kris
/
xmss-KAT-generator
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
95 Commits
1 Branch
488 KiB
Tree: 384b228c58
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '384b228c58'
${ noResults }
xmss-KAT-generator/hash.c

hash.c 5.0 KiB
Raw Normal View History

Support messages that exceed the stack size Previous code allocated an array on the stack of mlen bytes, but it should be possible to also sign heap-space messages. By relying on the fact that sm and m fit the message + signature, we move the message so that 4*n bytes of prefix can be added.
7 years ago
SWITCH from v01 to v03 Versions are incompatible due to different address formats and differing message compression!
8 years ago
upgraded to draft-06
8 years ago
Add SHAKE128 and SHAKE256 This also performs numerous consistency fixes
7 years ago
handle that most machines are little endian but addresses here are big endian...
8 years ago
Add SHAKE128 and SHAKE256 This also performs numerous consistency fixes
7 years ago
Initial commit
9 years ago
Perform various reformatting / renaming
7 years ago
Add SHAKE128 and SHAKE256 This also performs numerous consistency fixes
7 years ago
Refactor for more consistent style and readability
7 years ago
Reorder ull_to_bytes parameters to group output
7 years ago
Refactor for more consistent style and readability
7 years ago
handle that most machines are little endian but addresses here are big endian...
8 years ago
Initial commit
9 years ago
Revert to using runtime-only parameter struct Using global defines for parameters (as seems to be typical in academic crypto code) does not play nice with multithreading at all.
7 years ago
Refactor for more consistent style and readability
7 years ago
Add SHAKE128 and SHAKE256 This also performs numerous consistency fixes
7 years ago
Refactor for more consistent style and readability
7 years ago
Perform various reformatting / renaming
7 years ago
Support messages that exceed the stack size Previous code allocated an array on the stack of mlen bytes, but it should be possible to also sign heap-space messages. By relying on the fact that sm and m fit the message + signature, we move the message so that 4*n bytes of prefix can be added.
7 years ago
Reorder ull_to_bytes parameters to group output
7 years ago
Support messages that exceed the stack size Previous code allocated an array on the stack of mlen bytes, but it should be possible to also sign heap-space messages. By relying on the fact that sm and m fit the message + signature, we move the message so that 4*n bytes of prefix can be added.
7 years ago
Refactor for more consistent style and readability
7 years ago
Revert to using runtime-only parameter struct Using global defines for parameters (as seems to be typical in academic crypto code) does not play nice with multithreading at all.
7 years ago
Refactor for more consistent style and readability
7 years ago
Revert to using runtime-only parameter struct Using global defines for parameters (as seems to be typical in academic crypto code) does not play nice with multithreading at all.
7 years ago
Refactor for more consistent style and readability
7 years ago
Revert to using runtime-only parameter struct Using global defines for parameters (as seems to be typical in academic crypto code) does not play nice with multithreading at all.
7 years ago
Refactor for more consistent style and readability
7 years ago
Revert to using runtime-only parameter struct Using global defines for parameters (as seems to be typical in academic crypto code) does not play nice with multithreading at all.
7 years ago
Refactor for more consistent style and readability
7 years ago
Initial commit
9 years ago
Revert to using runtime-only parameter struct Using global defines for parameters (as seems to be typical in academic crypto code) does not play nice with multithreading at all.
7 years ago
Refactor for more consistent style and readability
7 years ago
Add SHAKE128 and SHAKE256 This also performs numerous consistency fixes
7 years ago
Revert to using runtime-only parameter struct Using global defines for parameters (as seems to be typical in academic crypto code) does not play nice with multithreading at all.
7 years ago
upgraded to draft-06
8 years ago
Revert to using runtime-only parameter struct Using global defines for parameters (as seems to be typical in academic crypto code) does not play nice with multithreading at all.
7 years ago
Refactor for more consistent style and readability
7 years ago
upgraded to draft-06
8 years ago
Revert to using runtime-only parameter struct Using global defines for parameters (as seems to be typical in academic crypto code) does not play nice with multithreading at all.
7 years ago
upgraded to draft-06
8 years ago
Support messages that exceed the stack size Previous code allocated an array on the stack of mlen bytes, but it should be possible to also sign heap-space messages. By relying on the fact that sm and m fit the message + signature, we move the message so that 4*n bytes of prefix can be added.
7 years ago
Initial commit
9 years ago
Revert to using runtime-only parameter struct Using global defines for parameters (as seems to be typical in academic crypto code) does not play nice with multithreading at all.
7 years ago
Refactor for more consistent style and readability
7 years ago
Initial commit
9 years ago
Revert to using runtime-only parameter struct Using global defines for parameters (as seems to be typical in academic crypto code) does not play nice with multithreading at all.
7 years ago
Perform various reformatting / renaming
7 years ago
Refactor for more consistent style and readability
7 years ago
Perform various reformatting / renaming
7 years ago
Refactor for more consistent style and readability
7 years ago
Perform various reformatting / renaming
7 years ago
Refactor for more consistent style and readability
7 years ago
Perform various reformatting / renaming
7 years ago
Refactor for more consistent style and readability
7 years ago
Perform various reformatting / renaming
7 years ago
Revert to using runtime-only parameter struct Using global defines for parameters (as seems to be typical in academic crypto code) does not play nice with multithreading at all.
7 years ago
Refactor for more consistent style and readability
7 years ago
Revert to using runtime-only parameter struct Using global defines for parameters (as seems to be typical in academic crypto code) does not play nice with multithreading at all.
7 years ago
Initial commit
9 years ago
Revert to using runtime-only parameter struct Using global defines for parameters (as seems to be typical in academic crypto code) does not play nice with multithreading at all.
7 years ago
Refactor for more consistent style and readability
7 years ago
Make codestyle more consistent, fix -Wextra warns
8 years ago
Revert to using runtime-only parameter struct Using global defines for parameters (as seems to be typical in academic crypto code) does not play nice with multithreading at all.
7 years ago
Perform various reformatting / renaming
7 years ago
Refactor for more consistent style and readability
7 years ago
Perform various reformatting / renaming
7 years ago
Refactor for more consistent style and readability
7 years ago
Perform various reformatting / renaming
7 years ago
Refactor for more consistent style and readability
7 years ago
Revert to using runtime-only parameter struct Using global defines for parameters (as seems to be typical in academic crypto code) does not play nice with multithreading at all.
7 years ago
Refactor for more consistent style and readability
7 years ago
Revert to using runtime-only parameter struct Using global defines for parameters (as seems to be typical in academic crypto code) does not play nice with multithreading at all.
7 years ago
Initial commit
9 years ago
 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158 
  1. #include <stdint.h>

  2. #include <string.h>

  3. #include <openssl/sha.h>

  4. 

  5. #include "hash_address.h"

  6. #include "xmss_commons.h"

  7. #include "params.h"

  8. #include "hash.h"

  9. #include "fips202.h"

  10. 

  11. void addr_to_bytes(unsigned char *bytes, const uint32_t addr[8])

  12. {

  13.     int i;

  14.     for (i = 0; i < 8; i++) {

  15.         ull_to_bytes(bytes + i*4, 4, addr[i]);

  16.     }

  17. }

  18. 

  19. static int core_hash(const xmss_params *params,

  20.                      unsigned char *out, const unsigned int type,

  21.                      const unsigned char *key, unsigned int keylen,

  22.                      const unsigned char *in, unsigned long long inlen, int n)

  23. {

  24.     unsigned char buf[inlen + n + keylen];

  25. 

  26.     /* We arrange the input into the hash function to be of the form:

  27.      *  toByte(X, 32) || KEY || M */

  28.     ull_to_bytes(buf, n, type);

  29.     memcpy(buf + n, key, keylen);

  30.     memcpy(buf + keylen + n, in, inlen);

  31. 

  32.     if (n == 32 && params->func == XMSS_SHA2) {

  33.         SHA256(buf, inlen + keylen + n, out);

  34.     }

  35.     else if (n == 32 && params->func == XMSS_SHAKE) {

  36.         shake128(out, 32, buf, inlen + keylen + n);

  37.     }

  38.     else if (n == 64 && params->func == XMSS_SHA2) {

  39.         SHA512(buf, inlen + keylen + n, out);

  40.     }

  41.     else if (n == 64 && params->func == XMSS_SHAKE) {

  42.         shake256(out, 64, buf, inlen + keylen + n);

  43.     }

  44.     else {

  45.         return 1;

  46.     }

  47.     return 0;

  48. }

  49. 

  50. int prf(const xmss_params *params,

  51.         unsigned char *out, const unsigned char *in,

  52.         const unsigned char *key, unsigned int keylen)

  53. {

  54.     return core_hash(params, out, 3, key, keylen, in, 32, keylen);

  55. }

  56. 

  57. int h_msg(const xmss_params *params,

  58.           unsigned char *out,

  59.           const unsigned char *in, unsigned long long inlen,

  60.           const unsigned char *key, const unsigned int keylen)

  61. {

  62.     return core_hash(params, out, 2, key, keylen, in, inlen, params->n);

  63. }

  64. 

  65. /*

  66.  * Computes the message hash using R, the public root, the index of the leaf

  67.  * node, and the message. Notably, it requires m_with_prefix to have 4*n bytes

  68.  * of space before the message, to use for the prefix. This is necessary to

  69.  * prevent having to move the message around (and thus allocate memory for it).

  70.  */

  71. int hash_message(const xmss_params *params, unsigned char *out,

  72.                  const unsigned char *R, const unsigned char *root,

  73.                  unsigned long long idx,

  74.                  unsigned char *m_with_prefix, unsigned long long mlen)

  75. {

  76.     /* We're creating a hash using input of the form:

  77.        toByte(X, 32) || R || root || index || M */

  78.     ull_to_bytes(m_with_prefix, params->n, 2);

  79.     memcpy(m_with_prefix + params->n, R, params->n);

  80.     memcpy(m_with_prefix + 2 * params->n, root, params->n);

  81.     ull_to_bytes(m_with_prefix + 3 * params->n, params->n, idx);

  82. 

  83.     /* Since the message can be bigger than the stack, this cannot use the

  84.      * core_hash function. */

  85.     if (params->n == 32 && params->func == XMSS_SHA2) {

  86.         SHA256(m_with_prefix, mlen + 4*params->n, out);

  87.     }

  88.     else if (params->n == 32 && params->func == XMSS_SHAKE) {

  89.         shake128(out, 32, m_with_prefix, mlen + 4*params->n);

  90.     }

  91.     else if (params->n == 64 && params->func == XMSS_SHA2) {

  92.         SHA512(m_with_prefix, mlen + 4*params->n, out);

  93.     }

  94.     else if (params->n == 64 && params->func == XMSS_SHAKE) {

  95.         shake256(out, 64, m_with_prefix, mlen + 4*params->n);

  96.     }

  97.     else {

  98.         return 1;

  99.     }

  100.     return 0;

  101. }

  102. 

  103. /**

  104.  * We assume the left half is in in[0]...in[n-1]

  105.  */

  106. int hash_h(const xmss_params *params,

  107.            unsigned char *out, const unsigned char *in,

  108.            const unsigned char *pub_seed, uint32_t addr[8])

  109. {

  110.     unsigned char buf[2*params->n];

  111.     unsigned char key[params->n];

  112.     unsigned char bitmask[2*params->n];

  113.     unsigned char addr_as_bytes[32];

  114.     unsigned int i;

  115. 

  116.     /* Generate the n-byte key. */

  117.     set_key_and_mask(addr, 0);

  118.     addr_to_bytes(addr_as_bytes, addr);

  119.     prf(params, key, addr_as_bytes, pub_seed, params->n);

  120. 

  121.     /* Generate the 2n-byte mask. */

  122.     set_key_and_mask(addr, 1);

  123.     addr_to_bytes(addr_as_bytes, addr);

  124.     prf(params, bitmask, addr_as_bytes, pub_seed, params->n);

  125. 

  126.     set_key_and_mask(addr, 2);

  127.     addr_to_bytes(addr_as_bytes, addr);

  128.     prf(params, bitmask + params->n, addr_as_bytes, pub_seed, params->n);

  129. 

  130.     for (i = 0; i < 2*params->n; i++) {

  131.         buf[i] = in[i] ^ bitmask[i];

  132.     }

  133.     return core_hash(params, out, 1, key, params->n, buf, 2*params->n, params->n);

  134. }

  135. 

  136. int hash_f(const xmss_params *params,

  137.            unsigned char *out, const unsigned char *in,

  138.            const unsigned char *pub_seed, uint32_t addr[8])

  139. {

  140.     unsigned char buf[params->n];

  141.     unsigned char key[params->n];

  142.     unsigned char bitmask[params->n];

  143.     unsigned char addr_as_bytes[32];

  144.     unsigned int i;

  145. 

  146.     set_key_and_mask(addr, 0);

  147.     addr_to_bytes(addr_as_bytes, addr);

  148.     prf(params, key, addr_as_bytes, pub_seed, params->n);

  149. 

  150.     set_key_and_mask(addr, 1);

  151.     addr_to_bytes(addr_as_bytes, addr);

  152.     prf(params, bitmask, addr_as_bytes, pub_seed, params->n);

  153. 

  154.     for (i = 0; i < params->n; i++) {

  155.         buf[i] = in[i] ^ bitmask[i];

  156.     }

  157.     return core_hash(params, out, 0, key, params->n, buf, params->n, params->n);

  158. }