Commit Graph

132 Commits

Author SHA1 Message Date
Joost Rijneveld
9384cc066a
Clean up compiler warnings/int overflow 2020-05-25 13:07:11 +02:00
Joost Rijneveld
feed976315
Unify keypair and seed_keypair 2020-05-25 13:04:02 +02:00
Bas Westerbaan
27f2f6eb45 Add test/vectors to generate intermediate test vectors
Helpful to test other implementations.

Used for instance for go-xmssmt.

Issue #5
2020-05-24 17:56:45 +02:00
Joost Rijneveld
89c2ab99f3
Merge pull request #10 from dcooper16/sp800-208_parameter_sets
Add NIST Special Publication 800-208 parameter sets
2020-05-22 12:43:21 +02:00
David Cooper
3dabea248f Add NIST Special Publication 800-208 parameter sets
This commit adds support for the parameter sets in the draft version of NIST SP 800-208.
2020-05-18 08:16:02 -04:00
Joost Rijneveld
965edf225b
Merge pull request #9 from dcooper16/revised_key_generation
Improved key generation
2020-05-11 14:23:23 +02:00
David Cooper
3e28db2362 Improved key generation
In the public comments to draft version of NIST Special Publication 800-208, ETSI TC CYBER WG QSC identified a multi-target attack against the method of pseudorandom key generation used in this referrence implementation. ETSI TC CYBER WG QSC suggested using the pseudorandom key generation method from SPHINCS+, however, there is still a multi-user attack against that key generation method.

This commit revises the pseudorandom key generation method by using the method from SPINCS+, but adding SEED as an input in order to protect against multi-user attacks. Since prf() only accepts 32-byte inputs, the new key generation method uses a new PRF. The resulting key generation method is sk[i] = prf_keygen(sk_seed, pub_seed || adrs).
2020-04-30 12:43:36 -04:00
Joost Rijneveld
2237b6f4f0
Merge pull request #8 from dcooper16/padding_length
Separate definition of padding length
2020-04-28 09:59:10 +02:00
David Cooper
7793c40c07 Separate definition of padding length
The reference implemention of XMSS currently assumes that n bytes of padding is used for the prefix in the functions prf, hash_message, thash_h, and thash_f. While this is the case for all of the parameter sets in RFC 8391, the draft version of NIST Special Publication 800-208 specifies paramter sets in which the amount of padding is different than n.

This commit allows for the padding length for a parameter set to be specified separately from n.
2020-04-14 15:18:01 -04:00
Joost Rijneveld
fb7e3f8edc
Add note on deploying reference code 2019-04-24 17:52:39 +02:00
Joost Rijneveld
49f72fd1a7
Update README to point to RFC 2019-04-15 09:19:45 +02:00
Joost Rijneveld
0d019ddc9f
Change order of SK elements to match RFC
The RFC suggests root||pubseed (in algorithm 10); note that
this choice does not influence interoperability.

Thanks go to Rafael Misoczki for bringing this up.
2018-12-17 16:25:08 +01:00
Joost Rijneveld
bb2d285814
Prevent overrunning stack for large benchmarks 2018-09-11 16:00:05 +02:00
Joost Rijneveld
75a42a86a6
Allow more flexible parameter selection
This also reduces some duplication between XMSS and XMSSMT
2018-09-03 16:53:45 +09:00
Joost Rijneveld
9207b91272
Add benchmarking binary/target 2018-09-03 13:23:55 +09:00
Joost Rijneveld
06281e057d
Merge pull request #4 from jamathews/master
Read OIDs in big-endian byte order in UI
2018-02-16 11:31:08 +01:00
Justin Mathews
2fd9fa9938 Fix OID parsing
Force the OIDs read from input files to be interpreted as big-endian integers.
Leaving them as little-endian results in invalid values in params, eventually
leading to a crash.
2018-02-15 17:45:19 -05:00
Joost Rijneveld
fd49bbbfe0
Fix pointer type codestyle inconsistency 2018-02-05 10:22:17 +01:00
Joost Rijneveld
05dac989c4
Store OID in bigendian notation in pk and sk 2018-01-30 08:42:22 +00:00
Joost Rijneveld
c63291fb8e
Add test to check existence of parameter sets 2018-01-11 10:09:59 +01:00
Joost Rijneveld
f8023bbc2b
Update IANA numeric identifiers to match Draft v12 2018-01-10 23:22:32 +01:00
Joost Rijneveld
b9c65792e5
More explicitly label pk parts in verification 2017-12-06 15:14:50 +01:00
Joost Rijneveld
758a6349fc
Do not expose l_tree function
It's not used outside xmss_commons
2017-12-06 15:13:07 +01:00
Joost Rijneveld
afad4fe13a
Fix typo in comments leaving root out of sk 2017-11-02 17:00:38 +01:00
Joost Rijneveld
42a2e8aa83
Make addr type switching not zero out remainder
This behavior was completely unpredictable from the function name,
in particular when comparing it to other set_*_addr functions.
2017-11-01 16:49:52 +01:00
Joost Rijneveld
51790b9d57
Fix prf when n != 32
It wrongfully assumed that 2n + 32 = 3n
2017-11-01 16:07:06 +01:00
Joost Rijneveld
daa4e2d6db
Rename hash functions to tweaked hashes
Since there's a tweak being introduced, this should be reflected
in the name of the functions.
2017-11-01 15:16:17 +01:00
Joost Rijneveld
fe252b8093
Move ull-byte-conversions to separate utils file 2017-11-01 14:59:33 +01:00
Joost Rijneveld
b9b84b9f9e
Consistently return -1 on failure 2017-11-01 14:33:07 +01:00
Joost Rijneveld
a95aaf0b37
Fix typo in WOTS comments: n-byte messages, not m 2017-11-01 13:35:58 +01:00
Joost Rijneveld
e5fceef2e2
Add TravisCI badge 2017-10-31 17:38:20 +01:00
Joost Rijneveld
0ad434698c
Add TravisCI configuration 2017-10-31 17:32:05 +01:00
Joost Rijneveld
b78d0756d0
Make return code of test/xmss meaningful 2017-10-31 17:24:06 +01:00
Joost Rijneveld
a234427390
Explicitly parse XMSS_VARIANT to get OID for tests 2017-10-31 17:23:37 +01:00
Joost Rijneveld
c248911178
Optionally specify number of test sigs in Makefile
This is relevant because of the enormous difference in signing
speed between the regular and BDS-traversal-based xmss core.
2017-10-31 17:23:28 +01:00
Joost Rijneveld
1cba1e7be8
Make core_fast use the secret key for the state
This ensures that xmss_core and xmss_core_fast offer the same API.
Note that xmss_core_fast still needs a major refactor, and this
wrapper is not exactly very clean. There is a considerable chance
this refactor will change the format of the state in the secret key.
2017-10-31 17:21:29 +01:00
Joost Rijneveld
2e96b03106
Clean up and simplify hash function definitions 2017-10-31 17:21:29 +01:00
Joost Rijneveld
384b228c58
Support messages that exceed the stack size
Previous code allocated an array on the stack of mlen bytes, but
it should be possible to also sign heap-space messages. By relying
on the fact that sm and m fit the message + signature, we move
the message so that 4*n bytes of prefix can be added.
2017-10-31 17:21:27 +01:00
Joost Rijneveld
f5d53b252e
Fix failing verification test formatting 2017-10-30 16:36:08 +01:00
Joost Rijneveld
df9fe909fc
Compute sk size after defining BDS k parameter 2017-10-30 13:11:22 +01:00
Joost Rijneveld
ac55d2ccf2
Make XMSSMT WOTS memory usage more accurate 2017-10-30 12:31:33 +01:00
Joost Rijneveld
59d304027c
Let xmss_core decide on secret key size
This allows different backends to store additional state information
in the secret key while the rest of the codebase remains agnostic.

In particular, this prepares for a common xmss_core.h API for both
the standard and the BDS-traversal-based implementations.
2017-10-26 18:06:17 +02:00
Joost Rijneveld
1b16921e3e
Clarify current BDS traversal support 2017-10-26 18:06:17 +02:00
Joost Rijneveld
5ce8fc402b
Clean up tests 2017-10-26 18:06:15 +02:00
Joost Rijneveld
d340e0700d
Remove fixed message length from UI 2017-10-26 14:47:34 +02:00
Joost Rijneveld
dd1ae2a6aa
Adapt UI to abstract from core functions 2017-10-26 14:24:10 +02:00
Joost Rijneveld
3c802756aa
Separate UI and test files 2017-10-26 14:13:28 +02:00
Joost Rijneveld
342dc1c50c
Clean up xmss_core header file 2017-10-26 12:10:17 +02:00
Joost Rijneveld
94a92ed2b1
Make XMSS sign/open functions instances of XMSSMT
This removes a lot of code duplication.
2017-10-26 12:07:57 +02:00
Joost Rijneveld
7c6354f762
Rename parameters for readability and consistency 2017-10-24 17:51:56 +02:00