kris
/
xmss-KAT-generator
1
0
포크 0
코드 이슈 0 풀 리퀘스트 0 릴리즈 0 위키 활동
25개 이상의 토픽을 선택하실 수 없습니다. Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
65 커밋
1 브렌치
488 KiB
 
 
트리: c803860cf8
브랜치 태그
${ item.name }
${ searchTerm } 브랜치 생성
from 'c803860cf8'
${ noResults }
xmss-KAT-generator/xmss_commons.c

309 lines
8.8 KiB
Raw Blame 히스토리 

  1. /*

  2. xmss_commons.c 20160722

  3. Andreas Hülsing

  4. Joost Rijneveld

  5. Public domain.

  6. */

  7. 

  8. #include <stdlib.h>

  9. #include <string.h>

  10. #include <stdint.h>

  11. 

  12. #include "hash.h"

  13. #include "hash_address.h"

  14. #include "params.h"

  15. #include "wots.h"

  16. #include "xmss_commons.h"

  17. 

  18. void to_byte(unsigned char *out, unsigned long long in, uint32_t bytes)

  19. {

  20.     int i;

  21. 

  22.     for (i = bytes-1; i >= 0; i--) {

  23.         out[i] = in & 0xff;

  24.         in = in >> 8;

  25.     }

  26. }

  27. 

  28. /**

  29.  * Computes the leaf at a given address. First generates the WOTS key pair, then computes leaf using l_tree. As this happens position independent, we only require that addr encodes the right ltree-address.

  30.  */

  31. void gen_leaf_wots(const xmss_params *params, unsigned char *leaf,

  32.                    const unsigned char *sk_seed, const unsigned char *pub_seed,

  33.                    uint32_t ltree_addr[8], uint32_t ots_addr[8])

  34. {

  35.     unsigned char seed[params->n];

  36.     unsigned char pk[params->wots_keysize];

  37. 

  38.     get_seed(params, seed, sk_seed, ots_addr);

  39.     wots_pkgen(params, pk, seed, pub_seed, ots_addr);

  40. 

  41.     l_tree(params, leaf, pk, pub_seed, ltree_addr);

  42. }

  43. 

  44. /**

  45.  * Used for pseudorandom keygeneration,

  46.  * generates the seed for the WOTS keypair at address addr

  47.  *

  48.  * takes params->n byte sk_seed and returns params->n byte seed using 32 byte address addr.

  49.  */

  50. void get_seed(const xmss_params *params, unsigned char *seed,

  51.               const unsigned char *sk_seed, uint32_t addr[8])

  52. {

  53.     unsigned char bytes[32];

  54. 

  55.     // Make sure that chain addr, hash addr, and key bit are 0!

  56.     set_chain_addr(addr, 0);

  57.     set_hash_addr(addr, 0);

  58.     set_key_and_mask(addr, 0);

  59.     // Generate pseudorandom value

  60.     addr_to_byte(bytes, addr);

  61.     prf(params, seed, bytes, sk_seed, params->n);

  62. }

  63. 

  64. /**

  65.  * Computes a leaf from a WOTS public key using an L-tree.

  66.  */

  67. void l_tree(const xmss_params *params, unsigned char *leaf, unsigned char *wots_pk,

  68.             const unsigned char *pub_seed, uint32_t addr[8])

  69. {

  70.     unsigned int l = params->wots_len;

  71.     uint32_t i = 0;

  72.     uint32_t height = 0;

  73.     uint32_t bound;

  74. 

  75.     set_tree_height(addr, height);

  76. 

  77.     while (l > 1) {

  78.         bound = l >> 1;

  79.         for (i = 0; i < bound; i++) {

  80.             set_tree_index(addr, i);

  81.             hash_h(params, wots_pk + i*params->n, wots_pk + i*2*params->n, pub_seed, addr);

  82.         }

  83.         if (l & 1) {

  84.             memcpy(wots_pk + (l >> 1)*params->n, wots_pk + (l - 1)*params->n, params->n);

  85.             l = (l >> 1) + 1;

  86.         }

  87.         else {

  88.             l = l >> 1;

  89.         }

  90.         height++;

  91.         set_tree_height(addr, height);

  92.     }

  93.     memcpy(leaf, wots_pk, params->n);

  94. }

  95. 

  96. /**

  97.  * Computes a root node given a leaf and an authapth

  98.  */

  99. static void validate_authpath(const xmss_params *params, unsigned char *root,

  100.                               const unsigned char *leaf, unsigned long leafidx,

  101.                               const unsigned char *authpath,

  102.                               const unsigned char *pub_seed, uint32_t addr[8])

  103. {

  104.     uint32_t i, j;

  105.     unsigned char buffer[2*params->n];

  106. 

  107.     // If leafidx is odd (last bit = 1), current path element is a right child and authpath has to go to the left.

  108.     // Otherwise, it is the other way around

  109.     if (leafidx & 1) {

  110.         for (j = 0; j < params->n; j++) {

  111.             buffer[params->n + j] = leaf[j];

  112.             buffer[j] = authpath[j];

  113.         }

  114.     }

  115.     else {

  116.         for (j = 0; j < params->n; j++) {

  117.             buffer[j] = leaf[j];

  118.             buffer[params->n + j] = authpath[j];

  119.         }

  120.     }

  121.     authpath += params->n;

  122. 

  123.     for (i = 0; i < params->tree_height-1; i++) {

  124.         set_tree_height(addr, i);

  125.         leafidx >>= 1;

  126.         set_tree_index(addr, leafidx);

  127.         if (leafidx & 1) {

  128.             hash_h(params, buffer + params->n, buffer, pub_seed, addr);

  129.             for (j = 0; j < params->n; j++) {

  130.                 buffer[j] = authpath[j];

  131.             }

  132.         }

  133.         else {

  134.             hash_h(params, buffer, buffer, pub_seed, addr);

  135.             for (j = 0; j < params->n; j++) {

  136.                 buffer[j + params->n] = authpath[j];

  137.             }

  138.         }

  139.         authpath += params->n;

  140.     }

  141.     set_tree_height(addr, params->tree_height - 1);

  142.     leafidx >>= 1;

  143.     set_tree_index(addr, leafidx);

  144.     hash_h(params, root, buffer, pub_seed, addr);

  145. }

  146. 

  147. /**

  148.  * Verifies a given message signature pair under a given public key.

  149.  */

  150. int xmss_core_sign_open(const xmss_params *params,

  151.                         unsigned char *m, unsigned long long *mlen,

  152.                         const unsigned char *sm, unsigned long long smlen,

  153.                         const unsigned char *pk)

  154. {

  155.     unsigned long long i;

  156.     unsigned long idx = 0;

  157.     unsigned char wots_pk[params->wots_keysize];

  158.     unsigned char pkhash[params->n];

  159.     unsigned char root[params->n];

  160.     unsigned char msg_h[params->n];

  161.     unsigned char hash_key[3*params->n];

  162. 

  163.     unsigned char pub_seed[params->n];

  164.     memcpy(pub_seed, pk + params->n, params->n);

  165. 

  166.     // Init addresses

  167.     uint32_t ots_addr[8] = {0};

  168.     uint32_t ltree_addr[8] = {0};

  169.     uint32_t node_addr[8] = {0};

  170. 

  171.     set_type(ots_addr, 0);

  172.     set_type(ltree_addr, 1);

  173.     set_type(node_addr, 2);

  174. 

  175.     *mlen = smlen - params->bytes;

  176. 

  177.     // Extract index

  178.     for (i = 0; i < params->index_len; i++) {

  179.         idx |= ((unsigned long long)sm[i]) << (8*(params->index_len - 1 - i));

  180.     }

  181. 

  182.     // Generate hash key (R || root || idx)

  183.     memcpy(hash_key, sm + params->index_len, params->n);

  184.     memcpy(hash_key + params->n, pk, params->n);

  185.     to_byte(hash_key + 2*params->n, idx, params->n);

  186. 

  187.     // hash message

  188.     h_msg(params, msg_h, sm + params->bytes, *mlen, hash_key, 3*params->n);

  189.     sm += params->index_len + params->n;

  190. 

  191.     // Prepare Address

  192.     set_ots_addr(ots_addr, idx);

  193.     // Check WOTS signature

  194.     wots_pk_from_sig(params, wots_pk, sm, msg_h, pub_seed, ots_addr);

  195.     sm += params->wots_keysize;

  196. 

  197.     // Compute Ltree

  198.     set_ltree_addr(ltree_addr, idx);

  199.     l_tree(params, pkhash, wots_pk, pub_seed, ltree_addr);

  200. 

  201.     // Compute root

  202.     validate_authpath(params, root, pkhash, idx, sm, pub_seed, node_addr);

  203.     sm += params->tree_height*params->n;

  204. 

  205.     for (i = 0; i < params->n; i++) {

  206.         if (root[i] != pk[i]) {

  207.             for (i = 0; i < *mlen; i++) {

  208.                 m[i] = 0;

  209.             }

  210.             *mlen = -1;

  211.             return -1;

  212.         }

  213.     }

  214. 

  215.     for (i = 0; i < *mlen; i++) {

  216.         m[i] = sm[i];

  217.     }

  218. 

  219.     return 0;

  220. }

  221. 

  222. /**

  223.  * Verifies a given message signature pair under a given public key.

  224.  */

  225. int xmssmt_core_sign_open(const xmss_params *params,

  226.                           unsigned char *m, unsigned long long *mlen,

  227.                           const unsigned char *sm, unsigned long long smlen,

  228.                           const unsigned char *pk)

  229. {

  230.     uint32_t idx_leaf;

  231.     unsigned long long i;

  232.     unsigned long long idx = 0;

  233.     unsigned char wots_pk[params->wots_keysize];

  234.     unsigned char pkhash[params->n];

  235.     unsigned char root[params->n];

  236.     unsigned char *msg_h = root;

  237.     unsigned char hash_key[3*params->n];

  238.     const unsigned char *pub_seed = pk + params->n;

  239. 

  240.     // Init addresses

  241.     uint32_t ots_addr[8] = {0};

  242.     uint32_t ltree_addr[8] = {0};

  243.     uint32_t node_addr[8] = {0};

  244. 

  245.     set_type(ots_addr, 0);

  246.     set_type(ltree_addr, 1);

  247.     set_type(node_addr, 2);

  248. 

  249.     *mlen = smlen - params->bytes;

  250. 

  251.     // Extract index

  252.     for (i = 0; i < params->index_len; i++) {

  253.         idx |= ((unsigned long long)sm[i]) << (8*(params->index_len - 1 - i));

  254.     }

  255. 

  256.     // Generate hash key (R || root || idx)

  257.     memcpy(hash_key, sm + params->index_len, params->n);

  258.     memcpy(hash_key + params->n, pk, params->n);

  259.     to_byte(hash_key + 2*params->n, idx, params->n);

  260. 

  261.     // hash message

  262.     h_msg(params, msg_h, sm + params->bytes, *mlen, hash_key, 3*params->n);

  263.     sm += params->index_len + params->n;

  264. 

  265.     for (i = 0; i < params->d; i++) {

  266.         // Prepare Address

  267.         idx_leaf = (idx & ((1 << params->tree_height)-1));

  268.         idx = idx >> params->tree_height;

  269. 

  270.         set_layer_addr(ots_addr, i);

  271.         set_layer_addr(ltree_addr, i);

  272.         set_layer_addr(node_addr, i);

  273. 

  274.         set_tree_addr(ltree_addr, idx);

  275.         set_tree_addr(ots_addr, idx);

  276.         set_tree_addr(node_addr, idx);

  277. 

  278.         set_ots_addr(ots_addr, idx_leaf);

  279. 

  280.         // Check WOTS signature

  281.         wots_pk_from_sig(params, wots_pk, sm, root, pub_seed, ots_addr);

  282.         sm += params->wots_keysize;

  283. 

  284.         // Compute Ltree

  285.         set_ltree_addr(ltree_addr, idx_leaf);

  286.         l_tree(params, pkhash, wots_pk, pub_seed, ltree_addr);

  287. 

  288.         // Compute root

  289.         validate_authpath(params, root, pkhash, idx_leaf, sm, pub_seed, node_addr);

  290.         sm += params->tree_height*params->n;

  291.     }

  292. 

  293.     for (i = 0; i < params->n; i++) {

  294.         if (root[i] != pk[i]) {

  295.             for (i = 0; i < *mlen; i++) {

  296.                 m[i] = 0;

  297.             }

  298.             *mlen = -1;

  299.             return -1;

  300.         }

  301.     }

  302. 

  303.     for (i = 0; i < *mlen; i++) {

  304.         m[i] = sm[i];

  305.     }

  306. 

  307.     return 0;

  308. }