You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

151 rivejä
3.6 KiB

  1. /*
  2. wots.c version 20160722
  3. Andreas Hülsing
  4. Joost Rijneveld
  5. Public domain.
  6. */
  7. #include "math.h"
  8. #include "stdio.h"
  9. #include "stdint.h"
  10. #include "xmss_commons.h"
  11. #include "hash.h"
  12. #include "wots.h"
  13. #include "hash_address.h"
  14. #include "params.h"
  15. /**
  16. * Helper method for pseudorandom key generation
  17. * Expands an n-byte array into a len*n byte array
  18. * this is done using PRF
  19. */
  20. static void expand_seed(unsigned char *outseeds, const unsigned char *inseed)
  21. {
  22. uint32_t i = 0;
  23. unsigned char ctr[32];
  24. for(i = 0; i < XMSS_WOTS_LEN; i++){
  25. to_byte(ctr, i, 32);
  26. prf(outseeds + i*XMSS_N, ctr, inseed, XMSS_N);
  27. }
  28. }
  29. /**
  30. * Computes the chaining function.
  31. * out and in have to be n-byte arrays
  32. *
  33. * interpretes in as start-th value of the chain
  34. * addr has to contain the address of the chain
  35. */
  36. static void gen_chain(unsigned char *out, const unsigned char *in, unsigned int start, unsigned int steps, const unsigned char *pub_seed, uint32_t addr[8])
  37. {
  38. uint32_t i, j;
  39. for (j = 0; j < XMSS_N; j++)
  40. out[j] = in[j];
  41. for (i = start; i < (start+steps) && i < XMSS_WOTS_W; i++) {
  42. setHashADRS(addr, i);
  43. hash_f(out, out, pub_seed, addr);
  44. }
  45. }
  46. /**
  47. * base_w algorithm as described in draft.
  48. *
  49. *
  50. */
  51. static void base_w(int *output, const int out_len, const unsigned char *input)
  52. {
  53. int in = 0;
  54. int out = 0;
  55. uint32_t total = 0;
  56. int bits = 0;
  57. int consumed = 0;
  58. for (consumed = 0; consumed < out_len; consumed++) {
  59. if (bits == 0) {
  60. total = input[in];
  61. in++;
  62. bits += 8;
  63. }
  64. bits -= XMSS_WOTS_LOG_W;
  65. output[out] = (total >> bits) & (XMSS_WOTS_W - 1);
  66. out++;
  67. }
  68. }
  69. void wots_pkgen(unsigned char *pk, const unsigned char *sk, const unsigned char *pub_seed, uint32_t addr[8])
  70. {
  71. uint32_t i;
  72. expand_seed(pk, sk);
  73. for (i=0; i < XMSS_WOTS_LEN; i++) {
  74. setChainADRS(addr, i);
  75. gen_chain(pk+i*XMSS_N, pk+i*XMSS_N, 0, XMSS_WOTS_W-1, pub_seed, addr);
  76. }
  77. }
  78. void wots_sign(unsigned char *sig, const unsigned char *msg, const unsigned char *sk, const unsigned char *pub_seed, uint32_t addr[8])
  79. {
  80. int basew[XMSS_WOTS_LEN];
  81. int csum = 0;
  82. uint32_t i = 0;
  83. base_w(basew, XMSS_WOTS_LEN1, msg);
  84. for (i=0; i < XMSS_WOTS_LEN1; i++) {
  85. csum += XMSS_WOTS_W - 1 - basew[i];
  86. }
  87. csum = csum << (8 - ((XMSS_WOTS_LEN2 * XMSS_WOTS_LOG_W) % 8));
  88. int len_2_bytes = ((XMSS_WOTS_LEN2 * XMSS_WOTS_LOG_W) + 7) / 8;
  89. unsigned char csum_bytes[len_2_bytes];
  90. to_byte(csum_bytes, csum, len_2_bytes);
  91. int csum_basew[len_2_bytes / XMSS_WOTS_LOG_W];
  92. base_w(csum_basew, XMSS_WOTS_LEN2, csum_bytes);
  93. for (i = 0; i < XMSS_WOTS_LEN2; i++) {
  94. basew[XMSS_WOTS_LEN1 + i] = csum_basew[i];
  95. }
  96. expand_seed(sig, sk);
  97. for (i = 0; i < XMSS_WOTS_LEN; i++) {
  98. setChainADRS(addr, i);
  99. gen_chain(sig+i*XMSS_N, sig+i*XMSS_N, 0, basew[i], pub_seed, addr);
  100. }
  101. }
  102. void wots_pkFromSig(unsigned char *pk, const unsigned char *sig, const unsigned char *msg, const unsigned char *pub_seed, uint32_t addr[8])
  103. {
  104. int basew[XMSS_WOTS_LEN];
  105. int csum = 0;
  106. uint32_t i = 0;
  107. base_w(basew, XMSS_WOTS_LEN1, msg);
  108. for (i=0; i < XMSS_WOTS_LEN1; i++) {
  109. csum += XMSS_WOTS_W - 1 - basew[i];
  110. }
  111. csum = csum << (8 - ((XMSS_WOTS_LEN2 * XMSS_WOTS_LOG_W) % 8));
  112. int len_2_bytes = ((XMSS_WOTS_LEN2 * XMSS_WOTS_LOG_W) + 7) / 8;
  113. unsigned char csum_bytes[len_2_bytes];
  114. to_byte(csum_bytes, csum, len_2_bytes);
  115. int csum_basew[len_2_bytes / XMSS_WOTS_LOG_W];
  116. base_w(csum_basew, XMSS_WOTS_LEN2, csum_bytes);
  117. for (i = 0; i < XMSS_WOTS_LEN2; i++) {
  118. basew[XMSS_WOTS_LEN1 + i] = csum_basew[i];
  119. }
  120. for (i=0; i < XMSS_WOTS_LEN; i++) {
  121. setChainADRS(addr, i);
  122. gen_chain(pk+i*XMSS_N, sig+i*XMSS_N, basew[i], XMSS_WOTS_W-1-basew[i], pub_seed, addr);
  123. }
  124. }