kris
/
xmss-KAT-generator
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
70 Commits
1 Branch
488 KiB
 
 
Tree: 8970c4933c
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '8970c4933c'
${ noResults }
xmss-KAT-generator/xmss_commons.c

302 lines
8.7 KiB
Raw Blame History 

  1. #include <stdlib.h>

  2. #include <string.h>

  3. #include <stdint.h>

  4. 

  5. #include "hash.h"

  6. #include "hash_address.h"

  7. #include "params.h"

  8. #include "wots.h"

  9. #include "xmss_commons.h"

  10. 

  11. void to_byte(unsigned char *out, unsigned long long in, uint32_t bytes)

  12. {

  13.     int i;

  14. 

  15.     for (i = bytes-1; i >= 0; i--) {

  16.         out[i] = in & 0xff;

  17.         in = in >> 8;

  18.     }

  19. }

  20. 

  21. /**

  22.  * Computes the leaf at a given address. First generates the WOTS key pair, then computes leaf using l_tree. As this happens position independent, we only require that addr encodes the right ltree-address.

  23.  */

  24. void gen_leaf_wots(const xmss_params *params, unsigned char *leaf,

  25.                    const unsigned char *sk_seed, const unsigned char *pub_seed,

  26.                    uint32_t ltree_addr[8], uint32_t ots_addr[8])

  27. {

  28.     unsigned char seed[params->n];

  29.     unsigned char pk[params->wots_keysize];

  30. 

  31.     get_seed(params, seed, sk_seed, ots_addr);

  32.     wots_pkgen(params, pk, seed, pub_seed, ots_addr);

  33. 

  34.     l_tree(params, leaf, pk, pub_seed, ltree_addr);

  35. }

  36. 

  37. /**

  38.  * Used for pseudorandom keygeneration,

  39.  * generates the seed for the WOTS keypair at address addr

  40.  *

  41.  * takes params->n byte sk_seed and returns params->n byte seed using 32 byte address addr.

  42.  */

  43. void get_seed(const xmss_params *params, unsigned char *seed,

  44.               const unsigned char *sk_seed, uint32_t addr[8])

  45. {

  46.     unsigned char bytes[32];

  47. 

  48.     // Make sure that chain addr, hash addr, and key bit are 0!

  49.     set_chain_addr(addr, 0);

  50.     set_hash_addr(addr, 0);

  51.     set_key_and_mask(addr, 0);

  52.     // Generate pseudorandom value

  53.     addr_to_byte(bytes, addr);

  54.     prf(params, seed, bytes, sk_seed, params->n);

  55. }

  56. 

  57. /**

  58.  * Computes a leaf from a WOTS public key using an L-tree.

  59.  */

  60. void l_tree(const xmss_params *params, unsigned char *leaf, unsigned char *wots_pk,

  61.             const unsigned char *pub_seed, uint32_t addr[8])

  62. {

  63.     unsigned int l = params->wots_len;

  64.     uint32_t i = 0;

  65.     uint32_t height = 0;

  66.     uint32_t bound;

  67. 

  68.     set_tree_height(addr, height);

  69. 

  70.     while (l > 1) {

  71.         bound = l >> 1;

  72.         for (i = 0; i < bound; i++) {

  73.             set_tree_index(addr, i);

  74.             hash_h(params, wots_pk + i*params->n, wots_pk + i*2*params->n, pub_seed, addr);

  75.         }

  76.         if (l & 1) {

  77.             memcpy(wots_pk + (l >> 1)*params->n, wots_pk + (l - 1)*params->n, params->n);

  78.             l = (l >> 1) + 1;

  79.         }

  80.         else {

  81.             l = l >> 1;

  82.         }

  83.         height++;

  84.         set_tree_height(addr, height);

  85.     }

  86.     memcpy(leaf, wots_pk, params->n);

  87. }

  88. 

  89. /**

  90.  * Computes a root node given a leaf and an authapth

  91.  */

  92. static void validate_authpath(const xmss_params *params, unsigned char *root,

  93.                               const unsigned char *leaf, unsigned long leafidx,

  94.                               const unsigned char *authpath,

  95.                               const unsigned char *pub_seed, uint32_t addr[8])

  96. {

  97.     uint32_t i, j;

  98.     unsigned char buffer[2*params->n];

  99. 

  100.     // If leafidx is odd (last bit = 1), current path element is a right child and authpath has to go to the left.

  101.     // Otherwise, it is the other way around

  102.     if (leafidx & 1) {

  103.         for (j = 0; j < params->n; j++) {

  104.             buffer[params->n + j] = leaf[j];

  105.             buffer[j] = authpath[j];

  106.         }

  107.     }

  108.     else {

  109.         for (j = 0; j < params->n; j++) {

  110.             buffer[j] = leaf[j];

  111.             buffer[params->n + j] = authpath[j];

  112.         }

  113.     }

  114.     authpath += params->n;

  115. 

  116.     for (i = 0; i < params->tree_height-1; i++) {

  117.         set_tree_height(addr, i);

  118.         leafidx >>= 1;

  119.         set_tree_index(addr, leafidx);

  120.         if (leafidx & 1) {

  121.             hash_h(params, buffer + params->n, buffer, pub_seed, addr);

  122.             for (j = 0; j < params->n; j++) {

  123.                 buffer[j] = authpath[j];

  124.             }

  125.         }

  126.         else {

  127.             hash_h(params, buffer, buffer, pub_seed, addr);

  128.             for (j = 0; j < params->n; j++) {

  129.                 buffer[j + params->n] = authpath[j];

  130.             }

  131.         }

  132.         authpath += params->n;

  133.     }

  134.     set_tree_height(addr, params->tree_height - 1);

  135.     leafidx >>= 1;

  136.     set_tree_index(addr, leafidx);

  137.     hash_h(params, root, buffer, pub_seed, addr);

  138. }

  139. 

  140. /**

  141.  * Verifies a given message signature pair under a given public key.

  142.  */

  143. int xmss_core_sign_open(const xmss_params *params,

  144.                         unsigned char *m, unsigned long long *mlen,

  145.                         const unsigned char *sm, unsigned long long smlen,

  146.                         const unsigned char *pk)

  147. {

  148.     unsigned long long i;

  149.     unsigned long idx = 0;

  150.     unsigned char wots_pk[params->wots_keysize];

  151.     unsigned char pkhash[params->n];

  152.     unsigned char root[params->n];

  153.     unsigned char msg_h[params->n];

  154.     unsigned char hash_key[3*params->n];

  155. 

  156.     unsigned char pub_seed[params->n];

  157.     memcpy(pub_seed, pk + params->n, params->n);

  158. 

  159.     // Init addresses

  160.     uint32_t ots_addr[8] = {0};

  161.     uint32_t ltree_addr[8] = {0};

  162.     uint32_t node_addr[8] = {0};

  163. 

  164.     set_type(ots_addr, 0);

  165.     set_type(ltree_addr, 1);

  166.     set_type(node_addr, 2);

  167. 

  168.     *mlen = smlen - params->bytes;

  169. 

  170.     // Extract index

  171.     for (i = 0; i < params->index_len; i++) {

  172.         idx |= ((unsigned long long)sm[i]) << (8*(params->index_len - 1 - i));

  173.     }

  174. 

  175.     // Generate hash key (R || root || idx)

  176.     memcpy(hash_key, sm + params->index_len, params->n);

  177.     memcpy(hash_key + params->n, pk, params->n);

  178.     to_byte(hash_key + 2*params->n, idx, params->n);

  179. 

  180.     // hash message

  181.     h_msg(params, msg_h, sm + params->bytes, *mlen, hash_key, 3*params->n);

  182.     sm += params->index_len + params->n;

  183. 

  184.     // Prepare Address

  185.     set_ots_addr(ots_addr, idx);

  186.     // Check WOTS signature

  187.     wots_pk_from_sig(params, wots_pk, sm, msg_h, pub_seed, ots_addr);

  188.     sm += params->wots_keysize;

  189. 

  190.     // Compute Ltree

  191.     set_ltree_addr(ltree_addr, idx);

  192.     l_tree(params, pkhash, wots_pk, pub_seed, ltree_addr);

  193. 

  194.     // Compute root

  195.     validate_authpath(params, root, pkhash, idx, sm, pub_seed, node_addr);

  196.     sm += params->tree_height*params->n;

  197. 

  198.     for (i = 0; i < params->n; i++) {

  199.         if (root[i] != pk[i]) {

  200.             for (i = 0; i < *mlen; i++) {

  201.                 m[i] = 0;

  202.             }

  203.             *mlen = -1;

  204.             return -1;

  205.         }

  206.     }

  207. 

  208.     for (i = 0; i < *mlen; i++) {

  209.         m[i] = sm[i];

  210.     }

  211. 

  212.     return 0;

  213. }

  214. 

  215. /**

  216.  * Verifies a given message signature pair under a given public key.

  217.  */

  218. int xmssmt_core_sign_open(const xmss_params *params,

  219.                           unsigned char *m, unsigned long long *mlen,

  220.                           const unsigned char *sm, unsigned long long smlen,

  221.                           const unsigned char *pk)

  222. {

  223.     uint32_t idx_leaf;

  224.     unsigned long long i;

  225.     unsigned long long idx = 0;

  226.     unsigned char wots_pk[params->wots_keysize];

  227.     unsigned char pkhash[params->n];

  228.     unsigned char root[params->n];

  229.     unsigned char *msg_h = root;

  230.     unsigned char hash_key[3*params->n];

  231.     const unsigned char *pub_seed = pk + params->n;

  232. 

  233.     // Init addresses

  234.     uint32_t ots_addr[8] = {0};

  235.     uint32_t ltree_addr[8] = {0};

  236.     uint32_t node_addr[8] = {0};

  237. 

  238.     set_type(ots_addr, 0);

  239.     set_type(ltree_addr, 1);

  240.     set_type(node_addr, 2);

  241. 

  242.     *mlen = smlen - params->bytes;

  243. 

  244.     // Extract index

  245.     for (i = 0; i < params->index_len; i++) {

  246.         idx |= ((unsigned long long)sm[i]) << (8*(params->index_len - 1 - i));

  247.     }

  248. 

  249.     // Generate hash key (R || root || idx)

  250.     memcpy(hash_key, sm + params->index_len, params->n);

  251.     memcpy(hash_key + params->n, pk, params->n);

  252.     to_byte(hash_key + 2*params->n, idx, params->n);

  253. 

  254.     // hash message

  255.     h_msg(params, msg_h, sm + params->bytes, *mlen, hash_key, 3*params->n);

  256.     sm += params->index_len + params->n;

  257. 

  258.     for (i = 0; i < params->d; i++) {

  259.         // Prepare Address

  260.         idx_leaf = (idx & ((1 << params->tree_height)-1));

  261.         idx = idx >> params->tree_height;

  262. 

  263.         set_layer_addr(ots_addr, i);

  264.         set_layer_addr(ltree_addr, i);

  265.         set_layer_addr(node_addr, i);

  266. 

  267.         set_tree_addr(ltree_addr, idx);

  268.         set_tree_addr(ots_addr, idx);

  269.         set_tree_addr(node_addr, idx);

  270. 

  271.         set_ots_addr(ots_addr, idx_leaf);

  272. 

  273.         // Check WOTS signature

  274.         wots_pk_from_sig(params, wots_pk, sm, root, pub_seed, ots_addr);

  275.         sm += params->wots_keysize;

  276. 

  277.         // Compute Ltree

  278.         set_ltree_addr(ltree_addr, idx_leaf);

  279.         l_tree(params, pkhash, wots_pk, pub_seed, ltree_addr);

  280. 

  281.         // Compute root

  282.         validate_authpath(params, root, pkhash, idx_leaf, sm, pub_seed, node_addr);

  283.         sm += params->tree_height*params->n;

  284.     }

  285. 

  286.     for (i = 0; i < params->n; i++) {

  287.         if (root[i] != pk[i]) {

  288.             for (i = 0; i < *mlen; i++) {

  289.                 m[i] = 0;

  290.             }

  291.             *mlen = -1;

  292.             return -1;

  293.         }

  294.     }

  295. 

  296.     for (i = 0; i < *mlen; i++) {

  297.         m[i] = sm[i];

  298.     }

  299. 

  300.     return 0;

  301. }