kris
/
xmss-KAT-generator
1
0
派生 0
代码 工单 0 合并请求 0 版本发布 0 百科 动态
您最多选择25个主题 主题必须以字母或数字开头,可以包含连字符 (-),并且长度不得超过35个字符
106 提交
1 分支
488 KiB
 
 
目录树: daa4e2d6db
分支列表 标签列表
${ item.name }
创建分支 ${ searchTerm }
从 'daa4e2d6db'
${ noResults }
xmss-KAT-generator/xmss_commons.c

235 行
7.9 KiB
原始文件 Blame 文件历史 

  1. #include <stdlib.h>

  2. #include <string.h>

  3. #include <stdint.h>

  4. 

  5. #include "hash.h"

  6. #include "hash_address.h"

  7. #include "params.h"

  8. #include "wots.h"

  9. #include "utils.h"

  10. #include "xmss_commons.h"

  11. 

  12. /**

  13.  * Computes the leaf at a given address. First generates the WOTS key pair,

  14.  * then computes leaf using l_tree. As this happens position independent, we

  15.  * only require that addr encodes the right ltree-address.

  16.  */

  17. void gen_leaf_wots(const xmss_params *params, unsigned char *leaf,

  18.                    const unsigned char *sk_seed, const unsigned char *pub_seed,

  19.                    uint32_t ltree_addr[8], uint32_t ots_addr[8])

  20. {

  21.     unsigned char seed[params->n];

  22.     unsigned char pk[params->wots_sig_bytes];

  23. 

  24.     get_seed(params, seed, sk_seed, ots_addr);

  25.     wots_pkgen(params, pk, seed, pub_seed, ots_addr);

  26. 

  27.     l_tree(params, leaf, pk, pub_seed, ltree_addr);

  28. }

  29. 

  30. /**

  31.  * Used for pseudo-random key generation.

  32.  * Generates the seed for the WOTS key pair at address 'addr'.

  33.  *

  34.  * Takes n-byte sk_seed and returns n-byte seed using 32 byte address 'addr'.

  35.  */

  36. void get_seed(const xmss_params *params, unsigned char *seed,

  37.               const unsigned char *sk_seed, uint32_t addr[8])

  38. {

  39.     unsigned char bytes[32];

  40. 

  41.     /* Make sure that chain addr, hash addr, and key bit are zeroed. */

  42.     set_chain_addr(addr, 0);

  43.     set_hash_addr(addr, 0);

  44.     set_key_and_mask(addr, 0);

  45. 

  46.     /* Generate seed. */

  47.     addr_to_bytes(bytes, addr);

  48.     prf(params, seed, bytes, sk_seed);

  49. }

  50. 

  51. /**

  52.  * Computes a leaf node from a WOTS public key using an L-tree.

  53.  * Note that this destroys the used WOTS public key.

  54.  */

  55. void l_tree(const xmss_params *params,

  56.             unsigned char *leaf, unsigned char *wots_pk,

  57.             const unsigned char *pub_seed, uint32_t addr[8])

  58. {

  59.     unsigned int l = params->wots_len;

  60.     unsigned int parent_nodes;

  61.     uint32_t i;

  62.     uint32_t height = 0;

  63. 

  64.     set_tree_height(addr, height);

  65. 

  66.     while (l > 1) {

  67.         parent_nodes = l >> 1;

  68.         for (i = 0; i < parent_nodes; i++) {

  69.             set_tree_index(addr, i);

  70.             /* Hashes the nodes at (i*2)*params->n and (i*2)*params->n + 1 */

  71.             thash_h(params, wots_pk + i*params->n,

  72.                            wots_pk + (i*2)*params->n, pub_seed, addr);

  73.         }

  74.         /* If the row contained an odd number of nodes, the last node was not

  75.            hashed. Instead, we pull it up to the next layer. */

  76.         if (l & 1) {

  77.             memcpy(wots_pk + (l >> 1)*params->n,

  78.                    wots_pk + (l - 1)*params->n, params->n);

  79.             l = (l >> 1) + 1;

  80.         }

  81.         else {

  82.             l = l >> 1;

  83.         }

  84.         height++;

  85.         set_tree_height(addr, height);

  86.     }

  87.     memcpy(leaf, wots_pk, params->n);

  88. }

  89. 

  90. /**

  91.  * Computes a root node given a leaf and an auth path

  92.  */

  93. static void compute_root(const xmss_params *params, unsigned char *root,

  94.                          const unsigned char *leaf, unsigned long leafidx,

  95.                          const unsigned char *auth_path,

  96.                          const unsigned char *pub_seed, uint32_t addr[8])

  97. {

  98.     uint32_t i;

  99.     unsigned char buffer[2*params->n];

  100. 

  101.     /* If leafidx is odd (last bit = 1), current path element is a right child

  102.        and auth_path has to go left. Otherwise it is the other way around. */

  103.     if (leafidx & 1) {

  104.         memcpy(buffer + params->n, leaf, params->n);

  105.         memcpy(buffer, auth_path, params->n);

  106.     }

  107.     else {

  108.         memcpy(buffer, leaf, params->n);

  109.         memcpy(buffer + params->n, auth_path, params->n);

  110.     }

  111.     auth_path += params->n;

  112. 

  113.     for (i = 0; i < params->tree_height - 1; i++) {

  114.         set_tree_height(addr, i);

  115.         leafidx >>= 1;

  116.         set_tree_index(addr, leafidx);

  117. 

  118.         /* Pick the right or left neighbor, depending on parity of the node. */

  119.         if (leafidx & 1) {

  120.             thash_h(params, buffer + params->n, buffer, pub_seed, addr);

  121.             memcpy(buffer, auth_path, params->n);

  122.         }

  123.         else {

  124.             thash_h(params, buffer, buffer, pub_seed, addr);

  125.             memcpy(buffer + params->n, auth_path, params->n);

  126.         }

  127.         auth_path += params->n;

  128.     }

  129. 

  130.     /* The last iteration is exceptional; we do not copy an auth)path node. */

  131.     set_tree_height(addr, params->tree_height - 1);

  132.     leafidx >>= 1;

  133.     set_tree_index(addr, leafidx);

  134.     thash_h(params, root, buffer, pub_seed, addr);

  135. }

  136. 

  137. /**

  138.  * Verifies a given message signature pair under a given public key.

  139.  * Note that this assumes a pk without an OID, i.e. [root || PUB_SEED]

  140.  */

  141. int xmss_core_sign_open(const xmss_params *params,

  142.                         unsigned char *m, unsigned long long *mlen,

  143.                         const unsigned char *sm, unsigned long long smlen,

  144.                         const unsigned char *pk)

  145. {

  146.     /* XMSS signatures are fundamentally an instance of XMSSMT signatures.

  147.        For d=1, as is the case with XMSS, some of the calls in the XMSSMT

  148.        routine become vacuous (i.e. the loop only iterates once, and address

  149.        management can be simplified a bit).*/

  150.     return xmssmt_core_sign_open(params, m, mlen, sm, smlen, pk);

  151. }

  152. 

  153. /**

  154.  * Verifies a given message signature pair under a given public key.

  155.  * Note that this assumes a pk without an OID, i.e. [root || PUB_SEED]

  156.  */

  157. int xmssmt_core_sign_open(const xmss_params *params,

  158.                           unsigned char *m, unsigned long long *mlen,

  159.                           const unsigned char *sm, unsigned long long smlen,

  160.                           const unsigned char *pk)

  161. {

  162.     const unsigned char *pub_seed = pk + params->n;

  163.     unsigned char wots_pk[params->wots_sig_bytes];

  164.     unsigned char leaf[params->n];

  165.     unsigned char root[params->n];

  166.     unsigned char *mhash = root;

  167.     unsigned long long idx = 0;

  168.     unsigned int i;

  169.     uint32_t idx_leaf;

  170. 

  171.     uint32_t ots_addr[8] = {0};

  172.     uint32_t ltree_addr[8] = {0};

  173.     uint32_t node_addr[8] = {0};

  174. 

  175.     set_type(ots_addr, XMSS_ADDR_TYPE_OTS);

  176.     set_type(ltree_addr, XMSS_ADDR_TYPE_LTREE);

  177.     set_type(node_addr, XMSS_ADDR_TYPE_HASHTREE);

  178. 

  179.     *mlen = smlen - params->sig_bytes;

  180. 

  181.     /* Convert the index bytes from the signature to an integer. */

  182.     idx = bytes_to_ull(sm, params->index_bytes);

  183. 

  184.     /* Put the message all the way at the end of the m buffer, so that we can

  185.      * prepend the required other inputs for the hash function. */

  186.     memcpy(m + params->sig_bytes, sm + params->sig_bytes, *mlen);

  187. 

  188.     /* Compute the message hash. */

  189.     hash_message(params, mhash, sm + params->index_bytes, pk, idx,

  190.                  m + params->sig_bytes - 4*params->n, *mlen);

  191.     sm += params->index_bytes + params->n;

  192. 

  193.     /* For each subtree.. */

  194.     for (i = 0; i < params->d; i++) {

  195.         idx_leaf = (idx & ((1 << params->tree_height)-1));

  196.         idx = idx >> params->tree_height;

  197. 

  198.         set_layer_addr(ots_addr, i);

  199.         set_layer_addr(ltree_addr, i);

  200.         set_layer_addr(node_addr, i);

  201. 

  202.         set_tree_addr(ltree_addr, idx);

  203.         set_tree_addr(ots_addr, idx);

  204.         set_tree_addr(node_addr, idx);

  205. 

  206.         /* The WOTS public key is only correct if the signature was correct. */

  207.         set_ots_addr(ots_addr, idx_leaf);

  208.         /* Initially, root = mhash, but on subsequent iterations it is the root

  209.            of the subtree below the currently processed subtree. */

  210.         wots_pk_from_sig(params, wots_pk, sm, root, pub_seed, ots_addr);

  211.         sm += params->wots_sig_bytes;

  212. 

  213.         /* Compute the leaf node using the WOTS public key. */

  214.         set_ltree_addr(ltree_addr, idx_leaf);

  215.         l_tree(params, leaf, wots_pk, pub_seed, ltree_addr);

  216. 

  217.         /* Compute the root node of this subtree. */

  218.         compute_root(params, root, leaf, idx_leaf, sm, pub_seed, node_addr);

  219.         sm += params->tree_height*params->n;

  220.     }

  221. 

  222.     /* Check if the root node equals the root node in the public key. */

  223.     if (memcmp(root, pk, params->n)) {

  224.         /* If not, zero the message */

  225.         memset(m, 0, *mlen);

  226.         *mlen = 0;

  227.         return -1;

  228.     }

  229. 

  230.     /* If verification was successful, copy the message from the signature. */

  231.     memcpy(m, sm, *mlen);

  232. 

  233.     return 0;

  234. }