kris
/
pqcrypto
镜像自地址 https://github.com/henrydcase/pqc.git
1
1
派生 0
代码 工单 1 版本发布 2 百科 动态
您最多选择25个主题 主题必须以字母或数字开头,可以包含连字符 (-),并且长度不得超过35个字符
464 提交
9 分支
132 MiB
 
 
 
目录树: 3d09ea3ad5
分支列表 标签列表
${ item.name }
创建分支 ${ searchTerm }
从 '3d09ea3ad5'
${ noResults }
pqcrypto/crypto_sign/sphincs-sha256-128f-robust/clean/fors.c

165 行
5.9 KiB
原始文件 Blame 文件历史 

  1. #include <stdint.h>

  2. #include <stdlib.h>

  3. #include <string.h>

  4. 

  5. #include "address.h"

  6. #include "fors.h"

  7. #include "hash.h"

  8. #include "thash.h"

  9. #include "utils.h"

  10. 

  11. static void fors_gen_sk(unsigned char *sk, const unsigned char *sk_seed,

  12.                         uint32_t fors_leaf_addr[8]) {

  13.     PQCLEAN_SPHINCSSHA256128FROBUST_CLEAN_prf_addr(

  14.         sk, sk_seed, fors_leaf_addr);

  15. }

  16. 

  17. static void fors_sk_to_leaf(unsigned char *leaf, const unsigned char *sk,

  18.                             const unsigned char *pub_seed,

  19.                             uint32_t fors_leaf_addr[8]) {

  20.     PQCLEAN_SPHINCSSHA256128FROBUST_CLEAN_thash_1(

  21.         leaf, sk, pub_seed, fors_leaf_addr);

  22. }

  23. 

  24. static void fors_gen_leaf(unsigned char *leaf, const unsigned char *sk_seed,

  25.                           const unsigned char *pub_seed,

  26.                           uint32_t addr_idx, const uint32_t fors_tree_addr[8]) {

  27.     uint32_t fors_leaf_addr[8] = {0};

  28. 

  29.     /* Only copy the parts that must be kept in fors_leaf_addr. */

  30.     PQCLEAN_SPHINCSSHA256128FROBUST_CLEAN_copy_keypair_addr(

  31.         fors_leaf_addr, fors_tree_addr);

  32.     PQCLEAN_SPHINCSSHA256128FROBUST_CLEAN_set_type(

  33.         fors_leaf_addr, SPX_ADDR_TYPE_FORSTREE);

  34.     PQCLEAN_SPHINCSSHA256128FROBUST_CLEAN_set_tree_index(

  35.         fors_leaf_addr, addr_idx);

  36. 

  37.     fors_gen_sk(leaf, sk_seed, fors_leaf_addr);

  38.     fors_sk_to_leaf(leaf, leaf, pub_seed, fors_leaf_addr);

  39. }

  40. 

  41. /**

  42.  * Interprets m as SPX_FORS_HEIGHT-bit unsigned integers.

  43.  * Assumes m contains at least SPX_FORS_HEIGHT * SPX_FORS_TREES bits.

  44.  * Assumes indices has space for SPX_FORS_TREES integers.

  45.  */

  46. static void message_to_indices(uint32_t *indices, const unsigned char *m) {

  47.     unsigned int i, j;

  48.     unsigned int offset = 0;

  49. 

  50.     for (i = 0; i < SPX_FORS_TREES; i++) {

  51.         indices[i] = 0;

  52.         for (j = 0; j < SPX_FORS_HEIGHT; j++) {

  53.             indices[i] ^= (((uint32_t)m[offset >> 3] >> (offset & 0x7)) & 0x1) << j;

  54.             offset++;

  55.         }

  56.     }

  57. }

  58. 

  59. /**

  60.  * Signs a message m, deriving the secret key from sk_seed and the FTS address.

  61.  * Assumes m contains at least SPX_FORS_HEIGHT * SPX_FORS_TREES bits.

  62.  */

  63. void PQCLEAN_SPHINCSSHA256128FROBUST_CLEAN_fors_sign(

  64.     unsigned char *sig, unsigned char *pk,

  65.     const unsigned char *m,

  66.     const unsigned char *sk_seed, const unsigned char *pub_seed,

  67.     const uint32_t fors_addr[8]) {

  68.     uint32_t indices[SPX_FORS_TREES];

  69.     unsigned char roots[SPX_FORS_TREES * SPX_N];

  70.     uint32_t fors_tree_addr[8] = {0};

  71.     uint32_t fors_pk_addr[8] = {0};

  72.     uint32_t idx_offset;

  73.     unsigned int i;

  74. 

  75.     PQCLEAN_SPHINCSSHA256128FROBUST_CLEAN_copy_keypair_addr(

  76.         fors_tree_addr, fors_addr);

  77.     PQCLEAN_SPHINCSSHA256128FROBUST_CLEAN_copy_keypair_addr(

  78.         fors_pk_addr, fors_addr);

  79. 

  80.     PQCLEAN_SPHINCSSHA256128FROBUST_CLEAN_set_type(

  81.         fors_tree_addr, SPX_ADDR_TYPE_FORSTREE);

  82.     PQCLEAN_SPHINCSSHA256128FROBUST_CLEAN_set_type(

  83.         fors_pk_addr, SPX_ADDR_TYPE_FORSPK);

  84. 

  85.     message_to_indices(indices, m);

  86. 

  87.     for (i = 0; i < SPX_FORS_TREES; i++) {

  88.         idx_offset = i * (1 << SPX_FORS_HEIGHT);

  89. 

  90.         PQCLEAN_SPHINCSSHA256128FROBUST_CLEAN_set_tree_height(

  91.             fors_tree_addr, 0);

  92.         PQCLEAN_SPHINCSSHA256128FROBUST_CLEAN_set_tree_index(

  93.             fors_tree_addr, indices[i] + idx_offset);

  94. 

  95.         /* Include the secret key part that produces the selected leaf node. */

  96.         fors_gen_sk(sig, sk_seed, fors_tree_addr);

  97.         sig += SPX_N;

  98. 

  99.         /* Compute the authentication path for this leaf node. */

  100.         PQCLEAN_SPHINCSSHA256128FROBUST_CLEAN_treehash_FORS_HEIGHT(

  101.             roots + i * SPX_N, sig, sk_seed, pub_seed,

  102.             indices[i], idx_offset, fors_gen_leaf, fors_tree_addr);

  103.         sig += SPX_N * SPX_FORS_HEIGHT;

  104.     }

  105. 

  106.     /* Hash horizontally across all tree roots to derive the public key. */

  107.     PQCLEAN_SPHINCSSHA256128FROBUST_CLEAN_thash_FORS_TREES(

  108.         pk, roots, pub_seed, fors_pk_addr);

  109. }

  110. 

  111. /**

  112.  * Derives the FORS public key from a signature.

  113.  * This can be used for verification by comparing to a known public key, or to

  114.  * subsequently verify a signature on the derived public key. The latter is the

  115.  * typical use-case when used as an FTS below an OTS in a hypertree.

  116.  * Assumes m contains at least SPX_FORS_HEIGHT * SPX_FORS_TREES bits.

  117.  */

  118. void PQCLEAN_SPHINCSSHA256128FROBUST_CLEAN_fors_pk_from_sig(

  119.     unsigned char *pk,

  120.     const unsigned char *sig, const unsigned char *m,

  121.     const unsigned char *pub_seed, const uint32_t fors_addr[8]) {

  122.     uint32_t indices[SPX_FORS_TREES];

  123.     unsigned char roots[SPX_FORS_TREES * SPX_N];

  124.     unsigned char leaf[SPX_N];

  125.     uint32_t fors_tree_addr[8] = {0};

  126.     uint32_t fors_pk_addr[8] = {0};

  127.     uint32_t idx_offset;

  128.     unsigned int i;

  129. 

  130.     PQCLEAN_SPHINCSSHA256128FROBUST_CLEAN_copy_keypair_addr(

  131.         fors_tree_addr, fors_addr);

  132.     PQCLEAN_SPHINCSSHA256128FROBUST_CLEAN_copy_keypair_addr(

  133.         fors_pk_addr, fors_addr);

  134. 

  135.     PQCLEAN_SPHINCSSHA256128FROBUST_CLEAN_set_type(

  136.         fors_tree_addr, SPX_ADDR_TYPE_FORSTREE);

  137.     PQCLEAN_SPHINCSSHA256128FROBUST_CLEAN_set_type(

  138.         fors_pk_addr, SPX_ADDR_TYPE_FORSPK);

  139. 

  140.     message_to_indices(indices, m);

  141. 

  142.     for (i = 0; i < SPX_FORS_TREES; i++) {

  143.         idx_offset = i * (1 << SPX_FORS_HEIGHT);

  144. 

  145.         PQCLEAN_SPHINCSSHA256128FROBUST_CLEAN_set_tree_height(

  146.             fors_tree_addr, 0);

  147.         PQCLEAN_SPHINCSSHA256128FROBUST_CLEAN_set_tree_index(

  148.             fors_tree_addr, indices[i] + idx_offset);

  149. 

  150.         /* Derive the leaf from the included secret key part. */

  151.         fors_sk_to_leaf(leaf, sig, pub_seed, fors_tree_addr);

  152.         sig += SPX_N;

  153. 

  154.         /* Derive the corresponding root node of this tree. */

  155.         PQCLEAN_SPHINCSSHA256128FROBUST_CLEAN_compute_root(

  156.             roots + i * SPX_N, leaf, indices[i], idx_offset, sig,

  157.             SPX_FORS_HEIGHT, pub_seed, fors_tree_addr);

  158.         sig += SPX_N * SPX_FORS_HEIGHT;

  159.     }

  160. 

  161.     /* Hash horizontally across all tree roots to derive the public key. */

  162.     PQCLEAN_SPHINCSSHA256128FROBUST_CLEAN_thash_FORS_TREES(

  163.         pk, roots, pub_seed, fors_pk_addr);

  164. }