kris
/
pqcrypto
ミラー元 https://github.com/henrydcase/pqc.git
1
1
フォーク 0
コード 課題 1 リリース 2 Wiki アクティビティ
選択できるのは25トピックまでです。 トピックは、先頭が英数字で、英数字とダッシュ('-')を使用した35文字以内のものにしてください。
776 コミット
9 ブランチ
121 MiB
 
 
 
ツリー: e3db88d7e4
ブランチ タグ
${ item.name }
ブランチ ${ searchTerm } を作成
'e3db88d7e4' から
${ noResults }
pqcrypto/crypto_sign/sphincs-haraka-256f-robust/clean/sign.c

354 行
12 KiB
Raw Blame 履歴 

  1. #include <stddef.h>

  2. #include <stdint.h>

  3. #include <string.h>

  4. 

  5. #include "address.h"

  6. #include "api.h"

  7. #include "fors.h"

  8. #include "hash.h"

  9. #include "hash_state.h"

  10. #include "params.h"

  11. #include "randombytes.h"

  12. #include "thash.h"

  13. #include "utils.h"

  14. #include "wots.h"

  15. 

  16. /**

  17.  * Computes the leaf at a given address. First generates the WOTS key pair,

  18.  * then computes leaf by hashing horizontally.

  19.  */

  20. static void wots_gen_leaf(unsigned char *leaf, const unsigned char *sk_seed,

  21.                           const unsigned char *pub_seed,

  22.                           uint32_t addr_idx, const uint32_t tree_addr[8],

  23.                           const hash_state *hash_state_seeded) {

  24.     unsigned char pk[SPX_WOTS_BYTES];

  25.     uint32_t wots_addr[8] = {0};

  26.     uint32_t wots_pk_addr[8] = {0};

  27. 

  28.     PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_set_type(

  29.         wots_addr, SPX_ADDR_TYPE_WOTS);

  30.     PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_set_type(

  31.         wots_pk_addr, SPX_ADDR_TYPE_WOTSPK);

  32. 

  33.     PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_copy_subtree_addr(

  34.         wots_addr, tree_addr);

  35.     PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_set_keypair_addr(

  36.         wots_addr, addr_idx);

  37.     PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_wots_gen_pk(

  38.         pk, sk_seed, pub_seed, wots_addr, hash_state_seeded);

  39. 

  40.     PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_copy_keypair_addr(

  41.         wots_pk_addr, wots_addr);

  42.     PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_thash_WOTS_LEN(

  43.         leaf, pk, pub_seed, wots_pk_addr, hash_state_seeded);

  44. }

  45. 

  46. /*

  47.  * Returns the length of a secret key, in bytes

  48.  */

  49. size_t PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_crypto_sign_secretkeybytes(void) {

  50.     return PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_CRYPTO_SECRETKEYBYTES;

  51. }

  52. 

  53. /*

  54.  * Returns the length of a public key, in bytes

  55.  */

  56. size_t PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_crypto_sign_publickeybytes(void) {

  57.     return PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_CRYPTO_PUBLICKEYBYTES;

  58. }

  59. 

  60. /*

  61.  * Returns the length of a signature, in bytes

  62.  */

  63. size_t PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_crypto_sign_bytes(void) {

  64.     return PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_CRYPTO_BYTES;

  65. }

  66. 

  67. /*

  68.  * Returns the length of the seed required to generate a key pair, in bytes

  69.  */

  70. size_t PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_crypto_sign_seedbytes(void) {

  71.     return PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_CRYPTO_SEEDBYTES;

  72. }

  73. 

  74. /*

  75.  * Generates an SPX key pair given a seed of length

  76.  * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root]

  77.  * Format pk: [PUB_SEED || root]

  78.  */

  79. int PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_crypto_sign_seed_keypair(

  80.     uint8_t *pk, uint8_t *sk, const uint8_t *seed) {

  81.     /* We do not need the auth path in key generation, but it simplifies the

  82.        code to have just one treehash routine that computes both root and path

  83.        in one function. */

  84.     unsigned char auth_path[SPX_TREE_HEIGHT * SPX_N];

  85.     uint32_t top_tree_addr[8] = {0};

  86.     hash_state hash_state_seeded;

  87. 

  88.     PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_set_layer_addr(

  89.         top_tree_addr, SPX_D - 1);

  90.     PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_set_type(

  91.         top_tree_addr, SPX_ADDR_TYPE_HASHTREE);

  92. 

  93.     /* Initialize SK_SEED, SK_PRF and PUB_SEED from seed. */

  94.     memcpy(sk, seed, PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_CRYPTO_SEEDBYTES);

  95. 

  96.     memcpy(pk, sk + 2 * SPX_N, SPX_N);

  97. 

  98.     /* This hook allows the hash function instantiation to do whatever

  99.        preparation or computation it needs, based on the public seed. */

  100.     PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_initialize_hash_function(&hash_state_seeded, pk, sk);

  101. 

  102.     /* Compute root node of the top-most subtree. */

  103.     PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_treehash_TREE_HEIGHT(

  104.         sk + 3 * SPX_N, auth_path, sk, sk + 2 * SPX_N, 0, 0,

  105.         wots_gen_leaf, top_tree_addr, &hash_state_seeded);

  106. 

  107.     memcpy(pk + SPX_N, sk + 3 * SPX_N, SPX_N);

  108. 

  109.     return 0;

  110. }

  111. 

  112. /*

  113.  * Generates an SPX key pair.

  114.  * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root]

  115.  * Format pk: [PUB_SEED || root]

  116.  */

  117. int PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_crypto_sign_keypair(

  118.     uint8_t *pk, uint8_t *sk) {

  119.     unsigned char seed[PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_CRYPTO_SEEDBYTES];

  120.     randombytes(seed, PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_CRYPTO_SEEDBYTES);

  121.     PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_crypto_sign_seed_keypair(

  122.         pk, sk, seed);

  123. 

  124.     return 0;

  125. }

  126. 

  127. /**

  128.  * Returns an array containing a detached signature.

  129.  */

  130. int PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_crypto_sign_signature(

  131.     uint8_t *sig, size_t *siglen,

  132.     const uint8_t *m, size_t mlen, const uint8_t *sk) {

  133.     const unsigned char *sk_seed = sk;

  134.     const unsigned char *sk_prf = sk + SPX_N;

  135.     const unsigned char *pk = sk + 2 * SPX_N;

  136.     const unsigned char *pub_seed = pk;

  137. 

  138.     unsigned char optrand[SPX_N];

  139.     unsigned char mhash[SPX_FORS_MSG_BYTES];

  140.     unsigned char root[SPX_N];

  141.     uint32_t i;

  142.     uint64_t tree;

  143.     uint32_t idx_leaf;

  144.     uint32_t wots_addr[8] = {0};

  145.     uint32_t tree_addr[8] = {0};

  146. 

  147.     hash_state hash_state_seeded;

  148. 

  149.     /* This hook allows the hash function instantiation to do whatever

  150.        preparation or computation it needs, based on the public seed. */

  151.     PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_initialize_hash_function(

  152.         &hash_state_seeded,

  153.         pub_seed, sk_seed);

  154. 

  155.     PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_set_type(

  156.         wots_addr, SPX_ADDR_TYPE_WOTS);

  157.     PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_set_type(

  158.         tree_addr, SPX_ADDR_TYPE_HASHTREE);

  159. 

  160.     /* Optionally, signing can be made non-deterministic using optrand.

  161.        This can help counter side-channel attacks that would benefit from

  162.        getting a large number of traces when the signer uses the same nodes. */

  163.     randombytes(optrand, SPX_N);

  164.     /* Compute the digest randomization value. */

  165.     PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_gen_message_random(

  166.         sig, sk_prf, optrand, m, mlen, &hash_state_seeded);

  167. 

  168.     /* Derive the message digest and leaf index from R, PK and M. */

  169.     PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_hash_message(

  170.         mhash, &tree, &idx_leaf, sig, pk, m, mlen, &hash_state_seeded);

  171.     sig += SPX_N;

  172. 

  173.     PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_set_tree_addr(wots_addr, tree);

  174.     PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_set_keypair_addr(

  175.         wots_addr, idx_leaf);

  176. 

  177.     /* Sign the message hash using FORS. */

  178.     PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_fors_sign(

  179.         sig, root, mhash, sk_seed, pub_seed, wots_addr, &hash_state_seeded);

  180.     sig += SPX_FORS_BYTES;

  181. 

  182.     for (i = 0; i < SPX_D; i++) {

  183.         PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_set_layer_addr(tree_addr, i);

  184.         PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_set_tree_addr(tree_addr, tree);

  185. 

  186.         PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_copy_subtree_addr(

  187.             wots_addr, tree_addr);

  188.         PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_set_keypair_addr(

  189.             wots_addr, idx_leaf);

  190. 

  191.         /* Compute a WOTS signature. */

  192.         PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_wots_sign(

  193.             sig, root, sk_seed, pub_seed, wots_addr, &hash_state_seeded);

  194.         sig += SPX_WOTS_BYTES;

  195. 

  196.         /* Compute the authentication path for the used WOTS leaf. */

  197.         PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_treehash_TREE_HEIGHT(

  198.             root, sig, sk_seed, pub_seed, idx_leaf, 0,

  199.             wots_gen_leaf, tree_addr, &hash_state_seeded);

  200.         sig += SPX_TREE_HEIGHT * SPX_N;

  201. 

  202.         /* Update the indices for the next layer. */

  203.         idx_leaf = (tree & ((1 << SPX_TREE_HEIGHT) - 1));

  204.         tree = tree >> SPX_TREE_HEIGHT;

  205.     }

  206. 

  207.     *siglen = SPX_BYTES;

  208. 

  209.     return 0;

  210. }

  211. 

  212. /**

  213.  * Verifies a detached signature and message under a given public key.

  214.  */

  215. int PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_crypto_sign_verify(

  216.     const uint8_t *sig, size_t siglen,

  217.     const uint8_t *m, size_t mlen, const uint8_t *pk) {

  218.     const unsigned char *pub_seed = pk;

  219.     const unsigned char *pub_root = pk + SPX_N;

  220.     unsigned char mhash[SPX_FORS_MSG_BYTES];

  221.     unsigned char wots_pk[SPX_WOTS_BYTES];

  222.     unsigned char root[SPX_N];

  223.     unsigned char leaf[SPX_N];

  224.     unsigned int i;

  225.     uint64_t tree;

  226.     uint32_t idx_leaf;

  227.     uint32_t wots_addr[8] = {0};

  228.     uint32_t tree_addr[8] = {0};

  229.     uint32_t wots_pk_addr[8] = {0};

  230. 

  231.     hash_state hash_state_seeded;

  232. 

  233.     if (siglen != SPX_BYTES) {

  234.         return -1;

  235.     }

  236. 

  237.     /* This hook allows the hash function instantiation to do whatever

  238.        preparation or computation it needs, based on the public seed. */

  239.     PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_initialize_hash_function(

  240.         &hash_state_seeded,

  241.         pub_seed, NULL);

  242. 

  243.     PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_set_type(

  244.         wots_addr, SPX_ADDR_TYPE_WOTS);

  245.     PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_set_type(

  246.         tree_addr, SPX_ADDR_TYPE_HASHTREE);

  247.     PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_set_type(

  248.         wots_pk_addr, SPX_ADDR_TYPE_WOTSPK);

  249. 

  250.     /* Derive the message digest and leaf index from R || PK || M. */

  251.     /* The additional SPX_N is a result of the hash domain separator. */

  252.     PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_hash_message(

  253.         mhash, &tree, &idx_leaf, sig, pk, m, mlen, &hash_state_seeded);

  254.     sig += SPX_N;

  255. 

  256.     /* Layer correctly defaults to 0, so no need to set_layer_addr */

  257.     PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_set_tree_addr(wots_addr, tree);

  258.     PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_set_keypair_addr(

  259.         wots_addr, idx_leaf);

  260. 

  261.     PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_fors_pk_from_sig(

  262.         root, sig, mhash, pub_seed, wots_addr, &hash_state_seeded);

  263.     sig += SPX_FORS_BYTES;

  264. 

  265.     /* For each subtree.. */

  266.     for (i = 0; i < SPX_D; i++) {

  267.         PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_set_layer_addr(tree_addr, i);

  268.         PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_set_tree_addr(tree_addr, tree);

  269. 

  270.         PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_copy_subtree_addr(

  271.             wots_addr, tree_addr);

  272.         PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_set_keypair_addr(

  273.             wots_addr, idx_leaf);

  274. 

  275.         PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_copy_keypair_addr(

  276.             wots_pk_addr, wots_addr);

  277. 

  278.         /* The WOTS public key is only correct if the signature was correct. */

  279.         /* Initially, root is the FORS pk, but on subsequent iterations it is

  280.            the root of the subtree below the currently processed subtree. */

  281.         PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_wots_pk_from_sig(

  282.             wots_pk, sig, root, pub_seed, wots_addr, &hash_state_seeded);

  283.         sig += SPX_WOTS_BYTES;

  284. 

  285.         /* Compute the leaf node using the WOTS public key. */

  286.         PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_thash_WOTS_LEN(

  287.             leaf, wots_pk, pub_seed, wots_pk_addr, &hash_state_seeded);

  288. 

  289.         /* Compute the root node of this subtree. */

  290.         PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_compute_root(

  291.             root, leaf, idx_leaf, 0, sig, SPX_TREE_HEIGHT,

  292.             pub_seed, tree_addr, &hash_state_seeded);

  293.         sig += SPX_TREE_HEIGHT * SPX_N;

  294. 

  295.         /* Update the indices for the next layer. */

  296.         idx_leaf = (tree & ((1 << SPX_TREE_HEIGHT) - 1));

  297.         tree = tree >> SPX_TREE_HEIGHT;

  298.     }

  299. 

  300.     /* Check if the root node equals the root node in the public key. */

  301.     if (memcmp(root, pub_root, SPX_N) != 0) {

  302.         return -1;

  303.     }

  304. 

  305.     return 0;

  306. }

  307. 

  308. 

  309. /**

  310.  * Returns an array containing the signature followed by the message.

  311.  */

  312. int PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_crypto_sign(

  313.     uint8_t *sm, size_t *smlen,

  314.     const uint8_t *m, size_t mlen, const uint8_t *sk) {

  315.     size_t siglen;

  316. 

  317.     PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_crypto_sign_signature(

  318.         sm, &siglen, m, mlen, sk);

  319. 

  320.     memmove(sm + SPX_BYTES, m, mlen);

  321.     *smlen = siglen + mlen;

  322. 

  323.     return 0;

  324. }

  325. 

  326. /**

  327.  * Verifies a given signature-message pair under a given public key.

  328.  */

  329. int PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_crypto_sign_open(

  330.     uint8_t *m, size_t *mlen,

  331.     const uint8_t *sm, size_t smlen, const uint8_t *pk) {

  332.     /* The API caller does not necessarily know what size a signature should be

  333.        but SPHINCS+ signatures are always exactly SPX_BYTES. */

  334.     if (smlen < SPX_BYTES) {

  335.         memset(m, 0, smlen);

  336.         *mlen = 0;

  337.         return -1;

  338.     }

  339. 

  340.     *mlen = smlen - SPX_BYTES;

  341. 

  342.     if (PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_crypto_sign_verify(

  343.                 sm, SPX_BYTES, sm + SPX_BYTES, *mlen, pk)) {

  344.         memset(m, 0, smlen);

  345.         *mlen = 0;

  346.         return -1;

  347.     }

  348. 

  349.     /* If verification was successful, move the message to the right place. */

  350.     memmove(m, sm + SPX_BYTES, *mlen);

  351. 

  352.     return 0;

  353. }