kris
/
xmss-KAT-generator
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
45 Commits
1 Branch
488 KiB
 
 
Tree: b8ec30fc2c
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'b8ec30fc2c'
${ noResults }
xmss-KAT-generator/xmss.c

404 lines
11 KiB
Raw Blame History 

  1. /*

  2. xmss.c version 20160722

  3. Andreas Hülsing

  4. Joost Rijneveld

  5. Public domain.

  6. */

  7. 

  8. #include "xmss.h"

  9. #include <stdlib.h>

  10. #include <string.h>

  11. #include <stdint.h>

  12. 

  13. #include "randombytes.h"

  14. #include "wots.h"

  15. #include "hash.h"

  16. #include "xmss_commons.h"

  17. #include "hash_address.h"

  18. #include "params.h"

  19. 

  20. /**

  21.  * Merkle's TreeHash algorithm. The address only needs to initialize the first 78 bits of addr. Everything else will be set by treehash.

  22.  * Currently only used for key generation.

  23.  *

  24.  */

  25. static void treehash(unsigned char *node, uint32_t index, const unsigned char *sk_seed, const unsigned char *pub_seed, const uint32_t addr[8])

  26. {

  27.   uint32_t idx = index;

  28.   // use three different addresses because at this point we use all three formats in parallel

  29.   uint32_t ots_addr[8];

  30.   uint32_t ltree_addr[8];

  31.   uint32_t node_addr[8];

  32.   // only copy layer and tree address parts

  33.   memcpy(ots_addr, addr, 12);

  34.   // type = ots

  35.   setType(ots_addr, 0);

  36.   memcpy(ltree_addr, addr, 12);

  37.   setType(ltree_addr, 1);

  38.   memcpy(node_addr, addr, 12);

  39.   setType(node_addr, 2);

  40. 

  41.   uint32_t lastnode, i;

  42.   unsigned char stack[(XMSS_TREEHEIGHT+1)*XMSS_N];

  43.   uint16_t stacklevels[XMSS_TREEHEIGHT+1];

  44.   unsigned int stackoffset=0;

  45. 

  46.   lastnode = idx+(1 << XMSS_TREEHEIGHT);

  47. 

  48.   for (; idx < lastnode; idx++) {

  49.     setLtreeADRS(ltree_addr, idx);

  50.     setOTSADRS(ots_addr, idx);

  51.     gen_leaf_wots(stack+stackoffset*XMSS_N, sk_seed, pub_seed, ltree_addr, ots_addr);

  52.     stacklevels[stackoffset] = 0;

  53.     stackoffset++;

  54.     while (stackoffset>1 && stacklevels[stackoffset-1] == stacklevels[stackoffset-2]) {

  55.       setTreeHeight(node_addr, stacklevels[stackoffset-1]);

  56.       setTreeIndex(node_addr, (idx >> (stacklevels[stackoffset-1]+1)));

  57.       hash_h(stack+(stackoffset-2)*XMSS_N, stack+(stackoffset-2)*XMSS_N, pub_seed, node_addr);

  58.       stacklevels[stackoffset-2]++;

  59.       stackoffset--;

  60.     }

  61.   }

  62.   for (i = 0; i < XMSS_N; i++)

  63.     node[i] = stack[i];

  64. }

  65. 

  66. /**

  67.  * Computes the authpath and the root. This method is using a lot of space as we build the whole tree and then select the authpath nodes.

  68.  * For more efficient algorithms see e.g. the chapter on hash-based signatures in Bernstein, Buchmann, Dahmen. "Post-quantum Cryptography", Springer 2009.

  69.  * It returns the authpath in "authpath" with the node on level 0 at index 0.

  70.  */

  71. static void compute_authpath_wots(unsigned char *root, unsigned char *authpath, unsigned long leaf_idx, const unsigned char *sk_seed, unsigned char *pub_seed, uint32_t addr[8])

  72. {

  73.   uint32_t i, j, level;

  74. 

  75.   unsigned char tree[2*(1<<XMSS_TREEHEIGHT)*XMSS_N];

  76. 

  77.   uint32_t ots_addr[8];

  78.   uint32_t ltree_addr[8];

  79.   uint32_t node_addr[8];

  80. 

  81.   memcpy(ots_addr, addr, 12);

  82.   setType(ots_addr, 0);

  83.   memcpy(ltree_addr, addr, 12);

  84.   setType(ltree_addr, 1);

  85.   memcpy(node_addr, addr, 12);

  86.   setType(node_addr, 2);

  87. 

  88.   // Compute all leaves

  89.   for (i = 0; i < (1U << XMSS_TREEHEIGHT); i++) {

  90.     setLtreeADRS(ltree_addr, i);

  91.     setOTSADRS(ots_addr, i);

  92.     gen_leaf_wots(tree+((1<<XMSS_TREEHEIGHT)*XMSS_N + i*XMSS_N), sk_seed, pub_seed, ltree_addr, ots_addr);

  93.   }

  94. 

  95. 

  96.   level = 0;

  97.   // Compute tree:

  98.   // Outer loop: For each inner layer

  99.   for (i = (1<<XMSS_TREEHEIGHT); i > 1; i>>=1) {

  100.     setTreeHeight(node_addr, level);

  101.     // Inner loop: for each pair of sibling nodes

  102.     for (j = 0; j < i; j+=2) {

  103.       setTreeIndex(node_addr, j>>1);

  104.       hash_h(tree + (i>>1)*XMSS_N + (j>>1) * XMSS_N, tree + i*XMSS_N + j*XMSS_N, pub_seed, node_addr);

  105.     }

  106.     level++;

  107.   }

  108. 

  109.   // copy authpath

  110.   for (i = 0; i < XMSS_TREEHEIGHT; i++)

  111.     memcpy(authpath + i*XMSS_N, tree + ((1<<XMSS_TREEHEIGHT)>>i)*XMSS_N + ((leaf_idx >> i) ^ 1) * XMSS_N, XMSS_N);

  112. 

  113.   // copy root

  114.   memcpy(root, tree+XMSS_N, XMSS_N);

  115. }

  116. 

  117. 

  118. /*

  119.  * Generates a XMSS key pair for a given parameter set.

  120.  * Format sk: [(32bit) idx || SK_SEED || SK_PRF || PUB_SEED || root]

  121.  * Format pk: [root || PUB_SEED] omitting algo oid.

  122.  */

  123. int xmss_keypair(unsigned char *pk, unsigned char *sk)

  124. {

  125.   // Set idx = 0

  126.   sk[0] = 0;

  127.   sk[1] = 0;

  128.   sk[2] = 0;

  129.   sk[3] = 0;

  130.   // Init SK_SEED (XMSS_N byte), SK_PRF (XMSS_N byte), and PUB_SEED (XMSS_N byte)

  131.   randombytes(sk+4, 3*XMSS_N);

  132.   // Copy PUB_SEED to public key

  133.   memcpy(pk+XMSS_N, sk+4+2*XMSS_N, XMSS_N);

  134. 

  135.   uint32_t addr[8] = {0, 0, 0, 0, 0, 0, 0, 0};

  136.   // Compute root

  137.   treehash(pk, 0, sk+4, sk+4+2*XMSS_N, addr);

  138.   // copy root to sk

  139.   memcpy(sk+4+3*XMSS_N, pk, XMSS_N);

  140.   return 0;

  141. }

  142. 

  143. /**

  144.  * Signs a message.

  145.  * Returns

  146.  * 1. an array containing the signature followed by the message AND

  147.  * 2. an updated secret key!

  148.  *

  149.  */

  150. int xmss_sign(unsigned char *sk, unsigned char *sm, unsigned long long *smlen, const unsigned char *m, unsigned long long mlen)

  151. {

  152.   uint16_t i = 0;

  153. 

  154.   // Extract SK

  155.   uint32_t idx = ((unsigned long)sk[0] << 24) | ((unsigned long)sk[1] << 16) | ((unsigned long)sk[2] << 8) | sk[3];

  156.   unsigned char sk_seed[XMSS_N];

  157.   unsigned char sk_prf[XMSS_N];

  158.   unsigned char pub_seed[XMSS_N];

  159.   unsigned char hash_key[3*XMSS_N];

  160. 

  161.   // index as 32 bytes string

  162.   unsigned char idx_bytes_32[32];

  163.   to_byte(idx_bytes_32, idx, 32);

  164. 

  165.   memcpy(sk_seed, sk+4, XMSS_N);

  166.   memcpy(sk_prf, sk+4+XMSS_N, XMSS_N);

  167.   memcpy(pub_seed, sk+4+2*XMSS_N, XMSS_N);

  168. 

  169.   // Update SK

  170.   sk[0] = ((idx + 1) >> 24) & 255;

  171.   sk[1] = ((idx + 1) >> 16) & 255;

  172.   sk[2] = ((idx + 1) >> 8) & 255;

  173.   sk[3] = (idx + 1) & 255;

  174.   // -- Secret key for this non-forward-secure version is now updated.

  175.   // -- A productive implementation should use a file handle instead and write the updated secret key at this point!

  176. 

  177.   // Init working params

  178.   unsigned char R[XMSS_N];

  179.   unsigned char msg_h[XMSS_N];

  180.   unsigned char root[XMSS_N];

  181.   unsigned char ots_seed[XMSS_N];

  182.   uint32_t ots_addr[8] = {0, 0, 0, 0, 0, 0, 0, 0};

  183. 

  184.   // ---------------------------------

  185.   // Message Hashing

  186.   // ---------------------------------

  187. 

  188.   // Message Hash:

  189.   // First compute pseudorandom value

  190.   prf(R, idx_bytes_32, sk_prf, XMSS_N);

  191.   // Generate hash key (R || root || idx)

  192.   memcpy(hash_key, R, XMSS_N);

  193.   memcpy(hash_key+XMSS_N, sk+4+3*XMSS_N, XMSS_N);

  194.   to_byte(hash_key+2*XMSS_N, idx, XMSS_N);

  195.   // Then use it for message digest

  196.   h_msg(msg_h, m, mlen, hash_key, 3*XMSS_N);

  197. 

  198.   // Start collecting signature

  199.   *smlen = 0;

  200. 

  201.   // Copy index to signature

  202.   sm[0] = (idx >> 24) & 255;

  203.   sm[1] = (idx >> 16) & 255;

  204.   sm[2] = (idx >> 8) & 255;

  205.   sm[3] = idx & 255;

  206. 

  207.   sm += 4;

  208.   *smlen += 4;

  209. 

  210.   // Copy R to signature

  211.   for (i = 0; i < XMSS_N; i++)

  212.     sm[i] = R[i];

  213. 

  214.   sm += XMSS_N;

  215.   *smlen += XMSS_N;

  216. 

  217.   // ----------------------------------

  218.   // Now we start to "really sign"

  219.   // ----------------------------------

  220. 

  221.   // Prepare Address

  222.   setType(ots_addr, 0);

  223.   setOTSADRS(ots_addr, idx);

  224. 

  225.   // Compute seed for OTS key pair

  226.   get_seed(ots_seed, sk_seed, ots_addr);

  227. 

  228.   // Compute WOTS signature

  229.   wots_sign(sm, msg_h, ots_seed, pub_seed, ots_addr);

  230. 

  231.   sm += XMSS_WOTS_KEYSIZE;

  232.   *smlen += XMSS_WOTS_KEYSIZE;

  233. 

  234.   compute_authpath_wots(root, sm, idx, sk_seed, pub_seed, ots_addr);

  235.   sm += XMSS_TREEHEIGHT*XMSS_N;

  236.   *smlen += XMSS_TREEHEIGHT*XMSS_N;

  237. 

  238.   memcpy(sm, m, mlen);

  239.   *smlen += mlen;

  240. 

  241.   return 0;

  242. }

  243. 

  244. /*

  245.  * Generates a XMSSMT key pair for a given parameter set.

  246.  * Format sk: [(ceil(h/8) bit) idx || SK_SEED || SK_PRF || PUB_SEED]

  247.  * Format pk: [root || PUB_SEED] omitting algo oid.

  248.  */

  249. int xmssmt_keypair(unsigned char *pk, unsigned char *sk)

  250. {

  251.   uint16_t i;

  252.   // Set idx = 0

  253.   for (i = 0; i < XMSS_INDEX_LEN; i++) {

  254.     sk[i] = 0;

  255.   }

  256.   // Init SK_SEED (XMSS_N byte), SK_PRF (XMSS_N byte), and PUB_SEED (XMSS_N byte)

  257.   randombytes(sk+XMSS_INDEX_LEN, 3*XMSS_N);

  258.   // Copy PUB_SEED to public key

  259.   memcpy(pk+XMSS_N, sk+XMSS_INDEX_LEN+2*XMSS_N, XMSS_N);

  260. 

  261.   // Set address to point on the single tree on layer d-1

  262.   uint32_t addr[8] = {0, 0, 0, 0, 0, 0, 0, 0};

  263.   setLayerADRS(addr, (XMSS_D-1));

  264. 

  265.   // Compute root

  266.   treehash(pk, 0, sk+XMSS_INDEX_LEN, pk+XMSS_N, addr);

  267.   memcpy(sk+XMSS_INDEX_LEN+3*XMSS_N, pk, XMSS_N);

  268.   return 0;

  269. }

  270. 

  271. /**

  272.  * Signs a message.

  273.  * Returns

  274.  * 1. an array containing the signature followed by the message AND

  275.  * 2. an updated secret key!

  276.  *

  277.  */

  278. int xmssmt_sign(unsigned char *sk, unsigned char *sm, unsigned long long *smlen, const unsigned char *m, unsigned long long mlen)

  279. {

  280.   uint64_t idx_tree;

  281.   uint32_t idx_leaf;

  282.   uint64_t i;

  283. 

  284.   unsigned char sk_seed[XMSS_N];

  285.   unsigned char sk_prf[XMSS_N];

  286.   unsigned char pub_seed[XMSS_N];

  287.   // Init working params

  288.   unsigned char R[XMSS_N];

  289.   unsigned char hash_key[3*XMSS_N];

  290.   unsigned char msg_h[XMSS_N];

  291.   unsigned char root[XMSS_N];

  292.   unsigned char ots_seed[XMSS_N];

  293.   uint32_t ots_addr[8] = {0, 0, 0, 0, 0, 0, 0, 0};

  294.   unsigned char idx_bytes_32[32];

  295. 

  296.   // Extract SK

  297.   unsigned long long idx = 0;

  298.   for (i = 0; i < XMSS_INDEX_LEN; i++) {

  299.     idx |= ((unsigned long long)sk[i]) << 8*(XMSS_INDEX_LEN - 1 - i);

  300.   }

  301. 

  302.   memcpy(sk_seed, sk+XMSS_INDEX_LEN, XMSS_N);

  303.   memcpy(sk_prf, sk+XMSS_INDEX_LEN+XMSS_N, XMSS_N);

  304.   memcpy(pub_seed, sk+XMSS_INDEX_LEN+2*XMSS_N, XMSS_N);

  305. 

  306.   // Update SK

  307.   for (i = 0; i < XMSS_INDEX_LEN; i++) {

  308.     sk[i] = ((idx + 1) >> 8*(XMSS_INDEX_LEN - 1 - i)) & 255;

  309.   }

  310.   // -- Secret key for this non-forward-secure version is now updated.

  311.   // -- A productive implementation should use a file handle instead and write the updated secret key at this point!

  312. 

  313. 

  314.   // ---------------------------------

  315.   // Message Hashing

  316.   // ---------------------------------

  317. 

  318.   // Message Hash:

  319.   // First compute pseudorandom value

  320.   to_byte(idx_bytes_32, idx, 32);

  321.   prf(R, idx_bytes_32, sk_prf, XMSS_N);

  322.   // Generate hash key (R || root || idx)

  323.   memcpy(hash_key, R, XMSS_N);

  324.   memcpy(hash_key+XMSS_N, sk+XMSS_INDEX_LEN+3*XMSS_N, XMSS_N);

  325.   to_byte(hash_key+2*XMSS_N, idx, XMSS_N);

  326. 

  327.   // Then use it for message digest

  328.   h_msg(msg_h, m, mlen, hash_key, 3*XMSS_N);

  329. 

  330.   // Start collecting signature

  331.   *smlen = 0;

  332. 

  333.   // Copy index to signature

  334.   for (i = 0; i < XMSS_INDEX_LEN; i++) {

  335.     sm[i] = (idx >> 8*(XMSS_INDEX_LEN - 1 - i)) & 255;

  336.   }

  337. 

  338.   sm += XMSS_INDEX_LEN;

  339.   *smlen += XMSS_INDEX_LEN;

  340. 

  341.   // Copy R to signature

  342.   for (i = 0; i < XMSS_N; i++)

  343.     sm[i] = R[i];

  344. 

  345.   sm += XMSS_N;

  346.   *smlen += XMSS_N;

  347. 

  348.   // ----------------------------------

  349.   // Now we start to "really sign"

  350.   // ----------------------------------

  351. 

  352.   // Handle lowest layer separately as it is slightly different...

  353. 

  354.   // Prepare Address

  355.   setType(ots_addr, 0);

  356.   idx_tree = idx >> XMSS_TREEHEIGHT;

  357.   idx_leaf = (idx & ((1 << XMSS_TREEHEIGHT)-1));

  358.   setLayerADRS(ots_addr, 0);

  359.   setTreeADRS(ots_addr, idx_tree);

  360.   setOTSADRS(ots_addr, idx_leaf);

  361. 

  362.   // Compute seed for OTS key pair

  363.   get_seed(ots_seed, sk_seed, ots_addr);

  364. 

  365.   // Compute WOTS signature

  366.   wots_sign(sm, msg_h, ots_seed, pub_seed, ots_addr);

  367. 

  368.   sm += XMSS_WOTS_KEYSIZE;

  369.   *smlen += XMSS_WOTS_KEYSIZE;

  370. 

  371.   compute_authpath_wots(root, sm, idx_leaf, sk_seed, pub_seed, ots_addr);

  372.   sm += XMSS_TREEHEIGHT*XMSS_N;

  373.   *smlen += XMSS_TREEHEIGHT*XMSS_N;

  374. 

  375.   // Now loop over remaining layers...

  376.   unsigned int j;

  377.   for (j = 1; j < XMSS_D; j++) {

  378.     // Prepare Address

  379.     idx_leaf = (idx_tree & ((1 << XMSS_TREEHEIGHT)-1));

  380.     idx_tree = idx_tree >> XMSS_TREEHEIGHT;

  381.     setLayerADRS(ots_addr, j);

  382.     setTreeADRS(ots_addr, idx_tree);

  383.     setOTSADRS(ots_addr, idx_leaf);

  384. 

  385.     // Compute seed for OTS key pair

  386.     get_seed(ots_seed, sk_seed, ots_addr);

  387. 

  388.     // Compute WOTS signature

  389.     wots_sign(sm, root, ots_seed, pub_seed, ots_addr);

  390. 

  391.     sm += XMSS_WOTS_KEYSIZE;

  392.     *smlen += XMSS_WOTS_KEYSIZE;

  393. 

  394.     compute_authpath_wots(root, sm, idx_leaf, sk_seed, pub_seed, ots_addr);

  395.     sm += XMSS_TREEHEIGHT*XMSS_N;

  396.     *smlen += XMSS_TREEHEIGHT*XMSS_N;

  397.   }

  398. 

  399.   memcpy(sm, m, mlen);

  400.   *smlen += mlen;

  401. 

  402.   return 0;

  403. }