kris
/
xmss-KAT-generator
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
3 Commits
1 Branch
488 KiB
 
 
Tree: d80a463e53
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'd80a463e53'
${ noResults }
xmss-KAT-generator/xmss.c

530 lines
14 KiB
Raw Blame History 

  1. /*

  2. xmss.c version 20150811

  3. Andreas Hülsing

  4. Public domain.

  5. */

  6. 

  7. #include "xmss.h"

  8. #include <stdlib.h>

  9. #include <string.h>

  10. #include <stdint.h>

  11. #include <math.h>

  12. 

  13. #include "randombytes.h"

  14. #include "wots.h"

  15. #include "hash.h"

  16. #include "prg.h"

  17. #include "xmss_commons.h"

  18. 

  19. // For testing

  20. #include "stdio.h"

  21. 

  22. /**

  23.  * Macros used to manipulate the respective fields

  24.  * in the 16byte hash address

  25.  */    

  26. #define SET_OTS_BIT(a, b) {\

  27.   a[9] = (a[9] & 253) | (b << 1);}

  28. 

  29. #define SET_OTS_ADDRESS(a, v) {\

  30.   a[12] = (a[12] & 1) | ((v << 1) & 255);\

  31.   a[11] = (v >> 7) & 255;\

  32.   a[10] = (v >> 15) & 255;\

  33.   a[9] = (a[9] & 254) | ((v >> 23) & 1);}  

  34.   

  35. #define ZEROISE_OTS_ADDR(a) {\

  36.   a[12] = (a[12] & 254);\

  37.   a[13] = 0;\

  38.   a[14] = 0;\

  39.   a[15] = 0;}

  40.   

  41. #define SET_LTREE_BIT(a, b) {\

  42.   a[9] = (a[9] & 254) | b;}

  43. 

  44. #define SET_LTREE_ADDRESS(a, v) {\

  45.   a[12] = v & 255;\

  46.   a[11] = (v >> 8) & 255;\

  47.   a[10] = (v >> 16) & 255;}

  48. 

  49. #define SET_LTREE_TREE_HEIGHT(a, v) {\

  50.   a[13] = (a[13] & 3) | ((v << 2) & 255);}

  51. 

  52. #define SET_LTREE_TREE_INDEX(a, v) {\

  53.   a[15] = (a[15] & 3) | ((v << 2) & 255);\

  54.   a[14] = (v >> 6) & 255;\

  55.   a[13] = (a[13] & 252) | ((v >> 14) & 3);}

  56.   

  57. #define SET_NODE_PADDING(a) {\

  58.   a[10] = 0;\

  59.   a[11] = a[11] & 3;}  

  60. 

  61. #define SET_NODE_TREE_HEIGHT(a, v) {\

  62.   a[12] = (a[12] & 3) | ((v << 2) & 255);\

  63.   a[11] = (a[11] & 252) | ((v >> 6) & 3);}

  64. 

  65. #define SET_NODE_TREE_INDEX(a, v) {\

  66.   a[15] = (a[15] & 3) | ((v << 2) & 255);\

  67.   a[14] = (v >> 6) & 255;\

  68.   a[13] = (v >> 14) & 255;\

  69.   a[12] = (a[12] & 252) | ((v >> 22) & 3);}

  70. 

  71. 

  72.   /**

  73.  * Used for pseudorandom keygeneration,

  74.  * generates the seed for the WOTS keypair at address addr

  75.  */

  76. static void get_seed(unsigned char seed[32], const unsigned char *sk_seed, unsigned char addr[16])

  77. {

  78.   // Make sure that chain addr, hash addr, and key bit are 0!

  79.   ZEROISE_OTS_ADDR(addr);

  80.   // Generate pseudorandom value

  81.   prg_with_counter(seed, 32, sk_seed, 32, addr);

  82. }

  83. 

  84. /**

  85.  * Initialize xmss params struct

  86.  * parameter names are the same as in the draft

  87.  */

  88. void xmss_set_params(xmss_params *params, int m, int n, int h, int w)

  89. {

  90.   params->h = h;

  91.   params->m = m;

  92.   params->n = n;

  93.   wots_params wots_par;

  94.   wots_set_params(&wots_par, m, n, w);

  95.   params->wots_par = &wots_par;

  96. }

  97. 

  98. /**

  99.  * Computes a leaf from a WOTS public key using an L-tree.

  100.  */

  101. static void l_tree(unsigned char *leaf, unsigned char *wots_pk, const xmss_params *params, const unsigned char *pub_seed, unsigned char addr[16])

  102. { 

  103.   uint l = params->wots_par->len;

  104.   uint n = params->n;

  105.   unsigned long i = 0;

  106.   uint height = 0;

  107.   

  108.   //ADRS.setTreeHeight(0);

  109.   SET_LTREE_TREE_HEIGHT(addr,height);

  110.   unsigned long bound;

  111.   while ( l > 1 ) 

  112.   {

  113.      bound = l >> 1; //floor(l / 2); 

  114.      for ( i = 0; i < bound; i = i + 1 ) {

  115.        //ADRS.setTreeIndex(i);

  116.        SET_LTREE_TREE_INDEX(addr,i);

  117.        //wots_pk[i] = RAND_HASH(pk[2i], pk[2i + 1], SEED, ADRS);

  118.        hash_2n_n(wots_pk+i*n,wots_pk+i*2*n, pub_seed, addr, n);

  119.      }

  120.      //if ( l % 2 == 1 ) {

  121.      if(l&1)

  122.      {

  123.        //pk[floor(l / 2) + 1] = pk[l];

  124.        memcpy(wots_pk+(l>>1)*n,wots_pk+(l-1)*n, n);

  125.        //l = ceil(l / 2);

  126.        l=(l>>1)+1;

  127.      }

  128.      else

  129.      {

  130.        //l = ceil(l / 2);

  131.        l=(l>>1);

  132.      }     

  133.      //ADRS.setTreeHeight(ADRS.getTreeHeight() + 1);

  134.      height++;

  135.      SET_LTREE_TREE_HEIGHT(addr,height);

  136.    }

  137.    //return pk[0];

  138.    memcpy(leaf,wots_pk,n);

  139. }

  140. 

  141. /**

  142.  * Computes the leaf at a given address. First generates the WOTS key pair, then computes leaf using l_tree. As this happens position independent, we only require that addr encodes the right ltree-address.

  143.  */

  144. static void gen_leaf_wots(unsigned char *leaf, const unsigned char *sk_seed, const xmss_params *params, const unsigned char *pub_seed, unsigned char ltree_addr[16], unsigned char ots_addr[16])

  145. {

  146.   unsigned char seed[32];

  147.   unsigned char pk[params->wots_par->keysize];

  148. 

  149.   get_seed(seed, sk_seed, ots_addr);

  150.   wots_pkgen(pk, seed, params->wots_par, pub_seed, ots_addr);

  151. 

  152.   l_tree(leaf, pk, params, pub_seed, ltree_addr); 

  153. }

  154. 

  155. /**

  156.  * Merkle's TreeHash algorithm. The address only needs to initialize the first 78 bits of addr. Everything else will be set by treehash.

  157.  * Currently only used for key generation.

  158.  * 

  159.  */

  160. static void treehash(unsigned char *node, int height, int index, const unsigned char *sk_seed, const xmss_params *params, const unsigned char *pub_seed, const unsigned char addr[16])

  161. {

  162. 

  163.   uint idx = index;

  164.   uint n = params->n;

  165.   // use three different addresses because at this point we use all three formats in parallel

  166.   unsigned char ots_addr[16];

  167.   unsigned char ltree_addr[16];

  168.   unsigned char node_addr[16];

  169.   memcpy(ots_addr, addr, 10);

  170.   SET_OTS_BIT(ots_addr, 1);

  171.   memcpy(ltree_addr, addr, 10);

  172.   SET_OTS_BIT(ltree_addr, 0);

  173.   SET_LTREE_BIT(ltree_addr, 1);

  174.   memcpy(node_addr, ltree_addr, 10);

  175.   SET_LTREE_BIT(node_addr, 0);

  176.   SET_NODE_PADDING(node_addr);

  177.   

  178.   int lastnode,i;

  179.   unsigned char stack[(height+1)*n];

  180.   unsigned int  stacklevels[height+1];

  181.   unsigned int  stackoffset=0;

  182.   

  183.   lastnode = idx+(1<<height);

  184. 

  185.   for(;idx<lastnode;idx++) 

  186.   {

  187.     SET_LTREE_ADDRESS(ltree_addr,idx);

  188.     SET_OTS_ADDRESS(ots_addr,idx);

  189.     gen_leaf_wots(stack+stackoffset*n,sk_seed,params, pub_seed, ltree_addr, ots_addr);

  190.     stacklevels[stackoffset] = 0;

  191.     stackoffset++;

  192.     while(stackoffset>1 && stacklevels[stackoffset-1] == stacklevels[stackoffset-2])

  193.     {

  194.       SET_NODE_TREE_HEIGHT(node_addr,stacklevels[stackoffset-1]);

  195.       SET_NODE_TREE_INDEX(node_addr, (idx >> (stacklevels[stackoffset-1]+1)));

  196.       hash_2n_n(stack+(stackoffset-2)*n,stack+(stackoffset-2)*n, pub_seed,

  197.           node_addr, n);

  198.       stacklevels[stackoffset-2]++;

  199.       stackoffset--;

  200.     }

  201.   }

  202.   for(i=0;i<n;i++)

  203.     node[i] = stack[i];

  204. }

  205. 

  206. /**

  207.  * Computes a root node given a leaf and an authapth

  208.  */

  209. static void validate_authpath(unsigned char *root, const unsigned char *leaf, unsigned long leafidx, const unsigned char *authpath, const xmss_params *params, const unsigned char *pub_seed, unsigned char addr[16])

  210. {

  211.   uint n = params->n;

  212.   

  213.   int i,j;

  214.   unsigned char buffer[2*n];

  215. 

  216.   // If leafidx is odd (last bit = 1), current path element is a right child and authpath has to go to the left.

  217.   // Otherwise, it is the other way around

  218.   if(leafidx&1)

  219.   {

  220.     for(j=0;j<n;j++)

  221.       buffer[n+j] = leaf[j];

  222.     for(j=0;j<n;j++)

  223.       buffer[j] = authpath[j];

  224.   }

  225.   else

  226.   {

  227.     for(j=0;j<n;j++)

  228.       buffer[j] = leaf[j];

  229.     for(j=0;j<n;j++)

  230.       buffer[n+j] = authpath[j];

  231.   }

  232.   authpath += n;

  233. 

  234.   for(i=0;i<params->h-1;i++)

  235.   {

  236.     SET_NODE_TREE_HEIGHT(addr,i);

  237.     leafidx >>= 1;

  238.     SET_NODE_TREE_INDEX(addr, leafidx);

  239.     if(leafidx&1)

  240.     {

  241.       hash_2n_n(buffer+n,buffer,pub_seed, addr, n);

  242.       for(j=0;j<n;j++)

  243.         buffer[j] = authpath[j];

  244.     }

  245.     else

  246.     {

  247.       hash_2n_n(buffer,buffer,pub_seed, addr, n);

  248.       for(j=0;j<n;j++)

  249.         buffer[j+n] = authpath[j];

  250.     }

  251.     authpath += n;

  252.   }

  253.   SET_NODE_TREE_HEIGHT(addr, (params->h-1));

  254.   leafidx >>= 1;

  255.   SET_NODE_TREE_INDEX(addr, leafidx);

  256.   hash_2n_n(root,buffer,pub_seed,addr,n);

  257. }

  258. 

  259. /**

  260.  * Computes the authpath and the root. This method is using a lot of space as we build the whole tree and then select the authpath nodes.

  261.  * For more efficient algorithms see e.g. the chapter on hash-based signatures in Bernstein, Buchmann, Dahmen. "Post-quantum Cryptography", Springer 2009.

  262.  * It returns the authpath in "authpath" with the node on level 0 at index 0.  

  263.  */

  264. static void compute_authpath_wots(unsigned char *root, unsigned char *authpath, unsigned long leaf_idx, const unsigned char *sk_seed, const xmss_params *params, unsigned char *pub_seed, unsigned char addr[16])

  265. {

  266.   uint i, j, level;

  267.   int n = params->n;

  268.   int h = params->h;

  269.   

  270.   unsigned char tree[2*(1<<h)*n];

  271. 

  272.   unsigned char ots_addr[16];

  273.   unsigned char ltree_addr[16];

  274.   unsigned char node_addr[16];

  275.   

  276.   memcpy(ots_addr, addr, 10);

  277.   SET_OTS_BIT(ots_addr, 1);

  278.   memcpy(ltree_addr, addr, 10);

  279.   SET_OTS_BIT(ltree_addr, 0);

  280.   SET_LTREE_BIT(ltree_addr, 1);

  281.   memcpy(node_addr, ltree_addr, 10);

  282.   SET_LTREE_BIT(node_addr, 0);

  283.   SET_NODE_PADDING(node_addr);

  284. 

  285.   

  286.   // Compute all leaves

  287.   for(i = 0; i < (1<<h); i++)

  288.   {

  289.     SET_LTREE_ADDRESS(ltree_addr,i);

  290.     SET_OTS_ADDRESS(ots_addr,i);

  291.     gen_leaf_wots(tree+((1<<h)*n + i*n), sk_seed, params, pub_seed, ltree_addr, ots_addr);

  292.   }

  293.   

  294.   

  295.   level = 0;

  296.   // Compute tree:

  297.   // Outer loop: For each inner layer 

  298.   for (i = (1<<h); i > 0; i>>=1)

  299.   {

  300.     SET_NODE_TREE_HEIGHT(node_addr, level);

  301.     // Inner loop: for each pair of sibling nodes

  302.     for (j = 0; j < i; j+=2)

  303.     {

  304.       SET_NODE_TREE_INDEX(node_addr, j>>1);

  305.       hash_2n_n(tree + (i>>1)*n + (j>>1) * n, tree + i*n + j*n, pub_seed, node_addr, n);

  306.     }

  307.     level++;

  308.   }

  309. 

  310.   // copy authpath

  311.   for(i=0;i<h;i++)

  312.     memcpy(authpath + i*n, tree + ((1<<h)>>i)*n + ((leaf_idx >> i) ^ 1) * n, n);

  313.   

  314.   // copy root

  315.   memcpy(root, tree+n, n);

  316. }

  317. 

  318. 

  319. /*

  320.  * Generates a XMSS key pair for a given parameter set.

  321.  * Format sk: [(32bit) idx || SK_SEED || SK_PRF || PUB_SEED]

  322.  * Format pk: [root || PUB_SEED] omitting algo oid.

  323.  */

  324. int xmss_keypair(unsigned char *pk, unsigned char *sk, xmss_params *params)

  325. {

  326.   uint n = params->n;

  327.   uint m = params->m;

  328.   // Set idx = 0

  329.   sk[0] = 0;

  330.   sk[1] = 0;

  331.   sk[2] = 0;

  332.   sk[3] = 0;

  333.   // Init SK_SEED (n byte), SK_PRF (m byte), and PUB_SEED (n byte)

  334.   randombytes(sk+4,2*n+m);

  335.   // Copy PUB_SEED to public key

  336.   memcpy(pk+n, sk+4+n+m,n);

  337. 

  338.   unsigned char addr[16] = {0,0,0,0};

  339.   // Compute root

  340.   treehash(pk, params->h, 0, sk+4, params, sk+4+n+m, addr);

  341.   return 0;

  342. }

  343. 

  344. /**

  345.  * Signs a message.

  346.  * Returns 

  347.  * 1. an array containing the signature followed by the message AND

  348.  * 2. an updated secret key!

  349.  * 

  350.  */

  351. int xmss_sign(unsigned char *sk, unsigned char *sig_msg, unsigned long long *sig_msg_len, const unsigned char *msg, unsigned long long msglen, const xmss_params *params, unsigned char* pk)

  352. {

  353.   uint n = params->n;

  354.   uint m = params->m;

  355.   

  356.   // Extract SK

  357.   unsigned long idx = (sk[0] << 24) | (sk[1] << 16) | (sk[2] << 8) || sk[3];

  358.   unsigned char sk_seed[n];

  359.   memcpy(sk_seed,sk+4,n);

  360.   unsigned char sk_prf[m];

  361.   memcpy(sk_prf,sk+4+n,m);

  362.   unsigned char pub_seed[n];

  363.   memcpy(pub_seed,sk+4+n+m,n);  

  364.   

  365.   // Update SK

  366.   sk[0] = ((idx + 1) >> 24) & 255;

  367.   sk[1] = ((idx + 1) >> 16) & 255;

  368.   sk[2] = ((idx + 1) >> 8) & 255;

  369.   sk[3] = (idx + 1) & 255;

  370.   // -- Secret key for this non-forward-secure version is now updated. 

  371.   // -- A productive implementation should use a file handle instead and write the updated secret key at this point! 

  372.   

  373.   // Init working params

  374.   unsigned long long i;

  375.   unsigned char R[m];

  376.   unsigned char msg_h[m];

  377.   unsigned char root[n];

  378.   unsigned char ots_seed[n];

  379.   unsigned char ots_addr[16] = {0,0,0,0};

  380.   

  381.   // ---------------------------------

  382.   // Message Hashing

  383.   // ---------------------------------

  384.   

  385.   // Message Hash: 

  386.   // First compute pseudorandom key

  387.   prf_m(R, msg, msglen, sk_prf, m); 

  388.   // Then use it for message digest

  389.   hash_m(msg_h, msg, msglen, R, m, m);

  390.   

  391.   // Start collecting signature

  392.   *sig_msg_len = 0;

  393. 

  394.   // Copy index to signature

  395.   sig_msg[0] = (idx >> 24) & 255;

  396.   sig_msg[1] = (idx >> 16) & 255;

  397.   sig_msg[2] = (idx >> 8) & 255;

  398.   sig_msg[3] = idx & 255;

  399.   

  400.   sig_msg += 4;

  401.   *sig_msg_len += 4;

  402.   

  403.   // Copy R to signature

  404.   for(i=0; i<m; i++)

  405.     sig_msg[i] = R[i];

  406. 

  407.   sig_msg += m;

  408.   *sig_msg_len += m;

  409.   

  410.   // ----------------------------------

  411.   // Now we start to "really sign" 

  412.   // ----------------------------------

  413.   

  414.   // Prepare Address

  415.   SET_OTS_BIT(ots_addr,1);

  416.   SET_OTS_ADDRESS(ots_addr,idx);

  417.   

  418.   // Compute seed for OTS key pair

  419.   get_seed(ots_seed, sk_seed, ots_addr);

  420.      

  421.   // Compute WOTS signature

  422.   wots_sign(sig_msg, msg_h, ots_seed, params->wots_par, pub_seed, ots_addr);

  423.   

  424.   sig_msg += params->wots_par->keysize;

  425.   *sig_msg_len += params->wots_par->keysize;

  426. 

  427.   compute_authpath_wots(root, sig_msg, idx, sk_seed, params, pub_seed, ots_addr);

  428.   sig_msg += params->h*n;

  429.   *sig_msg_len += params->h*n;

  430.   

  431.   //DEBUG

  432.   for(i=0;i<n;i++)

  433.     if(root[i] != pk[i])

  434.       printf("Different PK's %llu",i);

  435.   

  436.   //Whipe secret elements?  

  437.   //zerobytes(tsk, CRYPTO_SECRETKEYBYTES);

  438. 

  439.   memcpy(sig_msg,msg,msglen);

  440.   *sig_msg_len += msglen;

  441. 

  442.   return 0;

  443. }

  444. 

  445. /**

  446.  * Verifies a given message signature pair under a given public key.

  447.  */

  448. int xmss_sign_open(unsigned char *msg, unsigned long long *msglen, const unsigned char *sig_msg, unsigned long long sig_msg_len, const unsigned char *pk, const xmss_params *params)

  449. {

  450.   uint n = params->n;

  451.   uint m = params->m;

  452.     

  453.   unsigned long long i, m_len;

  454.   unsigned long idx=0;

  455.   unsigned char wots_pk[params->wots_par->keysize];

  456.   unsigned char pkhash[n];

  457.   unsigned char root[n];

  458.   unsigned char msg_h[m];

  459.   

  460.   unsigned char pub_seed[n];

  461.   memcpy(pub_seed,pk+n,n);  

  462.   

  463.   // Init addresses

  464.   unsigned char ots_addr[16] = {0,0,0,0};

  465.   unsigned char ltree_addr[16];

  466.   unsigned char node_addr[16];

  467.   

  468.   SET_OTS_BIT(ots_addr, 1);

  469.   

  470.   memcpy(ltree_addr, ots_addr, 10);

  471.   SET_OTS_BIT(ltree_addr, 0);

  472.   SET_LTREE_BIT(ltree_addr, 1);

  473.   

  474.   memcpy(node_addr, ltree_addr, 10);

  475.   SET_LTREE_BIT(node_addr, 0);

  476.   SET_NODE_PADDING(node_addr);  

  477.   

  478.   // Extract index

  479.   idx = (sig_msg[0] << 24) | (sig_msg[1] << 16) | (sig_msg[2] << 8) || sig_msg[3];

  480.   sig_msg += 4;

  481.   sig_msg_len -= 4;

  482.   

  483.   // hash message (recall, R is now on pole position at sig_msg

  484.   unsigned long long tmp_sig_len = m+params->wots_par->keysize+params->h*n;

  485.   m_len = sig_msg_len - tmp_sig_len;

  486.   hash_m(msg_h, sig_msg + tmp_sig_len, m_len, sig_msg, m, m);

  487. 

  488.   sig_msg += m;

  489.   sig_msg_len -= m;

  490.   

  491.   //-----------------------

  492.   // Verify signature

  493.   //-----------------------

  494.   

  495.   // Prepare Address

  496.   SET_OTS_ADDRESS(ots_addr,idx);

  497.   // Check WOTS signature 

  498.   wots_pkFromSig(wots_pk, sig_msg, msg_h, params->wots_par, pub_seed, ots_addr);

  499. 

  500.   sig_msg += params->wots_par->keysize;

  501.   sig_msg_len -= params->wots_par->keysize;

  502.   

  503.   // Compute Ltree

  504.   SET_LTREE_ADDRESS(ltree_addr, idx); 

  505.   l_tree(pkhash, wots_pk, params, pub_seed, ltree_addr);

  506.   

  507.   // Compute root

  508.   validate_authpath(root, pkhash, idx, sig_msg, params, pub_seed, node_addr);  

  509. 

  510.   sig_msg += params->h*n;

  511.   sig_msg_len -= params->h*n;

  512.   

  513.   for(i=0;i<n;i++)

  514.     if(root[i] != pk[i])

  515.       goto fail;

  516.   

  517.   *msglen = sig_msg_len;

  518.   for(i=0;i<*msglen;i++)

  519.     msg[i] = sig_msg[i];

  520. 

  521.   return 0;

  522.   

  523.   

  524. fail:

  525.   *msglen = sig_msg_len;

  526.   for(i=0;i<*msglen;i++)

  527.     msg[i] = 0;

  528.   *msglen = -1;

  529.   return -1;

  530. }