kris
/
xmss-KAT-generator
1
0
Forka 0
Codice Problemi 0 Pull Requests 0 Rilasci 0 Wiki Attività
Non puoi selezionare più di 25 argomenti Gli argomenti devono iniziare con una lettera o un numero, possono includere trattini ('-') e possono essere lunghi fino a 35 caratteri.
134 Commit
1 Ramo (Branch)
488 KiB
 
 
Albero (Tree): 4ae726a82b
Rami (Branch) Tag
${ item.name }
Crea branch ${ searchTerm }
da '4ae726a82b'
${ noResults }
xmss-KAT-generator/xmss_commons.c

216 righe
7.3 KiB
Originale Blame Cronologia 

  1. #include <stdlib.h>

  2. #include <string.h>

  3. #include <stdint.h>

  4. 

  5. #include "hash.h"

  6. #include "hash_address.h"

  7. #include "params.h"

  8. #include "wots.h"

  9. #include "utils.h"

  10. #include "xmss_commons.h"

  11. 

  12. /**

  13.  * Computes a leaf node from a WOTS public key using an L-tree.

  14.  * Note that this destroys the used WOTS public key.

  15.  */

  16. static void l_tree(const xmss_params *params,

  17.                    unsigned char *leaf, unsigned char *wots_pk,

  18.                    const unsigned char *pub_seed, uint32_t addr[8])

  19. {

  20.     unsigned int l = params->wots_len;

  21.     unsigned int parent_nodes;

  22.     uint32_t i;

  23.     uint32_t height = 0;

  24. 

  25.     set_tree_height(addr, height);

  26. 

  27.     while (l > 1) {

  28.         parent_nodes = l >> 1;

  29.         for (i = 0; i < parent_nodes; i++) {

  30.             set_tree_index(addr, i);

  31.             /* Hashes the nodes at (i*2)*params->n and (i*2)*params->n + 1 */

  32.             thash_h(params, wots_pk + i*params->n,

  33.                            wots_pk + (i*2)*params->n, pub_seed, addr);

  34.         }

  35.         /* If the row contained an odd number of nodes, the last node was not

  36.            hashed. Instead, we pull it up to the next layer. */

  37.         if (l & 1) {

  38.             memcpy(wots_pk + (l >> 1)*params->n,

  39.                    wots_pk + (l - 1)*params->n, params->n);

  40.             l = (l >> 1) + 1;

  41.         }

  42.         else {

  43.             l = l >> 1;

  44.         }

  45.         height++;

  46.         set_tree_height(addr, height);

  47.     }

  48.     memcpy(leaf, wots_pk, params->n);

  49. }

  50. 

  51. /**

  52.  * Computes a root node given a leaf and an auth path

  53.  */

  54. static void compute_root(const xmss_params *params, unsigned char *root,

  55.                          const unsigned char *leaf, unsigned long leafidx,

  56.                          const unsigned char *auth_path,

  57.                          const unsigned char *pub_seed, uint32_t addr[8])

  58. {

  59.     uint32_t i;

  60.     unsigned char buffer[2*params->n];

  61. 

  62.     /* If leafidx is odd (last bit = 1), current path element is a right child

  63.        and auth_path has to go left. Otherwise it is the other way around. */

  64.     if (leafidx & 1) {

  65.         memcpy(buffer + params->n, leaf, params->n);

  66.         memcpy(buffer, auth_path, params->n);

  67.     }

  68.     else {

  69.         memcpy(buffer, leaf, params->n);

  70.         memcpy(buffer + params->n, auth_path, params->n);

  71.     }

  72.     auth_path += params->n;

  73. 

  74.     for (i = 0; i < params->tree_height - 1; i++) {

  75.         set_tree_height(addr, i);

  76.         leafidx >>= 1;

  77.         set_tree_index(addr, leafidx);

  78. 

  79.         /* Pick the right or left neighbor, depending on parity of the node. */

  80.         if (leafidx & 1) {

  81.             thash_h(params, buffer + params->n, buffer, pub_seed, addr);

  82.             memcpy(buffer, auth_path, params->n);

  83.         }

  84.         else {

  85.             thash_h(params, buffer, buffer, pub_seed, addr);

  86.             memcpy(buffer + params->n, auth_path, params->n);

  87.         }

  88.         auth_path += params->n;

  89.     }

  90. 

  91.     /* The last iteration is exceptional; we do not copy an auth_path node. */

  92.     set_tree_height(addr, params->tree_height - 1);

  93.     leafidx >>= 1;

  94.     set_tree_index(addr, leafidx);

  95.     thash_h(params, root, buffer, pub_seed, addr);

  96. }

  97. 

  98. 

  99. /**

  100.  * Computes the leaf at a given address. First generates the WOTS key pair,

  101.  * then computes leaf using l_tree. As this happens position independent, we

  102.  * only require that addr encodes the right ltree-address.

  103.  */

  104. void gen_leaf_wots(const xmss_params *params, unsigned char *leaf,

  105.                    const unsigned char *sk_seed, const unsigned char *pub_seed,

  106.                    uint32_t ltree_addr[8], uint32_t ots_addr[8])

  107. {

  108.     unsigned char pk[params->wots_sig_bytes];

  109. 

  110.     wots_pkgen(params, pk, sk_seed, pub_seed, ots_addr);

  111. 

  112.     l_tree(params, leaf, pk, pub_seed, ltree_addr);

  113. }

  114. 

  115. 

  116. /**

  117.  * Verifies a given message signature pair under a given public key.

  118.  * Note that this assumes a pk without an OID, i.e. [root || PUB_SEED]

  119.  */

  120. int xmss_core_sign_open(const xmss_params *params,

  121.                         unsigned char *m, unsigned long long *mlen,

  122.                         const unsigned char *sm, unsigned long long smlen,

  123.                         const unsigned char *pk)

  124. {

  125.     /* XMSS signatures are fundamentally an instance of XMSSMT signatures.

  126.        For d=1, as is the case with XMSS, some of the calls in the XMSSMT

  127.        routine become vacuous (i.e. the loop only iterates once, and address

  128.        management can be simplified a bit).*/

  129.     return xmssmt_core_sign_open(params, m, mlen, sm, smlen, pk);

  130. }

  131. 

  132. /**

  133.  * Verifies a given message signature pair under a given public key.

  134.  * Note that this assumes a pk without an OID, i.e. [root || PUB_SEED]

  135.  */

  136. int xmssmt_core_sign_open(const xmss_params *params,

  137.                           unsigned char *m, unsigned long long *mlen,

  138.                           const unsigned char *sm, unsigned long long smlen,

  139.                           const unsigned char *pk)

  140. {

  141.     const unsigned char *pub_root = pk;

  142.     const unsigned char *pub_seed = pk + params->n;

  143.     unsigned char wots_pk[params->wots_sig_bytes];

  144.     unsigned char leaf[params->n];

  145.     unsigned char root[params->n];

  146.     unsigned char *mhash = root;

  147.     unsigned long long idx = 0;

  148.     unsigned int i;

  149.     uint32_t idx_leaf;

  150. 

  151.     uint32_t ots_addr[8] = {0};

  152.     uint32_t ltree_addr[8] = {0};

  153.     uint32_t node_addr[8] = {0};

  154. 

  155.     set_type(ots_addr, XMSS_ADDR_TYPE_OTS);

  156.     set_type(ltree_addr, XMSS_ADDR_TYPE_LTREE);

  157.     set_type(node_addr, XMSS_ADDR_TYPE_HASHTREE);

  158. 

  159.     *mlen = smlen - params->sig_bytes;

  160. 

  161.     /* Convert the index bytes from the signature to an integer. */

  162.     idx = bytes_to_ull(sm, params->index_bytes);

  163. 

  164.     /* Put the message all the way at the end of the m buffer, so that we can

  165.      * prepend the required other inputs for the hash function. */

  166.     memcpy(m + params->sig_bytes, sm + params->sig_bytes, *mlen);

  167. 

  168.     /* Compute the message hash. */

  169.     hash_message(params, mhash, sm + params->index_bytes, pk, idx,

  170.                  m + params->sig_bytes - params->padding_len - 3*params->n,

  171.                  *mlen);

  172.     sm += params->index_bytes + params->n;

  173. 

  174.     /* For each subtree.. */

  175.     for (i = 0; i < params->d; i++) {

  176.         idx_leaf = (idx & ((1 << params->tree_height)-1));

  177.         idx = idx >> params->tree_height;

  178. 

  179.         set_layer_addr(ots_addr, i);

  180.         set_layer_addr(ltree_addr, i);

  181.         set_layer_addr(node_addr, i);

  182. 

  183.         set_tree_addr(ltree_addr, idx);

  184.         set_tree_addr(ots_addr, idx);

  185.         set_tree_addr(node_addr, idx);

  186. 

  187.         /* The WOTS public key is only correct if the signature was correct. */

  188.         set_ots_addr(ots_addr, idx_leaf);

  189.         /* Initially, root = mhash, but on subsequent iterations it is the root

  190.            of the subtree below the currently processed subtree. */

  191.         wots_pk_from_sig(params, wots_pk, sm, root, pub_seed, ots_addr);

  192.         sm += params->wots_sig_bytes;

  193. 

  194.         /* Compute the leaf node using the WOTS public key. */

  195.         set_ltree_addr(ltree_addr, idx_leaf);

  196.         l_tree(params, leaf, wots_pk, pub_seed, ltree_addr);

  197. 

  198.         /* Compute the root node of this subtree. */

  199.         compute_root(params, root, leaf, idx_leaf, sm, pub_seed, node_addr);

  200.         sm += params->tree_height*params->n;

  201.     }

  202. 

  203.     /* Check if the root node equals the root node in the public key. */

  204.     if (memcmp(root, pub_root, params->n)) {

  205.         /* If not, zero the message */

  206.         memset(m, 0, *mlen);

  207.         *mlen = 0;

  208.         return -1;

  209.     }

  210. 

  211.     /* If verification was successful, copy the message from the signature. */

  212.     memcpy(m, sm, *mlen);

  213. 

  214.     return 0;

  215. }