Graphe des révisions

19 Révisions

Auteur SHA1 Message Date
David Cooper
3e28db2362 Improved key generation
In the public comments to draft version of NIST Special Publication 800-208, ETSI TC CYBER WG QSC identified a multi-target attack against the method of pseudorandom key generation used in this referrence implementation. ETSI TC CYBER WG QSC suggested using the pseudorandom key generation method from SPHINCS+, however, there is still a multi-user attack against that key generation method.

This commit revises the pseudorandom key generation method by using the method from SPINCS+, but adding SEED as an input in order to protect against multi-user attacks. Since prf() only accepts 32-byte inputs, the new key generation method uses a new PRF. The resulting key generation method is sk[i] = prf_keygen(sk_seed, pub_seed || adrs).
2020-04-30 12:43:36 -04:00
Joost Rijneveld
daa4e2d6db
Rename hash functions to tweaked hashes
Since there's a tweak being introduced, this should be reflected
in the name of the functions.
2017-11-01 15:16:17 +01:00
Joost Rijneveld
2e96b03106
Clean up and simplify hash function definitions 2017-10-31 17:21:29 +01:00
Joost Rijneveld
384b228c58
Support messages that exceed the stack size
Previous code allocated an array on the stack of mlen bytes, but
it should be possible to also sign heap-space messages. By relying
on the fact that sm and m fit the message + signature, we move
the message so that 4*n bytes of prefix can be added.
2017-10-31 17:21:27 +01:00
Joost Rijneveld
305bd614bb
Perform various reformatting / renaming 2017-10-23 14:10:39 +02:00
Joost Rijneveld
138a380a26
Remove unnecessary endianness difference
The current code results in the same output regardless of endianness.
Verified using a QEMU VM to emulate MIPS.
2017-10-19 18:11:52 +02:00
Joost Rijneveld
f3bad4a272
Simplify licensing using LICENSE file 2017-10-19 17:38:34 +02:00
Joost Rijneveld
dce1a1acda
Clean up includes 2017-10-19 17:38:26 +02:00
Joost Rijneveld
2c976d5268
Unify header guards
By prefixing with XMSS_, we hopefully prevent conflicts
2017-10-19 16:04:42 +02:00
Joost Rijneveld
6a8571d880
Revert to using runtime-only parameter struct
Using global defines for parameters (as seems to be typical in
academic crypto code) does not play nice with multithreading at all.
2017-10-16 12:09:07 +02:00
Joost Rijneveld
9d5884e120
Refactor for more consistent style and readability 2017-08-03 17:39:37 +02:00
Joost Rijneveld
8befb0d550
Add SHAKE128 and SHAKE256
This also performs numerous consistency fixes
2017-06-02 17:29:14 +02:00
Andreas
9f512fa8dc v06 2016-09-22 16:31:41 +02:00
Andreas
ddddfd9739 handle that most machines are little endian but addresses here are big endian... 2016-07-12 16:19:42 +02:00
Andreas
2c290d39be upgraded to draft-06 2016-07-11 11:15:16 +02:00
Andreas
c37b9dcfca SWITCH from v01 to v03
Versions are incompatible due to different address formats and differing message compression!
2016-02-16 16:31:18 +01:00
Andreas
622a9513b1 local changes 2016-02-10 15:57:16 +01:00
Andreas
d80a463e53 added copyright notes for publishing. Removed unused file. 2015-08-11 12:23:30 +02:00
Andreas
1826fb26ff Initial commit 2015-08-11 12:08:27 +02:00