xmss-KAT-generator/hash.c

/*
hash.c version 20160722
Andreas Hülsing
Joost Rijneveld
Public domain.
*/

#include "hash_address.h"
#include "xmss_commons.h"
#include "params.h"
#include "hash.h"
#include "fips202.h"

#include <stdint.h>
#include <string.h>
#include <openssl/sha.h>

unsigned char* addr_to_byte(unsigned char *bytes, const uint32_t addr[8])
{
#if IS_LITTLE_ENDIAN==1
    int i;
    for (i = 0; i < 8; i++) {
        to_byte(bytes + i*4, addr[i], 4);
    }
#else
    memcpy(bytes, addr, 32);
#endif
    return bytes;
}

static int core_hash(unsigned char *out, const unsigned int type,
                     const unsigned char *key, unsigned int keylen,
                     const unsigned char *in, unsigned long long inlen, int n)
{
    unsigned long long i = 0;
    unsigned char buf[inlen + n + keylen];

    /* Input is of the form (toByte(X, 32) || KEY || M). */

    to_byte(buf, type, n);

    for (i=0; i < keylen; i++) {
        buf[i+n] = key[i];
    }

    for (i=0; i < inlen; i++) {
        buf[keylen + n + i] = in[i];
    }

    if (n == 32 && XMSS_FUNC == XMSS_SHA2) {
        SHA256(buf, inlen + keylen + n, out);
    }
    else if (n == 32 && XMSS_FUNC == XMSS_SHAKE) {
        shake128(out, 32, buf, inlen + keylen + n);
    }
    else if (n == 64 && XMSS_FUNC == XMSS_SHA2) {
        SHA512(buf, inlen + keylen + n, out);
    }
    else if (n == 64 && XMSS_FUNC == XMSS_SHAKE) {
        shake256(out, 64, buf, inlen + keylen + n);
    }
    else {
        return 1;
    }
    return 0;
}

int prf(unsigned char *out, const unsigned char *in,
        const unsigned char *key, unsigned int keylen)
{
    return core_hash(out, 3, key, keylen, in, 32, keylen);
}

int h_msg(unsigned char *out,
          const unsigned char *in, unsigned long long inlen,
          const unsigned char *key, const unsigned int keylen)
{
    return core_hash(out, 2, key, keylen, in, inlen, XMSS_N);
}

/**
 * We assume the left half is in in[0]...in[n-1]
 */
int hash_h(unsigned char *out, const unsigned char *in,
           const unsigned char *pub_seed, uint32_t addr[8])
{
    unsigned char buf[2*XMSS_N];
    unsigned char key[XMSS_N];
    unsigned char bitmask[2*XMSS_N];
    unsigned char byte_addr[32];
    unsigned int i;

    set_key_and_mask(addr, 0);
    addr_to_byte(byte_addr, addr);
    prf(key, byte_addr, pub_seed, XMSS_N);
    // Use MSB order
    set_key_and_mask(addr, 1);
    addr_to_byte(byte_addr, addr);
    prf(bitmask, byte_addr, pub_seed, XMSS_N);
    set_key_and_mask(addr, 2);
    addr_to_byte(byte_addr, addr);
    prf(bitmask+XMSS_N, byte_addr, pub_seed, XMSS_N);
    for (i = 0; i < 2*XMSS_N; i++) {
        buf[i] = in[i] ^ bitmask[i];
    }
    return core_hash(out, 1, key, XMSS_N, buf, 2*XMSS_N, XMSS_N);
}

int hash_f(unsigned char *out, const unsigned char *in,
           const unsigned char *pub_seed, uint32_t addr[8])
{
    unsigned char buf[XMSS_N];
    unsigned char key[XMSS_N];
    unsigned char bitmask[XMSS_N];
    unsigned char byte_addr[32];
    unsigned int i;

    set_key_and_mask(addr, 0);
    addr_to_byte(byte_addr, addr);
    prf(key, byte_addr, pub_seed, XMSS_N);

    set_key_and_mask(addr, 1);
    addr_to_byte(byte_addr, addr);
    prf(bitmask, byte_addr, pub_seed, XMSS_N);

    for (i = 0; i < XMSS_N; i++) {
        buf[i] = in[i] ^ bitmask[i];
    }
    return core_hash(out, 0, key, XMSS_N, buf, XMSS_N, XMSS_N);
}
added copyright notes for publishing. Removed unused file. 2015-08-11 11:23:30 +01:00			`/*`
v06 2016-09-22 15:31:41 +01:00			`hash.c version 20160722`
added copyright notes for publishing. Removed unused file. 2015-08-11 11:23:30 +01:00			`Andreas Hülsing`
SWITCH from v01 to v03 Versions are incompatible due to different address formats and differing message compression! 2016-02-16 15:31:18 +00:00			`Joost Rijneveld`
added copyright notes for publishing. Removed unused file. 2015-08-11 11:23:30 +01:00			`Public domain.`
			`*/`

SWITCH from v01 to v03 Versions are incompatible due to different address formats and differing message compression! 2016-02-16 15:31:18 +00:00			`#include "hash_address.h"`
upgraded to draft-06 2016-07-11 10:15:16 +01:00			`#include "xmss_commons.h"`
Add SHAKE128 and SHAKE256 This also performs numerous consistency fixes 2017-06-02 16:29:14 +01:00			`#include "params.h"`
handle that most machines are little endian but addresses here are big endian... 2016-07-12 15:19:42 +01:00			`#include "hash.h"`
Add SHAKE128 and SHAKE256 This also performs numerous consistency fixes 2017-06-02 16:29:14 +01:00			`#include "fips202.h"`
Initial commit 2015-08-11 11:08:27 +01:00
Add SHAKE128 and SHAKE256 This also performs numerous consistency fixes 2017-06-02 16:29:14 +01:00			`#include <stdint.h>`
Make codestyle more consistent, fix -Wextra warns 2016-02-02 13:06:43 +00:00			`#include <string.h>`
Initial commit 2015-08-11 11:08:27 +01:00			`#include <openssl/sha.h>`

Add SHAKE128 and SHAKE256 This also performs numerous consistency fixes 2017-06-02 16:29:14 +01:00			`unsigned char* addr_to_byte(unsigned char *bytes, const uint32_t addr[8])`
			`{`
			`#if IS_LITTLE_ENDIAN==1`
Refactor for more consistent style and readability 2017-08-03 16:38:34 +01:00			`int i;`
			`for (i = 0; i < 8; i++) {`
			`to_byte(bytes + i*4, addr[i], 4);`
			`}`
handle that most machines are little endian but addresses here are big endian... 2016-07-12 15:19:42 +01:00			`#else`
Refactor for more consistent style and readability 2017-08-03 16:38:34 +01:00			`memcpy(bytes, addr, 32);`
Add SHAKE128 and SHAKE256 This also performs numerous consistency fixes 2017-06-02 16:29:14 +01:00			`#endif`
Refactor for more consistent style and readability 2017-08-03 16:38:34 +01:00			`return bytes;`
handle that most machines are little endian but addresses here are big endian... 2016-07-12 15:19:42 +01:00			`}`
Initial commit 2015-08-11 11:08:27 +01:00
Refactor for more consistent style and readability 2017-08-03 16:38:34 +01:00			`static int core_hash(unsigned char *out, const unsigned int type,`
			`const unsigned char *key, unsigned int keylen,`
			`const unsigned char *in, unsigned long long inlen, int n)`
Add SHAKE128 and SHAKE256 This also performs numerous consistency fixes 2017-06-02 16:29:14 +01:00			`{`
Refactor for more consistent style and readability 2017-08-03 16:38:34 +01:00			`unsigned long long i = 0;`
			`unsigned char buf[inlen + n + keylen];`

			`/* Input is of the form (toByte(X, 32) \|\| KEY \|\| M). */`

			`to_byte(buf, type, n);`

			`for (i=0; i < keylen; i++) {`
			`buf[i+n] = key[i];`
			`}`

			`for (i=0; i < inlen; i++) {`
			`buf[keylen + n + i] = in[i];`
			`}`

			`if (n == 32 && XMSS_FUNC == XMSS_SHA2) {`
			`SHA256(buf, inlen + keylen + n, out);`
			`}`
			`else if (n == 32 && XMSS_FUNC == XMSS_SHAKE) {`
			`shake128(out, 32, buf, inlen + keylen + n);`
			`}`
			`else if (n == 64 && XMSS_FUNC == XMSS_SHA2) {`
			`SHA512(buf, inlen + keylen + n, out);`
			`}`
			`else if (n == 64 && XMSS_FUNC == XMSS_SHAKE) {`
			`shake256(out, 64, buf, inlen + keylen + n);`
			`}`
			`else {`
			`return 1;`
			`}`
			`return 0;`
Initial commit 2015-08-11 11:08:27 +01:00			`}`

Refactor for more consistent style and readability 2017-08-03 16:38:34 +01:00			`int prf(unsigned char out, const unsigned char in,`
			`const unsigned char *key, unsigned int keylen)`
Add SHAKE128 and SHAKE256 This also performs numerous consistency fixes 2017-06-02 16:29:14 +01:00			`{`
Refactor for more consistent style and readability 2017-08-03 16:38:34 +01:00			`return core_hash(out, 3, key, keylen, in, 32, keylen);`
upgraded to draft-06 2016-07-11 10:15:16 +01:00			`}`

Refactor for more consistent style and readability 2017-08-03 16:38:34 +01:00			`int h_msg(unsigned char *out,`
			`const unsigned char *in, unsigned long long inlen,`
			`const unsigned char *key, const unsigned int keylen)`
upgraded to draft-06 2016-07-11 10:15:16 +01:00			`{`
Refactor for more consistent style and readability 2017-08-03 16:38:34 +01:00			`return core_hash(out, 2, key, keylen, in, inlen, XMSS_N);`
upgraded to draft-06 2016-07-11 10:15:16 +01:00			`}`

Initial commit 2015-08-11 11:08:27 +01:00			`/**`
			`* We assume the left half is in in[0]...in[n-1]`
			`*/`
Refactor for more consistent style and readability 2017-08-03 16:38:34 +01:00			`int hash_h(unsigned char out, const unsigned char in,`
			`const unsigned char *pub_seed, uint32_t addr[8])`
Initial commit 2015-08-11 11:08:27 +01:00			`{`
Refactor for more consistent style and readability 2017-08-03 16:38:34 +01:00			`unsigned char buf[2*XMSS_N];`
			`unsigned char key[XMSS_N];`
			`unsigned char bitmask[2*XMSS_N];`
			`unsigned char byte_addr[32];`
			`unsigned int i;`

			`set_key_and_mask(addr, 0);`
			`addr_to_byte(byte_addr, addr);`
			`prf(key, byte_addr, pub_seed, XMSS_N);`
			`// Use MSB order`
			`set_key_and_mask(addr, 1);`
			`addr_to_byte(byte_addr, addr);`
			`prf(bitmask, byte_addr, pub_seed, XMSS_N);`
			`set_key_and_mask(addr, 2);`
			`addr_to_byte(byte_addr, addr);`
			`prf(bitmask+XMSS_N, byte_addr, pub_seed, XMSS_N);`
			`for (i = 0; i < 2*XMSS_N; i++) {`
			`buf[i] = in[i] ^ bitmask[i];`
			`}`
			`return core_hash(out, 1, key, XMSS_N, buf, 2*XMSS_N, XMSS_N);`
Initial commit 2015-08-11 11:08:27 +01:00			`}`

Refactor for more consistent style and readability 2017-08-03 16:38:34 +01:00			`int hash_f(unsigned char out, const unsigned char in,`
			`const unsigned char *pub_seed, uint32_t addr[8])`
Make codestyle more consistent, fix -Wextra warns 2016-02-02 13:06:43 +00:00			`{`
Refactor for more consistent style and readability 2017-08-03 16:38:34 +01:00			`unsigned char buf[XMSS_N];`
			`unsigned char key[XMSS_N];`
			`unsigned char bitmask[XMSS_N];`
			`unsigned char byte_addr[32];`
			`unsigned int i;`

			`set_key_and_mask(addr, 0);`
			`addr_to_byte(byte_addr, addr);`
			`prf(key, byte_addr, pub_seed, XMSS_N);`

			`set_key_and_mask(addr, 1);`
			`addr_to_byte(byte_addr, addr);`
			`prf(bitmask, byte_addr, pub_seed, XMSS_N);`

			`for (i = 0; i < XMSS_N; i++) {`
			`buf[i] = in[i] ^ bitmask[i];`
			`}`
			`return core_hash(out, 0, key, XMSS_N, buf, XMSS_N, XMSS_N);`
Initial commit 2015-08-11 11:08:27 +01:00			`}`