kris
/
pqcrypto
miroir de https://github.com/henrydcase/pqc.git
1
1
Bifurcation 0
Code Tickets 1 Versions 2 Wiki Activité
Vous ne pouvez pas sélectionner plus de 25 sujets Les noms de sujets doivent commencer par une lettre ou un nombre, peuvent contenir des tirets ('-') et peuvent comporter jusqu'à 35 caractères.
916 Révisions
9 Branches
121 MiB
 
 
 
Aborescence: 8a372ad2e8
Branches Tags
${ item.name }
Créer la branche ${ searchTerm }
de '8a372ad2e8'
${ noResults }
pqcrypto/crypto_sign/sphincs-sha256-192f-simple/avx2/fors.c

241 lignes
12 KiB
Brut Annotations Historique 

  1. #include <stdint.h>

  2. #include <stdlib.h>

  3. #include <string.h>

  4. 

  5. #include "address.h"

  6. #include "fors.h"

  7. #include "hash.h"

  8. #include "hashx8.h"

  9. #include "thash.h"

  10. #include "thashx8.h"

  11. #include "utils.h"

  12. #include "utilsx8.h"

  13. 

  14. static void fors_gen_skx8(unsigned char *sk0,

  15.                           unsigned char *sk1,

  16.                           unsigned char *sk2,

  17.                           unsigned char *sk3,

  18.                           unsigned char *sk4,

  19.                           unsigned char *sk5,

  20.                           unsigned char *sk6,

  21.                           unsigned char *sk7, const unsigned char *sk_seed,

  22.                           uint32_t fors_leaf_addrx8[8 * 8]) {

  23.     PQCLEAN_SPHINCSSHA256192FSIMPLE_AVX2_prf_addrx8(sk0, sk1, sk2, sk3, sk4, sk5, sk6, sk7,

  24.             sk_seed, fors_leaf_addrx8);

  25. }

  26. 

  27. static void fors_sk_to_leaf(unsigned char *leaf, const unsigned char *sk,

  28.                             const unsigned char *pub_seed,

  29.                             uint32_t fors_leaf_addr[8],

  30.                             const hash_state *state_seeded) {

  31.     PQCLEAN_SPHINCSSHA256192FSIMPLE_AVX2_thash_1(leaf, sk, pub_seed, fors_leaf_addr, state_seeded);

  32. }

  33. 

  34. static void fors_sk_to_leafx8(unsigned char *leaf0,

  35.                               unsigned char *leaf1,

  36.                               unsigned char *leaf2,

  37.                               unsigned char *leaf3,

  38.                               unsigned char *leaf4,

  39.                               unsigned char *leaf5,

  40.                               unsigned char *leaf6,

  41.                               unsigned char *leaf7,

  42.                               const unsigned char *sk0,

  43.                               const unsigned char *sk1,

  44.                               const unsigned char *sk2,

  45.                               const unsigned char *sk3,

  46.                               const unsigned char *sk4,

  47.                               const unsigned char *sk5,

  48.                               const unsigned char *sk6,

  49.                               const unsigned char *sk7,

  50.                               const unsigned char *pub_seed,

  51.                               uint32_t fors_leaf_addrx8[8 * 8],

  52.                               const hash_state *state_seeded) {

  53.     PQCLEAN_SPHINCSSHA256192FSIMPLE_AVX2_thashx8_1(leaf0, leaf1, leaf2, leaf3, leaf4, leaf5, leaf6, leaf7,

  54.             sk0, sk1, sk2, sk3, sk4, sk5, sk6, sk7,

  55.             pub_seed, fors_leaf_addrx8, state_seeded);

  56. }

  57. 

  58. static void fors_gen_leafx8(unsigned char *leaf0,

  59.                             unsigned char *leaf1,

  60.                             unsigned char *leaf2,

  61.                             unsigned char *leaf3,

  62.                             unsigned char *leaf4,

  63.                             unsigned char *leaf5,

  64.                             unsigned char *leaf6,

  65.                             unsigned char *leaf7,

  66.                             const unsigned char *sk_seed,

  67.                             const unsigned char *pub_seed,

  68.                             uint32_t addr_idx0,

  69.                             uint32_t addr_idx1,

  70.                             uint32_t addr_idx2,

  71.                             uint32_t addr_idx3,

  72.                             uint32_t addr_idx4,

  73.                             uint32_t addr_idx5,

  74.                             uint32_t addr_idx6,

  75.                             uint32_t addr_idx7,

  76.                             const uint32_t fors_tree_addr[8],

  77.                             const hash_state *state_seeded) {

  78.     uint32_t fors_leaf_addrx8[8 * 8] = {0};

  79.     unsigned int j;

  80. 

  81.     /* Only copy the parts that must be kept in fors_leaf_addrx8. */

  82.     for (j = 0; j < 8; j++) {

  83.         PQCLEAN_SPHINCSSHA256192FSIMPLE_AVX2_copy_keypair_addr(fors_leaf_addrx8 + j * 8, fors_tree_addr);

  84.         PQCLEAN_SPHINCSSHA256192FSIMPLE_AVX2_set_type(fors_leaf_addrx8 + j * 8, PQCLEAN_SPHINCSSHA256192FSIMPLE_AVX2_ADDR_TYPE_FORSTREE);

  85.     }

  86. 

  87.     PQCLEAN_SPHINCSSHA256192FSIMPLE_AVX2_set_tree_index(fors_leaf_addrx8 + 0 * 8, addr_idx0);

  88.     PQCLEAN_SPHINCSSHA256192FSIMPLE_AVX2_set_tree_index(fors_leaf_addrx8 + 1 * 8, addr_idx1);

  89.     PQCLEAN_SPHINCSSHA256192FSIMPLE_AVX2_set_tree_index(fors_leaf_addrx8 + 2 * 8, addr_idx2);

  90.     PQCLEAN_SPHINCSSHA256192FSIMPLE_AVX2_set_tree_index(fors_leaf_addrx8 + 3 * 8, addr_idx3);

  91.     PQCLEAN_SPHINCSSHA256192FSIMPLE_AVX2_set_tree_index(fors_leaf_addrx8 + 4 * 8, addr_idx4);

  92.     PQCLEAN_SPHINCSSHA256192FSIMPLE_AVX2_set_tree_index(fors_leaf_addrx8 + 5 * 8, addr_idx5);

  93.     PQCLEAN_SPHINCSSHA256192FSIMPLE_AVX2_set_tree_index(fors_leaf_addrx8 + 6 * 8, addr_idx6);

  94.     PQCLEAN_SPHINCSSHA256192FSIMPLE_AVX2_set_tree_index(fors_leaf_addrx8 + 7 * 8, addr_idx7);

  95. 

  96.     fors_gen_skx8(leaf0, leaf1, leaf2, leaf3, leaf4, leaf5, leaf6, leaf7,

  97.                   sk_seed, fors_leaf_addrx8);

  98.     fors_sk_to_leafx8(leaf0, leaf1, leaf2, leaf3, leaf4, leaf5, leaf6, leaf7,

  99.                       leaf0, leaf1, leaf2, leaf3, leaf4, leaf5, leaf6, leaf7,

  100.                       pub_seed, fors_leaf_addrx8, state_seeded);

  101. }

  102. 

  103. /**

  104.  * Interprets m as PQCLEAN_SPHINCSSHA256192FSIMPLE_AVX2_FORS_HEIGHT-bit unsigned integers.

  105.  * Assumes m contains at least PQCLEAN_SPHINCSSHA256192FSIMPLE_AVX2_FORS_HEIGHT * PQCLEAN_SPHINCSSHA256192FSIMPLE_AVX2_FORS_TREES bits.

  106.  * Assumes indices has space for PQCLEAN_SPHINCSSHA256192FSIMPLE_AVX2_FORS_TREES integers.

  107.  */

  108. static void message_to_indices(uint32_t *indices, const unsigned char *m) {

  109.     unsigned int i, j;

  110.     unsigned int offset = 0;

  111. 

  112.     for (i = 0; i < PQCLEAN_SPHINCSSHA256192FSIMPLE_AVX2_FORS_TREES; i++) {

  113.         indices[i] = 0;

  114.         for (j = 0; j < PQCLEAN_SPHINCSSHA256192FSIMPLE_AVX2_FORS_HEIGHT; j++) {

  115.             indices[i] ^= (((uint32_t)m[offset >> 3] >> (offset & 0x7)) & 0x1) << j;

  116.             offset++;

  117.         }

  118.     }

  119. }

  120. 

  121. /**

  122.  * Signs a message m, deriving the secret key from sk_seed and the FTS address.

  123.  * Assumes m contains at least PQCLEAN_SPHINCSSHA256192FSIMPLE_AVX2_FORS_HEIGHT * PQCLEAN_SPHINCSSHA256192FSIMPLE_AVX2_FORS_TREES bits.

  124.  */

  125. void PQCLEAN_SPHINCSSHA256192FSIMPLE_AVX2_fors_sign(

  126.     unsigned char *sig, unsigned char *pk,

  127.     const unsigned char *m,

  128.     const unsigned char *sk_seed, const unsigned char *pub_seed,

  129.     const uint32_t fors_addr[8],

  130.     const hash_state *state_seeded) {

  131.     /* Round up to multiple of 8 to prevent out-of-bounds for x8 parallelism */

  132.     uint32_t indices[(PQCLEAN_SPHINCSSHA256192FSIMPLE_AVX2_FORS_TREES + 7) & ~7] = {0};

  133.     unsigned char roots[((PQCLEAN_SPHINCSSHA256192FSIMPLE_AVX2_FORS_TREES + 7) & ~7) * PQCLEAN_SPHINCSSHA256192FSIMPLE_AVX2_N];

  134.     /* Sign to a buffer, since we may not have a nice multiple of 8 and would

  135.        otherwise overrun the signature. */

  136.     unsigned char sigbufx8[8 * PQCLEAN_SPHINCSSHA256192FSIMPLE_AVX2_N * (1 + PQCLEAN_SPHINCSSHA256192FSIMPLE_AVX2_FORS_HEIGHT)];

  137.     uint32_t fors_tree_addrx8[8 * 8] = {0};

  138.     uint32_t fors_pk_addr[8] = {0};

  139.     uint32_t idx_offset[8] = {0};

  140.     unsigned int i, j;

  141. 

  142.     for (j = 0; j < 8; j++) {

  143.         PQCLEAN_SPHINCSSHA256192FSIMPLE_AVX2_copy_keypair_addr(fors_tree_addrx8 + j * 8, fors_addr);

  144.         PQCLEAN_SPHINCSSHA256192FSIMPLE_AVX2_set_type(fors_tree_addrx8 + j * 8, PQCLEAN_SPHINCSSHA256192FSIMPLE_AVX2_ADDR_TYPE_FORSTREE);

  145.     }

  146. 

  147.     PQCLEAN_SPHINCSSHA256192FSIMPLE_AVX2_copy_keypair_addr(fors_pk_addr, fors_addr);

  148.     PQCLEAN_SPHINCSSHA256192FSIMPLE_AVX2_set_type(fors_pk_addr, PQCLEAN_SPHINCSSHA256192FSIMPLE_AVX2_ADDR_TYPE_FORSPK);

  149. 

  150.     message_to_indices(indices, m);

  151. 

  152.     for (i = 0; i < ((PQCLEAN_SPHINCSSHA256192FSIMPLE_AVX2_FORS_TREES + 7) & ~0x7); i += 8) {

  153.         for (j = 0; j < 8; j++) {

  154.             if (i + j < PQCLEAN_SPHINCSSHA256192FSIMPLE_AVX2_FORS_TREES) {

  155.                 idx_offset[j] = (i + j) * (1 << PQCLEAN_SPHINCSSHA256192FSIMPLE_AVX2_FORS_HEIGHT);

  156. 

  157.                 PQCLEAN_SPHINCSSHA256192FSIMPLE_AVX2_set_tree_height(fors_tree_addrx8 + j * 8, 0);

  158.                 PQCLEAN_SPHINCSSHA256192FSIMPLE_AVX2_set_tree_index(fors_tree_addrx8 + j * 8,

  159.                         indices[i + j] + idx_offset[j]);

  160.             }

  161.         }

  162. 

  163.         /* Include the secret key part that produces the selected leaf nodes. */

  164.         fors_gen_skx8(sigbufx8 + 0 * PQCLEAN_SPHINCSSHA256192FSIMPLE_AVX2_N,

  165.                       sigbufx8 + 1 * PQCLEAN_SPHINCSSHA256192FSIMPLE_AVX2_N,

  166.                       sigbufx8 + 2 * PQCLEAN_SPHINCSSHA256192FSIMPLE_AVX2_N,

  167.                       sigbufx8 + 3 * PQCLEAN_SPHINCSSHA256192FSIMPLE_AVX2_N,

  168.                       sigbufx8 + 4 * PQCLEAN_SPHINCSSHA256192FSIMPLE_AVX2_N,

  169.                       sigbufx8 + 5 * PQCLEAN_SPHINCSSHA256192FSIMPLE_AVX2_N,

  170.                       sigbufx8 + 6 * PQCLEAN_SPHINCSSHA256192FSIMPLE_AVX2_N,

  171.                       sigbufx8 + 7 * PQCLEAN_SPHINCSSHA256192FSIMPLE_AVX2_N,

  172.                       sk_seed, fors_tree_addrx8);

  173. 

  174.         PQCLEAN_SPHINCSSHA256192FSIMPLE_AVX2_treehashx8_FORS_HEIGHT(

  175.             roots + i * PQCLEAN_SPHINCSSHA256192FSIMPLE_AVX2_N, sigbufx8 + 8 * PQCLEAN_SPHINCSSHA256192FSIMPLE_AVX2_N, sk_seed, pub_seed,

  176.             &indices[i], idx_offset, fors_gen_leafx8, fors_tree_addrx8,

  177.             state_seeded);

  178. 

  179.         for (j = 0; j < 8; j++) {

  180.             if (i + j < PQCLEAN_SPHINCSSHA256192FSIMPLE_AVX2_FORS_TREES) {

  181.                 memcpy(sig, sigbufx8 + j * PQCLEAN_SPHINCSSHA256192FSIMPLE_AVX2_N, PQCLEAN_SPHINCSSHA256192FSIMPLE_AVX2_N);

  182.                 memcpy(sig + PQCLEAN_SPHINCSSHA256192FSIMPLE_AVX2_N,

  183.                        sigbufx8 + 8 * PQCLEAN_SPHINCSSHA256192FSIMPLE_AVX2_N + j * PQCLEAN_SPHINCSSHA256192FSIMPLE_AVX2_N * PQCLEAN_SPHINCSSHA256192FSIMPLE_AVX2_FORS_HEIGHT,

  184.                        PQCLEAN_SPHINCSSHA256192FSIMPLE_AVX2_N * PQCLEAN_SPHINCSSHA256192FSIMPLE_AVX2_FORS_HEIGHT);

  185.                 sig += PQCLEAN_SPHINCSSHA256192FSIMPLE_AVX2_N * (1 + PQCLEAN_SPHINCSSHA256192FSIMPLE_AVX2_FORS_HEIGHT);

  186.             }

  187.         }

  188.     }

  189. 

  190.     /* Hash horizontally across all tree roots to derive the public key. */

  191.     PQCLEAN_SPHINCSSHA256192FSIMPLE_AVX2_thash_FORS_TREES(pk, roots, pub_seed, fors_pk_addr, state_seeded);

  192. }

  193. 

  194. /**

  195.  * Derives the FORS public key from a signature.

  196.  * This can be used for verification by comparing to a known public key, or to

  197.  * subsequently verify a signature on the derived public key. The latter is the

  198.  * typical use-case when used as an FTS below an OTS in a hypertree.

  199.  * Assumes m contains at least PQCLEAN_SPHINCSSHA256192FSIMPLE_AVX2_FORS_HEIGHT * PQCLEAN_SPHINCSSHA256192FSIMPLE_AVX2_FORS_TREES bits.

  200.  */

  201. void PQCLEAN_SPHINCSSHA256192FSIMPLE_AVX2_fors_pk_from_sig(unsigned char *pk,

  202.         const unsigned char *sig, const unsigned char *m,

  203.         const unsigned char *pub_seed,

  204.         const uint32_t fors_addr[8],

  205.         const hash_state *state_seeded) {

  206.     uint32_t indices[PQCLEAN_SPHINCSSHA256192FSIMPLE_AVX2_FORS_TREES];

  207.     unsigned char roots[PQCLEAN_SPHINCSSHA256192FSIMPLE_AVX2_FORS_TREES * PQCLEAN_SPHINCSSHA256192FSIMPLE_AVX2_N];

  208.     unsigned char leaf[PQCLEAN_SPHINCSSHA256192FSIMPLE_AVX2_N];

  209.     uint32_t fors_tree_addr[8] = {0};

  210.     uint32_t fors_pk_addr[8] = {0};

  211.     uint32_t idx_offset;

  212.     unsigned int i;

  213. 

  214.     PQCLEAN_SPHINCSSHA256192FSIMPLE_AVX2_copy_keypair_addr(fors_tree_addr, fors_addr);

  215.     PQCLEAN_SPHINCSSHA256192FSIMPLE_AVX2_copy_keypair_addr(fors_pk_addr, fors_addr);

  216. 

  217.     PQCLEAN_SPHINCSSHA256192FSIMPLE_AVX2_set_type(fors_tree_addr, PQCLEAN_SPHINCSSHA256192FSIMPLE_AVX2_ADDR_TYPE_FORSTREE);

  218.     PQCLEAN_SPHINCSSHA256192FSIMPLE_AVX2_set_type(fors_pk_addr, PQCLEAN_SPHINCSSHA256192FSIMPLE_AVX2_ADDR_TYPE_FORSPK);

  219. 

  220.     message_to_indices(indices, m);

  221. 

  222.     for (i = 0; i < PQCLEAN_SPHINCSSHA256192FSIMPLE_AVX2_FORS_TREES; i++) {

  223.         idx_offset = i * (1 << PQCLEAN_SPHINCSSHA256192FSIMPLE_AVX2_FORS_HEIGHT);

  224. 

  225.         PQCLEAN_SPHINCSSHA256192FSIMPLE_AVX2_set_tree_height(fors_tree_addr, 0);

  226.         PQCLEAN_SPHINCSSHA256192FSIMPLE_AVX2_set_tree_index(fors_tree_addr, indices[i] + idx_offset);

  227. 

  228.         /* Derive the leaf from the included secret key part. */

  229.         fors_sk_to_leaf(leaf, sig, pub_seed, fors_tree_addr, state_seeded);

  230.         sig += PQCLEAN_SPHINCSSHA256192FSIMPLE_AVX2_N;

  231. 

  232.         /* Derive the corresponding root node of this tree. */

  233.         PQCLEAN_SPHINCSSHA256192FSIMPLE_AVX2_compute_root(roots + i * PQCLEAN_SPHINCSSHA256192FSIMPLE_AVX2_N, leaf, indices[i], idx_offset,

  234.                 sig, PQCLEAN_SPHINCSSHA256192FSIMPLE_AVX2_FORS_HEIGHT, pub_seed, fors_tree_addr, state_seeded);

  235.         sig += PQCLEAN_SPHINCSSHA256192FSIMPLE_AVX2_N * PQCLEAN_SPHINCSSHA256192FSIMPLE_AVX2_FORS_HEIGHT;

  236.     }

  237. 

  238.     /* Hash horizontally across all tree roots to derive the public key. */

  239.     PQCLEAN_SPHINCSSHA256192FSIMPLE_AVX2_thash_FORS_TREES(pk, roots, pub_seed, fors_pk_addr, state_seeded);

  240. }