1
1
mirror of https://github.com/henrydcase/pqc.git synced 2024-11-26 17:31:38 +00:00

Implement detached MQDSS signatures

This commit is contained in:
Joost Rijneveld 2019-04-30 10:53:58 +02:00
parent db6f71086f
commit 2e304246c4
No known key found for this signature in database
GPG Key ID: A4FE39CF49CBC553
3 changed files with 103 additions and 101 deletions

View File

@ -4,7 +4,7 @@ claimed-nist-level: 1
length-public-key: 46
length-secret-key: 16
length-signature: 20854
testvectors-sha256: a14cb8e4f149493fc5979e465e09ce943e8d669186ff5c7c3d11239fa869def6
testvectors-sha256: 3350a80ccf4316b32ef13060fca8880d6802b7e61150fd36f021d1c52d8edb98
principal-submitter: Simona Samardjiska
auxiliary-submitters:
- Ming-Shing Chen

View File

@ -95,7 +95,7 @@ void PQCLEAN_MQDSS48_CLEAN_gf31_nunpack(gf31 *out, const unsigned char *in, unsi
unsigned int d = 0;
for (i = n; i > 0; i--) {
out[i-1] = (in[j] >> d) & 31;
out[i-1] = (gf31)((in[j] >> d) & 31);
d += 5;
if (d > 8) {
d -= 8;

View File

@ -1,6 +1,6 @@
#include <assert.h>
#include <stdint.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include "api.h"
@ -70,7 +70,6 @@ int PQCLEAN_MQDSS48_CLEAN_crypto_sign_keypair(uint8_t *pk, uint8_t *sk) {
return 0;
}
/**
* Returns an array containing a detached signature.
*/
@ -78,39 +77,6 @@ int PQCLEAN_MQDSS48_CLEAN_crypto_sign_signature(
uint8_t *sig, size_t *siglen,
const uint8_t *m, size_t mlen, const uint8_t *sk) {
(void)sig;
(void)siglen;
(void)m;
(void)mlen;
(void)sk;
return 0;
}
/**
* Verifies a detached signature and message under a given public key.
*/
int PQCLEAN_MQDSS48_CLEAN_crypto_sign_verify(
const uint8_t *sig, size_t siglen,
const uint8_t *m, size_t mlen, const uint8_t *pk) {
(void)sig;
(void)siglen;
(void)m;
(void)mlen;
(void)pk;
return 0;
}
/**
* Returns an array containing the signature followed by the message.
*/
int PQCLEAN_MQDSS48_CLEAN_crypto_sign(
uint8_t *sm, size_t *smlen,
const uint8_t *m, size_t mlen, const uint8_t *sk) {
signed char F[F_LEN];
unsigned char skbuf[SEED_BYTES * 4];
gf31 pk_gf31[M];
@ -146,15 +112,17 @@ int PQCLEAN_MQDSS48_CLEAN_crypto_sign(
int alpha_count = 0;
unsigned char b;
int i, j;
uint64_t s_inc[26];
shake256(skbuf, SEED_BYTES * 4, sk, SEED_BYTES);
PQCLEAN_MQDSS48_CLEAN_gf31_nrand_schar(F, F_LEN, skbuf, SEED_BYTES);
assert(SIG_LEN > SEED_BYTES);
memcpy(sm + SIG_LEN - SEED_BYTES, sk, SEED_BYTES);
memcpy(sm + SIG_LEN, m, mlen);
H(sm, sm + SIG_LEN - SEED_BYTES, mlen + SEED_BYTES); // Compute R.
shake256_inc_init(s_inc);
shake256_inc_absorb(s_inc, sk, SEED_BYTES);
shake256_inc_absorb(s_inc, m, mlen);
shake256_inc_finalize(s_inc);
shake256_inc_squeeze(sig, HASH_BYTES, s_inc); // Compute R.
memcpy(pk, skbuf, SEED_BYTES);
PQCLEAN_MQDSS48_CLEAN_gf31_nrand(sk_gf31, N, skbuf + SEED_BYTES, SEED_BYTES);
@ -162,11 +130,14 @@ int PQCLEAN_MQDSS48_CLEAN_crypto_sign(
PQCLEAN_MQDSS48_CLEAN_vgf31_unique(pk_gf31, pk_gf31);
PQCLEAN_MQDSS48_CLEAN_gf31_npack(pk + SEED_BYTES, pk_gf31, M);
memcpy(sm + SIG_LEN - HASH_BYTES - PK_BYTES, pk, PK_BYTES);
memcpy(sm + SIG_LEN - HASH_BYTES, sm, HASH_BYTES);
H(D, sm + SIG_LEN - HASH_BYTES - PK_BYTES, mlen + PK_BYTES + HASH_BYTES);
shake256_inc_init(s_inc);
shake256_inc_absorb(s_inc, pk, PK_BYTES);
shake256_inc_absorb(s_inc, sig, HASH_BYTES);
shake256_inc_absorb(s_inc, m, mlen);
shake256_inc_finalize(s_inc);
shake256_inc_squeeze(D, HASH_BYTES, s_inc);
sm += HASH_BYTES; // Compensate for prefixed R.
sig += HASH_BYTES; // Compensate for prefixed R.
memcpy(rnd_seed, skbuf + 2*SEED_BYTES, SEED_BYTES);
memcpy(rnd_seed + SEED_BYTES, D, HASH_BYTES);
@ -203,8 +174,8 @@ int PQCLEAN_MQDSS48_CLEAN_crypto_sign(
memcpy(h0, shakeblock, HASH_BYTES);
memcpy(sm, sigma0, HASH_BYTES);
sm += HASH_BYTES; // Compensate for sigma_0.
memcpy(sig, sigma0, HASH_BYTES);
sig += HASH_BYTES; // Compensate for sigma_0.
for (i = 0; i < ROUNDS; i++) {
do {
@ -228,42 +199,41 @@ int PQCLEAN_MQDSS48_CLEAN_crypto_sign(
PQCLEAN_MQDSS48_CLEAN_gf31_npack(t1packed, t1, N * ROUNDS);
PQCLEAN_MQDSS48_CLEAN_gf31_npack(e1packed, e1, M * ROUNDS);
memcpy(sm, t1packed, NPACKED_BYTES * ROUNDS);
sm += NPACKED_BYTES * ROUNDS;
memcpy(sm, e1packed, MPACKED_BYTES * ROUNDS);
sm += MPACKED_BYTES * ROUNDS;
memcpy(sig, t1packed, NPACKED_BYTES * ROUNDS);
sig += NPACKED_BYTES * ROUNDS;
memcpy(sig, e1packed, MPACKED_BYTES * ROUNDS);
sig += MPACKED_BYTES * ROUNDS;
shake256(h1, ((ROUNDS + 7) & ~7) >> 3, D_sigma0_h0_sigma1, 3*HASH_BYTES + ROUNDS*(NPACKED_BYTES + MPACKED_BYTES));
for (i = 0; i < ROUNDS; i++) {
b = (h1[(i >> 3)] >> (i & 7)) & 1;
if (b == 0) {
PQCLEAN_MQDSS48_CLEAN_gf31_npack(sm, r0+i*N, N);
PQCLEAN_MQDSS48_CLEAN_gf31_npack(sig, r0+i*N, N);
} else if (b == 1) {
PQCLEAN_MQDSS48_CLEAN_gf31_npack(sm, r1+i*N, N);
PQCLEAN_MQDSS48_CLEAN_gf31_npack(sig, r1+i*N, N);
}
memcpy(sm + NPACKED_BYTES, c + HASH_BYTES * (2*i + (1 - b)), HASH_BYTES);
memcpy(sm + NPACKED_BYTES + HASH_BYTES, rho + (i + b * ROUNDS) * HASH_BYTES, HASH_BYTES);
sm += NPACKED_BYTES + 2*HASH_BYTES;
memcpy(sig + NPACKED_BYTES, c + HASH_BYTES * (2*i + (1 - b)), HASH_BYTES);
memcpy(sig + NPACKED_BYTES + HASH_BYTES, rho + (i + b * ROUNDS) * HASH_BYTES, HASH_BYTES);
sig += NPACKED_BYTES + 2*HASH_BYTES;
}
*smlen = SIG_LEN + mlen;
*siglen = SIG_LEN;
return 0;
}
/**
* Verifies a given signature-message pair under a given public key.
* Verifies a detached signature and message under a given public key.
*/
int PQCLEAN_MQDSS48_CLEAN_crypto_sign_open(
uint8_t *m, size_t *mlen,
const uint8_t *sm, size_t smlen, const uint8_t *pk)
{
int PQCLEAN_MQDSS48_CLEAN_crypto_sign_verify(
const uint8_t *sig, size_t siglen,
const uint8_t *m, size_t mlen, const uint8_t *pk) {
gf31 r[N];
gf31 t[N];
gf31 e[M];
signed char F[F_LEN];
gf31 pk_gf31[M];
unsigned char sig[SIG_LEN];
unsigned char *sigptr = sig;
// Concatenated for convenient hashing.
unsigned char D_sigma0_h0_sigma1[HASH_BYTES * 3 + ROUNDS * (NPACKED_BYTES + MPACKED_BYTES)];
unsigned char *D = D_sigma0_h0_sigma1;
@ -285,47 +255,38 @@ int PQCLEAN_MQDSS48_CLEAN_crypto_sign_open(
gf31 alpha;
int alpha_count = 0;
unsigned char b;
uint64_t s_inc[26];
/* The API caller does not necessarily know what size a signature should be
but MQDSS signatures are always exactly SIG_LEN. */
if (smlen < SIG_LEN) {
memset(m, 0, smlen);
*mlen = 0;
return 1;
if (siglen != SIG_LEN) {
return -1;
}
*mlen = smlen - SIG_LEN;
shake256_inc_init(s_inc);
shake256_inc_absorb(s_inc, pk, PK_BYTES);
shake256_inc_absorb(s_inc, sig, HASH_BYTES);
shake256_inc_absorb(s_inc, m, mlen);
shake256_inc_finalize(s_inc);
shake256_inc_squeeze(D, HASH_BYTES, s_inc);
/* Create a copy of the signature so that m = sm is not an issue */
memcpy(sig, sm, SIG_LEN);
/* Put the message all the way at the end of the m buffer, so that we can
* prepend the required other inputs for the hash function. */
memcpy(m + SIG_LEN, sm + SIG_LEN, *mlen);
memcpy(m + SIG_LEN - PK_BYTES - HASH_BYTES, pk, PK_BYTES); // Copy pk to m.
memcpy(m + SIG_LEN - HASH_BYTES, sigptr, HASH_BYTES); // Copy R to m.
H(D, m + SIG_LEN - PK_BYTES - HASH_BYTES, *mlen + PK_BYTES + HASH_BYTES);
sigptr += HASH_BYTES;
sig += HASH_BYTES;
PQCLEAN_MQDSS48_CLEAN_gf31_nrand_schar(F, F_LEN, pk, SEED_BYTES);
pk += SEED_BYTES;
PQCLEAN_MQDSS48_CLEAN_gf31_nunpack(pk_gf31, pk, M);
memcpy(sigma0, sigptr, HASH_BYTES);
memcpy(sigma0, sig, HASH_BYTES);
shake256_absorb(shakestate, D_sigma0_h0_sigma1, 2 * HASH_BYTES);
shake256_squeezeblocks(shakeblock, 1, shakestate);
memcpy(h0, shakeblock, HASH_BYTES);
sigptr += HASH_BYTES;
sig += HASH_BYTES;
memcpy(t1packed, sigptr, ROUNDS * NPACKED_BYTES);
sigptr += ROUNDS*NPACKED_BYTES;
memcpy(e1packed, sigptr, ROUNDS * MPACKED_BYTES);
sigptr += ROUNDS*MPACKED_BYTES;
memcpy(t1packed, sig, ROUNDS * NPACKED_BYTES);
sig += ROUNDS*NPACKED_BYTES;
memcpy(e1packed, sig, ROUNDS * MPACKED_BYTES);
sig += ROUNDS*MPACKED_BYTES;
shake256(h1, ((ROUNDS + 7) & ~7) >> 3, D_sigma0_h0_sigma1, 3*HASH_BYTES + ROUNDS*(NPACKED_BYTES + MPACKED_BYTES));
@ -340,7 +301,7 @@ int PQCLEAN_MQDSS48_CLEAN_crypto_sign_open(
} while (alpha == 31);
b = (h1[(i >> 3)] >> (i & 7)) & 1;
PQCLEAN_MQDSS48_CLEAN_gf31_nunpack(r, sigptr, N);
PQCLEAN_MQDSS48_CLEAN_gf31_nunpack(r, sig, N);
PQCLEAN_MQDSS48_CLEAN_gf31_nunpack(t, t1packed + NPACKED_BYTES*i, N);
PQCLEAN_MQDSS48_CLEAN_gf31_nunpack(e, e1packed + MPACKED_BYTES*i, M);
@ -356,7 +317,7 @@ int PQCLEAN_MQDSS48_CLEAN_crypto_sign_open(
PQCLEAN_MQDSS48_CLEAN_vgf31_shorten_unique(y, y);
PQCLEAN_MQDSS48_CLEAN_gf31_npack(packbuf0, x, N);
PQCLEAN_MQDSS48_CLEAN_gf31_npack(packbuf1, y, M);
com_0(c + HASH_BYTES*(2*i + 0), sigptr + HASH_BYTES + NPACKED_BYTES, sigptr, packbuf0, packbuf1);
com_0(c + HASH_BYTES*(2*i + 0), sig + HASH_BYTES + NPACKED_BYTES, sig, packbuf0, packbuf1);
} else {
PQCLEAN_MQDSS48_CLEAN_MQ(y, r, F);
PQCLEAN_MQDSS48_CLEAN_G(z, t, r, F);
@ -365,21 +326,62 @@ int PQCLEAN_MQDSS48_CLEAN_crypto_sign_open(
}
PQCLEAN_MQDSS48_CLEAN_vgf31_shorten_unique(y, y);
PQCLEAN_MQDSS48_CLEAN_gf31_npack(packbuf0, y, M);
com_1(c + HASH_BYTES*(2*i + 1), sigptr + HASH_BYTES + NPACKED_BYTES, sigptr, packbuf0);
com_1(c + HASH_BYTES*(2*i + 1), sig + HASH_BYTES + NPACKED_BYTES, sig, packbuf0);
}
memcpy(c + HASH_BYTES*(2*i + (1 - b)), sigptr + NPACKED_BYTES, HASH_BYTES);
sigptr += NPACKED_BYTES + 2*HASH_BYTES;
memcpy(c + HASH_BYTES*(2*i + (1 - b)), sig + NPACKED_BYTES, HASH_BYTES);
sig += NPACKED_BYTES + 2*HASH_BYTES;
}
H(c, c, HASH_BYTES * ROUNDS * 2);
if (memcmp(c, sigma0, HASH_BYTES)) {
memset(m, 0, smlen);
*mlen = 0;
return 1;
if (memcmp(c, sigma0, HASH_BYTES) != 0) {
return -1;
}
/* If verification was successful, move the message to the right place. */
memmove(m, m + SIG_LEN, *mlen);
return 0;
}
/**
* Returns an array containing the signature followed by the message.
*/
int PQCLEAN_MQDSS48_CLEAN_crypto_sign(
uint8_t *sm, size_t *smlen,
const uint8_t *m, size_t mlen, const uint8_t *sk) {
size_t siglen;
PQCLEAN_MQDSS48_CLEAN_crypto_sign_signature(
sm, &siglen, m, mlen, sk);
memmove(sm + SIG_LEN, m, mlen);
*smlen = siglen + mlen;
return 0;
}
/**
* Verifies a given signature-message pair under a given public key.
*/
int PQCLEAN_MQDSS48_CLEAN_crypto_sign_open(
uint8_t *m, size_t *mlen,
const uint8_t *sm, size_t smlen, const uint8_t *pk) {
/* The API caller does not necessarily know what size a signature should be
but MQDSS signatures are always exactly SIG_LEN. */
if (smlen < SIG_LEN) {
memset(m, 0, smlen);
*mlen = 0;
return -1;
}
*mlen = smlen - SIG_LEN;
if (PQCLEAN_MQDSS48_CLEAN_crypto_sign_verify(
sm, SIG_LEN, sm + SIG_LEN, *mlen, pk)) {
memset(m, 0, smlen);
*mlen = 0;
return -1;
}
/* If verification was successful, move the message to the right place. */
memmove(m, sm + SIG_LEN, *mlen);
return 0;
}