Commit graph

31 commits

Author SHA1 Message Date
Joost Rijneveld
4ae726a82b
Fix prefix space for hash_message wrt padding_len
Padding_len was introduced in 7793c40c07,
but not fixed in the calls to hash_message.

Resolves #12
2020-05-25 20:39:11 +02:00
David Cooper
3dabea248f Add NIST Special Publication 800-208 parameter sets
This commit adds support for the parameter sets in the draft version of NIST SP 800-208.
2020-05-18 08:16:02 -04:00
David Cooper
3e28db2362 Improved key generation
In the public comments to the draft version of NIST Special Publication 800-208, ETSI TC CYBER WG QSC identified a multi-target attack against the method of pseudorandom key generation used in this reference implementation. ETSI TC CYBER WG QSC suggested using the pseudorandom key generation method from SPHINCS+; however, there is still a multi-user attack against that key generation method.

This commit revises the pseudorandom key generation method by using the method from SPHINCS+, but adding SEED as an input in order to protect against multi-user attacks. Since prf() only accepts 32-byte inputs, the new key generation method uses a new PRF. The resulting key generation method is sk[i] = prf_keygen(sk_seed, pub_seed || adrs).
2020-04-30 12:43:36 -04:00
David Cooper
7793c40c07 Separate definition of padding length
The reference implementation of XMSS currently assumes that n bytes of padding is used for the prefix in the functions prf, hash_message, thash_h, and thash_f. While this is the case for all of the parameter sets in RFC 8391, the draft version of NIST Special Publication 800-208 specifies parameter sets in which the amount of padding is different than n.

This commit allows for the padding length for a parameter set to be specified separately from n.
2020-04-14 15:18:01 -04:00
Joost Rijneveld
51790b9d57
Fix prf when n != 32
It wrongfully assumed that 2n + 32 = 3n
2017-11-01 16:07:06 +01:00
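The four commits above (4ae726a82b, 3e28db2362, 7793c40c07 and 51790b9d57) all touch the same layer: the fixed-length prefix that the XMSS tweaked hashes put in front of KEY || M. The Python below is an added example written for this page, not the repository's hash.c, and it models that layer so the length arithmetic the commits correct can be checked directly: the PRF input is padding_len + n + 32 bytes (which only equals 3n when n = 32), the H_msg prefix is padding_len + 3n bytes (not 4n once padding_len is separated from n), and the keygen PRF binds pub_seed into each secret key element. The domain-separation values 0..3 are the ones RFC 8391 assigns to F, H, H_msg and PRF; the value 4 for the keygen PRF, the n = 24 parameter set with a 4-byte padding prefix (modelled on the SP 800-208 SHA-256/192 sets) and SHA-256 truncated to n bytes are this example's assumptions.

```python
import hashlib

# Domain-separation values for the tweaked hash prefixes. 0..3 follow RFC 8391
# section 5.1 (F, H, H_msg, PRF); 4 for the keygen PRF is this example's assumption.
PAD_F, PAD_H, PAD_HASH, PAD_PRF, PAD_PRF_KEYGEN = 0, 1, 2, 3, 4
ADDR_LEN = 32  # an XMSS hash address (ADRS) is always 32 bytes


def to_byte(x: int, length: int) -> bytes:
    """RFC 8391 toByte(x, y): x as a big-endian integer on y bytes."""
    return x.to_bytes(length, "big")


class Params:
    """Hash-level parameters: n is the digest length, padding_len the prefix length."""

    def __init__(self, n: int, padding_len: int):
        self.n = n
        self.padding_len = padding_len  # kept separate from n (cf. 7793c40c07)


# Constructed parameter sets: an RFC 8391 style n = 32 set with n-byte padding and an
# SP 800-208 style SHA-256/192 set with n = 24 and a 4-byte padding prefix (assumption).
XMSS_SHA2_256 = Params(n=32, padding_len=32)
XMSS_SHA2_192 = Params(n=24, padding_len=4)


def core_hash(p: Params, data: bytes) -> bytes:
    """SHA-256 truncated to n bytes (plain SHA-256 when n == 32)."""
    return hashlib.sha256(data).digest()[: p.n]


def tweaked_hash(p: Params, pad_value: int, key: bytes, msg: bytes) -> bytes:
    """The prefix || KEY || M construction shared by all tweaked hashes."""
    return core_hash(p, to_byte(pad_value, p.padding_len) + key + msg)


def prf_input_len(p: Params) -> int:
    """Length of the PRF input: padding || n-byte key || 32-byte address."""
    return p.padding_len + p.n + ADDR_LEN


def prf(p: Params, key: bytes, addr: bytes) -> bytes:
    """PRF(KEY, ADRS) with an n-byte key and a 32-byte address."""
    if len(key) != p.n or len(addr) != ADDR_LEN:
        raise ValueError("PRF expects an n-byte key and a 32-byte address")
    data = to_byte(PAD_PRF, p.padding_len) + key + addr
    assert len(data) == prf_input_len(p)  # 2n + 32 only equals 3n for n == 32
    return core_hash(p, data)


def prf_keygen(p: Params, sk_seed: bytes, pub_seed: bytes, addr: bytes) -> bytes:
    """sk[i] = PRF_keygen(sk_seed, pub_seed || adrs).

    Binding pub_seed into the derivation separates the secret key elements of
    different key pairs that share a WOTS address (the multi-user issue in 3e28db2362).
    """
    if len(sk_seed) != p.n or len(pub_seed) != p.n or len(addr) != ADDR_LEN:
        raise ValueError("PRF_keygen expects n-byte seeds and a 32-byte address")
    return tweaked_hash(p, PAD_PRF_KEYGEN, sk_seed, pub_seed + addr)


def set_key_and_mask(addr: bytes, value: int) -> bytes:
    """Set the keyAndMask word (the last 4 bytes) of a 32-byte address."""
    return addr[:28] + to_byte(value, 4)


def thash_f(p: Params, pub_seed: bytes, addr: bytes, m: bytes) -> bytes:
    """RFC 8391 F: key and bitmask are derived from pub_seed with PRF, then F(KEY, M xor BM)."""
    key = prf(p, pub_seed, set_key_and_mask(addr, 0))
    bitmask = prf(p, pub_seed, set_key_and_mask(addr, 1))
    masked = bytes(a ^ b for a, b in zip(m, bitmask))
    return tweaked_hash(p, PAD_F, key, masked)


def hash_message_prefix_len(p: Params) -> int:
    """Bytes placed in front of the message by H_msg: padding || r || root || idx."""
    return p.padding_len + 3 * p.n


def hash_message(p: Params, r: bytes, root: bytes, idx: int, message: bytes) -> bytes:
    """H_msg(r || root || toByte(idx, n), M); the prefix is padding_len + 3n bytes, not 4n."""
    prefix = to_byte(PAD_HASH, p.padding_len) + r + root + to_byte(idx, p.n)
    assert len(prefix) == hash_message_prefix_len(p)
    return core_hash(p, prefix + message)
```

The two length helpers are the check a reviewer of these commits wants: for the n = 32 set both the old and the new arithmetic agree (96 and 128 bytes), while for n = 24 with a 4-byte prefix the PRF input is 60 bytes and the H_msg prefix 76 bytes, so any caller that still reserves 3n or 4n bytes hashes the wrong data. The pub_seed argument to prf_keygen is what makes two key pairs with the same sk_seed-independent address derive unrelated secret key elements.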
Joost Rijneveld
daa4e2d6db
Rename hash functions to tweaked hashes
Since there's a tweak being introduced, this should be reflected
in the name of the functions.
2017-11-01 15:16:17 +01:00
Joost Rijneveld
fe252b8093
Move ull-byte-conversions to separate utils file 2017-11-01 14:59:33 +01:00
Joost Rijneveld
b9b84b9f9e
Consistently return -1 on failure 2017-11-01 14:33:07 +01:00
Joost Rijneveld
2e96b03106
Clean up and simplify hash function definitions 2017-10-31 17:21:29 +01:00
Joost Rijneveld
384b228c58
Support messages that exceed the stack size
Previous code allocated an array on the stack of mlen bytes, but
it should be possible to also sign heap-space messages. By relying
on the fact that sm and m fit the message + signature, we move
the message so that 4*n bytes of prefix can be added.
2017-10-31 17:21:27 +01:00
Joost Rijneveld
270e6cd753
Reorder ull_to_bytes parameters to group output 2017-10-23 16:19:16 +02:00
Joost Rijneveld
305bd614bb
Perform various reformatting / renaming 2017-10-23 14:10:39 +02:00
Joost Rijneveld
138a380a26
Remove unnecessary endianness difference
The current code results in the same output regardless of endianness.
Verified using a QEMU VM to emulate MIPS.
2017-10-19 18:11:52 +02:00
Joost Rijneveld
f3bad4a272
Simplify licensing using LICENSE file 2017-10-19 17:38:34 +02:00
Joost Rijneveld
6a8571d880
Revert to using runtime-only parameter struct
Using global defines for parameters (as seems to be typical in
academic crypto code) does not play nice with multithreading at all.
2017-10-16 12:09:07 +02:00
Joost Rijneveld
9d5884e120
Refactor for more consistent style and readability 2017-08-03 17:39:37 +02:00
Joost Rijneveld
1e041f25d5
Simplify hash family parameter definition 2017-08-01 16:18:09 +02:00
Joost Rijneveld
8befb0d550
Add SHAKE128 and SHAKE256
This also performs numerous consistency fixes
2017-06-02 17:29:14 +02:00
Andreas
9f512fa8dc v06 2016-09-22 16:31:41 +02:00
Andreas
ddddfd9739 handle that most machines are little endian but addresses here are big endian... 2016-07-12 16:19:42 +02:00
Andreas
2c290d39be upgraded to draft-06 2016-07-11 11:15:16 +02:00
Andreas
c37b9dcfca SWITCH from v01 to v03
Versions are incompatible due to different address formats and differing message compression!
2016-02-16 16:31:18 +01:00
Andreas
59a4846fbd changed version date
Merge branch 'master' of bitbucket.org:ahuelsing/xmss_ref
2016-02-10 16:00:07 +01:00
Andreas
622a9513b1 local changes 2016-02-10 15:57:16 +01:00
Joost Rijneveld
1e503b665e Make codestyle more consistent, fix -Wextra warns 2016-02-02 14:11:23 +01:00
Joost Rijneveld
17c5b2842f Make address masks more explicit and strict 2016-01-27 10:18:31 +01:00
Andreas
077e57f60e fixed bug in address for WOTS Key 2015-11-09 13:36:06 +01:00
Andreas
9d9b782ff9 added support for n = m = 64 2015-10-28 15:49:46 +01:00
Andreas
136f10dae0 Added support for n=m=64 2015-08-12 17:59:29 +02:00
Andreas
d80a463e53 added copyright notes for publishing. Removed unused file. 2015-08-11 12:23:30 +02:00
Andreas
1826fb26ff Initial commit 2015-08-11 12:08:27 +02:00