kris
/
xmss-KAT-generator
1
0
Креирај огранак 0
Код Дискусије 0 Захтеви за спајање 0 Издања 0 Вики Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
89 Комити
1 Грана
488 KiB
Дрво: 5ce8fc402b
Гране Ознаке
${ item.name }
Create branch ${ searchTerm }
from '5ce8fc402b'
${ noResults }
xmss-KAT-generator/xmss_core.c

xmss_core.c 8.1 KiB
Датотека Normal View Историја

Initial commit
пре 9 година
SWITCH from v01 to v03 Versions are incompatible due to different address formats and differing message compression!
пре 8 година
Refactor to use compile-time parameter sets This starts a cleanup / refactor, but there is still some low-hanging fruit.
пре 7 година
Refactor for more consistent style and readability
пре 7 година
Initial commit
пре 9 година
Clean up signing functions As a result, performs various refactors that also impact the verification function, since cleaner signing functions exposed more overlap.
пре 7 година
Initial commit
пре 9 година
Combine auth path and keygen root functions This greatly reduces the memory comsumption of the auth path computation, since it now also uses treehash. It prevents duplicate code by re-using the treehash function. A downside is that it does also pick out the authentication path during key generation (while it is not used), but this cost is negligible.
пре 7 година
Initial commit
пре 9 година
Clean up key generation
пре 7 година
Combine auth path and keygen root functions This greatly reduces the memory comsumption of the auth path computation, since it now also uses treehash. It prevents duplicate code by re-using the treehash function. A downside is that it does also pick out the authentication path during key generation (while it is not used), but this cost is negligible.
пре 7 година
Clean up key generation
пре 7 година
Combine auth path and keygen root functions This greatly reduces the memory comsumption of the auth path computation, since it now also uses treehash. It prevents duplicate code by re-using the treehash function. A downside is that it does also pick out the authentication path during key generation (while it is not used), but this cost is negligible.
пре 7 година
Clean up key generation
пре 7 година
Abstract address types into macro constants
пре 7 година
Refactor for more consistent style and readability
пре 7 година
Clean up key generation
пре 7 година
Refactor for more consistent style and readability
пре 7 година
Clean up key generation
пре 7 година
Combine auth path and keygen root functions This greatly reduces the memory comsumption of the auth path computation, since it now also uses treehash. It prevents duplicate code by re-using the treehash function. A downside is that it does also pick out the authentication path during key generation (while it is not used), but this cost is negligible.
пре 7 година
Clean up key generation
пре 7 година
Combine auth path and keygen root functions This greatly reduces the memory comsumption of the auth path computation, since it now also uses treehash. It prevents duplicate code by re-using the treehash function. A downside is that it does also pick out the authentication path during key generation (while it is not used), but this cost is negligible.
пре 7 година
Clean up key generation
пре 7 година
Combine auth path and keygen root functions This greatly reduces the memory comsumption of the auth path computation, since it now also uses treehash. It prevents duplicate code by re-using the treehash function. A downside is that it does also pick out the authentication path during key generation (while it is not used), but this cost is negligible.
пре 7 година
Clean up key generation
пре 7 година
Combine auth path and keygen root functions This greatly reduces the memory comsumption of the auth path computation, since it now also uses treehash. It prevents duplicate code by re-using the treehash function. A downside is that it does also pick out the authentication path during key generation (while it is not used), but this cost is negligible.
пре 7 година
Clean up key generation
пре 7 година
Combine auth path and keygen root functions This greatly reduces the memory comsumption of the auth path computation, since it now also uses treehash. It prevents duplicate code by re-using the treehash function. A downside is that it does also pick out the authentication path during key generation (while it is not used), but this cost is negligible.
пре 7 година
Make codestyle more consistent, fix -Wextra warns
пре 8 година
Combine auth path and keygen root functions This greatly reduces the memory comsumption of the auth path computation, since it now also uses treehash. It prevents duplicate code by re-using the treehash function. A downside is that it does also pick out the authentication path during key generation (while it is not used), but this cost is negligible.
пре 7 година
Refactor for more consistent style and readability
пре 7 година
Combine auth path and keygen root functions This greatly reduces the memory comsumption of the auth path computation, since it now also uses treehash. It prevents duplicate code by re-using the treehash function. A downside is that it does also pick out the authentication path during key generation (while it is not used), but this cost is negligible.
пре 7 година
Initial commit
пре 9 година
Clean up key generation
пре 7 година
Initial commit
пре 9 година
Clean up key generation
пре 7 година
Initial commit
пре 9 година
Deduplicate XMSS/XMSSMT key generation
пре 7 година
Initial commit
пре 9 година
Clean up signing functions As a result, performs various refactors that also impact the verification function, since cleaner signing functions exposed more overlap.
пре 7 година
Initial commit
пре 9 година
Clean up signing functions As a result, performs various refactors that also impact the verification function, since cleaner signing functions exposed more overlap.
пре 7 година
Initial commit
пре 9 година
Make XMSS sign/open functions instances of XMSSMT This removes a lot of code duplication.
пре 7 година
Initial commit
пре 9 година
finished xmssmt
пре 9 година
Clean up key generation
пре 7 година
finished xmssmt
пре 9 година
Clean up signing functions As a result, performs various refactors that also impact the verification function, since cleaner signing functions exposed more overlap.
пре 7 година
finished xmssmt
пре 9 година
Combine auth path and keygen root functions This greatly reduces the memory comsumption of the auth path computation, since it now also uses treehash. It prevents duplicate code by re-using the treehash function. A downside is that it does also pick out the authentication path during key generation (while it is not used), but this cost is negligible.
пре 7 година
Clean up key generation
пре 7 година
Rename parameters for readability and consistency
пре 7 година
Clean up key generation
пре 7 година
Combine auth path and keygen root functions This greatly reduces the memory comsumption of the auth path computation, since it now also uses treehash. It prevents duplicate code by re-using the treehash function. A downside is that it does also pick out the authentication path during key generation (while it is not used), but this cost is negligible.
пре 7 година
Clean up key generation
пре 7 година
Refactor for more consistent style and readability
пре 7 година
finished xmssmt
пре 9 година
Clean up signing functions As a result, performs various refactors that also impact the verification function, since cleaner signing functions exposed more overlap.
пре 7 година
finished xmssmt
пре 9 година
Clean up signing functions As a result, performs various refactors that also impact the verification function, since cleaner signing functions exposed more overlap.
пре 7 година
finished xmssmt
пре 9 година
Rename parameters for readability and consistency
пре 7 година
Clean up signing functions As a result, performs various refactors that also impact the verification function, since cleaner signing functions exposed more overlap.
пре 7 година
Revert to using runtime-only parameter struct Using global defines for parameters (as seems to be typical in academic crypto code) does not play nice with multithreading at all.
пре 7 година
Clean up signing functions As a result, performs various refactors that also impact the verification function, since cleaner signing functions exposed more overlap.
пре 7 година
Revert to using runtime-only parameter struct Using global defines for parameters (as seems to be typical in academic crypto code) does not play nice with multithreading at all.
пре 7 година
Clean up signing functions As a result, performs various refactors that also impact the verification function, since cleaner signing functions exposed more overlap.
пре 7 година
Refactor for more consistent style and readability
пре 7 година
Clean up signing functions As a result, performs various refactors that also impact the verification function, since cleaner signing functions exposed more overlap.
пре 7 година
Refactor for more consistent style and readability
пре 7 година
Clean up signing functions As a result, performs various refactors that also impact the verification function, since cleaner signing functions exposed more overlap.
пре 7 година
Abstract address types into macro constants
пре 7 година
Refactor for more consistent style and readability
пре 7 година
Clean up signing functions As a result, performs various refactors that also impact the verification function, since cleaner signing functions exposed more overlap.
пре 7 година
Rename parameters for readability and consistency
пре 7 година
Make codestyle more consistent, fix -Wextra warns
пре 8 година
Clean up signing functions As a result, performs various refactors that also impact the verification function, since cleaner signing functions exposed more overlap.
пре 7 година
Rename parameters for readability and consistency
пре 7 година
Make codestyle more consistent, fix -Wextra warns
пре 8 година
Clean up signing functions As a result, performs various refactors that also impact the verification function, since cleaner signing functions exposed more overlap.
пре 7 година
Reorder ull_to_bytes parameters to group output
пре 7 година
Clean up signing functions As a result, performs various refactors that also impact the verification function, since cleaner signing functions exposed more overlap.
пре 7 година
Refactor for more consistent style and readability
пре 7 година
Clean up signing functions As a result, performs various refactors that also impact the verification function, since cleaner signing functions exposed more overlap.
пре 7 година
Revert to using runtime-only parameter struct Using global defines for parameters (as seems to be typical in academic crypto code) does not play nice with multithreading at all.
пре 7 година
Refactor for more consistent style and readability
пре 7 година
Abstract address types into macro constants
пре 7 година
Make codestyle more consistent, fix -Wextra warns
пре 8 година
Clean up signing functions As a result, performs various refactors that also impact the verification function, since cleaner signing functions exposed more overlap.
пре 7 година
finished xmssmt
пре 9 година
Clean up signing functions As a result, performs various refactors that also impact the verification function, since cleaner signing functions exposed more overlap.
пре 7 година
Refactor for more consistent style and readability
пре 7 година
Clean up signing functions As a result, performs various refactors that also impact the verification function, since cleaner signing functions exposed more overlap.
пре 7 година
Revert to using runtime-only parameter struct Using global defines for parameters (as seems to be typical in academic crypto code) does not play nice with multithreading at all.
пре 7 година
Refactor for more consistent style and readability
пре 7 година
Clean up signing functions As a result, performs various refactors that also impact the verification function, since cleaner signing functions exposed more overlap.
пре 7 година
Revert to using runtime-only parameter struct Using global defines for parameters (as seems to be typical in academic crypto code) does not play nice with multithreading at all.
пре 7 година
Rename parameters for readability and consistency
пре 7 година
Refactor for more consistent style and readability
пре 7 година
Clean up signing functions As a result, performs various refactors that also impact the verification function, since cleaner signing functions exposed more overlap.
пре 7 година
Combine auth path and keygen root functions This greatly reduces the memory comsumption of the auth path computation, since it now also uses treehash. It prevents duplicate code by re-using the treehash function. A downside is that it does also pick out the authentication path during key generation (while it is not used), but this cost is negligible.
пре 7 година
Revert to using runtime-only parameter struct Using global defines for parameters (as seems to be typical in academic crypto code) does not play nice with multithreading at all.
пре 7 година
Refactor for more consistent style and readability
пре 7 година
Rename parameters for readability and consistency
пре 7 година
finished xmssmt
пре 9 година
Refactor for more consistent style and readability
пре 7 година
finished xmssmt
пре 9 година
 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219 
  1. #include <stdlib.h>

  2. #include <string.h>

  3. #include <stdint.h>

  4. 

  5. #include "hash.h"

  6. #include "hash_address.h"

  7. #include "params.h"

  8. #include "randombytes.h"

  9. #include "wots.h"

  10. #include "xmss_commons.h"

  11. #include "xmss_core.h"

  12. 

  13. /**

  14.  * For a given leaf index, computes the authentication path and the resulting

  15.  * root node using Merkle's TreeHash algorithm.

  16.  * Expects the layer and tree parts of subtree_addr to be set.

  17.  */

  18. static void treehash(const xmss_params *params,

  19.                      unsigned char *root, unsigned char *auth_path,

  20.                      const unsigned char *sk_seed,

  21.                      const unsigned char *pub_seed,

  22.                      uint32_t leaf_idx, const uint32_t subtree_addr[8])

  23. {

  24.     unsigned char stack[(params->tree_height+1)*params->n];

  25.     unsigned int heights[params->tree_height+1];

  26.     unsigned int offset = 0;

  27. 

  28.     /* The subtree has at most 2^20 leafs, so uint32_t suffices. */

  29.     uint32_t idx;

  30.     uint32_t tree_idx;

  31. 

  32.     /* We need all three types of addresses in parallel. */

  33.     uint32_t ots_addr[8] = {0};

  34.     uint32_t ltree_addr[8] = {0};

  35.     uint32_t node_addr[8] = {0};

  36. 

  37.     /* Select the required subtree. */

  38.     copy_subtree_addr(ots_addr, subtree_addr);

  39.     copy_subtree_addr(ltree_addr, subtree_addr);

  40.     copy_subtree_addr(node_addr, subtree_addr);

  41. 

  42.     set_type(ots_addr, XMSS_ADDR_TYPE_OTS);

  43.     set_type(ltree_addr, XMSS_ADDR_TYPE_LTREE);

  44.     set_type(node_addr, XMSS_ADDR_TYPE_HASHTREE);

  45. 

  46.     for (idx = 0; idx < (uint32_t)(1 << params->tree_height); idx++) {

  47.         /* Add the next leaf node to the stack. */

  48.         set_ltree_addr(ltree_addr, idx);

  49.         set_ots_addr(ots_addr, idx);

  50.         gen_leaf_wots(params, stack + offset*params->n,

  51.                       sk_seed, pub_seed, ltree_addr, ots_addr);

  52.         offset++;

  53.         heights[offset - 1] = 0;

  54. 

  55.         /* If this is a node we need for the auth path.. */

  56.         if ((leaf_idx ^ 0x1) == idx) {

  57.             memcpy(auth_path, stack + (offset - 1)*params->n, params->n);

  58.         }

  59. 

  60.         /* While the top-most nodes are of equal height.. */

  61.         while (offset >= 2 && heights[offset - 1] == heights[offset - 2]) {

  62.             /* Compute index of the new node, in the next layer. */

  63.             tree_idx = (idx >> (heights[offset - 1] + 1));

  64. 

  65.             /* Hash the top-most nodes from the stack together. */

  66.             /* Note that tree height is the 'lower' layer, even though we use

  67.                the index of the new node on the 'higher' layer. This follows

  68.                from the fact that we address the hash function calls. */

  69.             set_tree_height(node_addr, heights[offset - 1]);

  70.             set_tree_index(node_addr, tree_idx);

  71.             hash_h(params, stack + (offset-2)*params->n,

  72.                            stack + (offset-2)*params->n, pub_seed, node_addr);

  73.             offset--;

  74.             /* Note that the top-most node is now one layer higher. */

  75.             heights[offset - 1]++;

  76. 

  77.             /* If this is a node we need for the auth path.. */

  78.             if (((leaf_idx >> heights[offset - 1]) ^ 0x1) == tree_idx) {

  79.                 memcpy(auth_path + heights[offset - 1]*params->n,

  80.                        stack + (offset - 1)*params->n, params->n);

  81.             }

  82.         }

  83.     }

  84.     memcpy(root, stack, params->n);

  85. }

  86. 

  87. /*

  88.  * Generates a XMSS key pair for a given parameter set.

  89.  * Format sk: [(32bit) index || SK_SEED || SK_PRF || PUB_SEED || root]

  90.  * Format pk: [root || PUB_SEED], omitting algorithm OID.

  91.  */

  92. int xmss_core_keypair(const xmss_params *params,

  93.                       unsigned char *pk, unsigned char *sk)

  94. {

  95.     /* The key generation procedure of XMSS and XMSSMT is exactly the same.

  96.        The only important detail is that the right subtree must be selected;

  97.        this requires us to correctly set the d=1 parameter for XMSS. */

  98.     return xmssmt_core_keypair(params, pk, sk);

  99. }

  100. 

  101. /**

  102.  * Signs a message. Returns an array containing the signature followed by the

  103.  * message and an updated secret key.

  104.  */

  105. int xmss_core_sign(const xmss_params *params,

  106.                    unsigned char *sk,

  107.                    unsigned char *sm, unsigned long long *smlen,

  108.                    const unsigned char *m, unsigned long long mlen)

  109. {

  110.     /* XMSS signatures are fundamentally an instance of XMSSMT signatures.

  111.        For d=1, as is the case with XMSS, some of the calls in the XMSSMT

  112.        routine become vacuous (i.e. the loop only iterates once, and address

  113.        management can be simplified a bit).*/

  114.     return xmssmt_core_sign(params, sk, sm, smlen, m, mlen);

  115. }

  116. 

  117. /*

  118.  * Generates a XMSSMT key pair for a given parameter set.

  119.  * Format sk: [(ceil(h/8) bit) index || SK_SEED || SK_PRF || PUB_SEED]

  120.  * Format pk: [root || PUB_SEED] omitting algorithm OID.

  121.  */

  122. int xmssmt_core_keypair(const xmss_params *params,

  123.                         unsigned char *pk, unsigned char *sk)

  124. {

  125.     /* We do not need the auth path in key generation, but it simplifies the

  126.        code to have just one treehash routine that computes both root and path

  127.        in one function. */

  128.     unsigned char auth_path[params->tree_height * params->n];

  129.     uint32_t top_tree_addr[8] = {0};

  130.     set_layer_addr(top_tree_addr, params->d - 1);

  131. 

  132.     /* Initialize index to 0. */

  133.     memset(sk, 0, params->index_bytes);

  134.     sk += params->index_bytes;

  135. 

  136.     /* Initialize SK_SEED, SK_PRF and PUB_SEED. */

  137.     randombytes(sk, 3 * params->n);

  138.     memcpy(pk + params->n, sk + 2*params->n, params->n);

  139. 

  140.     /* Compute root node of the top-most subtree. */

  141.     treehash(params, pk, auth_path, sk, pk + params->n, 0, top_tree_addr);

  142.     memcpy(sk + 3*params->n, pk, params->n);

  143. 

  144.     return 0;

  145. }

  146. 

  147. /**

  148.  * Signs a message. Returns an array containing the signature followed by the

  149.  * message and an updated secret key.

  150.  */

  151. int xmssmt_core_sign(const xmss_params *params,

  152.                      unsigned char *sk,

  153.                      unsigned char *sm, unsigned long long *smlen,

  154.                      const unsigned char *m, unsigned long long mlen)

  155. {

  156.     const unsigned char *sk_seed = sk + params->index_bytes;

  157.     const unsigned char *sk_prf = sk + params->index_bytes + params->n;

  158.     const unsigned char *pub_seed = sk + params->index_bytes + 2*params->n;

  159.     const unsigned char *pub_root = sk + params->index_bytes + 3*params->n;

  160. 

  161.     unsigned char root[params->n];

  162.     unsigned char *mhash = root;

  163.     unsigned char ots_seed[params->n];

  164.     unsigned long long idx;

  165.     unsigned char idx_bytes_32[32];

  166.     unsigned int i;

  167.     uint32_t idx_leaf;

  168. 

  169.     uint32_t ots_addr[8] = {0};

  170.     set_type(ots_addr, XMSS_ADDR_TYPE_OTS);

  171. 

  172.     /* Read and use the current index from the secret key. */

  173.     idx = (unsigned long)bytes_to_ull(sk, params->index_bytes);

  174.     memcpy(sm, sk, params->index_bytes);

  175.     sm += params->index_bytes;

  176. 

  177.     /*************************************************************************

  178.      * THIS IS WHERE PRODUCTION IMPLEMENTATIONS WOULD UPDATE THE SECRET KEY. *

  179.      *************************************************************************/

  180.     /* Increment the index in the secret key. */

  181.     ull_to_bytes(sk, params->index_bytes, idx + 1);

  182. 

  183.     /* Compute the digest randomization value. */

  184.     ull_to_bytes(idx_bytes_32, 32, idx);

  185.     prf(params, sm, idx_bytes_32, sk_prf, params->n);

  186. 

  187.     /* Compute the message hash. */

  188.     hash_message(params, mhash, sm, pub_root, idx, m, mlen);

  189.     sm += params->n;

  190. 

  191.     set_type(ots_addr, XMSS_ADDR_TYPE_OTS);

  192. 

  193.     for (i = 0; i < params->d; i++) {

  194.         idx_leaf = (idx & ((1 << params->tree_height)-1));

  195.         idx = idx >> params->tree_height;

  196. 

  197.         set_layer_addr(ots_addr, i);

  198.         set_tree_addr(ots_addr, idx);

  199.         set_ots_addr(ots_addr, idx_leaf);

  200. 

  201.         /* Get a seed for the WOTS keypair. */

  202.         get_seed(params, ots_seed, sk_seed, ots_addr);

  203. 

  204.         /* Compute a WOTS signature. */

  205.         /* Initially, root = mhash, but on subsequent iterations it is the root

  206.            of the subtree below the currently processed subtree. */

  207.         wots_sign(params, sm, root, ots_seed, pub_seed, ots_addr);

  208.         sm += params->wots_sig_bytes;

  209. 

  210.         /* Compute the authentication path for the used WOTS leaf. */

  211.         treehash(params, root, sm, sk_seed, pub_seed, idx_leaf, ots_addr);

  212.         sm += params->tree_height*params->n;

  213.     }

  214. 

  215.     memcpy(sm, m, mlen);

  216.     *smlen = params->sig_bytes + mlen;

  217. 

  218.     return 0;

  219. }