
|
|
else {
|
|
|
|
|
memcpy(buf + SPX_N, m, SPX_SHA256_BLOCK_BYTES - SPX_N);
|
2019-05-20 08:39:06 +01:00
|
|
|
sha256_inc_blocks(&state, buf, 1);
|
2019-04-16 14:15:03 +01:00
|
|
|
|
|
|
|
|
m += SPX_SHA256_BLOCK_BYTES - SPX_N;
|
|
|
|
|
mlen -= SPX_SHA256_BLOCK_BYTES - SPX_N;
|
2019-05-20 08:39:06 +01:00
|
|
|
sha256_inc_finalize(buf + SPX_SHA256_BLOCK_BYTES, &state, m, mlen);
|
2019-04-16 14:15:03 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
for (i = 0; i < SPX_N; i++) {
|
|
|
|
|
buf[i] = 0x5c ^ sk_prf[i];
|
|
|
|
|
}
|
|
|
|
|
memset(buf + SPX_N, 0x5c, SPX_SHA256_BLOCK_BYTES - SPX_N);
|
|
|
|
|
|
|
|
|
|
sha256(buf, buf, SPX_SHA256_BLOCK_BYTES + SPX_SHA256_OUTPUT_BYTES);
|
|
|
|
|
memcpy(R, buf, SPX_N);
|
2019-06-21 13:34:36 +01:00
|
|
|
|
2019-07-17 07:37:14 +01:00
|
|
|
(void)hash_state_seeded; /* Prevent unused parameter warning. */
|
2019-04-16 14:15:03 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Computes the message hash using R, the public key, and the message.
|
|
|
|
|
* Outputs the message digest and the index of the leaf. The index is split in
|
|
|
|
|
* the tree index and the leaf index, for convenient copying to an address.
|
|
|
|
|
*/
|
|
|
|
|
void PQCLEAN_SPHINCSSHA256192SROBUST_CLEAN_hash_message(
|
|
|
|
|
unsigned char *digest, uint64_t *tree, uint32_t *leaf_idx,
|
|
|
|
|
const unsigned char *R, const unsigned char *pk,
|
2019-06-21 13:34:36 +01:00
|
|
|
const unsigned char *m, size_t mlen,
|
2019-07-17 07:37:14 +01:00
|
|
|
const hash_state *hash_state_seeded) {
|
2019-04-16 14:15:03 +01:00
|
|
|
#define SPX_TREE_BITS (SPX_TREE_HEIGHT * (SPX_D - 1))
|
|
|
|
|
#define SPX_TREE_BYTES ((SPX_TREE_BITS + 7) / 8)
|
|
|
|
|
#define SPX_LEAF_BITS SPX_TREE_HEIGHT
|
|
|
|
|
#define SPX_LEAF_BYTES ((SPX_LEAF_BITS + 7) / 8)
|
|
|
|
|
#define SPX_DGST_BYTES (SPX_FORS_MSG_BYTES + SPX_TREE_BYTES + SPX_LEAF_BYTES)
|
|
|
|
|
|
2019-04-24 11:57:51 +01:00
|
|
|
unsigned char seed[SPX_SHA256_OUTPUT_BYTES + 4];
|
2019-04-16 14:15:03 +01:00
|
|
|
|
|
|
|
|
/* Round to nearest multiple of SPX_SHA256_BLOCK_BYTES */
|
|
|
|
|
#define SPX_INBLOCKS (((SPX_N + SPX_PK_BYTES + SPX_SHA256_BLOCK_BYTES - 1) & \
|
|
|
|
|
-SPX_SHA256_BLOCK_BYTES) / SPX_SHA256_BLOCK_BYTES)
|
|
|
|
|
unsigned char inbuf[SPX_INBLOCKS * SPX_SHA256_BLOCK_BYTES];
|
|
|
|
|
|
|
|
|
|
unsigned char buf[SPX_DGST_BYTES];
|
|
|
|
|
unsigned char *bufp = buf;
|
2019-05-20 08:39:06 +01:00
|
|
|
sha256ctx state;
|
2019-04-16 14:15:03 +01:00
|
|
|
|
2019-05-20 08:39:06 +01:00
|
|
|
sha256_inc_init(&state);
|
2019-04-16 14:15:03 +01:00
|
|
|
|
|
|
|
|
memcpy(inbuf, R, SPX_N);
|
|
|
|
|
memcpy(inbuf + SPX_N, pk, SPX_PK_BYTES);
|
|
|
|
|
|
|
|
|
|
/* If R + pk + message cannot fill up an entire block */
|
|
|
|
|
if (SPX_N + SPX_PK_BYTES + mlen < SPX_INBLOCKS * SPX_SHA256_BLOCK_BYTES) {
|
|
|
|
|
memcpy(inbuf + SPX_N + SPX_PK_BYTES, m, mlen);
|
2019-05-20 08:39:06 +01:00
|
|
|
sha256_inc_finalize(seed, &state, inbuf, SPX_N + SPX_PK_BYTES + mlen);
|
2019-04-16 14:15:03 +01:00
|
|
|
}
|
|
|
|
|
/* Otherwise first fill a block, so that finalize only uses the message */
|
|
|
|
|
else {
|
|
|
|
|
memcpy(inbuf + SPX_N + SPX_PK_BYTES, m,
|
|
|
|
|
SPX_INBLOCKS * SPX_SHA256_BLOCK_BYTES - SPX_N - SPX_PK_BYTES);
|
2019-05-20 08:39:06 +01:00
|
|
|
sha256_inc_blocks(&state, inbuf, SPX_INBLOCKS);
|
2019-04-16 14:15:03 +01:00
|
|
|
|
|
|
|
|
m += SPX_INBLOCKS * SPX_SHA256_BLOCK_BYTES - SPX_N - SPX_PK_BYTES;
|
|
|
|
|
mlen -= SPX_INBLOCKS * SPX_SHA256_BLOCK_BYTES - SPX_N - SPX_PK_BYTES;
|
2019-05-20 08:39:06 +01:00
|
|
|
sha256_inc_finalize(seed, &state, m, mlen);
|
2019-04-16 14:15:03 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* By doing this in two steps, we prevent hashing the message twice;
|
|
|
|
|
otherwise each iteration in MGF1 would hash the message again. */
|
|
|
|
|
PQCLEAN_SPHINCSSHA256192SROBUST_CLEAN_mgf1(bufp, SPX_DGST_BYTES, seed, SPX_SHA256_OUTPUT_BYTES);
|
|
|
|
|
|
|
|
|
|
memcpy(digest, bufp, SPX_FORS_MSG_BYTES);
|
|
|
|
|
bufp += SPX_FORS_MSG_BYTES;
|
|
|
|
|
|
|
|
|
|
*tree = PQCLEAN_SPHINCSSHA256192SROBUST_CLEAN_bytes_to_ull(bufp, SPX_TREE_BYTES);
|
|
|
|
|
*tree &= (~(uint64_t)0) >> (64 - SPX_TREE_BITS);
|
|
|
|
|
bufp += SPX_TREE_BYTES;
|
|
|
|
|
|
|
|
|
|
*leaf_idx = (uint32_t)PQCLEAN_SPHINCSSHA256192SROBUST_CLEAN_bytes_to_ull(
|
|
|
|
|
bufp, SPX_LEAF_BYTES);
|
|
|
|
|
*leaf_idx &= (~(uint32_t)0) >> (32 - SPX_LEAF_BITS);
|
2019-06-21 13:34:36 +01:00
|
|
|
|
2019-07-17 07:37:14 +01:00
|
|
|
(void)hash_state_seeded; /* Prevent unused parameter warning. */
|
2019-04-16 14:15:03 +01:00
|
|
|
}
|
