kris
/
xmss-KAT-generator
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
125 Commits
1 Branch
488 KiB
 
 
Tree: 2237b6f4f0
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '2237b6f4f0'
${ noResults }
xmss-KAT-generator/xmss_commons.c

237 lines
8.0 KiB
Raw Blame History 

  1. #include <stdlib.h>

  2. #include <string.h>

  3. #include <stdint.h>

  4. 

  5. #include "hash.h"

  6. #include "hash_address.h"

  7. #include "params.h"

  8. #include "wots.h"

  9. #include "utils.h"

  10. #include "xmss_commons.h"

  11. 

  12. /**

  13.  * Computes a leaf node from a WOTS public key using an L-tree.

  14.  * Note that this destroys the used WOTS public key.

  15.  */

  16. static void l_tree(const xmss_params *params,

  17.                    unsigned char *leaf, unsigned char *wots_pk,

  18.                    const unsigned char *pub_seed, uint32_t addr[8])

  19. {

  20.     unsigned int l = params->wots_len;

  21.     unsigned int parent_nodes;

  22.     uint32_t i;

  23.     uint32_t height = 0;

  24. 

  25.     set_tree_height(addr, height);

  26. 

  27.     while (l > 1) {

  28.         parent_nodes = l >> 1;

  29.         for (i = 0; i < parent_nodes; i++) {

  30.             set_tree_index(addr, i);

  31.             /* Hashes the nodes at (i*2)*params->n and (i*2)*params->n + 1 */

  32.             thash_h(params, wots_pk + i*params->n,

  33.                            wots_pk + (i*2)*params->n, pub_seed, addr);

  34.         }

  35.         /* If the row contained an odd number of nodes, the last node was not

  36.            hashed. Instead, we pull it up to the next layer. */

  37.         if (l & 1) {

  38.             memcpy(wots_pk + (l >> 1)*params->n,

  39.                    wots_pk + (l - 1)*params->n, params->n);

  40.             l = (l >> 1) + 1;

  41.         }

  42.         else {

  43.             l = l >> 1;

  44.         }

  45.         height++;

  46.         set_tree_height(addr, height);

  47.     }

  48.     memcpy(leaf, wots_pk, params->n);

  49. }

  50. 

  51. /**

  52.  * Computes a root node given a leaf and an auth path

  53.  */

  54. static void compute_root(const xmss_params *params, unsigned char *root,

  55.                          const unsigned char *leaf, unsigned long leafidx,

  56.                          const unsigned char *auth_path,

  57.                          const unsigned char *pub_seed, uint32_t addr[8])

  58. {

  59.     uint32_t i;

  60.     unsigned char buffer[2*params->n];

  61. 

  62.     /* If leafidx is odd (last bit = 1), current path element is a right child

  63.        and auth_path has to go left. Otherwise it is the other way around. */

  64.     if (leafidx & 1) {

  65.         memcpy(buffer + params->n, leaf, params->n);

  66.         memcpy(buffer, auth_path, params->n);

  67.     }

  68.     else {

  69.         memcpy(buffer, leaf, params->n);

  70.         memcpy(buffer + params->n, auth_path, params->n);

  71.     }

  72.     auth_path += params->n;

  73. 

  74.     for (i = 0; i < params->tree_height - 1; i++) {

  75.         set_tree_height(addr, i);

  76.         leafidx >>= 1;

  77.         set_tree_index(addr, leafidx);

  78. 

  79.         /* Pick the right or left neighbor, depending on parity of the node. */

  80.         if (leafidx & 1) {

  81.             thash_h(params, buffer + params->n, buffer, pub_seed, addr);

  82.             memcpy(buffer, auth_path, params->n);

  83.         }

  84.         else {

  85.             thash_h(params, buffer, buffer, pub_seed, addr);

  86.             memcpy(buffer + params->n, auth_path, params->n);

  87.         }

  88.         auth_path += params->n;

  89.     }

  90. 

  91.     /* The last iteration is exceptional; we do not copy an auth_path node. */

  92.     set_tree_height(addr, params->tree_height - 1);

  93.     leafidx >>= 1;

  94.     set_tree_index(addr, leafidx);

  95.     thash_h(params, root, buffer, pub_seed, addr);

  96. }

  97. 

  98. 

  99. /**

  100.  * Computes the leaf at a given address. First generates the WOTS key pair,

  101.  * then computes leaf using l_tree. As this happens position independent, we

  102.  * only require that addr encodes the right ltree-address.

  103.  */

  104. void gen_leaf_wots(const xmss_params *params, unsigned char *leaf,

  105.                    const unsigned char *sk_seed, const unsigned char *pub_seed,

  106.                    uint32_t ltree_addr[8], uint32_t ots_addr[8])

  107. {

  108.     unsigned char seed[params->n];

  109.     unsigned char pk[params->wots_sig_bytes];

  110. 

  111.     get_seed(params, seed, sk_seed, ots_addr);

  112.     wots_pkgen(params, pk, seed, pub_seed, ots_addr);

  113. 

  114.     l_tree(params, leaf, pk, pub_seed, ltree_addr);

  115. }

  116. 

  117. /**

  118.  * Used for pseudo-random key generation.

  119.  * Generates the seed for the WOTS key pair at address 'addr'.

  120.  *

  121.  * Takes n-byte sk_seed and returns n-byte seed using 32 byte address 'addr'.

  122.  */

  123. void get_seed(const xmss_params *params, unsigned char *seed,

  124.               const unsigned char *sk_seed, uint32_t addr[8])

  125. {

  126.     unsigned char bytes[32];

  127. 

  128.     /* Make sure that chain addr, hash addr, and key bit are zeroed. */

  129.     set_chain_addr(addr, 0);

  130.     set_hash_addr(addr, 0);

  131.     set_key_and_mask(addr, 0);

  132. 

  133.     /* Generate seed. */

  134.     addr_to_bytes(bytes, addr);

  135.     prf(params, seed, bytes, sk_seed);

  136. }

  137. 

  138. /**

  139.  * Verifies a given message signature pair under a given public key.

  140.  * Note that this assumes a pk without an OID, i.e. [root || PUB_SEED]

  141.  */

  142. int xmss_core_sign_open(const xmss_params *params,

  143.                         unsigned char *m, unsigned long long *mlen,

  144.                         const unsigned char *sm, unsigned long long smlen,

  145.                         const unsigned char *pk)

  146. {

  147.     /* XMSS signatures are fundamentally an instance of XMSSMT signatures.

  148.        For d=1, as is the case with XMSS, some of the calls in the XMSSMT

  149.        routine become vacuous (i.e. the loop only iterates once, and address

  150.        management can be simplified a bit).*/

  151.     return xmssmt_core_sign_open(params, m, mlen, sm, smlen, pk);

  152. }

  153. 

  154. /**

  155.  * Verifies a given message signature pair under a given public key.

  156.  * Note that this assumes a pk without an OID, i.e. [root || PUB_SEED]

  157.  */

  158. int xmssmt_core_sign_open(const xmss_params *params,

  159.                           unsigned char *m, unsigned long long *mlen,

  160.                           const unsigned char *sm, unsigned long long smlen,

  161.                           const unsigned char *pk)

  162. {

  163.     const unsigned char *pub_root = pk;

  164.     const unsigned char *pub_seed = pk + params->n;

  165.     unsigned char wots_pk[params->wots_sig_bytes];

  166.     unsigned char leaf[params->n];

  167.     unsigned char root[params->n];

  168.     unsigned char *mhash = root;

  169.     unsigned long long idx = 0;

  170.     unsigned int i;

  171.     uint32_t idx_leaf;

  172. 

  173.     uint32_t ots_addr[8] = {0};

  174.     uint32_t ltree_addr[8] = {0};

  175.     uint32_t node_addr[8] = {0};

  176. 

  177.     set_type(ots_addr, XMSS_ADDR_TYPE_OTS);

  178.     set_type(ltree_addr, XMSS_ADDR_TYPE_LTREE);

  179.     set_type(node_addr, XMSS_ADDR_TYPE_HASHTREE);

  180. 

  181.     *mlen = smlen - params->sig_bytes;

  182. 

  183.     /* Convert the index bytes from the signature to an integer. */

  184.     idx = bytes_to_ull(sm, params->index_bytes);

  185. 

  186.     /* Put the message all the way at the end of the m buffer, so that we can

  187.      * prepend the required other inputs for the hash function. */

  188.     memcpy(m + params->sig_bytes, sm + params->sig_bytes, *mlen);

  189. 

  190.     /* Compute the message hash. */

  191.     hash_message(params, mhash, sm + params->index_bytes, pk, idx,

  192.                  m + params->sig_bytes - 4*params->n, *mlen);

  193.     sm += params->index_bytes + params->n;

  194. 

  195.     /* For each subtree.. */

  196.     for (i = 0; i < params->d; i++) {

  197.         idx_leaf = (idx & ((1 << params->tree_height)-1));

  198.         idx = idx >> params->tree_height;

  199. 

  200.         set_layer_addr(ots_addr, i);

  201.         set_layer_addr(ltree_addr, i);

  202.         set_layer_addr(node_addr, i);

  203. 

  204.         set_tree_addr(ltree_addr, idx);

  205.         set_tree_addr(ots_addr, idx);

  206.         set_tree_addr(node_addr, idx);

  207. 

  208.         /* The WOTS public key is only correct if the signature was correct. */

  209.         set_ots_addr(ots_addr, idx_leaf);

  210.         /* Initially, root = mhash, but on subsequent iterations it is the root

  211.            of the subtree below the currently processed subtree. */

  212.         wots_pk_from_sig(params, wots_pk, sm, root, pub_seed, ots_addr);

  213.         sm += params->wots_sig_bytes;

  214. 

  215.         /* Compute the leaf node using the WOTS public key. */

  216.         set_ltree_addr(ltree_addr, idx_leaf);

  217.         l_tree(params, leaf, wots_pk, pub_seed, ltree_addr);

  218. 

  219.         /* Compute the root node of this subtree. */

  220.         compute_root(params, root, leaf, idx_leaf, sm, pub_seed, node_addr);

  221.         sm += params->tree_height*params->n;

  222.     }

  223. 

  224.     /* Check if the root node equals the root node in the public key. */

  225.     if (memcmp(root, pub_root, params->n)) {

  226.         /* If not, zero the message */

  227.         memset(m, 0, *mlen);

  228.         *mlen = 0;

  229.         return -1;

  230.     }

  231. 

  232.     /* If verification was successful, copy the message from the signature. */

  233.     memcpy(m, sm, *mlen);

  234. 

  235.     return 0;

  236. }