kris
/
xmss-KAT-generator
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
81 Commits
1 Branch
488 KiB
 
 
Tree: 4111393912
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '4111393912'
${ noResults }
xmss-KAT-generator/xmss_commons.c

323 lines
10 KiB
Raw Blame History 

  1. #include <stdlib.h>

  2. #include <string.h>

  3. #include <stdint.h>

  4. 

  5. #include "hash.h"

  6. #include "hash_address.h"

  7. #include "params.h"

  8. #include "wots.h"

  9. #include "xmss_commons.h"

  10. 

  11. /**

  12.  * Converts the value of 'in' to 'outlen' bytes in big-endian byte order.

  13.  */

  14. void ull_to_bytes(unsigned char *out, unsigned int outlen,

  15.                   unsigned long long in)

  16. {

  17.     int i;

  18. 

  19.     /* Iterate over out in decreasing order, for big-endianness. */

  20.     for (i = outlen - 1; i >= 0; i--) {

  21.         out[i] = in & 0xff;

  22.         in = in >> 8;

  23.     }

  24. }

  25. 

  26. /**

  27.  * Converts the inlen bytes in 'in' from big-endian byte order to an integer.

  28.  */

  29. unsigned long long bytes_to_ull(const unsigned char *in, unsigned int inlen)

  30. {

  31.     unsigned long long retval = 0;

  32.     unsigned int i;

  33. 

  34.     for (i = 0; i < inlen; i++) {

  35.         retval |= ((unsigned long long)in[i]) << (8*(inlen - 1 - i));

  36.     }

  37.     return retval;

  38. }

  39. 

  40. /**

  41.  * Computes the leaf at a given address. First generates the WOTS key pair,

  42.  * then computes leaf using l_tree. As this happens position independent, we

  43.  * only require that addr encodes the right ltree-address.

  44.  */

  45. void gen_leaf_wots(const xmss_params *params, unsigned char *leaf,

  46.                    const unsigned char *sk_seed, const unsigned char *pub_seed,

  47.                    uint32_t ltree_addr[8], uint32_t ots_addr[8])

  48. {

  49.     unsigned char seed[params->n];

  50.     unsigned char pk[params->wots_keysize];

  51. 

  52.     get_seed(params, seed, sk_seed, ots_addr);

  53.     wots_pkgen(params, pk, seed, pub_seed, ots_addr);

  54. 

  55.     l_tree(params, leaf, pk, pub_seed, ltree_addr);

  56. }

  57. 

  58. /**

  59.  * Used for pseudo-random key generation.

  60.  * Generates the seed for the WOTS key pair at address 'addr'.

  61.  *

  62.  * Takes n-byte sk_seed and returns n-byte seed using 32 byte address 'addr'.

  63.  */

  64. void get_seed(const xmss_params *params, unsigned char *seed,

  65.               const unsigned char *sk_seed, uint32_t addr[8])

  66. {

  67.     unsigned char bytes[32];

  68. 

  69.     /* Make sure that chain addr, hash addr, and key bit are zeroed. */

  70.     set_chain_addr(addr, 0);

  71.     set_hash_addr(addr, 0);

  72.     set_key_and_mask(addr, 0);

  73. 

  74.     /* Generate seed. */

  75.     addr_to_bytes(bytes, addr);

  76.     prf(params, seed, bytes, sk_seed, params->n);

  77. }

  78. 

  79. /**

  80.  * Computes a leaf node from a WOTS public key using an L-tree.

  81.  * Note that this destroys the used WOTS public key.

  82.  */

  83. void l_tree(const xmss_params *params,

  84.             unsigned char *leaf, unsigned char *wots_pk,

  85.             const unsigned char *pub_seed, uint32_t addr[8])

  86. {

  87.     unsigned int l = params->wots_len;

  88.     unsigned int parent_nodes;

  89.     uint32_t i;

  90.     uint32_t height = 0;

  91. 

  92.     set_tree_height(addr, height);

  93. 

  94.     while (l > 1) {

  95.         parent_nodes = l >> 1;

  96.         for (i = 0; i < parent_nodes; i++) {

  97.             set_tree_index(addr, i);

  98.             /* Hashes the nodes at (i*2)*params->n and (i*2)*params->n + 1 */

  99.             hash_h(params, wots_pk + i*params->n,

  100.                            wots_pk + (i*2)*params->n, pub_seed, addr);

  101.         }

  102.         /* If the row contained an odd number of nodes, the last node was not

  103.            hashed. Instead, we pull it up to the next layer. */

  104.         if (l & 1) {

  105.             memcpy(wots_pk + (l >> 1)*params->n,

  106.                    wots_pk + (l - 1)*params->n, params->n);

  107.             l = (l >> 1) + 1;

  108.         }

  109.         else {

  110.             l = l >> 1;

  111.         }

  112.         height++;

  113.         set_tree_height(addr, height);

  114.     }

  115.     memcpy(leaf, wots_pk, params->n);

  116. }

  117. 

  118. /**

  119.  * Computes the randomized message hash.

  120.  */

  121. void hash_message(const xmss_params *params, unsigned char *mhash,

  122.                   const unsigned char *R, const unsigned char *root,

  123.                   unsigned long long idx,

  124.                   const unsigned char *m, unsigned long long mlen)

  125. {

  126.     unsigned char hash_key[3*params->n];

  127. 

  128.     /* Compute hash key. */

  129.     memcpy(hash_key, R, params->n);

  130.     memcpy(hash_key + params->n, root, params->n);

  131.     ull_to_bytes(hash_key + 2*params->n, params->n, idx);

  132. 

  133.     /* Hash the message using the randomized hash key. */

  134.     h_msg(params, mhash, m, mlen, hash_key, 3*params->n);

  135. }

  136. 

  137. /**

  138.  * Computes a root node given a leaf and an auth path

  139.  */

  140. static void compute_root(const xmss_params *params, unsigned char *root,

  141.                          const unsigned char *leaf, unsigned long leafidx,

  142.                          const unsigned char *auth_path,

  143.                          const unsigned char *pub_seed, uint32_t addr[8])

  144. {

  145.     uint32_t i;

  146.     unsigned char buffer[2*params->n];

  147. 

  148.     /* If leafidx is odd (last bit = 1), current path element is a right child

  149.        and auth_path has to go left. Otherwise it is the other way around. */

  150.     if (leafidx & 1) {

  151.         memcpy(buffer + params->n, leaf, params->n);

  152.         memcpy(buffer, auth_path, params->n);

  153.     }

  154.     else {

  155.         memcpy(buffer, leaf, params->n);

  156.         memcpy(buffer + params->n, auth_path, params->n);

  157.     }

  158.     auth_path += params->n;

  159. 

  160.     for (i = 0; i < params->tree_height - 1; i++) {

  161.         set_tree_height(addr, i);

  162.         leafidx >>= 1;

  163.         set_tree_index(addr, leafidx);

  164. 

  165.         /* Pick the right or left neighbor, depending on parity of the node. */

  166.         if (leafidx & 1) {

  167.             hash_h(params, buffer + params->n, buffer, pub_seed, addr);

  168.             memcpy(buffer, auth_path, params->n);

  169.         }

  170.         else {

  171.             hash_h(params, buffer, buffer, pub_seed, addr);

  172.             memcpy(buffer + params->n, auth_path, params->n);

  173.         }

  174.         auth_path += params->n;

  175.     }

  176. 

  177.     /* The last iteration is exceptional; we do not copy an auth)path node. */

  178.     set_tree_height(addr, params->tree_height - 1);

  179.     leafidx >>= 1;

  180.     set_tree_index(addr, leafidx);

  181.     hash_h(params, root, buffer, pub_seed, addr);

  182. }

  183. 

  184. /**

  185.  * Verifies a given message signature pair under a given public key.

  186.  * Note that this assumes a pk without an OID, i.e. [root || PUB_SEED]

  187.  */

  188. int xmss_core_sign_open(const xmss_params *params,

  189.                         unsigned char *m, unsigned long long *mlen,

  190.                         const unsigned char *sm, unsigned long long smlen,

  191.                         const unsigned char *pk)

  192. {

  193.     const unsigned char *pub_seed = pk + params->n;

  194.     unsigned char wots_pk[params->wots_keysize];

  195.     unsigned char leaf[params->n];

  196.     unsigned char root[params->n];

  197.     unsigned char mhash[params->n];

  198.     unsigned long idx;

  199. 

  200.     uint32_t ots_addr[8] = {0};

  201.     uint32_t ltree_addr[8] = {0};

  202.     uint32_t node_addr[8] = {0};

  203. 

  204.     set_type(ots_addr, XMSS_ADDR_TYPE_OTS);

  205.     set_type(ltree_addr, XMSS_ADDR_TYPE_LTREE);

  206.     set_type(node_addr, XMSS_ADDR_TYPE_HASHTREE);

  207. 

  208.     *mlen = smlen - params->bytes;

  209. 

  210.     /* Convert the index bytes from the signature to an integer. */

  211.     idx = (unsigned long)bytes_to_ull(sm, params->index_len);

  212. 

  213.     /* Compute the message hash. */

  214.     hash_message(params, mhash, sm + params->index_len, pk, idx,

  215.                  sm + params->bytes, *mlen);

  216.     sm += params->index_len + params->n;

  217. 

  218.     /* The WOTS public key is only correct if the signature was correct. */

  219.     set_ots_addr(ots_addr, idx);

  220.     wots_pk_from_sig(params, wots_pk, sm, mhash, pub_seed, ots_addr);

  221.     sm += params->wots_keysize;

  222. 

  223.     /* Compute the leaf node using the WOTS public key. */

  224.     set_ltree_addr(ltree_addr, idx);

  225.     l_tree(params, leaf, wots_pk, pub_seed, ltree_addr);

  226. 

  227.     /* Compute the root node. */

  228.     compute_root(params, root, leaf, idx, sm, pub_seed, node_addr);

  229.     sm += params->tree_height*params->n;

  230. 

  231.     /* Check if the root node equals the root node in the public key. */

  232.     if (memcmp(root, pk, params->n)) {

  233.         /* If not, zero the message */

  234.         memset(m, 0, *mlen);

  235.         *mlen = -1;

  236.         return -1;

  237.     }

  238. 

  239.     /* If verification was successful, copy the message from the signature. */

  240.     memcpy(m, sm, *mlen);

  241. 

  242.     return 0;

  243. }

  244. 

  245. /**

  246.  * Verifies a given message signature pair under a given public key.

  247.  * Note that this assumes a pk without an OID, i.e. [root || PUB_SEED]

  248.  */

  249. int xmssmt_core_sign_open(const xmss_params *params,

  250.                           unsigned char *m, unsigned long long *mlen,

  251.                           const unsigned char *sm, unsigned long long smlen,

  252.                           const unsigned char *pk)

  253. {

  254.     const unsigned char *pub_seed = pk + params->n;

  255.     unsigned char wots_pk[params->wots_keysize];

  256.     unsigned char leaf[params->n];

  257.     unsigned char root[params->n];

  258.     unsigned char *mhash = root;

  259.     unsigned long long idx = 0;

  260.     unsigned int i;

  261.     uint32_t idx_leaf;

  262. 

  263.     uint32_t ots_addr[8] = {0};

  264.     uint32_t ltree_addr[8] = {0};

  265.     uint32_t node_addr[8] = {0};

  266. 

  267.     set_type(ots_addr, XMSS_ADDR_TYPE_OTS);

  268.     set_type(ltree_addr, XMSS_ADDR_TYPE_LTREE);

  269.     set_type(node_addr, XMSS_ADDR_TYPE_HASHTREE);

  270. 

  271.     *mlen = smlen - params->bytes;

  272. 

  273.     /* Convert the index bytes from the signature to an integer. */

  274.     idx = bytes_to_ull(sm, params->index_len);

  275. 

  276.     /* Compute the message hash. */

  277.     hash_message(params, mhash, sm + params->index_len, pk, idx,

  278.                  sm + params->bytes, *mlen);

  279.     sm += params->index_len + params->n;

  280. 

  281.     /* For each subtree.. */

  282.     for (i = 0; i < params->d; i++) {

  283.         idx_leaf = (idx & ((1 << params->tree_height)-1));

  284.         idx = idx >> params->tree_height;

  285. 

  286.         set_layer_addr(ots_addr, i);

  287.         set_layer_addr(ltree_addr, i);

  288.         set_layer_addr(node_addr, i);

  289. 

  290.         set_tree_addr(ltree_addr, idx);

  291.         set_tree_addr(ots_addr, idx);

  292.         set_tree_addr(node_addr, idx);

  293. 

  294.         /* The WOTS public key is only correct if the signature was correct. */

  295.         set_ots_addr(ots_addr, idx_leaf);

  296.         /* Initially, root = mhash, but on subsequent iterations it is the root

  297.            of the subtree below the currently processed subtree. */

  298.         wots_pk_from_sig(params, wots_pk, sm, root, pub_seed, ots_addr);

  299.         sm += params->wots_keysize;

  300. 

  301.         /* Compute the leaf node using the WOTS public key. */

  302.         set_ltree_addr(ltree_addr, idx_leaf);

  303.         l_tree(params, leaf, wots_pk, pub_seed, ltree_addr);

  304. 

  305.         /* Compute the root node of this subtree. */

  306.         compute_root(params, root, leaf, idx_leaf, sm, pub_seed, node_addr);

  307.         sm += params->tree_height*params->n;

  308.     }

  309. 

  310.     /* Check if the root node equals the root node in the public key. */

  311.     if (memcmp(root, pk, params->n)) {

  312.         /* If not, zero the message */

  313.         memset(m, 0, *mlen);

  314.         *mlen = -1;

  315.         return -1;

  316.     }

  317. 

  318.     /* If verification was successful, copy the message from the signature. */

  319.     memcpy(m, sm, *mlen);

  320. 

  321.     return 0;

  322. }