Implement detached MQDSS signatures
Esse commit está contido em:
pai
db6f71086f
commit
2e304246c4
@ -4,7 +4,7 @@ claimed-nist-level: 1
|
||||
length-public-key: 46
|
||||
length-secret-key: 16
|
||||
length-signature: 20854
|
||||
testvectors-sha256: a14cb8e4f149493fc5979e465e09ce943e8d669186ff5c7c3d11239fa869def6
|
||||
testvectors-sha256: 3350a80ccf4316b32ef13060fca8880d6802b7e61150fd36f021d1c52d8edb98
|
||||
principal-submitter: Simona Samardjiska
|
||||
auxiliary-submitters:
|
||||
- Ming-Shing Chen
|
||||
|
@ -95,7 +95,7 @@ void PQCLEAN_MQDSS48_CLEAN_gf31_nunpack(gf31 *out, const unsigned char *in, unsi
|
||||
unsigned int d = 0;
|
||||
|
||||
for (i = n; i > 0; i--) {
|
||||
out[i-1] = (in[j] >> d) & 31;
|
||||
out[i-1] = (gf31)((in[j] >> d) & 31);
|
||||
d += 5;
|
||||
if (d > 8) {
|
||||
d -= 8;
|
||||
|
@ -1,6 +1,6 @@
|
||||
#include <assert.h>
|
||||
#include <stdint.h>
|
||||
#include <stddef.h>
|
||||
#include <stdint.h>
|
||||
#include <string.h>
|
||||
|
||||
#include "api.h"
|
||||
@ -70,7 +70,6 @@ int PQCLEAN_MQDSS48_CLEAN_crypto_sign_keypair(uint8_t *pk, uint8_t *sk) {
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* Returns an array containing a detached signature.
|
||||
*/
|
||||
@ -78,39 +77,6 @@ int PQCLEAN_MQDSS48_CLEAN_crypto_sign_signature(
|
||||
uint8_t *sig, size_t *siglen,
|
||||
const uint8_t *m, size_t mlen, const uint8_t *sk) {
|
||||
|
||||
(void)sig;
|
||||
(void)siglen;
|
||||
(void)m;
|
||||
(void)mlen;
|
||||
(void)sk;
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
/**
|
||||
* Verifies a detached signature and message under a given public key.
|
||||
*/
|
||||
int PQCLEAN_MQDSS48_CLEAN_crypto_sign_verify(
|
||||
const uint8_t *sig, size_t siglen,
|
||||
const uint8_t *m, size_t mlen, const uint8_t *pk) {
|
||||
|
||||
(void)sig;
|
||||
(void)siglen;
|
||||
(void)m;
|
||||
(void)mlen;
|
||||
(void)pk;
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* Returns an array containing the signature followed by the message.
|
||||
*/
|
||||
int PQCLEAN_MQDSS48_CLEAN_crypto_sign(
|
||||
uint8_t *sm, size_t *smlen,
|
||||
const uint8_t *m, size_t mlen, const uint8_t *sk) {
|
||||
|
||||
signed char F[F_LEN];
|
||||
unsigned char skbuf[SEED_BYTES * 4];
|
||||
gf31 pk_gf31[M];
|
||||
@ -146,15 +112,17 @@ int PQCLEAN_MQDSS48_CLEAN_crypto_sign(
|
||||
int alpha_count = 0;
|
||||
unsigned char b;
|
||||
int i, j;
|
||||
uint64_t s_inc[26];
|
||||
|
||||
shake256(skbuf, SEED_BYTES * 4, sk, SEED_BYTES);
|
||||
|
||||
PQCLEAN_MQDSS48_CLEAN_gf31_nrand_schar(F, F_LEN, skbuf, SEED_BYTES);
|
||||
|
||||
assert(SIG_LEN > SEED_BYTES);
|
||||
memcpy(sm + SIG_LEN - SEED_BYTES, sk, SEED_BYTES);
|
||||
memcpy(sm + SIG_LEN, m, mlen);
|
||||
H(sm, sm + SIG_LEN - SEED_BYTES, mlen + SEED_BYTES); // Compute R.
|
||||
shake256_inc_init(s_inc);
|
||||
shake256_inc_absorb(s_inc, sk, SEED_BYTES);
|
||||
shake256_inc_absorb(s_inc, m, mlen);
|
||||
shake256_inc_finalize(s_inc);
|
||||
shake256_inc_squeeze(sig, HASH_BYTES, s_inc); // Compute R.
|
||||
|
||||
memcpy(pk, skbuf, SEED_BYTES);
|
||||
PQCLEAN_MQDSS48_CLEAN_gf31_nrand(sk_gf31, N, skbuf + SEED_BYTES, SEED_BYTES);
|
||||
@ -162,11 +130,14 @@ int PQCLEAN_MQDSS48_CLEAN_crypto_sign(
|
||||
PQCLEAN_MQDSS48_CLEAN_vgf31_unique(pk_gf31, pk_gf31);
|
||||
PQCLEAN_MQDSS48_CLEAN_gf31_npack(pk + SEED_BYTES, pk_gf31, M);
|
||||
|
||||
memcpy(sm + SIG_LEN - HASH_BYTES - PK_BYTES, pk, PK_BYTES);
|
||||
memcpy(sm + SIG_LEN - HASH_BYTES, sm, HASH_BYTES);
|
||||
H(D, sm + SIG_LEN - HASH_BYTES - PK_BYTES, mlen + PK_BYTES + HASH_BYTES);
|
||||
shake256_inc_init(s_inc);
|
||||
shake256_inc_absorb(s_inc, pk, PK_BYTES);
|
||||
shake256_inc_absorb(s_inc, sig, HASH_BYTES);
|
||||
shake256_inc_absorb(s_inc, m, mlen);
|
||||
shake256_inc_finalize(s_inc);
|
||||
shake256_inc_squeeze(D, HASH_BYTES, s_inc);
|
||||
|
||||
sm += HASH_BYTES; // Compensate for prefixed R.
|
||||
sig += HASH_BYTES; // Compensate for prefixed R.
|
||||
|
||||
memcpy(rnd_seed, skbuf + 2*SEED_BYTES, SEED_BYTES);
|
||||
memcpy(rnd_seed + SEED_BYTES, D, HASH_BYTES);
|
||||
@ -203,8 +174,8 @@ int PQCLEAN_MQDSS48_CLEAN_crypto_sign(
|
||||
|
||||
memcpy(h0, shakeblock, HASH_BYTES);
|
||||
|
||||
memcpy(sm, sigma0, HASH_BYTES);
|
||||
sm += HASH_BYTES; // Compensate for sigma_0.
|
||||
memcpy(sig, sigma0, HASH_BYTES);
|
||||
sig += HASH_BYTES; // Compensate for sigma_0.
|
||||
|
||||
for (i = 0; i < ROUNDS; i++) {
|
||||
do {
|
||||
@ -228,42 +199,41 @@ int PQCLEAN_MQDSS48_CLEAN_crypto_sign(
|
||||
PQCLEAN_MQDSS48_CLEAN_gf31_npack(t1packed, t1, N * ROUNDS);
|
||||
PQCLEAN_MQDSS48_CLEAN_gf31_npack(e1packed, e1, M * ROUNDS);
|
||||
|
||||
memcpy(sm, t1packed, NPACKED_BYTES * ROUNDS);
|
||||
sm += NPACKED_BYTES * ROUNDS;
|
||||
memcpy(sm, e1packed, MPACKED_BYTES * ROUNDS);
|
||||
sm += MPACKED_BYTES * ROUNDS;
|
||||
memcpy(sig, t1packed, NPACKED_BYTES * ROUNDS);
|
||||
sig += NPACKED_BYTES * ROUNDS;
|
||||
memcpy(sig, e1packed, MPACKED_BYTES * ROUNDS);
|
||||
sig += MPACKED_BYTES * ROUNDS;
|
||||
|
||||
shake256(h1, ((ROUNDS + 7) & ~7) >> 3, D_sigma0_h0_sigma1, 3*HASH_BYTES + ROUNDS*(NPACKED_BYTES + MPACKED_BYTES));
|
||||
|
||||
for (i = 0; i < ROUNDS; i++) {
|
||||
b = (h1[(i >> 3)] >> (i & 7)) & 1;
|
||||
if (b == 0) {
|
||||
PQCLEAN_MQDSS48_CLEAN_gf31_npack(sm, r0+i*N, N);
|
||||
PQCLEAN_MQDSS48_CLEAN_gf31_npack(sig, r0+i*N, N);
|
||||
} else if (b == 1) {
|
||||
PQCLEAN_MQDSS48_CLEAN_gf31_npack(sm, r1+i*N, N);
|
||||
PQCLEAN_MQDSS48_CLEAN_gf31_npack(sig, r1+i*N, N);
|
||||
}
|
||||
memcpy(sm + NPACKED_BYTES, c + HASH_BYTES * (2*i + (1 - b)), HASH_BYTES);
|
||||
memcpy(sm + NPACKED_BYTES + HASH_BYTES, rho + (i + b * ROUNDS) * HASH_BYTES, HASH_BYTES);
|
||||
sm += NPACKED_BYTES + 2*HASH_BYTES;
|
||||
memcpy(sig + NPACKED_BYTES, c + HASH_BYTES * (2*i + (1 - b)), HASH_BYTES);
|
||||
memcpy(sig + NPACKED_BYTES + HASH_BYTES, rho + (i + b * ROUNDS) * HASH_BYTES, HASH_BYTES);
|
||||
sig += NPACKED_BYTES + 2*HASH_BYTES;
|
||||
}
|
||||
*smlen = SIG_LEN + mlen;
|
||||
|
||||
*siglen = SIG_LEN;
|
||||
return 0;
|
||||
}
|
||||
|
||||
/**
|
||||
* Verifies a given signature-message pair under a given public key.
|
||||
* Verifies a detached signature and message under a given public key.
|
||||
*/
|
||||
int PQCLEAN_MQDSS48_CLEAN_crypto_sign_open(
|
||||
uint8_t *m, size_t *mlen,
|
||||
const uint8_t *sm, size_t smlen, const uint8_t *pk)
|
||||
{
|
||||
int PQCLEAN_MQDSS48_CLEAN_crypto_sign_verify(
|
||||
const uint8_t *sig, size_t siglen,
|
||||
const uint8_t *m, size_t mlen, const uint8_t *pk) {
|
||||
|
||||
gf31 r[N];
|
||||
gf31 t[N];
|
||||
gf31 e[M];
|
||||
signed char F[F_LEN];
|
||||
gf31 pk_gf31[M];
|
||||
unsigned char sig[SIG_LEN];
|
||||
unsigned char *sigptr = sig;
|
||||
// Concatenated for convenient hashing.
|
||||
unsigned char D_sigma0_h0_sigma1[HASH_BYTES * 3 + ROUNDS * (NPACKED_BYTES + MPACKED_BYTES)];
|
||||
unsigned char *D = D_sigma0_h0_sigma1;
|
||||
@ -285,47 +255,38 @@ int PQCLEAN_MQDSS48_CLEAN_crypto_sign_open(
|
||||
gf31 alpha;
|
||||
int alpha_count = 0;
|
||||
unsigned char b;
|
||||
uint64_t s_inc[26];
|
||||
|
||||
/* The API caller does not necessarily know what size a signature should be
|
||||
but MQDSS signatures are always exactly SIG_LEN. */
|
||||
if (smlen < SIG_LEN) {
|
||||
memset(m, 0, smlen);
|
||||
*mlen = 0;
|
||||
return 1;
|
||||
if (siglen != SIG_LEN) {
|
||||
return -1;
|
||||
}
|
||||
|
||||
*mlen = smlen - SIG_LEN;
|
||||
shake256_inc_init(s_inc);
|
||||
shake256_inc_absorb(s_inc, pk, PK_BYTES);
|
||||
shake256_inc_absorb(s_inc, sig, HASH_BYTES);
|
||||
shake256_inc_absorb(s_inc, m, mlen);
|
||||
shake256_inc_finalize(s_inc);
|
||||
shake256_inc_squeeze(D, HASH_BYTES, s_inc);
|
||||
|
||||
/* Create a copy of the signature so that m = sm is not an issue */
|
||||
memcpy(sig, sm, SIG_LEN);
|
||||
|
||||
/* Put the message all the way at the end of the m buffer, so that we can
|
||||
* prepend the required other inputs for the hash function. */
|
||||
memcpy(m + SIG_LEN, sm + SIG_LEN, *mlen);
|
||||
|
||||
memcpy(m + SIG_LEN - PK_BYTES - HASH_BYTES, pk, PK_BYTES); // Copy pk to m.
|
||||
memcpy(m + SIG_LEN - HASH_BYTES, sigptr, HASH_BYTES); // Copy R to m.
|
||||
H(D, m + SIG_LEN - PK_BYTES - HASH_BYTES, *mlen + PK_BYTES + HASH_BYTES);
|
||||
|
||||
sigptr += HASH_BYTES;
|
||||
sig += HASH_BYTES;
|
||||
|
||||
PQCLEAN_MQDSS48_CLEAN_gf31_nrand_schar(F, F_LEN, pk, SEED_BYTES);
|
||||
pk += SEED_BYTES;
|
||||
PQCLEAN_MQDSS48_CLEAN_gf31_nunpack(pk_gf31, pk, M);
|
||||
|
||||
memcpy(sigma0, sigptr, HASH_BYTES);
|
||||
memcpy(sigma0, sig, HASH_BYTES);
|
||||
|
||||
shake256_absorb(shakestate, D_sigma0_h0_sigma1, 2 * HASH_BYTES);
|
||||
shake256_squeezeblocks(shakeblock, 1, shakestate);
|
||||
|
||||
memcpy(h0, shakeblock, HASH_BYTES);
|
||||
|
||||
sigptr += HASH_BYTES;
|
||||
sig += HASH_BYTES;
|
||||
|
||||
memcpy(t1packed, sigptr, ROUNDS * NPACKED_BYTES);
|
||||
sigptr += ROUNDS*NPACKED_BYTES;
|
||||
memcpy(e1packed, sigptr, ROUNDS * MPACKED_BYTES);
|
||||
sigptr += ROUNDS*MPACKED_BYTES;
|
||||
memcpy(t1packed, sig, ROUNDS * NPACKED_BYTES);
|
||||
sig += ROUNDS*NPACKED_BYTES;
|
||||
memcpy(e1packed, sig, ROUNDS * MPACKED_BYTES);
|
||||
sig += ROUNDS*MPACKED_BYTES;
|
||||
|
||||
shake256(h1, ((ROUNDS + 7) & ~7) >> 3, D_sigma0_h0_sigma1, 3*HASH_BYTES + ROUNDS*(NPACKED_BYTES + MPACKED_BYTES));
|
||||
|
||||
@ -340,7 +301,7 @@ int PQCLEAN_MQDSS48_CLEAN_crypto_sign_open(
|
||||
} while (alpha == 31);
|
||||
b = (h1[(i >> 3)] >> (i & 7)) & 1;
|
||||
|
||||
PQCLEAN_MQDSS48_CLEAN_gf31_nunpack(r, sigptr, N);
|
||||
PQCLEAN_MQDSS48_CLEAN_gf31_nunpack(r, sig, N);
|
||||
PQCLEAN_MQDSS48_CLEAN_gf31_nunpack(t, t1packed + NPACKED_BYTES*i, N);
|
||||
PQCLEAN_MQDSS48_CLEAN_gf31_nunpack(e, e1packed + MPACKED_BYTES*i, M);
|
||||
|
||||
@ -356,7 +317,7 @@ int PQCLEAN_MQDSS48_CLEAN_crypto_sign_open(
|
||||
PQCLEAN_MQDSS48_CLEAN_vgf31_shorten_unique(y, y);
|
||||
PQCLEAN_MQDSS48_CLEAN_gf31_npack(packbuf0, x, N);
|
||||
PQCLEAN_MQDSS48_CLEAN_gf31_npack(packbuf1, y, M);
|
||||
com_0(c + HASH_BYTES*(2*i + 0), sigptr + HASH_BYTES + NPACKED_BYTES, sigptr, packbuf0, packbuf1);
|
||||
com_0(c + HASH_BYTES*(2*i + 0), sig + HASH_BYTES + NPACKED_BYTES, sig, packbuf0, packbuf1);
|
||||
} else {
|
||||
PQCLEAN_MQDSS48_CLEAN_MQ(y, r, F);
|
||||
PQCLEAN_MQDSS48_CLEAN_G(z, t, r, F);
|
||||
@ -365,21 +326,62 @@ int PQCLEAN_MQDSS48_CLEAN_crypto_sign_open(
|
||||
}
|
||||
PQCLEAN_MQDSS48_CLEAN_vgf31_shorten_unique(y, y);
|
||||
PQCLEAN_MQDSS48_CLEAN_gf31_npack(packbuf0, y, M);
|
||||
com_1(c + HASH_BYTES*(2*i + 1), sigptr + HASH_BYTES + NPACKED_BYTES, sigptr, packbuf0);
|
||||
com_1(c + HASH_BYTES*(2*i + 1), sig + HASH_BYTES + NPACKED_BYTES, sig, packbuf0);
|
||||
}
|
||||
memcpy(c + HASH_BYTES*(2*i + (1 - b)), sigptr + NPACKED_BYTES, HASH_BYTES);
|
||||
sigptr += NPACKED_BYTES + 2*HASH_BYTES;
|
||||
memcpy(c + HASH_BYTES*(2*i + (1 - b)), sig + NPACKED_BYTES, HASH_BYTES);
|
||||
sig += NPACKED_BYTES + 2*HASH_BYTES;
|
||||
}
|
||||
|
||||
H(c, c, HASH_BYTES * ROUNDS * 2);
|
||||
if (memcmp(c, sigma0, HASH_BYTES)) {
|
||||
memset(m, 0, smlen);
|
||||
*mlen = 0;
|
||||
return 1;
|
||||
if (memcmp(c, sigma0, HASH_BYTES) != 0) {
|
||||
return -1;
|
||||
}
|
||||
|
||||
/* If verification was successful, move the message to the right place. */
|
||||
memmove(m, m + SIG_LEN, *mlen);
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns an array containing the signature followed by the message.
|
||||
*/
|
||||
int PQCLEAN_MQDSS48_CLEAN_crypto_sign(
|
||||
uint8_t *sm, size_t *smlen,
|
||||
const uint8_t *m, size_t mlen, const uint8_t *sk) {
|
||||
size_t siglen;
|
||||
|
||||
PQCLEAN_MQDSS48_CLEAN_crypto_sign_signature(
|
||||
sm, &siglen, m, mlen, sk);
|
||||
|
||||
memmove(sm + SIG_LEN, m, mlen);
|
||||
*smlen = siglen + mlen;
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
/**
|
||||
* Verifies a given signature-message pair under a given public key.
|
||||
*/
|
||||
int PQCLEAN_MQDSS48_CLEAN_crypto_sign_open(
|
||||
uint8_t *m, size_t *mlen,
|
||||
const uint8_t *sm, size_t smlen, const uint8_t *pk) {
|
||||
/* The API caller does not necessarily know what size a signature should be
|
||||
but MQDSS signatures are always exactly SIG_LEN. */
|
||||
if (smlen < SIG_LEN) {
|
||||
memset(m, 0, smlen);
|
||||
*mlen = 0;
|
||||
return -1;
|
||||
}
|
||||
|
||||
*mlen = smlen - SIG_LEN;
|
||||
|
||||
if (PQCLEAN_MQDSS48_CLEAN_crypto_sign_verify(
|
||||
sm, SIG_LEN, sm + SIG_LEN, *mlen, pk)) {
|
||||
memset(m, 0, smlen);
|
||||
*mlen = 0;
|
||||
return -1;
|
||||
}
|
||||
|
||||
/* If verification was successful, move the message to the right place. */
|
||||
memmove(m, sm + SIG_LEN, *mlen);
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
Carregando…
Referência em uma nova issue
Block a user