kris
/
xmss-KAT-generator
1
0
Förgrening 0
Kod Ärenden 0 Pull-förfrågningar 0 Släpp 0 Wiki Aktiviteter
Du kan inte välja fler än 25 ämnen Ämnen måste starta med en bokstav eller siffra, kan innehålla bindestreck ('-') och vara max 35 tecken långa.
89 Incheckningar
1 Gren
488 KiB
 
 
Träd: 5ce8fc402b
Grenar Taggar
${ item.name }
Skapa branchen ${ searchTerm }
från '5ce8fc402b'
${ noResults }
xmss-KAT-generator/xmss_commons.c

278 rader
9.0 KiB
Blame Historik 

  1. #include <stdlib.h>

  2. #include <string.h>

  3. #include <stdint.h>

  4. 

  5. #include "hash.h"

  6. #include "hash_address.h"

  7. #include "params.h"

  8. #include "wots.h"

  9. #include "xmss_commons.h"

  10. 

  11. /**

  12.  * Converts the value of 'in' to 'outlen' bytes in big-endian byte order.

  13.  */

  14. void ull_to_bytes(unsigned char *out, unsigned int outlen,

  15.                   unsigned long long in)

  16. {

  17.     int i;

  18. 

  19.     /* Iterate over out in decreasing order, for big-endianness. */

  20.     for (i = outlen - 1; i >= 0; i--) {

  21.         out[i] = in & 0xff;

  22.         in = in >> 8;

  23.     }

  24. }

  25. 

  26. /**

  27.  * Converts the inlen bytes in 'in' from big-endian byte order to an integer.

  28.  */

  29. unsigned long long bytes_to_ull(const unsigned char *in, unsigned int inlen)

  30. {

  31.     unsigned long long retval = 0;

  32.     unsigned int i;

  33. 

  34.     for (i = 0; i < inlen; i++) {

  35.         retval |= ((unsigned long long)in[i]) << (8*(inlen - 1 - i));

  36.     }

  37.     return retval;

  38. }

  39. 

  40. /**

  41.  * Computes the leaf at a given address. First generates the WOTS key pair,

  42.  * then computes leaf using l_tree. As this happens position independent, we

  43.  * only require that addr encodes the right ltree-address.

  44.  */

  45. void gen_leaf_wots(const xmss_params *params, unsigned char *leaf,

  46.                    const unsigned char *sk_seed, const unsigned char *pub_seed,

  47.                    uint32_t ltree_addr[8], uint32_t ots_addr[8])

  48. {

  49.     unsigned char seed[params->n];

  50.     unsigned char pk[params->wots_sig_bytes];

  51. 

  52.     get_seed(params, seed, sk_seed, ots_addr);

  53.     wots_pkgen(params, pk, seed, pub_seed, ots_addr);

  54. 

  55.     l_tree(params, leaf, pk, pub_seed, ltree_addr);

  56. }

  57. 

  58. /**

  59.  * Used for pseudo-random key generation.

  60.  * Generates the seed for the WOTS key pair at address 'addr'.

  61.  *

  62.  * Takes n-byte sk_seed and returns n-byte seed using 32 byte address 'addr'.

  63.  */

  64. void get_seed(const xmss_params *params, unsigned char *seed,

  65.               const unsigned char *sk_seed, uint32_t addr[8])

  66. {

  67.     unsigned char bytes[32];

  68. 

  69.     /* Make sure that chain addr, hash addr, and key bit are zeroed. */

  70.     set_chain_addr(addr, 0);

  71.     set_hash_addr(addr, 0);

  72.     set_key_and_mask(addr, 0);

  73. 

  74.     /* Generate seed. */

  75.     addr_to_bytes(bytes, addr);

  76.     prf(params, seed, bytes, sk_seed, params->n);

  77. }

  78. 

  79. /**

  80.  * Computes a leaf node from a WOTS public key using an L-tree.

  81.  * Note that this destroys the used WOTS public key.

  82.  */

  83. void l_tree(const xmss_params *params,

  84.             unsigned char *leaf, unsigned char *wots_pk,

  85.             const unsigned char *pub_seed, uint32_t addr[8])

  86. {

  87.     unsigned int l = params->wots_len;

  88.     unsigned int parent_nodes;

  89.     uint32_t i;

  90.     uint32_t height = 0;

  91. 

  92.     set_tree_height(addr, height);

  93. 

  94.     while (l > 1) {

  95.         parent_nodes = l >> 1;

  96.         for (i = 0; i < parent_nodes; i++) {

  97.             set_tree_index(addr, i);

  98.             /* Hashes the nodes at (i*2)*params->n and (i*2)*params->n + 1 */

  99.             hash_h(params, wots_pk + i*params->n,

  100.                            wots_pk + (i*2)*params->n, pub_seed, addr);

  101.         }

  102.         /* If the row contained an odd number of nodes, the last node was not

  103.            hashed. Instead, we pull it up to the next layer. */

  104.         if (l & 1) {

  105.             memcpy(wots_pk + (l >> 1)*params->n,

  106.                    wots_pk + (l - 1)*params->n, params->n);

  107.             l = (l >> 1) + 1;

  108.         }

  109.         else {

  110.             l = l >> 1;

  111.         }

  112.         height++;

  113.         set_tree_height(addr, height);

  114.     }

  115.     memcpy(leaf, wots_pk, params->n);

  116. }

  117. 

  118. /**

  119.  * Computes the randomized message hash.

  120.  */

  121. void hash_message(const xmss_params *params, unsigned char *mhash,

  122.                   const unsigned char *R, const unsigned char *root,

  123.                   unsigned long long idx,

  124.                   const unsigned char *m, unsigned long long mlen)

  125. {

  126.     unsigned char hash_key[3*params->n];

  127. 

  128.     /* Compute hash key. */

  129.     memcpy(hash_key, R, params->n);

  130.     memcpy(hash_key + params->n, root, params->n);

  131.     ull_to_bytes(hash_key + 2*params->n, params->n, idx);

  132. 

  133.     /* Hash the message using the randomized hash key. */

  134.     h_msg(params, mhash, m, mlen, hash_key, 3*params->n);

  135. }

  136. 

  137. /**

  138.  * Computes a root node given a leaf and an auth path

  139.  */

  140. static void compute_root(const xmss_params *params, unsigned char *root,

  141.                          const unsigned char *leaf, unsigned long leafidx,

  142.                          const unsigned char *auth_path,

  143.                          const unsigned char *pub_seed, uint32_t addr[8])

  144. {

  145.     uint32_t i;

  146.     unsigned char buffer[2*params->n];

  147. 

  148.     /* If leafidx is odd (last bit = 1), current path element is a right child

  149.        and auth_path has to go left. Otherwise it is the other way around. */

  150.     if (leafidx & 1) {

  151.         memcpy(buffer + params->n, leaf, params->n);

  152.         memcpy(buffer, auth_path, params->n);

  153.     }

  154.     else {

  155.         memcpy(buffer, leaf, params->n);

  156.         memcpy(buffer + params->n, auth_path, params->n);

  157.     }

  158.     auth_path += params->n;

  159. 

  160.     for (i = 0; i < params->tree_height - 1; i++) {

  161.         set_tree_height(addr, i);

  162.         leafidx >>= 1;

  163.         set_tree_index(addr, leafidx);

  164. 

  165.         /* Pick the right or left neighbor, depending on parity of the node. */

  166.         if (leafidx & 1) {

  167.             hash_h(params, buffer + params->n, buffer, pub_seed, addr);

  168.             memcpy(buffer, auth_path, params->n);

  169.         }

  170.         else {

  171.             hash_h(params, buffer, buffer, pub_seed, addr);

  172.             memcpy(buffer + params->n, auth_path, params->n);

  173.         }

  174.         auth_path += params->n;

  175.     }

  176. 

  177.     /* The last iteration is exceptional; we do not copy an auth)path node. */

  178.     set_tree_height(addr, params->tree_height - 1);

  179.     leafidx >>= 1;

  180.     set_tree_index(addr, leafidx);

  181.     hash_h(params, root, buffer, pub_seed, addr);

  182. }

  183. 

  184. /**

  185.  * Verifies a given message signature pair under a given public key.

  186.  * Note that this assumes a pk without an OID, i.e. [root || PUB_SEED]

  187.  */

  188. int xmss_core_sign_open(const xmss_params *params,

  189.                         unsigned char *m, unsigned long long *mlen,

  190.                         const unsigned char *sm, unsigned long long smlen,

  191.                         const unsigned char *pk)

  192. {

  193.     /* XMSS signatures are fundamentally an instance of XMSSMT signatures.

  194.        For d=1, as is the case with XMSS, some of the calls in the XMSSMT

  195.        routine become vacuous (i.e. the loop only iterates once, and address

  196.        management can be simplified a bit).*/

  197.     return xmssmt_core_sign_open(params, m, mlen, sm, smlen, pk);

  198. }

  199. 

  200. /**

  201.  * Verifies a given message signature pair under a given public key.

  202.  * Note that this assumes a pk without an OID, i.e. [root || PUB_SEED]

  203.  */

  204. int xmssmt_core_sign_open(const xmss_params *params,

  205.                           unsigned char *m, unsigned long long *mlen,

  206.                           const unsigned char *sm, unsigned long long smlen,

  207.                           const unsigned char *pk)

  208. {

  209.     const unsigned char *pub_seed = pk + params->n;

  210.     unsigned char wots_pk[params->wots_sig_bytes];

  211.     unsigned char leaf[params->n];

  212.     unsigned char root[params->n];

  213.     unsigned char *mhash = root;

  214.     unsigned long long idx = 0;

  215.     unsigned int i;

  216.     uint32_t idx_leaf;

  217. 

  218.     uint32_t ots_addr[8] = {0};

  219.     uint32_t ltree_addr[8] = {0};

  220.     uint32_t node_addr[8] = {0};

  221. 

  222.     set_type(ots_addr, XMSS_ADDR_TYPE_OTS);

  223.     set_type(ltree_addr, XMSS_ADDR_TYPE_LTREE);

  224.     set_type(node_addr, XMSS_ADDR_TYPE_HASHTREE);

  225. 

  226.     *mlen = smlen - params->sig_bytes;

  227. 

  228.     /* Convert the index bytes from the signature to an integer. */

  229.     idx = bytes_to_ull(sm, params->index_bytes);

  230. 

  231.     /* Compute the message hash. */

  232.     hash_message(params, mhash, sm + params->index_bytes, pk, idx,

  233.                  sm + params->sig_bytes, *mlen);

  234.     sm += params->index_bytes + params->n;

  235. 

  236.     /* For each subtree.. */

  237.     for (i = 0; i < params->d; i++) {

  238.         idx_leaf = (idx & ((1 << params->tree_height)-1));

  239.         idx = idx >> params->tree_height;

  240. 

  241.         set_layer_addr(ots_addr, i);

  242.         set_layer_addr(ltree_addr, i);

  243.         set_layer_addr(node_addr, i);

  244. 

  245.         set_tree_addr(ltree_addr, idx);

  246.         set_tree_addr(ots_addr, idx);

  247.         set_tree_addr(node_addr, idx);

  248. 

  249.         /* The WOTS public key is only correct if the signature was correct. */

  250.         set_ots_addr(ots_addr, idx_leaf);

  251.         /* Initially, root = mhash, but on subsequent iterations it is the root

  252.            of the subtree below the currently processed subtree. */

  253.         wots_pk_from_sig(params, wots_pk, sm, root, pub_seed, ots_addr);

  254.         sm += params->wots_sig_bytes;

  255. 

  256.         /* Compute the leaf node using the WOTS public key. */

  257.         set_ltree_addr(ltree_addr, idx_leaf);

  258.         l_tree(params, leaf, wots_pk, pub_seed, ltree_addr);

  259. 

  260.         /* Compute the root node of this subtree. */

  261.         compute_root(params, root, leaf, idx_leaf, sm, pub_seed, node_addr);

  262.         sm += params->tree_height*params->n;

  263.     }

  264. 

  265.     /* Check if the root node equals the root node in the public key. */

  266.     if (memcmp(root, pk, params->n)) {

  267.         /* If not, zero the message */

  268.         memset(m, 0, *mlen);

  269.         *mlen = -1;

  270.         return -1;

  271.     }

  272. 

  273.     /* If verification was successful, copy the message from the signature. */

  274.     memcpy(m, sm, *mlen);

  275. 

  276.     return 0;

  277. }