xmss_wots.c 4.7 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193
  1. /* $OpenBSD: xmss_wots.c,v 1.3 2018/04/10 00:10:49 djm Exp $ */
  2. /*
  3. wots.c version 20160722
  4. Andreas Hülsing
  5. Joost Rijneveld
  6. Public domain.
  7. */
  8. #include "includes.h"
  9. #ifdef WITH_XMSS
  10. #include <stdlib.h>
  11. #ifdef HAVE_STDINT_H
  12. # include <stdint.h>
  13. #endif
  14. #include <limits.h>
  15. #include "xmss_commons.h"
  16. #include "xmss_hash.h"
  17. #include "xmss_wots.h"
  18. #include "xmss_hash_address.h"
  19. /* libm-free version of log2() for wots */
  20. static inline int
  21. wots_log2(uint32_t v)
  22. {
  23. int b;
  24. for (b = sizeof (v) * CHAR_BIT - 1; b >= 0; b--) {
  25. if ((1U << b) & v) {
  26. return b;
  27. }
  28. }
  29. return 0;
  30. }
  31. void
  32. wots_set_params(wots_params *params, int n, int w)
  33. {
  34. params->n = n;
  35. params->w = w;
  36. params->log_w = wots_log2(params->w);
  37. params->len_1 = (CHAR_BIT * n) / params->log_w;
  38. params->len_2 = (wots_log2(params->len_1 * (w - 1)) / params->log_w) + 1;
  39. params->len = params->len_1 + params->len_2;
  40. params->keysize = params->len * params->n;
  41. }
  42. /**
  43. * Helper method for pseudorandom key generation
  44. * Expands an n-byte array into a len*n byte array
  45. * this is done using PRF
  46. */
  47. static void expand_seed(unsigned char *outseeds, const unsigned char *inseed, const wots_params *params)
  48. {
  49. uint32_t i = 0;
  50. unsigned char ctr[32];
  51. for(i = 0; i < params->len; i++){
  52. to_byte(ctr, i, 32);
  53. prf((outseeds + (i*params->n)), ctr, inseed, params->n);
  54. }
  55. }
  56. /**
  57. * Computes the chaining function.
  58. * out and in have to be n-byte arrays
  59. *
  60. * interprets in as start-th value of the chain
  61. * addr has to contain the address of the chain
  62. */
  63. static void gen_chain(unsigned char *out, const unsigned char *in, unsigned int start, unsigned int steps, const wots_params *params, const unsigned char *pub_seed, uint32_t addr[8])
  64. {
  65. uint32_t i, j;
  66. for (j = 0; j < params->n; j++)
  67. out[j] = in[j];
  68. for (i = start; i < (start+steps) && i < params->w; i++) {
  69. setHashADRS(addr, i);
  70. hash_f(out, out, pub_seed, addr, params->n);
  71. }
  72. }
  73. /**
  74. * base_w algorithm as described in draft.
  75. *
  76. *
  77. */
  78. static void base_w(int *output, const int out_len, const unsigned char *input, const wots_params *params)
  79. {
  80. int in = 0;
  81. int out = 0;
  82. uint32_t total = 0;
  83. int bits = 0;
  84. int consumed = 0;
  85. for (consumed = 0; consumed < out_len; consumed++) {
  86. if (bits == 0) {
  87. total = input[in];
  88. in++;
  89. bits += 8;
  90. }
  91. bits -= params->log_w;
  92. output[out] = (total >> bits) & (params->w - 1);
  93. out++;
  94. }
  95. }
  96. void wots_pkgen(unsigned char *pk, const unsigned char *sk, const wots_params *params, const unsigned char *pub_seed, uint32_t addr[8])
  97. {
  98. uint32_t i;
  99. expand_seed(pk, sk, params);
  100. for (i=0; i < params->len; i++) {
  101. setChainADRS(addr, i);
  102. gen_chain(pk+i*params->n, pk+i*params->n, 0, params->w-1, params, pub_seed, addr);
  103. }
  104. }
  105. int wots_sign(unsigned char *sig, const unsigned char *msg, const unsigned char *sk, const wots_params *params, const unsigned char *pub_seed, uint32_t addr[8])
  106. {
  107. //int basew[params->len];
  108. int csum = 0;
  109. uint32_t i = 0;
  110. int *basew = calloc(params->len, sizeof(int));
  111. if (basew == NULL)
  112. return -1;
  113. base_w(basew, params->len_1, msg, params);
  114. for (i=0; i < params->len_1; i++) {
  115. csum += params->w - 1 - basew[i];
  116. }
  117. csum = csum << (8 - ((params->len_2 * params->log_w) % 8));
  118. int len_2_bytes = ((params->len_2 * params->log_w) + 7) / 8;
  119. unsigned char csum_bytes[len_2_bytes];
  120. to_byte(csum_bytes, csum, len_2_bytes);
  121. int csum_basew[params->len_2];
  122. base_w(csum_basew, params->len_2, csum_bytes, params);
  123. for (i = 0; i < params->len_2; i++) {
  124. basew[params->len_1 + i] = csum_basew[i];
  125. }
  126. expand_seed(sig, sk, params);
  127. for (i = 0; i < params->len; i++) {
  128. setChainADRS(addr, i);
  129. gen_chain(sig+i*params->n, sig+i*params->n, 0, basew[i], params, pub_seed, addr);
  130. }
  131. free(basew);
  132. return 0;
  133. }
  134. int wots_pkFromSig(unsigned char *pk, const unsigned char *sig, const unsigned char *msg, const wots_params *params, const unsigned char *pub_seed, uint32_t addr[8])
  135. {
  136. int csum = 0;
  137. uint32_t i = 0;
  138. int *basew = calloc(params->len, sizeof(int));
  139. if (basew == NULL)
  140. return -1;
  141. base_w(basew, params->len_1, msg, params);
  142. for (i=0; i < params->len_1; i++) {
  143. csum += params->w - 1 - basew[i];
  144. }
  145. csum = csum << (8 - ((params->len_2 * params->log_w) % 8));
  146. int len_2_bytes = ((params->len_2 * params->log_w) + 7) / 8;
  147. unsigned char csum_bytes[len_2_bytes];
  148. to_byte(csum_bytes, csum, len_2_bytes);
  149. int csum_basew[params->len_2];
  150. base_w(csum_basew, params->len_2, csum_bytes, params);
  151. for (i = 0; i < params->len_2; i++) {
  152. basew[params->len_1 + i] = csum_basew[i];
  153. }
  154. for (i=0; i < params->len; i++) {
  155. setChainADRS(addr, i);
  156. gen_chain(pk+i*params->n, sig+i*params->n, basew[i], params->w-1-basew[i], params, pub_seed, addr);
  157. }
  158. free(basew);
  159. return 0;
  160. }
  161. #endif /* WITH_XMSS */