kris
/
xmss-KAT-generator
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
70 Commits
1 Branch
488 KiB
 
 
Tree: 8970c4933c
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '8970c4933c'
${ noResults }
xmss-KAT-generator/xmss_core.c

400 lines
13 KiB
Raw Blame History 

  1. #include <stdlib.h>

  2. #include <string.h>

  3. #include <stdint.h>

  4. 

  5. #include "hash.h"

  6. #include "hash_address.h"

  7. #include "params.h"

  8. #include "randombytes.h"

  9. #include "wots.h"

  10. #include "xmss_commons.h"

  11. #include "xmss_core.h"

  12. 

  13. /**

  14.  * Merkle's TreeHash algorithm. The address only needs to initialize the first 78 bits of addr. Everything else will be set by treehash.

  15.  * Currently only used for key generation.

  16.  *

  17.  */

  18. static void treehash(const xmss_params *params, unsigned char *node, uint32_t index, const unsigned char *sk_seed, const unsigned char *pub_seed, const uint32_t addr[8])

  19. {

  20.     uint32_t idx = index;

  21.     // use three different addresses because at this point we use all three formats in parallel

  22.     uint32_t ots_addr[8];

  23.     uint32_t ltree_addr[8];

  24.     uint32_t node_addr[8];

  25.     // only copy layer and tree address parts

  26.     memcpy(ots_addr, addr, 12);

  27.     // type = ots

  28.     set_type(ots_addr, 0);

  29.     memcpy(ltree_addr, addr, 12);

  30.     set_type(ltree_addr, 1);

  31.     memcpy(node_addr, addr, 12);

  32.     set_type(node_addr, 2);

  33. 

  34.     uint32_t lastnode, i;

  35.     unsigned char stack[(params->tree_height+1)*params->n];

  36.     uint16_t stacklevels[params->tree_height+1];

  37.     unsigned int stackoffset=0;

  38. 

  39.     lastnode = idx+(1 << params->tree_height);

  40. 

  41.     for (; idx < lastnode; idx++) {

  42.         set_ltree_addr(ltree_addr, idx);

  43.         set_ots_addr(ots_addr, idx);

  44.         gen_leaf_wots(params, stack+stackoffset*params->n, sk_seed, pub_seed, ltree_addr, ots_addr);

  45.         stacklevels[stackoffset] = 0;

  46.         stackoffset++;

  47.         while (stackoffset>1 && stacklevels[stackoffset-1] == stacklevels[stackoffset-2]) {

  48.             set_tree_height(node_addr, stacklevels[stackoffset-1]);

  49.             set_tree_index(node_addr, (idx >> (stacklevels[stackoffset-1]+1)));

  50.             hash_h(params, stack+(stackoffset-2)*params->n, stack+(stackoffset-2)*params->n, pub_seed, node_addr);

  51.             stacklevels[stackoffset-2]++;

  52.             stackoffset--;

  53.         }

  54.     }

  55.     for (i = 0; i < params->n; i++) {

  56.         node[i] = stack[i];

  57.     }

  58. }

  59. 

  60. /**

  61.  * Computes the authpath and the root. This method is using a lot of space as we build the whole tree and then select the authpath nodes.

  62.  * For more efficient algorithms see e.g. the chapter on hash-based signatures in Bernstein, Buchmann, Dahmen. "Post-quantum Cryptography", Springer 2009.

  63.  * It returns the authpath in "authpath" with the node on level 0 at index 0.

  64.  */

  65. static void compute_authpath_wots(const xmss_params *params, unsigned char *root, unsigned char *authpath, unsigned long leaf_idx, const unsigned char *sk_seed, unsigned char *pub_seed, uint32_t addr[8])

  66. {

  67.     uint32_t i, j, level;

  68. 

  69.     unsigned char tree[2*(1 << params->tree_height)*params->n];

  70. 

  71.     uint32_t ots_addr[8];

  72.     uint32_t ltree_addr[8];

  73.     uint32_t node_addr[8];

  74. 

  75.     memcpy(ots_addr, addr, 12);

  76.     set_type(ots_addr, 0);

  77.     memcpy(ltree_addr, addr, 12);

  78.     set_type(ltree_addr, 1);

  79.     memcpy(node_addr, addr, 12);

  80.     set_type(node_addr, 2);

  81. 

  82.     // Compute all leaves

  83.     for (i = 0; i < (1U << params->tree_height); i++) {

  84.         set_ltree_addr(ltree_addr, i);

  85.         set_ots_addr(ots_addr, i);

  86.         gen_leaf_wots(params, tree+((1 << params->tree_height)*params->n + i*params->n), sk_seed, pub_seed, ltree_addr, ots_addr);

  87.     }

  88. 

  89. 

  90.     level = 0;

  91.     // Compute tree:

  92.     // Outer loop: For each inner layer

  93.     for (i = (1 << params->tree_height); i > 1; i>>=1) {

  94.         set_tree_height(node_addr, level);

  95.         // Inner loop: for each pair of sibling nodes

  96.         for (j = 0; j < i; j+=2) {

  97.             set_tree_index(node_addr, j>>1);

  98.             hash_h(params, tree + (i>>1)*params->n + (j>>1) * params->n, tree + i*params->n + j*params->n, pub_seed, node_addr);

  99.         }

  100.         level++;

  101.     }

  102. 

  103.     // copy authpath

  104.     for (i = 0; i < params->tree_height; i++) {

  105.         memcpy(authpath + i*params->n, tree + ((1 << params->tree_height)>>i)*params->n + ((leaf_idx >> i) ^ 1) * params->n, params->n);

  106.     }

  107. 

  108.     // copy root

  109.     memcpy(root, tree+params->n, params->n);

  110. }

  111. 

  112. 

  113. /*

  114.  * Generates a XMSS key pair for a given parameter set.

  115.  * Format sk: [(32bit) idx || SK_SEED || SK_PRF || PUB_SEED || root]

  116.  * Format pk: [root || PUB_SEED] omitting algo oid.

  117.  */

  118. int xmss_core_keypair(const xmss_params *params, unsigned char *pk, unsigned char *sk)

  119. {

  120.     // Set idx = 0

  121.     sk[0] = 0;

  122.     sk[1] = 0;

  123.     sk[2] = 0;

  124.     sk[3] = 0;

  125.     // Init SK_SEED (params->n byte), SK_PRF (params->n byte), and PUB_SEED (params->n byte)

  126.     randombytes(sk+4, 3*params->n);

  127.     // Copy PUB_SEED to public key

  128.     memcpy(pk+params->n, sk+4+2*params->n, params->n);

  129. 

  130.     uint32_t addr[8] = {0, 0, 0, 0, 0, 0, 0, 0};

  131.     // Compute root

  132.     treehash(params, pk, 0, sk+4, sk+4+2*params->n, addr);

  133.     // copy root to sk

  134.     memcpy(sk+4+3*params->n, pk, params->n);

  135.     return 0;

  136. }

  137. 

  138. /**

  139.  * Signs a message.

  140.  * Returns

  141.  * 1. an array containing the signature followed by the message AND

  142.  * 2. an updated secret key!

  143.  *

  144.  */

  145. int xmss_core_sign(const xmss_params *params, unsigned char *sk, unsigned char *sm, unsigned long long *smlen, const unsigned char *m, unsigned long long mlen)

  146. {

  147.     uint16_t i = 0;

  148. 

  149.     // Extract SK

  150.     uint32_t idx = ((unsigned long)sk[0] << 24) | ((unsigned long)sk[1] << 16) | ((unsigned long)sk[2] << 8) | sk[3];

  151.     unsigned char sk_seed[params->n];

  152.     unsigned char sk_prf[params->n];

  153.     unsigned char pub_seed[params->n];

  154.     unsigned char hash_key[3*params->n];

  155. 

  156.     // index as 32 bytes string

  157.     unsigned char idx_bytes_32[32];

  158.     to_byte(idx_bytes_32, idx, 32);

  159. 

  160.     memcpy(sk_seed, sk+4, params->n);

  161.     memcpy(sk_prf, sk+4+params->n, params->n);

  162.     memcpy(pub_seed, sk+4+2*params->n, params->n);

  163. 

  164.     // Update SK

  165.     sk[0] = ((idx + 1) >> 24) & 255;

  166.     sk[1] = ((idx + 1) >> 16) & 255;

  167.     sk[2] = ((idx + 1) >> 8) & 255;

  168.     sk[3] = (idx + 1) & 255;

  169.     // -- Secret key for this non-forward-secure version is now updated.

  170.     // -- A productive implementation should use a file handle instead and write the updated secret key at this point!

  171. 

  172.     // Init working params

  173.     unsigned char R[params->n];

  174.     unsigned char msg_h[params->n];

  175.     unsigned char root[params->n];

  176.     unsigned char ots_seed[params->n];

  177.     uint32_t ots_addr[8] = {0, 0, 0, 0, 0, 0, 0, 0};

  178. 

  179.     // ---------------------------------

  180.     // Message Hashing

  181.     // ---------------------------------

  182. 

  183.     // Message Hash:

  184.     // First compute pseudorandom value

  185.     prf(params, R, idx_bytes_32, sk_prf, params->n);

  186.     // Generate hash key (R || root || idx)

  187.     memcpy(hash_key, R, params->n);

  188.     memcpy(hash_key+params->n, sk+4+3*params->n, params->n);

  189.     to_byte(hash_key+2*params->n, idx, params->n);

  190.     // Then use it for message digest

  191.     h_msg(params, msg_h, m, mlen, hash_key, 3*params->n);

  192. 

  193.     // Start collecting signature

  194.     *smlen = 0;

  195. 

  196.     // Copy index to signature

  197.     sm[0] = (idx >> 24) & 255;

  198.     sm[1] = (idx >> 16) & 255;

  199.     sm[2] = (idx >> 8) & 255;

  200.     sm[3] = idx & 255;

  201. 

  202.     sm += 4;

  203.     *smlen += 4;

  204. 

  205.     // Copy R to signature

  206.     for (i = 0; i < params->n; i++)

  207.     sm[i] = R[i];

  208. 

  209.     sm += params->n;

  210.     *smlen += params->n;

  211. 

  212.     // ----------------------------------

  213.     // Now we start to "really sign"

  214.     // ----------------------------------

  215. 

  216.     // Prepare Address

  217.     set_type(ots_addr, 0);

  218.     set_ots_addr(ots_addr, idx);

  219. 

  220.     // Compute seed for OTS key pair

  221.     get_seed(params, ots_seed, sk_seed, ots_addr);

  222. 

  223.     // Compute WOTS signature

  224.     wots_sign(params, sm, msg_h, ots_seed, pub_seed, ots_addr);

  225. 

  226.     sm += params->wots_keysize;

  227.     *smlen += params->wots_keysize;

  228. 

  229.     compute_authpath_wots(params, root, sm, idx, sk_seed, pub_seed, ots_addr);

  230.     sm += params->tree_height*params->n;

  231.     *smlen += params->tree_height*params->n;

  232. 

  233.     memcpy(sm, m, mlen);

  234.     *smlen += mlen;

  235. 

  236.     return 0;

  237. }

  238. 

  239. /*

  240.  * Generates a XMSSMT key pair for a given parameter set.

  241.  * Format sk: [(ceil(h/8) bit) idx || SK_SEED || SK_PRF || PUB_SEED]

  242.  * Format pk: [root || PUB_SEED] omitting algo oid.

  243.  */

  244. int xmssmt_core_keypair(const xmss_params *params, unsigned char *pk, unsigned char *sk)

  245. {

  246.     uint16_t i;

  247.     // Set idx = 0

  248.     for (i = 0; i < params->index_len; i++) {

  249.         sk[i] = 0;

  250.     }

  251.     // Init SK_SEED (params->n byte), SK_PRF (params->n byte), and PUB_SEED (params->n byte)

  252.     randombytes(sk+params->index_len, 3*params->n);

  253.     // Copy PUB_SEED to public key

  254.     memcpy(pk+params->n, sk+params->index_len+2*params->n, params->n);

  255. 

  256.     // Set address to point on the single tree on layer d-1

  257.     uint32_t addr[8] = {0, 0, 0, 0, 0, 0, 0, 0};

  258.     set_layer_addr(addr, (params->d-1));

  259. 

  260.     // Compute root

  261.     treehash(params, pk, 0, sk+params->index_len, pk+params->n, addr);

  262.     memcpy(sk+params->index_len+3*params->n, pk, params->n);

  263.     return 0;

  264. }

  265. 

  266. /**

  267.  * Signs a message.

  268.  * Returns

  269.  * 1. an array containing the signature followed by the message AND

  270.  * 2. an updated secret key!

  271.  *

  272.  */

  273. int xmssmt_core_sign(const xmss_params *params, unsigned char *sk, unsigned char *sm, unsigned long long *smlen, const unsigned char *m, unsigned long long mlen)

  274. {

  275.     uint64_t idx_tree;

  276.     uint32_t idx_leaf;

  277.     uint64_t i;

  278. 

  279.     unsigned char sk_seed[params->n];

  280.     unsigned char sk_prf[params->n];

  281.     unsigned char pub_seed[params->n];

  282.     // Init working params

  283.     unsigned char R[params->n];

  284.     unsigned char hash_key[3*params->n];

  285.     unsigned char msg_h[params->n];

  286.     unsigned char root[params->n];

  287.     unsigned char ots_seed[params->n];

  288.     uint32_t ots_addr[8] = {0, 0, 0, 0, 0, 0, 0, 0};

  289.     unsigned char idx_bytes_32[32];

  290. 

  291.     // Extract SK

  292.     unsigned long long idx = 0;

  293.     for (i = 0; i < params->index_len; i++) {

  294.         idx |= ((unsigned long long)sk[i]) << 8*(params->index_len - 1 - i);

  295.     }

  296. 

  297.     memcpy(sk_seed, sk+params->index_len, params->n);

  298.     memcpy(sk_prf, sk+params->index_len+params->n, params->n);

  299.     memcpy(pub_seed, sk+params->index_len+2*params->n, params->n);

  300. 

  301.     // Update SK

  302.     for (i = 0; i < params->index_len; i++) {

  303.         sk[i] = ((idx + 1) >> 8*(params->index_len - 1 - i)) & 255;

  304.     }

  305.     // -- Secret key for this non-forward-secure version is now updated.

  306.     // -- A productive implementation should use a file handle instead and write the updated secret key at this point!

  307. 

  308. 

  309.     // ---------------------------------

  310.     // Message Hashing

  311.     // ---------------------------------

  312. 

  313.     // Message Hash:

  314.     // First compute pseudorandom value

  315.     to_byte(idx_bytes_32, idx, 32);

  316.     prf(params, R, idx_bytes_32, sk_prf, params->n);

  317.     // Generate hash key (R || root || idx)

  318.     memcpy(hash_key, R, params->n);

  319.     memcpy(hash_key+params->n, sk+params->index_len+3*params->n, params->n);

  320.     to_byte(hash_key+2*params->n, idx, params->n);

  321. 

  322.     // Then use it for message digest

  323.     h_msg(params, msg_h, m, mlen, hash_key, 3*params->n);

  324. 

  325.     // Start collecting signature

  326.     *smlen = 0;

  327. 

  328.     // Copy index to signature

  329.     for (i = 0; i < params->index_len; i++) {

  330.         sm[i] = (idx >> 8*(params->index_len - 1 - i)) & 255;

  331.     }

  332. 

  333.     sm += params->index_len;

  334.     *smlen += params->index_len;

  335. 

  336.     // Copy R to signature

  337.     for (i = 0; i < params->n; i++) {

  338.         sm[i] = R[i];

  339.     }

  340. 

  341.     sm += params->n;

  342.     *smlen += params->n;

  343. 

  344.     // ----------------------------------

  345.     // Now we start to "really sign"

  346.     // ----------------------------------

  347. 

  348.     // Handle lowest layer separately as it is slightly different...

  349. 

  350.     // Prepare Address

  351.     set_type(ots_addr, 0);

  352.     idx_tree = idx >> params->tree_height;

  353.     idx_leaf = (idx & ((1 << params->tree_height)-1));

  354.     set_layer_addr(ots_addr, 0);

  355.     set_tree_addr(ots_addr, idx_tree);

  356.     set_ots_addr(ots_addr, idx_leaf);

  357. 

  358.     // Compute seed for OTS key pair

  359.     get_seed(params, ots_seed, sk_seed, ots_addr);

  360. 

  361.     // Compute WOTS signature

  362.     wots_sign(params, sm, msg_h, ots_seed, pub_seed, ots_addr);

  363. 

  364.     sm += params->wots_keysize;

  365.     *smlen += params->wots_keysize;

  366. 

  367.     compute_authpath_wots(params, root, sm, idx_leaf, sk_seed, pub_seed, ots_addr);

  368.     sm += params->tree_height*params->n;

  369.     *smlen += params->tree_height*params->n;

  370. 

  371.     // Now loop over remaining layers...

  372.     unsigned int j;

  373.     for (j = 1; j < params->d; j++) {

  374.         // Prepare Address

  375.         idx_leaf = (idx_tree & ((1 << params->tree_height)-1));

  376.         idx_tree = idx_tree >> params->tree_height;

  377.         set_layer_addr(ots_addr, j);

  378.         set_tree_addr(ots_addr, idx_tree);

  379.         set_ots_addr(ots_addr, idx_leaf);

  380. 

  381.         // Compute seed for OTS key pair

  382.         get_seed(params, ots_seed, sk_seed, ots_addr);

  383. 

  384.         // Compute WOTS signature

  385.         wots_sign(params, sm, root, ots_seed, pub_seed, ots_addr);

  386. 

  387.         sm += params->wots_keysize;

  388.         *smlen += params->wots_keysize;

  389. 

  390.         compute_authpath_wots(params, root, sm, idx_leaf, sk_seed, pub_seed, ots_addr);

  391.         sm += params->tree_height*params->n;

  392.         *smlen += params->tree_height*params->n;

  393.     }

  394. 

  395.     memcpy(sm, m, mlen);

  396.     *smlen += mlen;

  397. 

  398.     return 0;

  399. }