kris
/
xmss-KAT-generator
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
76 Commits
1 Branch
488 KiB
 
 
Tree: a9fe0e43fe
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'a9fe0e43fe'
${ noResults }
xmss-KAT-generator/xmss_core.c

402 lines
12 KiB
Raw Blame History 

  1. #include <stdlib.h>

  2. #include <string.h>

  3. #include <stdint.h>

  4. 

  5. #include "hash.h"

  6. #include "hash_address.h"

  7. #include "params.h"

  8. #include "randombytes.h"

  9. #include "wots.h"

  10. #include "xmss_commons.h"

  11. #include "xmss_core.h"

  12. 

  13. /**

  14.  * Merkle's TreeHash algorithm. Currently only used for key generation.

  15.  * Computes the root node of the top-most subtree.

  16.  */

  17. static void treehash_root(const xmss_params *params, unsigned char *root,

  18.                           const unsigned char *sk_seed,

  19.                           const unsigned char *pub_seed)

  20. {

  21.     unsigned char stack[(params->tree_height+1)*params->n];

  22.     unsigned int heights[params->tree_height+1];

  23.     unsigned int offset = 0;

  24. 

  25.     /* The subtree has at most 2^20 leafs, so uint32_t suffices. */

  26.     uint32_t idx;

  27. 

  28.     /* We need all three types of addresses in parallel. */

  29.     uint32_t ots_addr[8] = {0};

  30.     uint32_t ltree_addr[8] = {0};

  31.     uint32_t node_addr[8] = {0};

  32. 

  33.     /* To support the multi-tree setting, select the top tree. */

  34.     set_layer_addr(ots_addr, params->d - 1);

  35.     set_layer_addr(ltree_addr, params->d - 1);

  36.     set_layer_addr(node_addr, params->d - 1);

  37. 

  38.     set_type(ots_addr, 0);

  39.     set_type(ltree_addr, 1);

  40.     set_type(node_addr, 2);

  41. 

  42.     for (idx = 0; idx < (uint32_t)(1 << params->tree_height); idx++) {

  43.         /* Add the next leaf node to the stack. */

  44.         set_ltree_addr(ltree_addr, idx);

  45.         set_ots_addr(ots_addr, idx);

  46.         gen_leaf_wots(params, stack + offset*params->n,

  47.                       sk_seed, pub_seed, ltree_addr, ots_addr);

  48.         heights[offset] = 0;

  49.         offset++;

  50. 

  51.         /* While the top-most nodes are of equal height.. */

  52.         while (offset >= 2 && heights[offset - 1] == heights[offset - 2]) {

  53.             /* Hash the top-most nodes from the stack together. */

  54.             set_tree_height(node_addr, heights[offset - 1]);

  55.             set_tree_index(node_addr, (idx >> (heights[offset - 1] + 1)));

  56.             hash_h(params, stack + (offset-2)*params->n,

  57.                            stack + (offset-2)*params->n, pub_seed, node_addr);

  58.             /* Note that the top-most node is now one layer higher. */

  59.             heights[offset-2]++;

  60.             offset--;

  61.         }

  62.     }

  63.     memcpy(root, stack, params->n);

  64. }

  65. 

  66. /**

  67.  * Computes the authpath and the root. This method is using a lot of space as we

  68.  * build the whole tree and then select the authpath nodes. For more efficient

  69.  * algorithms see e.g. the chapter on hash-based signatures in Bernstein,

  70.  * Buchmann, Dahmen. "Post-quantum Cryptography", Springer 2009.

  71.  *

  72.  * Returns the authpath in "authpath" with the node on level 0 at index 0.

  73.  */

  74. static void compute_authpath_wots(const xmss_params *params, unsigned char *root, unsigned char *authpath, unsigned long leaf_idx, const unsigned char *sk_seed, unsigned char *pub_seed, uint32_t addr[8])

  75. {

  76.     uint32_t i, j, level;

  77. 

  78.     unsigned char tree[2*(1 << params->tree_height)*params->n];

  79. 

  80.     uint32_t ots_addr[8];

  81.     uint32_t ltree_addr[8];

  82.     uint32_t node_addr[8];

  83. 

  84.     memcpy(ots_addr, addr, 12);

  85.     set_type(ots_addr, 0);

  86.     memcpy(ltree_addr, addr, 12);

  87.     set_type(ltree_addr, 1);

  88.     memcpy(node_addr, addr, 12);

  89.     set_type(node_addr, 2);

  90. 

  91.     // Compute all leaves

  92.     for (i = 0; i < (1U << params->tree_height); i++) {

  93.         set_ltree_addr(ltree_addr, i);

  94.         set_ots_addr(ots_addr, i);

  95.         gen_leaf_wots(params, tree+((1 << params->tree_height)*params->n + i*params->n), sk_seed, pub_seed, ltree_addr, ots_addr);

  96.     }

  97. 

  98. 

  99.     level = 0;

  100.     // Compute tree:

  101.     // Outer loop: For each inner layer

  102.     for (i = (1 << params->tree_height); i > 1; i>>=1) {

  103.         set_tree_height(node_addr, level);

  104.         // Inner loop: for each pair of sibling nodes

  105.         for (j = 0; j < i; j+=2) {

  106.             set_tree_index(node_addr, j>>1);

  107.             hash_h(params, tree + (i>>1)*params->n + (j>>1) * params->n, tree + i*params->n + j*params->n, pub_seed, node_addr);

  108.         }

  109.         level++;

  110.     }

  111. 

  112.     // copy authpath

  113.     for (i = 0; i < params->tree_height; i++) {

  114.         memcpy(authpath + i*params->n, tree + ((1 << params->tree_height)>>i)*params->n + ((leaf_idx >> i) ^ 1) * params->n, params->n);

  115.     }

  116. 

  117.     // copy root

  118.     memcpy(root, tree+params->n, params->n);

  119. }

  120. 

  121. /*

  122.  * Generates a XMSS key pair for a given parameter set.

  123.  * Format sk: [(32bit) index || SK_SEED || SK_PRF || PUB_SEED || root]

  124.  * Format pk: [root || PUB_SEED], omitting algorithm OID.

  125.  */

  126. int xmss_core_keypair(const xmss_params *params,

  127.                       unsigned char *pk, unsigned char *sk)

  128. {

  129.     /* Initialize index to 0. */

  130.     memset(sk, 0, params->index_len);

  131.     sk += 4;

  132. 

  133.     /* Initialize SK_SEED, SK_PRF and PUB_SEED. */

  134.     randombytes(sk, 3 * params->n);

  135.     memcpy(pk + params->n, sk + 2*params->n, params->n);

  136. 

  137.     /* Compute root node. */

  138.     treehash_root(params, pk, sk, pk + params->n);

  139.     memcpy(sk + 3*params->n, pk, params->n);

  140. 

  141.     return 0;

  142. }

  143. 

  144. /**

  145.  * Signs a message.

  146.  * Returns

  147.  * 1. an array containing the signature followed by the message AND

  148.  * 2. an updated secret key!

  149.  *

  150.  */

  151. int xmss_core_sign(const xmss_params *params, unsigned char *sk, unsigned char *sm, unsigned long long *smlen, const unsigned char *m, unsigned long long mlen)

  152. {

  153.     uint16_t i = 0;

  154. 

  155.     // Extract SK

  156.     uint32_t idx = ((unsigned long)sk[0] << 24) | ((unsigned long)sk[1] << 16) | ((unsigned long)sk[2] << 8) | sk[3];

  157.     unsigned char sk_seed[params->n];

  158.     unsigned char sk_prf[params->n];

  159.     unsigned char pub_seed[params->n];

  160.     unsigned char hash_key[3*params->n];

  161. 

  162.     // index as 32 bytes string

  163.     unsigned char idx_bytes_32[32];

  164.     ull_to_bytes(idx_bytes_32, 32, idx);

  165. 

  166.     memcpy(sk_seed, sk+4, params->n);

  167.     memcpy(sk_prf, sk+4+params->n, params->n);

  168.     memcpy(pub_seed, sk+4+2*params->n, params->n);

  169. 

  170.     // Update SK

  171.     sk[0] = ((idx + 1) >> 24) & 255;

  172.     sk[1] = ((idx + 1) >> 16) & 255;

  173.     sk[2] = ((idx + 1) >> 8) & 255;

  174.     sk[3] = (idx + 1) & 255;

  175.     // Secret key for this non-forward-secure version is now updated.

  176.     // A production implementation should consider using a file handle instead,

  177.     //  and write the updated secret key at this point!

  178. 

  179.     // Init working params

  180.     unsigned char R[params->n];

  181.     unsigned char msg_h[params->n];

  182.     unsigned char root[params->n];

  183.     unsigned char ots_seed[params->n];

  184.     uint32_t ots_addr[8] = {0, 0, 0, 0, 0, 0, 0, 0};

  185. 

  186.     // ---------------------------------

  187.     // Message Hashing

  188.     // ---------------------------------

  189. 

  190.     // Message Hash:

  191.     // First compute pseudorandom value

  192.     prf(params, R, idx_bytes_32, sk_prf, params->n);

  193.     // Generate hash key (R || root || idx)

  194.     memcpy(hash_key, R, params->n);

  195.     memcpy(hash_key+params->n, sk+4+3*params->n, params->n);

  196.     ull_to_bytes(hash_key+2*params->n, params->n, idx);

  197.     // Then use it for message digest

  198.     h_msg(params, msg_h, m, mlen, hash_key, 3*params->n);

  199. 

  200.     // Start collecting signature

  201.     *smlen = 0;

  202. 

  203.     // Copy index to signature

  204.     sm[0] = (idx >> 24) & 255;

  205.     sm[1] = (idx >> 16) & 255;

  206.     sm[2] = (idx >> 8) & 255;

  207.     sm[3] = idx & 255;

  208. 

  209.     sm += 4;

  210.     *smlen += 4;

  211. 

  212.     // Copy R to signature

  213.     for (i = 0; i < params->n; i++)

  214.     sm[i] = R[i];

  215. 

  216.     sm += params->n;

  217.     *smlen += params->n;

  218. 

  219.     // ----------------------------------

  220.     // Now we start to "really sign"

  221.     // ----------------------------------

  222. 

  223.     // Prepare Address

  224.     set_type(ots_addr, 0);

  225.     set_ots_addr(ots_addr, idx);

  226. 

  227.     // Compute seed for OTS key pair

  228.     get_seed(params, ots_seed, sk_seed, ots_addr);

  229. 

  230.     // Compute WOTS signature

  231.     wots_sign(params, sm, msg_h, ots_seed, pub_seed, ots_addr);

  232. 

  233.     sm += params->wots_keysize;

  234.     *smlen += params->wots_keysize;

  235. 

  236.     compute_authpath_wots(params, root, sm, idx, sk_seed, pub_seed, ots_addr);

  237.     sm += params->tree_height*params->n;

  238.     *smlen += params->tree_height*params->n;

  239. 

  240.     memcpy(sm, m, mlen);

  241.     *smlen += mlen;

  242. 

  243.     return 0;

  244. }

  245. 

  246. /*

  247.  * Generates a XMSSMT key pair for a given parameter set.

  248.  * Format sk: [(ceil(h/8) bit) index || SK_SEED || SK_PRF || PUB_SEED]

  249.  * Format pk: [root || PUB_SEED] omitting algorithm OID.

  250.  */

  251. int xmssmt_core_keypair(const xmss_params *params, unsigned char *pk, unsigned char *sk)

  252. {

  253.     /* Initialize index to 0. */

  254.     memset(sk, 0, params->index_len);

  255.     sk += 4;

  256. 

  257.     /* Initialize SK_SEED, SK_PRF and PUB_SEED. */

  258.     randombytes(sk, 3 * params->n);

  259.     memcpy(pk + params->n, sk + 2*params->n, params->n);

  260. 

  261.     /* Compute root node of the top-most subtree. */

  262.     treehash_root(params, pk, sk, pk + params->n);

  263.     memcpy(sk + 3*params->n, pk, params->n);

  264. 

  265.     return 0;

  266. }

  267. 

  268. /**

  269.  * Signs a message.

  270.  * Returns

  271.  * 1. an array containing the signature followed by the message AND

  272.  * 2. an updated secret key!

  273.  *

  274.  */

  275. int xmssmt_core_sign(const xmss_params *params, unsigned char *sk, unsigned char *sm, unsigned long long *smlen, const unsigned char *m, unsigned long long mlen)

  276. {

  277.     uint64_t idx_tree;

  278.     uint32_t idx_leaf;

  279.     uint64_t i;

  280. 

  281.     unsigned char sk_seed[params->n];

  282.     unsigned char sk_prf[params->n];

  283.     unsigned char pub_seed[params->n];

  284.     // Init working params

  285.     unsigned char R[params->n];

  286.     unsigned char hash_key[3*params->n];

  287.     unsigned char msg_h[params->n];

  288.     unsigned char root[params->n];

  289.     unsigned char ots_seed[params->n];

  290.     uint32_t ots_addr[8] = {0, 0, 0, 0, 0, 0, 0, 0};

  291.     unsigned char idx_bytes_32[32];

  292. 

  293.     // Extract SK

  294.     unsigned long long idx = 0;

  295.     for (i = 0; i < params->index_len; i++) {

  296.         idx |= ((unsigned long long)sk[i]) << 8*(params->index_len - 1 - i);

  297.     }

  298. 

  299.     memcpy(sk_seed, sk+params->index_len, params->n);

  300.     memcpy(sk_prf, sk+params->index_len+params->n, params->n);

  301.     memcpy(pub_seed, sk+params->index_len+2*params->n, params->n);

  302. 

  303.     // Update SK

  304.     for (i = 0; i < params->index_len; i++) {

  305.         sk[i] = ((idx + 1) >> 8*(params->index_len - 1 - i)) & 255;

  306.     }

  307.     // Secret key for this non-forward-secure version is now updated.

  308.     // A production implementation should consider using a file handle instead,

  309.     //  and write the updated secret key at this point!

  310. 

  311.     // ---------------------------------

  312.     // Message Hashing

  313.     // ---------------------------------

  314. 

  315.     // Message Hash:

  316.     // First compute pseudorandom value

  317.     ull_to_bytes(idx_bytes_32, 32, idx);

  318.     prf(params, R, idx_bytes_32, sk_prf, params->n);

  319.     // Generate hash key (R || root || idx)

  320.     memcpy(hash_key, R, params->n);

  321.     memcpy(hash_key+params->n, sk+params->index_len+3*params->n, params->n);

  322.     ull_to_bytes(hash_key+2*params->n, params->n, idx);

  323. 

  324.     // Then use it for message digest

  325.     h_msg(params, msg_h, m, mlen, hash_key, 3*params->n);

  326. 

  327.     // Start collecting signature

  328.     *smlen = 0;

  329. 

  330.     // Copy index to signature

  331.     for (i = 0; i < params->index_len; i++) {

  332.         sm[i] = (idx >> 8*(params->index_len - 1 - i)) & 255;

  333.     }

  334. 

  335.     sm += params->index_len;

  336.     *smlen += params->index_len;

  337. 

  338.     // Copy R to signature

  339.     for (i = 0; i < params->n; i++) {

  340.         sm[i] = R[i];

  341.     }

  342. 

  343.     sm += params->n;

  344.     *smlen += params->n;

  345. 

  346.     // ----------------------------------

  347.     // Now we start to "really sign"

  348.     // ----------------------------------

  349. 

  350.     // Handle lowest layer separately as it is slightly different...

  351. 

  352.     // Prepare Address

  353.     set_type(ots_addr, 0);

  354.     idx_tree = idx >> params->tree_height;

  355.     idx_leaf = (idx & ((1 << params->tree_height)-1));

  356.     set_layer_addr(ots_addr, 0);

  357.     set_tree_addr(ots_addr, idx_tree);

  358.     set_ots_addr(ots_addr, idx_leaf);

  359. 

  360.     // Compute seed for OTS key pair

  361.     get_seed(params, ots_seed, sk_seed, ots_addr);

  362. 

  363.     // Compute WOTS signature

  364.     wots_sign(params, sm, msg_h, ots_seed, pub_seed, ots_addr);

  365. 

  366.     sm += params->wots_keysize;

  367.     *smlen += params->wots_keysize;

  368. 

  369.     compute_authpath_wots(params, root, sm, idx_leaf, sk_seed, pub_seed, ots_addr);

  370.     sm += params->tree_height*params->n;

  371.     *smlen += params->tree_height*params->n;

  372. 

  373.     // Now loop over remaining layers...

  374.     unsigned int j;

  375.     for (j = 1; j < params->d; j++) {

  376.         // Prepare Address

  377.         idx_leaf = (idx_tree & ((1 << params->tree_height)-1));

  378.         idx_tree = idx_tree >> params->tree_height;

  379.         set_layer_addr(ots_addr, j);

  380.         set_tree_addr(ots_addr, idx_tree);

  381.         set_ots_addr(ots_addr, idx_leaf);

  382. 

  383.         // Compute seed for OTS key pair

  384.         get_seed(params, ots_seed, sk_seed, ots_addr);

  385. 

  386.         // Compute WOTS signature

  387.         wots_sign(params, sm, root, ots_seed, pub_seed, ots_addr);

  388. 

  389.         sm += params->wots_keysize;

  390.         *smlen += params->wots_keysize;

  391. 

  392.         compute_authpath_wots(params, root, sm, idx_leaf, sk_seed, pub_seed, ots_addr);

  393.         sm += params->tree_height*params->n;

  394.         *smlen += params->tree_height*params->n;

  395.     }

  396. 

  397.     memcpy(sm, m, mlen);

  398.     *smlen += mlen;

  399. 

  400.     return 0;

  401. }