141 Commits

Author SHA1 Message Date
e293d105cf Fix memory corruption 2024-06-03 11:21:10 +01:00
db1d6a1eda add parameter name to the vectors 2024-06-03 00:52:19 +01:00
c5e4f43d04 [acvp-kat] Adds OID to keys and signature 2024-06-03 00:40:33 +01:00
b231090079 [xmss] Create ACVP tests 2024-06-01 01:38:11 +01:00
f6f2e7c444 Init 2024-05-31 15:17:45 +01:00
Andreas
171ccbd26f fixed two minor points in handling the maximum signature value 2021-03-16 09:23:17 +01:00
Andreas
f56dc0e8a7 Ensure that sign deletes key after 2^h signatures and returns -2 2021-03-15 10:41:00 +01:00
Joost Rijneveld
4ae726a82b
Fix prefix space for hash_message wrt padding_len
padding_len was introduced in 7793c40c07,
but not fixed in the calls to hash_message.

Resolves #12
2020-05-25 20:39:11 +02:00
Joost Rijneveld
e6b20992a2
Merge pull request #11 from bwesterb/vectors
Add test/vectors to generate intermediate test vectors
2020-05-25 13:15:32 +02:00
Joost Rijneveld
9384cc066a
Clean up compiler warnings/int overflow 2020-05-25 13:07:11 +02:00
Joost Rijneveld
feed976315
Unify keypair and seed_keypair 2020-05-25 13:04:02 +02:00
Bas Westerbaan
27f2f6eb45 Add test/vectors to generate intermediate test vectors
Helpful to test other implementations.

Used for instance for go-xmssmt.

Issue #5
2020-05-24 17:56:45 +02:00
Joost Rijneveld
89c2ab99f3
Merge pull request #10 from dcooper16/sp800-208_parameter_sets
Add NIST Special Publication 800-208 parameter sets
2020-05-22 12:43:21 +02:00
David Cooper
3dabea248f Add NIST Special Publication 800-208 parameter sets
This commit adds support for the parameter sets in the draft version of NIST SP 800-208.
2020-05-18 08:16:02 -04:00
Joost Rijneveld
965edf225b
Merge pull request #9 from dcooper16/revised_key_generation
Improved key generation
2020-05-11 14:23:23 +02:00
David Cooper
3e28db2362 Improved key generation
In the public comments to the draft version of NIST Special Publication 800-208, ETSI TC CYBER WG QSC identified a multi-target attack against the method of pseudorandom key generation used in this reference implementation. ETSI TC CYBER WG QSC suggested using the pseudorandom key generation method from SPHINCS+; however, there is still a multi-user attack against that key generation method.

This commit revises the pseudorandom key generation method by using the method from SPHINCS+, but adding SEED as an input in order to protect against multi-user attacks. Since prf() only accepts 32-byte inputs, the new key generation method uses a new PRF. The resulting key generation method is sk[i] = prf_keygen(sk_seed, pub_seed || adrs).
2020-04-30 12:43:36 -04:00
Joost Rijneveld
2237b6f4f0
Merge pull request #8 from dcooper16/padding_length
Separate definition of padding length
2020-04-28 09:59:10 +02:00
David Cooper
7793c40c07 Separate definition of padding length
The reference implementation of XMSS currently assumes that n bytes of padding is used for the prefix in the functions prf, hash_message, thash_h, and thash_f. While this is the case for all of the parameter sets in RFC 8391, the draft version of NIST Special Publication 800-208 specifies parameter sets in which the amount of padding is different from n.

This commit allows for the padding length for a parameter set to be specified separately from n.
2020-04-14 15:18:01 -04:00
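The two commits above (revised key generation in 3e28db2362 and the separate padding length in 7793c40c07) describe a construction without showing it. The following is an added example, written for this page and not code from the xmss-reference project: a Python/hashlib model of the tweaked hash with a padding length that is independent of n, and of sk[i] = prf_keygen(sk_seed, pub_seed || adrs) applied to every chain of one WOTS+ key. Everything beyond the commit messages is an assumption made for the example: SHA-256 as the underlying hash, the RFC 8391 domain-separator values 0 to 3 for F, H, H_msg and PRF plus 4 for prf_keygen, the RFC 8391 32-byte ADRS layout, and the sample seeds, which are constructed constants rather than output of a CSPRNG.

```python
# Added example, not xmss-reference's own code. Models the tweaked hashes with a
# separate padding_len and the revised key generation
#     sk[i] = prf_keygen(sk_seed, pub_seed || adrs)
# from the commit messages on this page. Assumed (not stated on the page):
# SHA-256 as the underlying hash, domain separators 0..3 for F/H/H_msg/PRF and
# 4 for prf_keygen, and the RFC 8391 ADRS layout (layer, 64-bit tree, type,
# four 32-bit words).
import hashlib
import struct


def to_byte(x: int, length: int) -> bytes:
    """toByte(x, y) of RFC 8391: x as a big-endian string of y bytes."""
    return x.to_bytes(length, "big")


class TweakedHash:
    """H(toByte(sep, padding_len) || KEY || M), output truncated to n bytes."""

    SEP_F, SEP_H, SEP_HMSG, SEP_PRF, SEP_PRF_KEYGEN = 0, 1, 2, 3, 4

    def __init__(self, n: int, padding_len: int):
        self.n = n
        self.padding_len = padding_len  # no longer assumed to equal n

    def input_len(self, key_len: int, msg_len: int) -> int:
        # Compute the hash input length instead of hard-coding 3n, which is
        # only right when padding_len == n and key and message are n bytes.
        return self.padding_len + key_len + msg_len

    def _core(self, sep: int, key: bytes, msg: bytes) -> bytes:
        data = to_byte(sep, self.padding_len) + key + msg
        assert len(data) == self.input_len(len(key), len(msg))
        return hashlib.sha256(data).digest()[: self.n]

    def prf(self, key: bytes, msg: bytes) -> bytes:
        """PRF: n-byte key, fixed 32-byte input (for example an ADRS)."""
        assert len(key) == self.n and len(msg) == 32
        return self._core(self.SEP_PRF, key, msg)

    def prf_keygen(self, sk_seed: bytes, pub_seed: bytes, adrs: bytes) -> bytes:
        """sk[i] = prf_keygen(sk_seed, pub_seed || adrs). Binding the public
        SEED into every derived secret is what separates users sharing a
        hash function: the same sk_seed under another pub_seed gives
        unrelated chain secrets."""
        assert len(sk_seed) == self.n and len(pub_seed) == self.n
        assert len(adrs) == 32
        return self._core(self.SEP_PRF_KEYGEN, sk_seed, pub_seed + adrs)


def ots_adrs(layer: int, tree: int, keypair: int, chain: int = 0) -> bytes:
    """OTS address: layer | tree (64 bit) | type 0 | OTS addr | chain | hash | keyAndMask."""
    return struct.pack(">IQIIIII", layer, tree, 0, keypair, chain, 0, 0)


def wots_secret_key(th: TweakedHash, sk_seed: bytes, pub_seed: bytes,
                    layer: int, tree: int, keypair: int, wots_len: int) -> list:
    """All chain secrets of one WOTS+ key: one prf_keygen call per chain,
    distinguished only by the chain word of the address."""
    return [th.prf_keygen(sk_seed, pub_seed, ots_adrs(layer, tree, keypair, i))
            for i in range(wots_len)]


# Constructed sample seeds for the example; real code draws them from a CSPRNG.
SK_SEED_32 = bytes(range(32))
PUB_SEED_32 = bytes(range(100, 132))

if __name__ == "__main__":
    th = TweakedHash(n=32, padding_len=32)  # RFC 8391 style: padding == n
    sk = wots_secret_key(th, SK_SEED_32, PUB_SEED_32, 0, 0, 0, wots_len=67)
    print(len(sk), "chain secrets, first:", sk[0].hex())
```

Instantiating `TweakedHash(n=24, padding_len=4)` shows the point of the padding commit: the prf input is then 4 + 24 + 32 = 60 bytes, not 3n = 72, so any code that sizes its buffer as 3n reads or writes past the real input.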
Joost Rijneveld
fb7e3f8edc
Add note on deploying reference code 2019-04-24 17:52:39 +02:00
Joost Rijneveld
49f72fd1a7
Update README to point to RFC 2019-04-15 09:19:45 +02:00
Joost Rijneveld
0d019ddc9f
Change order of SK elements to match RFC
The RFC suggests root||pubseed (in algorithm 10); note that
this choice does not influence interoperability.

Thanks go to Rafael Misoczki for bringing this up.
2018-12-17 16:25:08 +01:00
Joost Rijneveld
bb2d285814
Prevent overrunning stack for large benchmarks 2018-09-11 16:00:05 +02:00
Joost Rijneveld
75a42a86a6
Allow more flexible parameter selection
This also reduces some duplication between XMSS and XMSSMT
2018-09-03 16:53:45 +09:00
Joost Rijneveld
9207b91272
Add benchmarking binary/target 2018-09-03 13:23:55 +09:00
Joost Rijneveld
06281e057d
Merge pull request #4 from jamathews/master
Read OIDs in big-endian byte order in UI
2018-02-16 11:31:08 +01:00
Justin Mathews
2fd9fa9938 Fix OID parsing
Force the OIDs read from input files to be interpreted as big-endian integers.
Leaving them as little-endian results in invalid values in params, eventually
leading to a crash.
2018-02-15 17:45:19 -05:00
Joost Rijneveld
fd49bbbfe0
Fix pointer type codestyle inconsistency 2018-02-05 10:22:17 +01:00
Joost Rijneveld
05dac989c4
Store OID in bigendian notation in pk and sk 2018-01-30 08:42:22 +00:00
Joost Rijneveld
c63291fb8e
Add test to check existence of parameter sets 2018-01-11 10:09:59 +01:00
Joost Rijneveld
f8023bbc2b
Update IANA numeric identifiers to match Draft v12 2018-01-10 23:22:32 +01:00
Joost Rijneveld
b9c65792e5
More explicitly label pk parts in verification 2017-12-06 15:14:50 +01:00
Joost Rijneveld
758a6349fc
Do not expose l_tree function
It's not used outside xmss_commons
2017-12-06 15:13:07 +01:00
Joost Rijneveld
afad4fe13a
Fix typo in comments leaving root out of sk 2017-11-02 17:00:38 +01:00
Joost Rijneveld
42a2e8aa83
Make addr type switching not zero out remainder
This behavior was completely unpredictable from the function name,
in particular when comparing it to other set_*_addr functions.
2017-11-01 16:49:52 +01:00
Joost Rijneveld
51790b9d57
Fix prf when n != 32
It wrongfully assumed that 2n + 32 = 3n
2017-11-01 16:07:06 +01:00
Joost Rijneveld
daa4e2d6db
Rename hash functions to tweaked hashes
Since there's a tweak being introduced, this should be reflected
in the name of the functions.
2017-11-01 15:16:17 +01:00
Joost Rijneveld
fe252b8093
Move ull-byte-conversions to separate utils file 2017-11-01 14:59:33 +01:00
Joost Rijneveld
b9b84b9f9e
Consistently return -1 on failure 2017-11-01 14:33:07 +01:00
Joost Rijneveld
a95aaf0b37
Fix typo in WOTS comments: n-byte messages, not m 2017-11-01 13:35:58 +01:00
Joost Rijneveld
e5fceef2e2
Add TravisCI badge 2017-10-31 17:38:20 +01:00
Joost Rijneveld
0ad434698c
Add TravisCI configuration 2017-10-31 17:32:05 +01:00
Joost Rijneveld
b78d0756d0
Make return code of test/xmss meaningful 2017-10-31 17:24:06 +01:00
Joost Rijneveld
a234427390
Explicitly parse XMSS_VARIANT to get OID for tests 2017-10-31 17:23:37 +01:00
Joost Rijneveld
c248911178
Optionally specify number of test sigs in Makefile
This is relevant because of the enormous difference in signing
speed between the regular and BDS-traversal-based xmss core.
2017-10-31 17:23:28 +01:00
Joost Rijneveld
1cba1e7be8
Make core_fast use the secret key for the state
This ensures that xmss_core and xmss_core_fast offer the same API.
Note that xmss_core_fast still needs a major refactor, and this
wrapper is not exactly very clean. There is a considerable chance
this refactor will change the format of the state in the secret key.
2017-10-31 17:21:29 +01:00
Joost Rijneveld
2e96b03106
Clean up and simplify hash function definitions 2017-10-31 17:21:29 +01:00
Joost Rijneveld
384b228c58
Support messages that exceed the stack size
Previous code allocated an array on the stack of mlen bytes, but
it should be possible to also sign heap-space messages. By relying
on the fact that sm and m fit the message + signature, we move
the message so that 4*n bytes of prefix can be added.
2017-10-31 17:21:27 +01:00
Joost Rijneveld
f5d53b252e
Fix failing verification test formatting 2017-10-30 16:36:08 +01:00
Joost Rijneveld
df9fe909fc
Compute sk size after defining BDS k parameter 2017-10-30 13:11:22 +01:00
Joost Rijneveld
ac55d2ccf2
Make XMSSMT WOTS memory usage more accurate 2017-10-30 12:31:33 +01:00