Clean code
@@ -533,12 +533,6 @@ if (ENABLE_XMSS)
|
||||
list(APPEND tools tools/xmsskeygen.c tools/xmsssign.c tools/xmssverify.c)
|
||||
list(APPEND tools tools/xmssmtkeygen.c tools/xmssmtsign.c tools/xmssmtverify.c)
|
||||
list(APPEND tests xmss)
|
||||
|
||||
option(ENABLE_XMSS_CROSSCHECK "Enable XMSS SHA-256 cross-check" ON)
|
||||
if (ENABLE_XMSS_CROSSCHECK)
|
||||
message(STATUS "ENABLE_XMSS_CROSSCHECK is ON")
|
||||
add_definitions(-DENABLE_XMSS_CROSSCHECK)
|
||||
endif()
|
||||
endif()
|
||||
|
||||
|
||||
@@ -548,12 +542,6 @@ if (ENABLE_SPHINCS)
|
||||
list(APPEND src src/sphincs.c)
|
||||
list(APPEND tools tools/sphincskeygen.c tools/sphincssign.c tools/sphincsverify.c)
|
||||
list(APPEND tests sphincs)
|
||||
|
||||
option(ENABLE_SPHINCS_CROSSCHECK "Enable SPHINCS SHA-256 cross-check" ON)
|
||||
if (ENABLE_SPHINCS_CROSSCHECK)
|
||||
message(STATUS "ENABLE_SPHINCS_CROSSCHECK is ON")
|
||||
add_definitions(-DENABLE_SPHINCS_CROSSCHECK)
|
||||
endif()
|
||||
endif()
|
||||
|
||||
|
||||
@@ -931,7 +919,7 @@ endif()
|
||||
#
|
||||
set(CPACK_PACKAGE_NAME "GmSSL")
|
||||
set(CPACK_PACKAGE_VENDOR "GmSSL develop team")
|
||||
set(CPACK_PACKAGE_VERSION "3.3.0-dev.1158")
|
||||
set(CPACK_PACKAGE_VERSION "3.3.0-dev.1159")
|
||||
set(CPACK_PACKAGE_DESCRIPTION_FILE ${PROJECT_SOURCE_DIR}/README.md)
|
||||
set(CPACK_NSIS_MODIFY_PATH ON)
|
||||
include(CPack)
|
||||
|
||||
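Review bot: With `ENABLE_XMSS_CROSSCHECK` and `ENABLE_SPHINCS_CROSSCHECK` removed in the first two hunks, nothing left in the build states that the remaining XMSS and SPHINCS instantiations are SM3-only and are no longer compared against the SHA-256 reference data the removed options existed for; as far as this page shows, `list(APPEND tests xmss)` and `list(APPEND tests sphincs)` now exercise the implementation only against itself. A one-line comment inside each `if (ENABLE_XMSS)` / `if (ENABLE_SPHINCS)` block would make that explicit, e.g. `# SM3-based XMSS/SPHINCS parameter sets are GmSSL-specific; the SHA-256 cross-check against reference vectors was removed`. The same gap appears in the xmss and sphincs header sections below, where the `// Crosscheck with data from xmss-reference (SHA-256)` comment disappears with the macros and the new `xmss_sm3_digest_t` / `sphincs_sm3_digest_t` typedefs carry no comment of their own. The third hunk is only a version bump.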
@@ -15,9 +15,6 @@
|
||||
#include <string.h>
|
||||
#include <stdint.h>
|
||||
#include <gmssl/sm3.h>
|
||||
#ifdef ENABLE_SHA2
|
||||
#include <gmssl/sha2.h>
|
||||
#endif
|
||||
|
||||
|
||||
#ifdef __cplusplus
|
||||
@@ -47,7 +44,7 @@ extern "C" {
|
||||
#define SPHINCS_TBS_SIZE (SPHINCS_TBS_FORS_SIZE + SPHINCS_TBS_TREE_ADDRESS_SIZE + SPHINCS_TBS_KEYPAIR_ADDRESS_SIZE) // = 30
|
||||
|
||||
|
||||
// sizeof(sphincs_hash128_t) == n, when sm3/sha256, n == 16
|
||||
// sizeof(sphincs_hash128_t) == n, when sm3, n == 16
|
||||
#define SPHINCS_DIGEST_SIZE 16
|
||||
|
||||
// only support w = 16, w_bits = 4
|
||||
@@ -60,29 +57,7 @@ extern "C" {
|
||||
|
||||
typedef uint8_t sphincs_hash128_t[16];
|
||||
|
||||
typedef uint8_t sphincs_hash256_t[32];
|
||||
|
||||
#if defined(ENABLE_SPHINCS_CROSSCHECK) && defined(ENABLE_SHA2) && !defined(SPHINCS_HASH256_CTX)
|
||||
# define SPHINCS_HASH256_CTX SHA256_CTX
|
||||
# define sphincs_hash256_init sha256_init
|
||||
# define sphincs_hash256_update sha256_update
|
||||
# define sphincs_hash256_finish sha256_finish
|
||||
# define SPHINCS_HASH256_BLOCK_SIZE SHA256_BLOCK_SIZE
|
||||
# define SPHINCS_HMAC256_CTX SHA256_HMAC_CTX
|
||||
# define sphincs_hmac256_init sha256_hmac_init
|
||||
# define sphincs_hmac256_update sha256_hmac_update
|
||||
# define sphincs_hmac256_finish sha256_hmac_finish
|
||||
#else
|
||||
# define SPHINCS_HASH256_CTX SM3_CTX
|
||||
# define sphincs_hash256_init sm3_init
|
||||
# define sphincs_hash256_update sm3_update
|
||||
# define sphincs_hash256_finish sm3_finish
|
||||
# define SPHINCS_HASH256_BLOCK_SIZE SM3_BLOCK_SIZE
|
||||
# define SPHINCS_HMAC256_CTX SM3_HMAC_CTX
|
||||
# define sphincs_hmac256_init sm3_hmac_init
|
||||
# define sphincs_hmac256_update sm3_hmac_update
|
||||
# define sphincs_hmac256_finish sm3_hmac_finish
|
||||
#endif
|
||||
typedef uint8_t sphincs_sm3_digest_t[32];
|
||||
|
||||
|
||||
// ADRS scheme
|
||||
@@ -351,8 +326,8 @@ int sphincs_signature_print_ex(FILE *fp, int fmt, int ind, const char *label, co
|
||||
int sphincs_signature_print(FILE *fp, int fmt, int ind, const char *label, const uint8_t *sig, size_t siglen);
|
||||
|
||||
typedef struct {
|
||||
SPHINCS_HMAC256_CTX hmac_ctx;
|
||||
SPHINCS_HASH256_CTX hash_ctx;
|
||||
SM3_HMAC_CTX hmac_ctx;
|
||||
SM3_CTX hash_ctx;
|
||||
SPHINCS_SIGNATURE sig;
|
||||
int state; // after init 0, after prepare 1, after update 2
|
||||
size_t round1_msglen;
|
||||
|
||||
@@ -18,7 +18,7 @@ extern "C" {
|
||||
|
||||
|
||||
#define GMSSL_VERSION_NUM 30300
|
||||
#define GMSSL_VERSION_STR "GmSSL 3.3.0-dev.1158"
|
||||
#define GMSSL_VERSION_STR "GmSSL 3.3.0-dev.1159"
|
||||
|
||||
int gmssl_version_num(void);
|
||||
const char *gmssl_version_str(void);
|
||||
|
||||
@@ -15,33 +15,13 @@
|
||||
#include <string.h>
|
||||
#include <stdint.h>
|
||||
#include <gmssl/sm3.h>
|
||||
#ifdef ENABLE_SHA2
|
||||
#include <gmssl/sha2.h>
|
||||
#endif
|
||||
|
||||
|
||||
#ifdef __cplusplus
|
||||
extern "C" {
|
||||
#endif
|
||||
|
||||
typedef uint8_t xmss_hash256_t[32];
|
||||
|
||||
|
||||
// Crosscheck with data from xmss-reference (SHA-256), except the XMSS signature.
|
||||
#if defined(ENABLE_XMSS_CROSSCHECK) && defined(ENABLE_SHA2) && !defined(HASH256_CTX)
|
||||
# define XMSS_HASH256_CTX SHA256_CTX
|
||||
# define xmss_hash256_init sha256_init
|
||||
# define xmss_hash256_update sha256_update
|
||||
# define xmss_hash256_finish sha256_finish
|
||||
# define XMSS_HASH256_BLOCK_SIZE SHA256_BLOCK_SIZE
|
||||
#else
|
||||
# define XMSS_HASH256_CTX SM3_CTX
|
||||
# define xmss_hash256_init sm3_init
|
||||
# define xmss_hash256_update sm3_update
|
||||
# define xmss_hash256_finish sm3_finish
|
||||
# define XMSS_HASH256_BLOCK_SIZE SM3_BLOCK_SIZE
|
||||
#endif
|
||||
|
||||
typedef uint8_t xmss_sm3_digest_t[32];
|
||||
|
||||
// ADRS scheme
|
||||
|
||||
@@ -112,50 +92,41 @@ void xmss_adrs_set_hash_address(xmss_adrs_t adrs, uint32_t address);
|
||||
void xmss_adrs_set_tree_index(xmss_adrs_t adrs, uint32_t index);
|
||||
void xmss_adrs_set_key_and_mask(xmss_adrs_t adrs, uint32_t key_and_mask);
|
||||
|
||||
int xmss_adrs_print(FILE *fp, int fmt, int ind, const char *label, const xmss_hash256_t adrs);
|
||||
int xmss_adrs_print(FILE *fp, int fmt, int ind, const char *label, const xmss_sm3_digest_t adrs);
|
||||
|
||||
// WOTS+ with SM3/SHA256
|
||||
// WOTS+ with SM3
|
||||
|
||||
#define XMSS_WOTS_WINTERNITZ_W 16 // rfc 8391 named algors only support w = 2^4 = 16
|
||||
#define XMSS_WOTS_NUM_CHAINS 67
|
||||
|
||||
typedef xmss_hash256_t xmss_wots_key_t[XMSS_WOTS_NUM_CHAINS];
|
||||
typedef xmss_hash256_t xmss_wots_sig_t[XMSS_WOTS_NUM_CHAINS];
|
||||
typedef xmss_sm3_digest_t xmss_wots_key_t[XMSS_WOTS_NUM_CHAINS];
|
||||
typedef xmss_sm3_digest_t xmss_wots_sig_t[XMSS_WOTS_NUM_CHAINS];
|
||||
|
||||
|
||||
void xmss_wots_derive_sk(const xmss_hash256_t secret,
|
||||
const xmss_hash256_t seed, const xmss_adrs_t adrs,
|
||||
void xmss_wots_derive_sk(const xmss_sm3_digest_t secret,
|
||||
const xmss_sm3_digest_t seed, const xmss_adrs_t adrs,
|
||||
xmss_wots_key_t sk);
|
||||
void xmss_wots_chain(const xmss_hash256_t x,
|
||||
const xmss_hash256_t seed, const xmss_adrs_t adrs,
|
||||
int start, int steps, xmss_hash256_t y);
|
||||
void xmss_wots_chain(const xmss_sm3_digest_t x,
|
||||
const xmss_sm3_digest_t seed, const xmss_adrs_t adrs,
|
||||
int start, int steps, xmss_sm3_digest_t y);
|
||||
void xmss_wots_sk_to_pk(const xmss_wots_key_t sk,
|
||||
const xmss_hash256_t seed, const xmss_adrs_t adrs,
|
||||
const xmss_sm3_digest_t seed, const xmss_adrs_t adrs,
|
||||
xmss_wots_key_t pk);
|
||||
void xmss_wots_sign(const xmss_wots_key_t sk,
|
||||
const xmss_hash256_t seed, const xmss_adrs_t adrs,
|
||||
const xmss_hash256_t dgst, xmss_wots_sig_t sig);
|
||||
const xmss_sm3_digest_t seed, const xmss_adrs_t adrs,
|
||||
const xmss_sm3_digest_t dgst, xmss_wots_sig_t sig);
|
||||
void xmss_wots_sig_to_pk(const xmss_wots_sig_t sig,
|
||||
const xmss_hash256_t seed, const xmss_adrs_t adrs,
|
||||
const xmss_hash256_t dgst, xmss_wots_key_t pk);
|
||||
const xmss_sm3_digest_t seed, const xmss_adrs_t adrs,
|
||||
const xmss_sm3_digest_t dgst, xmss_wots_key_t pk);
|
||||
void xmss_wots_pk_to_root(const xmss_wots_key_t pk,
|
||||
const xmss_hash256_t seed, const xmss_adrs_t adrs,
|
||||
xmss_hash256_t wots_root);
|
||||
void xmss_wots_derive_root(const xmss_hash256_t secret,
|
||||
const xmss_hash256_t seed, const xmss_adrs_t adrs,
|
||||
xmss_hash256_t wots_root);
|
||||
int xmss_wots_verify(const xmss_hash256_t wots_root,
|
||||
const xmss_hash256_t seed, const xmss_adrs_t adrs,
|
||||
const xmss_hash256_t dgst, const xmss_wots_sig_t sig);
|
||||
|
||||
|
||||
|
||||
// from RFC 8391 table 7
|
||||
enum {
|
||||
XMSS_SHA2_10_256 = 0x00000001,
|
||||
XMSS_SHA2_16_256 = 0x00000002,
|
||||
XMSS_SHA2_20_256 = 0x00000003,
|
||||
};
|
||||
const xmss_sm3_digest_t seed, const xmss_adrs_t adrs,
|
||||
xmss_sm3_digest_t wots_root);
|
||||
void xmss_wots_derive_root(const xmss_sm3_digest_t secret,
|
||||
const xmss_sm3_digest_t seed, const xmss_adrs_t adrs,
|
||||
xmss_sm3_digest_t wots_root);
|
||||
int xmss_wots_verify(const xmss_sm3_digest_t wots_root,
|
||||
const xmss_sm3_digest_t seed, const xmss_adrs_t adrs,
|
||||
const xmss_sm3_digest_t dgst, const xmss_wots_sig_t sig);
|
||||
|
||||
enum {
|
||||
XMSS_SM3_10_256 = 0x10000001, // height = 10, sigs = 2^10
|
||||
@@ -165,22 +136,9 @@ enum {
|
||||
|
||||
#define XMSS_MAX_HEIGHT 20
|
||||
|
||||
// Crosscheck with data from xmss-reference (SHA-256), except the XMSS signature.
|
||||
#if defined(ENABLE_XMSS_CROSSCHECK) && defined(ENABLE_SHA2)
|
||||
# define XMSS_HASH256_10_256 XMSS_SHA2_10_256
|
||||
# define XMSS_HASH256_16_256 XMSS_SHA2_16_256
|
||||
# define XMSS_HASH256_20_256 XMSS_SHA2_20_256
|
||||
# define XMSS_HASH256_10_256_NAME "XMSS_SHA2_10_256"
|
||||
# define XMSS_HASH256_16_256_NAME "XMSS_SHA2_16_256"
|
||||
# define XMSS_HASH256_20_256_NAME "XMSS_SHA2_20_256"
|
||||
#else
|
||||
# define XMSS_HASH256_10_256 XMSS_SM3_10_256
|
||||
# define XMSS_HASH256_16_256 XMSS_SM3_16_256
|
||||
# define XMSS_HASH256_20_256 XMSS_SM3_20_256
|
||||
# define XMSS_HASH256_10_256_NAME "XMSS_SM3_10_256"
|
||||
# define XMSS_HASH256_16_256_NAME "XMSS_SM3_16_256"
|
||||
# define XMSS_HASH256_20_256_NAME "XMSS_SM3_20_256"
|
||||
#endif
|
||||
#define XMSS_SM3_10_256_NAME "XMSS_SM3_10_256"
|
||||
#define XMSS_SM3_16_256_NAME "XMSS_SM3_16_256"
|
||||
#define XMSS_SM3_20_256_NAME "XMSS_SM3_20_256"
|
||||
|
||||
char *xmss_type_name(uint32_t xmss_type);
|
||||
uint32_t xmss_type_from_name(const char *name);
|
||||
@@ -188,21 +146,21 @@ uint32_t xmss_type_from_name(const char *name);
|
||||
int xmss_type_to_height(uint32_t xmss_type, size_t *height);
|
||||
|
||||
size_t xmss_num_tree_nodes(size_t height);
|
||||
void xmss_build_tree(const xmss_hash256_t secret,
|
||||
const xmss_hash256_t seed, const xmss_adrs_t adrs,
|
||||
size_t height, xmss_hash256_t *tree); // tree[xmss_num_tree_nodes(height)]
|
||||
void xmss_build_auth_path(const xmss_hash256_t *tree, size_t height,
|
||||
uint32_t index, xmss_hash256_t *auth_path); // auth_path[height]
|
||||
void xmss_build_root(const xmss_hash256_t wots_root, uint32_t index,
|
||||
const xmss_hash256_t seed, const xmss_adrs_t adrs,
|
||||
const xmss_hash256_t *auth_path, size_t height,
|
||||
xmss_hash256_t xmss_root);
|
||||
void xmss_build_tree(const xmss_sm3_digest_t secret,
|
||||
const xmss_sm3_digest_t seed, const xmss_adrs_t adrs,
|
||||
size_t height, xmss_sm3_digest_t *tree); // tree[xmss_num_tree_nodes(height)]
|
||||
void xmss_build_auth_path(const xmss_sm3_digest_t *tree, size_t height,
|
||||
uint32_t index, xmss_sm3_digest_t *auth_path); // auth_path[height]
|
||||
void xmss_build_root(const xmss_sm3_digest_t wots_root, uint32_t index,
|
||||
const xmss_sm3_digest_t seed, const xmss_adrs_t adrs,
|
||||
const xmss_sm3_digest_t *auth_path, size_t height,
|
||||
xmss_sm3_digest_t xmss_root);
|
||||
|
||||
|
||||
typedef struct {
|
||||
uint32_t xmss_type;
|
||||
xmss_hash256_t seed;
|
||||
xmss_hash256_t root;
|
||||
xmss_sm3_digest_t seed;
|
||||
xmss_sm3_digest_t root;
|
||||
} XMSS_PUBLIC_KEY;
|
||||
|
||||
#define XMSS_PUBLIC_KEY_SIZE (4 + 32 + 32) // = 68
|
||||
@@ -214,16 +172,16 @@ typedef int (*xmss_key_update_callback)(XMSS_KEY *key);
|
||||
typedef struct XMSS_KEY_st {
|
||||
XMSS_PUBLIC_KEY public_key;
|
||||
uint32_t index;
|
||||
xmss_hash256_t secret;
|
||||
xmss_hash256_t sk_prf;
|
||||
xmss_hash256_t *tree; // xmss_hash256_t[2^(h + 1) - 1]
|
||||
xmss_sm3_digest_t secret;
|
||||
xmss_sm3_digest_t sk_prf;
|
||||
xmss_sm3_digest_t *tree; // xmss_sm3_digest_t[2^(h + 1) - 1]
|
||||
xmss_key_update_callback update_callback;
|
||||
void *update_param;
|
||||
} XMSS_KEY;
|
||||
|
||||
// XMSS_SHA2_10_256: 65,640
|
||||
// XMSS_SHA2_16_256: 4,194,408
|
||||
// XMSS_SHA2_20_256: 67,108,968
|
||||
// XMSS_SM3_10_256: 65,640
|
||||
// XMSS_SM3_16_256: 4,194,408
|
||||
// XMSS_SM3_20_256: 67,108,968
|
||||
int xmss_private_key_size(uint32_t xmss_type, size_t *keysize);
|
||||
|
||||
//#define XMSS_PRIVATE_KEY_SIZE (XMSS_PUBLIC_KEY_SIZE + 32 + 32 + 4) // = 136
|
||||
@@ -245,9 +203,9 @@ int xmss_private_key_print(FILE *fp, int fmt, int ind, const char *label, const
|
||||
|
||||
typedef struct {
|
||||
uint32_t index; // < 2^(XMSS_MAX_HEIGHT) = 2^20, always encode to 4 bytes
|
||||
xmss_hash256_t random;
|
||||
xmss_sm3_digest_t random;
|
||||
xmss_wots_sig_t wots_sig;
|
||||
xmss_hash256_t auth_path[XMSS_MAX_HEIGHT];
|
||||
xmss_sm3_digest_t auth_path[XMSS_MAX_HEIGHT];
|
||||
} XMSS_SIGNATURE;
|
||||
|
||||
// XMSS_SM3_10_256 2500 bytes
|
||||
@@ -265,7 +223,7 @@ int xmss_signature_print_ex(FILE *fp, int fmt, int ind, const char *label, const
|
||||
typedef struct {
|
||||
XMSS_PUBLIC_KEY xmss_public_key;
|
||||
XMSS_SIGNATURE xmss_sig;
|
||||
XMSS_HASH256_CTX hash256_ctx;
|
||||
SM3_CTX sm3_ctx;
|
||||
} XMSS_SIGN_CTX;
|
||||
|
||||
int xmss_sign_init(XMSS_SIGN_CTX *ctx, XMSS_KEY *key);
|
||||
@@ -289,55 +247,14 @@ enum {
|
||||
XMSSMT_SM3_60_12_256 = 0x00000008,
|
||||
};
|
||||
|
||||
// from rfc 8391 table 8
|
||||
enum {
|
||||
XMSSMT_RESERVED = 0x00000000,
|
||||
XMSSMT_SHA2_20_2_256 = 0x00000001,
|
||||
XMSSMT_SHA2_20_4_256 = 0x00000002,
|
||||
XMSSMT_SHA2_40_2_256 = 0x00000003,
|
||||
XMSSMT_SHA2_40_4_256 = 0x00000004,
|
||||
XMSSMT_SHA2_40_8_256 = 0x00000005,
|
||||
XMSSMT_SHA2_60_3_256 = 0x00000006,
|
||||
XMSSMT_SHA2_60_6_256 = 0x00000007,
|
||||
XMSSMT_SHA2_60_12_256 = 0x00000008,
|
||||
};
|
||||
|
||||
|
||||
#if defined(ENABLE_XMSS_CROSSCHECK) && defined(ENABLE_SHA2)
|
||||
# define XMSSMT_HASH256_20_2_256 XMSSMT_SHA2_20_2_256
|
||||
# define XMSSMT_HASH256_20_4_256 XMSSMT_SHA2_20_4_256
|
||||
# define XMSSMT_HASH256_40_2_256 XMSSMT_SHA2_40_2_256
|
||||
# define XMSSMT_HASH256_40_4_256 XMSSMT_SHA2_40_4_256
|
||||
# define XMSSMT_HASH256_40_8_256 XMSSMT_SHA2_40_8_256
|
||||
# define XMSSMT_HASH256_60_3_256 XMSSMT_SHA2_60_3_256
|
||||
# define XMSSMT_HASH256_60_6_256 XMSSMT_SHA2_60_6_256
|
||||
# define XMSSMT_HASH256_60_12_256 XMSSMT_SHA2_60_12_256
|
||||
# define XMSSMT_HASH256_20_2_256_NAME "XMSSMT_SHA2_20_2_256"
|
||||
# define XMSSMT_HASH256_20_4_256_NAME "XMSSMT_SHA2_20_4_256"
|
||||
# define XMSSMT_HASH256_40_2_256_NAME "XMSSMT_SHA2_40_2_256"
|
||||
# define XMSSMT_HASH256_40_4_256_NAME "XMSSMT_SHA2_40_4_256"
|
||||
# define XMSSMT_HASH256_40_8_256_NAME "XMSSMT_SHA2_40_8_256"
|
||||
# define XMSSMT_HASH256_60_3_256_NAME "XMSSMT_SHA2_60_3_256"
|
||||
# define XMSSMT_HASH256_60_6_256_NAME "XMSSMT_SHA2_60_6_256"
|
||||
# define XMSSMT_HASH256_60_12_256_NAME "XMSSMT_SHA2_60_12_256"
|
||||
#else
|
||||
# define XMSSMT_HASH256_20_2_256 XMSSMT_SM3_20_2_256
|
||||
# define XMSSMT_HASH256_20_4_256 XMSSMT_SM3_20_4_256
|
||||
# define XMSSMT_HASH256_40_2_256 XMSSMT_SM3_40_2_256
|
||||
# define XMSSMT_HASH256_40_4_256 XMSSMT_SM3_40_4_256
|
||||
# define XMSSMT_HASH256_40_8_256 XMSSMT_SM3_40_8_256
|
||||
# define XMSSMT_HASH256_60_3_256 XMSSMT_SM3_60_3_256
|
||||
# define XMSSMT_HASH256_60_6_256 XMSSMT_SM3_60_6_256
|
||||
# define XMSSMT_HASH256_60_12_256 XMSSMT_SM3_60_12_256
|
||||
# define XMSSMT_HASH256_20_2_256_NAME "XMSSMT_SM3_20_2_256"
|
||||
# define XMSSMT_HASH256_20_4_256_NAME "XMSSMT_SM3_20_4_256"
|
||||
# define XMSSMT_HASH256_40_2_256_NAME "XMSSMT_SM3_40_2_256"
|
||||
# define XMSSMT_HASH256_40_4_256_NAME "XMSSMT_SM3_40_4_256"
|
||||
# define XMSSMT_HASH256_40_8_256_NAME "XMSSMT_SM3_40_8_256"
|
||||
# define XMSSMT_HASH256_60_3_256_NAME "XMSSMT_SM3_60_3_256"
|
||||
# define XMSSMT_HASH256_60_6_256_NAME "XMSSMT_SM3_60_6_256"
|
||||
# define XMSSMT_HASH256_60_12_256_NAME "XMSSMT_SM3_60_12_256"
|
||||
#endif
|
||||
#define XMSSMT_SM3_20_2_256_NAME "XMSSMT_SM3_20_2_256"
|
||||
#define XMSSMT_SM3_20_4_256_NAME "XMSSMT_SM3_20_4_256"
|
||||
#define XMSSMT_SM3_40_2_256_NAME "XMSSMT_SM3_40_2_256"
|
||||
#define XMSSMT_SM3_40_4_256_NAME "XMSSMT_SM3_40_4_256"
|
||||
#define XMSSMT_SM3_40_8_256_NAME "XMSSMT_SM3_40_8_256"
|
||||
#define XMSSMT_SM3_60_3_256_NAME "XMSSMT_SM3_60_3_256"
|
||||
#define XMSSMT_SM3_60_6_256_NAME "XMSSMT_SM3_60_6_256"
|
||||
#define XMSSMT_SM3_60_12_256_NAME "XMSSMT_SM3_60_12_256"
|
||||
|
||||
char *xmssmt_type_name(uint32_t xmssmt_type);
|
||||
uint32_t xmssmt_type_from_name(const char *name);
|
||||
@@ -350,11 +267,11 @@ size_t xmssmt_num_trees_nodes(size_t height, size_t layers);
|
||||
|
||||
typedef struct {
|
||||
uint32_t xmssmt_type;
|
||||
xmss_hash256_t seed;
|
||||
xmss_hash256_t root;
|
||||
xmss_sm3_digest_t seed;
|
||||
xmss_sm3_digest_t root;
|
||||
} XMSSMT_PUBLIC_KEY;
|
||||
|
||||
#define XMSSMT_PUBLIC_KEY_SIZE (4 + sizeof(xmss_hash256_t) + sizeof(xmss_hash256_t)) // = 68 bytes
|
||||
#define XMSSMT_PUBLIC_KEY_SIZE (4 + sizeof(xmss_sm3_digest_t) + sizeof(xmss_sm3_digest_t)) // = 68 bytes
|
||||
|
||||
typedef struct XMSSMT_KEY_st XMSSMT_KEY;
|
||||
|
||||
@@ -363,9 +280,9 @@ typedef int (*xmssmt_key_update_callback)(XMSSMT_KEY *key);
|
||||
typedef struct XMSSMT_KEY_st {
|
||||
XMSSMT_PUBLIC_KEY public_key;
|
||||
uint64_t index; // in [0, 2^60 - 1]
|
||||
xmss_hash256_t secret;
|
||||
xmss_hash256_t sk_prf;
|
||||
xmss_hash256_t *trees;
|
||||
xmss_sm3_digest_t secret;
|
||||
xmss_sm3_digest_t sk_prf;
|
||||
xmss_sm3_digest_t *trees;
|
||||
xmss_wots_sig_t wots_sigs[XMSSMT_MAX_LAYERS - 1];
|
||||
xmssmt_key_update_callback update_callback;
|
||||
void *update_param;
|
||||
@@ -382,7 +299,7 @@ typedef struct XMSSMT_KEY_st {
|
||||
XMSSMT_SM3_60_12_256: 47,916 bytes
|
||||
*/
|
||||
int xmssmt_private_key_size(uint32_t xmssmt_type, size_t *len);
|
||||
int xmssmt_build_auth_path(const xmss_hash256_t *tree, size_t height, size_t layers, uint64_t index, xmss_hash256_t *auth_path);
|
||||
int xmssmt_build_auth_path(const xmss_sm3_digest_t *tree, size_t height, size_t layers, uint64_t index, xmss_sm3_digest_t *auth_path);
|
||||
|
||||
int xmssmt_key_generate(XMSSMT_KEY *key, uint32_t xmssmt_type);
|
||||
int xmssmt_key_set_update_callback(XMSSMT_KEY *key, xmssmt_key_update_callback update_cb, void *param);
|
||||
@@ -399,9 +316,9 @@ void xmssmt_key_cleanup(XMSSMT_KEY *key);
|
||||
|
||||
typedef struct {
|
||||
uint64_t index;
|
||||
xmss_hash256_t random;
|
||||
xmss_sm3_digest_t random;
|
||||
xmss_wots_sig_t wots_sigs[XMSSMT_MAX_LAYERS];
|
||||
xmss_hash256_t auth_path[XMSSMT_MAX_HEIGHT];
|
||||
xmss_sm3_digest_t auth_path[XMSSMT_MAX_HEIGHT];
|
||||
} XMSSMT_SIGNATURE;
|
||||
|
||||
int xmssmt_index_to_bytes(uint64_t index, uint32_t xmssmt_type, uint8_t **out, size_t *outlen);
|
||||
@@ -420,7 +337,7 @@ int xmssmt_signature_print(FILE *fp, int fmt, int ind, const char *label, const
|
||||
typedef struct {
|
||||
XMSSMT_PUBLIC_KEY xmssmt_public_key;
|
||||
XMSSMT_SIGNATURE xmssmt_sig;
|
||||
XMSS_HASH256_CTX hash256_ctx;
|
||||
SM3_CTX sm3_ctx;
|
||||
} XMSSMT_SIGN_CTX;
|
||||
|
||||
int xmssmt_sign_init(XMSSMT_SIGN_CTX *ctx, XMSSMT_KEY *key);
|
||||
|
||||
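Review bot: `int xmss_adrs_print(FILE *fp, int fmt, int ind, const char *label, const xmss_sm3_digest_t adrs);` now declares the ADRS argument as an SM3 digest, while the neighbouring `xmss_adrs_set_tree_index` and `xmss_adrs_set_key_and_mask` take `xmss_adrs_t adrs`; the mechanical rename from `xmss_hash256_t` preserved an old mismatch and made it read worse, since an address structure is not a digest. Assuming `xmss_adrs_t` is the 32-byte ADRS array (its typedef is outside the hunk, so this compiles either way), the line should read `int xmss_adrs_print(FILE *fp, int fmt, int ind, const char *label, const xmss_adrs_t adrs);`. In the same spirit, the rewritten `#define XMSSMT_PUBLIC_KEY_SIZE (4 + sizeof(xmss_sm3_digest_t) + sizeof(xmss_sm3_digest_t))` derives the size from the type while the unchanged `#define XMSS_PUBLIC_KEY_SIZE (4 + 32 + 32)` earlier in the section still hard-codes 32; expressing both through `sizeof(xmss_sm3_digest_t)` keeps them from drifting apart if the digest type is ever changed again.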
20
src/ecdh.c
20
src/ecdh.c
@@ -26,9 +26,13 @@ int secp256r1_do_ecdh(const SECP256R1_KEY *key, const SECP256R1_KEY *peer_key, u
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
secp256r1_point_mul(&point, key->private_key, &peer_key->public_key);
|
||||
secp256r1_point_get_xy(&point, x, y);
|
||||
secp256r1_to_32bytes(x, out);
|
||||
if (secp256r1_point_mul(&point, key->private_key, &peer_key->public_key) != 1
|
||||
|| secp256r1_point_get_xy(&point, x, y) != 1
|
||||
|| secp256r1_to_32bytes(x, out) != 1) {
|
||||
error_print();
|
||||
gmssl_secure_clear(&point, sizeof(SECP256R1_POINT));
|
||||
return -1;
|
||||
}
|
||||
|
||||
gmssl_secure_clear(&point, sizeof(SECP256R1_POINT));
|
||||
gmssl_secure_clear(x, sizeof(secp256r1_t));
|
||||
@@ -50,9 +54,13 @@ int secp256r1_ecdh(const SECP256R1_KEY *key, const uint8_t uncompressed_point[65
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
secp256r1_point_mul(&point, key->private_key, &point);
|
||||
secp256r1_point_get_xy(&point, x,y);
|
||||
secp256r1_to_32bytes(x, out);
|
||||
if (secp256r1_point_mul(&point, key->private_key, &point) != 1
|
||||
|| secp256r1_point_get_xy(&point, x,y) != 1
|
||||
|| secp256r1_to_32bytes(x, out) != 1) {
|
||||
error_print();
|
||||
gmssl_secure_clear(&point, sizeof(SECP256R1_POINT));
|
||||
return -1;
|
||||
}
|
||||
|
||||
gmssl_secure_clear(&point, sizeof(SECP256R1_POINT));
|
||||
gmssl_secure_clear(x, sizeof(secp256r1_t));
|
||||
|
||||
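Review bot: The new error branch in `secp256r1_do_ecdh` wipes only `point` before `return -1`, but `x` (and possibly `y`) may already hold the shared-secret coordinate when `secp256r1_to_32bytes(x, out)` or a late step of `secp256r1_point_get_xy` is what failed, whereas the success path directly below does clear `x` with `gmssl_secure_clear(x, sizeof(secp256r1_t))`. Add `gmssl_secure_clear(x, sizeof(secp256r1_t));` to the error branch (and the matching clear for `y` if the success path clears it too — that part is outside the hunk) so both exits leave the stack in the same state. The second hunk, in `secp256r1_ecdh`, has the identical shape and needs the same fix. Both functions begin outside their hunks.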
91
src/ecdsa.c
91
src/ecdsa.c
@@ -23,8 +23,11 @@ int ecdsa_signature_print_ex(FILE *fp, int fmt, int ind, const char *label, cons
|
||||
{
|
||||
format_print(fp, fmt, ind, "%s\n", label);
|
||||
ind += 4;
|
||||
secp256r1_print(fp, fmt, ind, "r", sig->r);
|
||||
secp256r1_print(fp, fmt, ind, "s", sig->s);
|
||||
if (secp256r1_print(fp, fmt, ind, "r", sig->r) != 1
|
||||
|| secp256r1_print(fp, fmt, ind, "s", sig->s) != 1) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
return 1;
|
||||
}
|
||||
|
||||
@@ -53,21 +56,33 @@ int ecdsa_do_sign_ex(const SECP256R1_KEY *key, const secp256r1_t k, const uint8_
|
||||
SECP256R1_POINT P;
|
||||
|
||||
// e = hash(m)
|
||||
secp256r1_from_32bytes(e, dgst);
|
||||
secp256r1_modn(e, e);
|
||||
if (secp256r1_from_32bytes(e, dgst) != 1
|
||||
|| secp256r1_modn(e, e) != 1) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
|
||||
// (x1, y1) = k*G
|
||||
secp256r1_point_mul_generator(&P, k);
|
||||
secp256r1_point_get_xy(&P, x1, y1);
|
||||
if (secp256r1_point_mul_generator(&P, k) != 1
|
||||
|| secp256r1_point_get_xy(&P, x1, y1) != 1) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
|
||||
// r = x1 mod n
|
||||
secp256r1_modn(sig->r, x1);
|
||||
if (secp256r1_modn(sig->r, x1) != 1) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
|
||||
// s = k^-1 * (e + d * r) mod n
|
||||
secp256r1_modn_inv(k_inv, k);
|
||||
secp256r1_modn_mul(sig->s, key->private_key, sig->r);
|
||||
secp256r1_modn_add(sig->s, sig->s, e);
|
||||
secp256r1_modn_mul(sig->s, sig->s, k_inv);
|
||||
if (secp256r1_modn_inv(k_inv, k) != 1
|
||||
|| secp256r1_modn_mul(sig->s, key->private_key, sig->r) != 1
|
||||
|| secp256r1_modn_add(sig->s, sig->s, e) != 1
|
||||
|| secp256r1_modn_mul(sig->s, sig->s, k_inv) != 1) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
|
||||
return 1;
|
||||
}
|
||||
@@ -114,26 +129,46 @@ int ecdsa_do_verify(const SECP256R1_KEY *key, const uint8_t dgst[32], const ECDS
|
||||
}
|
||||
|
||||
// e = hash(m)
|
||||
secp256r1_from_32bytes(e, dgst);
|
||||
secp256r1_modn(e, e);
|
||||
if (secp256r1_from_32bytes(e, dgst) != 1
|
||||
|| secp256r1_modn(e, e) != 1) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
|
||||
// w = s^-1 (mod n)
|
||||
secp256r1_modn_inv(w, sig->s);
|
||||
if (secp256r1_modn_inv(w, sig->s) != 1) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
|
||||
// u1 = e * w (mod n)
|
||||
secp256r1_modn_mul(u1, e, w);
|
||||
if (secp256r1_modn_mul(u1, e, w) != 1) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
|
||||
// u2 = r * w (mod n)
|
||||
secp256r1_modn_mul(u2, sig->r, w);
|
||||
if (secp256r1_modn_mul(u2, sig->r, w) != 1) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
|
||||
// (x1, y1) = u1*G + u2*Q
|
||||
secp256r1_point_mul_generator(&P, u1);
|
||||
secp256r1_point_mul(&Q, u2, &key->public_key);
|
||||
secp256r1_point_add(&R, &P, &Q);
|
||||
secp256r1_point_get_xy(&R, x1, y1);
|
||||
if (secp256r1_point_mul_generator(&P, u1) != 1
|
||||
|| secp256r1_point_mul(&Q, u2, &key->public_key) != 1
|
||||
|| secp256r1_point_add(&R, &P, &Q) != 1) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
if (secp256r1_point_get_xy(&R, x1, y1) != 1) {
|
||||
return 0;
|
||||
}
|
||||
|
||||
// x1 = x1 mod n
|
||||
secp256r1_modn(x1, x1);
|
||||
if (secp256r1_modn(x1, x1) != 1) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
|
||||
if (secp256r1_cmp(x1, sig->r) != 0) {
|
||||
return 0;
|
||||
@@ -151,8 +186,11 @@ int ecdsa_signature_to_der(const ECDSA_SIGNATURE *sig, uint8_t **out, size_t *ou
|
||||
return 0;
|
||||
}
|
||||
|
||||
secp256r1_to_32bytes(sig->r, r);
|
||||
secp256r1_to_32bytes(sig->s, s);
|
||||
if (secp256r1_to_32bytes(sig->r, r) != 1
|
||||
|| secp256r1_to_32bytes(sig->s, s) != 1) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
|
||||
if (asn1_integer_to_der(r, 32, NULL, &len) != 1
|
||||
|| asn1_integer_to_der(s, 32, NULL, &len) != 1
|
||||
@@ -186,8 +224,11 @@ int ecdsa_signature_from_der(ECDSA_SIGNATURE *sig, const uint8_t **in, size_t *i
|
||||
return -1;
|
||||
}
|
||||
|
||||
secp256r1_from_32bytes(sig->r, r);
|
||||
secp256r1_from_32bytes(sig->s, s);
|
||||
if (secp256r1_from_32bytes(sig->r, r) != 1
|
||||
|| secp256r1_from_32bytes(sig->s, s) != 1) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
|
||||
return 1;
|
||||
}
|
||||
|
||||
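Review bot: In `ecdsa_do_sign_ex`, `k_inv` is the inverse of the nonce (`secp256r1_modn_inv(k_inv, k)`) and is left on the stack at `return 1;` and on each new `return -1;`, while `src/ecdh.c` in this same commit wipes its secret-derived locals with `gmssl_secure_clear`. A `gmssl_secure_clear(k_inv, sizeof(secp256r1_t));` before the final return, and on the error exits (for example through a shared `err:` label as `secp256r1_point_is_on_curve` does), would make the two files consistent. The error return after `secp256r1_modn_mul(sig->s, key->private_key, sig->r)` also leaves `sig->s` holding d·r mod n; a caller that ignored the -1 and emitted `sig` would expose a value from which the private key can be recovered, so clearing `sig->s` on that path is cheap defence in depth. The function's declarations are outside the hunk, so whether callers already zero `sig` on failure cannot be seen here.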
324
src/secp256r1.c
324
src/secp256r1.c
@@ -256,11 +256,15 @@ const SECP256R1_POINT *secp256r1_generator(void)
|
||||
return &secp256r1_generator_point;
|
||||
}
|
||||
|
||||
void secp256r1_point_set_infinity(SECP256R1_POINT *R)
|
||||
int secp256r1_point_set_infinity(SECP256R1_POINT *R)
|
||||
{
|
||||
secp256r1_set_one(R->X);
|
||||
secp256r1_set_one(R->Y);
|
||||
secp256r1_set_zero(R->Z);
|
||||
if (secp256r1_set_one(R->X) != 1
|
||||
|| secp256r1_set_one(R->Y) != 1
|
||||
|| secp256r1_set_zero(R->Z) != 1) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
return 1;
|
||||
}
|
||||
|
||||
int secp256r1_point_is_at_infinity(const SECP256R1_POINT *P)
|
||||
@@ -284,48 +288,55 @@ int secp256r1_point_is_on_curve(const SECP256R1_POINT *P)
|
||||
// check Y^2 + 3 * X * Z^4 == X^3 + b * Z^6
|
||||
|
||||
// t0 = Y^2
|
||||
secp256r1_modp_sqr(t0, P->Y);
|
||||
if (secp256r1_modp_sqr(t0, P->Y) != 1) goto err;
|
||||
|
||||
// t1 = Z^2
|
||||
secp256r1_modp_sqr(t1, P->Z);
|
||||
if (secp256r1_modp_sqr(t1, P->Z) != 1) goto err;
|
||||
|
||||
// t2 = Z^4
|
||||
secp256r1_modp_sqr(t2, t1);
|
||||
if (secp256r1_modp_sqr(t2, t1) != 1) goto err;
|
||||
|
||||
// t1 = Z^6
|
||||
secp256r1_modp_mul(t1, t1, t2);
|
||||
if (secp256r1_modp_mul(t1, t1, t2) != 1) goto err;
|
||||
|
||||
// t1 = b * Z^6
|
||||
secp256r1_modp_mul(t1, t1, SECP256R1_B);
|
||||
if (secp256r1_modp_mul(t1, t1, SECP256R1_B) != 1) goto err;
|
||||
|
||||
// t2 = X * Z^4
|
||||
secp256r1_modp_mul(t2, t2, P->X);
|
||||
if (secp256r1_modp_mul(t2, t2, P->X) != 1) goto err;
|
||||
|
||||
// t0 = Y^2 + 3 * X * Z^4
|
||||
secp256r1_modp_add(t0, t0, t2);
|
||||
secp256r1_modp_add(t0, t0, t2);
|
||||
secp256r1_modp_add(t0, t0, t2);
|
||||
if (secp256r1_modp_add(t0, t0, t2) != 1
|
||||
|| secp256r1_modp_add(t0, t0, t2) != 1
|
||||
|| secp256r1_modp_add(t0, t0, t2) != 1) goto err;
|
||||
|
||||
// t2 = X^2
|
||||
secp256r1_modp_sqr(t2, P->X);
|
||||
if (secp256r1_modp_sqr(t2, P->X) != 1) goto err;
|
||||
|
||||
// t2 = X^3
|
||||
secp256r1_modp_mul(t2, t2, P->X);
|
||||
if (secp256r1_modp_mul(t2, t2, P->X) != 1) goto err;
|
||||
|
||||
// t1 = b * Z^6 + X^3
|
||||
secp256r1_modp_add(t1, t1, t2);
|
||||
if (secp256r1_modp_add(t1, t1, t2) != 1) goto err;
|
||||
|
||||
if (secp256r1_cmp(t0, t1) != 0) {
|
||||
return 0;
|
||||
}
|
||||
return 1;
|
||||
err:
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
|
||||
void secp256r1_point_copy(SECP256R1_POINT *R, const SECP256R1_POINT *P)
|
||||
int secp256r1_point_copy(SECP256R1_POINT *R, const SECP256R1_POINT *P)
|
||||
{
|
||||
secp256r1_copy(R->X, P->X);
|
||||
secp256r1_copy(R->Y, P->Y);
|
||||
secp256r1_copy(R->Z, P->Z);
|
||||
if (secp256r1_copy(R->X, P->X) != 1
|
||||
|| secp256r1_copy(R->Y, P->Y) != 1
|
||||
|| secp256r1_copy(R->Z, P->Z) != 1) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
return 1;
|
||||
}
|
||||
|
||||
int secp256r1_point_set_xy(SECP256R1_POINT *R, const secp256r1_t x, const secp256r1_t y)
|
||||
@@ -338,12 +349,15 @@ int secp256r1_point_set_xy(SECP256R1_POINT *R, const secp256r1_t x, const secp25
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
secp256r1_copy(R->X, x);
|
||||
secp256r1_copy(R->Y, y);
|
||||
secp256r1_set_one(R->Z);
|
||||
if (secp256r1_copy(R->X, x) != 1
|
||||
|| secp256r1_copy(R->Y, y) != 1
|
||||
|| secp256r1_set_one(R->Z) != 1) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
|
||||
|
||||
if (!secp256r1_point_is_on_curve(R)) {
|
||||
if (secp256r1_point_is_on_curve(R) != 1) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
@@ -355,17 +369,21 @@ int secp256r1_point_get_xy(const SECP256R1_POINT *P, secp256r1_t x, secp256r1_t
|
||||
secp256r1_t Z_inv;
|
||||
|
||||
if (secp256r1_point_is_at_infinity(P)) {
|
||||
return 0;
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
if (secp256r1_modp_inv(Z_inv, P->Z) != 1
|
||||
|| secp256r1_modp_mul(y, P->Y, Z_inv) != 1
|
||||
|| secp256r1_modp_sqr(Z_inv, Z_inv) != 1
|
||||
|| secp256r1_modp_mul(x, P->X, Z_inv) != 1
|
||||
|| secp256r1_modp_mul(y, y, Z_inv) != 1) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
secp256r1_modp_inv(Z_inv, P->Z);
|
||||
secp256r1_modp_mul(y, P->Y, Z_inv);
|
||||
secp256r1_modp_sqr(Z_inv, Z_inv);
|
||||
secp256r1_modp_mul(x, P->X, Z_inv);
|
||||
secp256r1_modp_mul(y, y, Z_inv);
|
||||
return 1;
|
||||
}
|
||||
|
||||
void secp256r1_point_dbl(SECP256R1_POINT *R, const SECP256R1_POINT *P)
|
||||
int secp256r1_point_dbl(SECP256R1_POINT *R, const SECP256R1_POINT *P)
|
||||
{
|
||||
/*
|
||||
secp256r1_t T_0;
|
||||
@@ -413,62 +431,71 @@ void secp256r1_point_dbl(SECP256R1_POINT *R, const SECP256R1_POINT *P)
|
||||
secp256r1_t Zsqr;
|
||||
secp256r1_t tmp0;
|
||||
|
||||
if (secp256r1_point_is_at_infinity(P)) {
|
||||
return secp256r1_point_set_infinity(R);
|
||||
}
|
||||
|
||||
// 1. S = 2Y
|
||||
secp256r1_modp_dbl(S, Y1);
|
||||
if (secp256r1_modp_dbl(S, Y1) != 1) goto err;
|
||||
|
||||
// 2. Zsqr = Z^2
|
||||
secp256r1_modp_sqr(Zsqr, Z1);
|
||||
if (secp256r1_modp_sqr(Zsqr, Z1) != 1) goto err;
|
||||
|
||||
// 3. S = S^2 = 4Y^2
|
||||
secp256r1_modp_sqr(S, S);
|
||||
if (secp256r1_modp_sqr(S, S) != 1) goto err;
|
||||
|
||||
// 4. Z = Z*Y
|
||||
secp256r1_modp_mul(Z3, Z1, Y1);
|
||||
if (secp256r1_modp_mul(Z3, Z1, Y1) != 1) goto err;
|
||||
|
||||
// 5. Z = 2*Z = 2*Y*Z ===> Z3
|
||||
secp256r1_modp_dbl(Z3, Z3);
|
||||
if (secp256r1_modp_dbl(Z3, Z3) != 1) goto err;
|
||||
|
||||
// 6. M = X + Zsqr = X + Z^2
|
||||
secp256r1_modp_add(M, X1, Zsqr);
|
||||
if (secp256r1_modp_add(M, X1, Zsqr) != 1) goto err;
|
||||
|
||||
// 7. Zsqr = X - Zsqr = X - Z^2
|
||||
secp256r1_modp_sub(Zsqr, X1, Zsqr);
|
||||
if (secp256r1_modp_sub(Zsqr, X1, Zsqr) != 1) goto err;
|
||||
|
||||
// 8. Y = S^2 = 16Y^4
|
||||
secp256r1_modp_sqr(Y3, S);
|
||||
if (secp256r1_modp_sqr(Y3, S) != 1) goto err;
|
||||
|
||||
// 9. Y = Y/2 = 8Y^4
|
||||
secp256r1_modp_haf(Y3, Y3);
|
||||
if (secp256r1_modp_haf(Y3, Y3) != 1) goto err;
|
||||
|
||||
// 10. M = M * Zsqr = (X + Z^2)*(X - Z^2) = X^2 - Z^4
|
||||
secp256r1_modp_mul(M, M, Zsqr);
|
||||
if (secp256r1_modp_mul(M, M, Zsqr) != 1) goto err;
|
||||
|
||||
// 11. M = 3M = 3X^2 - 3Z^4
|
||||
secp256r1_modp_tri(M, M);
|
||||
if (secp256r1_modp_tri(M, M) != 1) goto err;
|
||||
|
||||
// 12. S = S * X = 4X*Y^2
|
||||
secp256r1_modp_mul(S, S, X1);
|
||||
if (secp256r1_modp_mul(S, S, X1) != 1) goto err;
|
||||
|
||||
// 13. tmp0 = 2 * S = 8X*Y^2
|
||||
secp256r1_modp_dbl(tmp0, S);
|
||||
if (secp256r1_modp_dbl(tmp0, S) != 1) goto err;
|
||||
|
||||
// 14. X = M^2 = (3X^2 - 3Z^4)^2
|
||||
secp256r1_modp_sqr(X3, M);
|
||||
if (secp256r1_modp_sqr(X3, M) != 1) goto err;
|
||||
|
||||
// 15. X = X - tmp0 = (3X^2 - 3Z^4)^2 - 8X*Y^2 ===> X3
|
||||
secp256r1_modp_sub(X3, X3, tmp0);
|
||||
if (secp256r1_modp_sub(X3, X3, tmp0) != 1) goto err;
|
||||
|
||||
// 16. S = S - X3 = 4X*Y^2 - X3
|
||||
secp256r1_modp_sub(S, S, X3);
|
||||
if (secp256r1_modp_sub(S, S, X3) != 1) goto err;
|
||||
|
||||
// 17. S = S * M = (3X^2 - 3Z^4)*(4X*Y^2 - X3)
|
||||
secp256r1_modp_mul(S, S, M);
|
||||
if (secp256r1_modp_mul(S, S, M) != 1) goto err;
|
||||
|
||||
// 18. Y = S - Y = (3X^2 - 3Z^4)*(4X*Y^2 - X3) - 8Y^4 ===> Y3
|
||||
secp256r1_modp_sub(Y3, S, Y3);
|
||||
if (secp256r1_modp_sub(Y3, S, Y3) != 1) goto err;
|
||||
|
||||
return 1;
|
||||
err:
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
|
||||
void secp256r1_point_add(SECP256R1_POINT *R, const SECP256R1_POINT *P, const SECP256R1_POINT *Q)
|
||||
int secp256r1_point_add(SECP256R1_POINT *R, const SECP256R1_POINT *P, const SECP256R1_POINT *Q)
|
||||
{
|
||||
secp256r1_t T_1;
|
||||
secp256r1_t T_2;
|
||||
@@ -480,101 +507,126 @@ void secp256r1_point_add(SECP256R1_POINT *R, const SECP256R1_POINT *P, const SEC
|
||||
secp256r1_t T_8;
|
||||
|
||||
if (secp256r1_point_is_at_infinity(P)) {
|
||||
*R = *Q;
|
||||
return;
|
||||
return secp256r1_point_copy(R, Q);
|
||||
}
|
||||
if (secp256r1_point_is_at_infinity(Q)) {
|
||||
*R = *P;
|
||||
return;
|
||||
return secp256r1_point_copy(R, P);
|
||||
}
|
||||
|
||||
// 这里的代码是来自zkrypt的,不确定是否有问题
|
||||
secp256r1_modp_sqr(T_1, P->Z); // T_1 = Z_1^2
|
||||
secp256r1_modp_sqr(T_2, Q->Z); // T_2 = Z_2^2
|
||||
secp256r1_modp_mul(T_3, Q->X, T_1); // T_3 = X_2 * Z_1^2
|
||||
secp256r1_modp_mul(T_4, P->X, T_2); // T_4 = X_1 * Z_2^2
|
||||
secp256r1_modp_add(T_5, T_3, T_4); // T_5 = X_2 * Z_1^2 + X_1 * Z_2^2 = C
|
||||
secp256r1_modp_sub(T_3, T_3, T_4); // T_3 = X_2 * Z_1^2 - X_1 * Z_2^2 = B
|
||||
secp256r1_modp_mul(T_1, T_1, P->Z); // T_1 = Z_1^3
|
||||
secp256r1_modp_mul(T_1, T_1, Q->Y); // T_1 = Y_2 * Z_1^3
|
||||
secp256r1_modp_mul(T_2, T_2, Q->Z); // T_2 = Z_2^3
|
||||
secp256r1_modp_mul(T_2, T_2, P->Y); // T_2 = Y_1 * Z_2^3
|
||||
secp256r1_modp_add(T_6, T_1, T_2); // T_6 = Y_2 * Z_1^3 + Y_1 * Z_2^3 = D
|
||||
secp256r1_modp_sub(T_1, T_1, T_2); // T_1 = Y_2 * Z_1^3 - Y_1 * Z_2^3 = A
|
||||
if (secp256r1_modp_sqr(T_1, P->Z) != 1 // T_1 = Z_1^2
|
||||
|| secp256r1_modp_sqr(T_2, Q->Z) != 1 // T_2 = Z_2^2
|
||||
|| secp256r1_modp_mul(T_3, Q->X, T_1) != 1 // T_3 = X_2 * Z_1^2
|
||||
|| secp256r1_modp_mul(T_4, P->X, T_2) != 1 // T_4 = X_1 * Z_2^2
|
||||
|| secp256r1_modp_add(T_5, T_3, T_4) != 1 // T_5 = X_2 * Z_1^2 + X_1 * Z_2^2 = C
|
||||
|| secp256r1_modp_sub(T_3, T_3, T_4) != 1 // T_3 = X_2 * Z_1^2 - X_1 * Z_2^2 = B
|
||||
|| secp256r1_modp_mul(T_1, T_1, P->Z) != 1 // T_1 = Z_1^3
|
||||
|| secp256r1_modp_mul(T_1, T_1, Q->Y) != 1 // T_1 = Y_2 * Z_1^3
|
||||
|| secp256r1_modp_mul(T_2, T_2, Q->Z) != 1 // T_2 = Z_2^3
|
||||
|| secp256r1_modp_mul(T_2, T_2, P->Y) != 1 // T_2 = Y_1 * Z_2^3
|
||||
|| secp256r1_modp_add(T_6, T_1, T_2) != 1 // T_6 = Y_2 * Z_1^3 + Y_1 * Z_2^3 = D
|
||||
|| secp256r1_modp_sub(T_1, T_1, T_2) != 1) { // T_1 = Y_2 * Z_1^3 - Y_1 * Z_2^3 = A
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
|
||||
if (secp256r1_is_zero(T_1) && secp256r1_is_zero(T_3)) {
|
||||
secp256r1_point_dbl(R, P);
|
||||
return;
|
||||
return secp256r1_point_dbl(R, P);
|
||||
}
|
||||
|
||||
if (secp256r1_is_one(T_1) && secp256r1_is_zero(T_6)) {
|
||||
secp256r1_point_set_infinity(R);
|
||||
return;
|
||||
if (secp256r1_is_zero(T_3) && secp256r1_is_zero(T_6)) {
|
||||
return secp256r1_point_set_infinity(R);
|
||||
}
|
||||
|
||||
secp256r1_modp_sqr(T_6, T_1); // T_6 = A^2
|
||||
secp256r1_modp_mul(T_7, T_3, P->Z); // T_7 = B * Z_1
|
||||
secp256r1_modp_mul(T_7, T_7, Q->Z); // T_7 = B * Z_1 * Z_2 = Z_3
|
||||
secp256r1_modp_sqr(T_8, T_3); // T_8 = B^2
|
||||
secp256r1_modp_mul(T_5, T_5, T_8); // T_5 = B^2 * C
|
||||
secp256r1_modp_mul(T_3, T_3, T_8); // T_3 = B^3
|
||||
secp256r1_modp_mul(T_4, T_4, T_8); // T_4 = B^2 * X_1 * Z_2^2
|
||||
secp256r1_modp_sub(T_6, T_6, T_5); // T_6 = A^2 - B^2 * C = X_3
|
||||
secp256r1_modp_sub(T_4, T_4, T_6); // T_4 = B^2 * X_1 * Z_2^2 - X_3
|
||||
secp256r1_modp_mul(T_1, T_1, T_4); // T_1 = A * (B^2 * X_1 * Z_2^2 - X_3)
|
||||
secp256r1_modp_mul(T_2, T_2, T_3); // T_2 = B^3 * Y_1 * Z_1^3
|
||||
secp256r1_modp_sub(T_1, T_1, T_2); // T_1 = A * (B^2 * X_1 * Z_2^2 - X_3) - B^3 * Y_1 * Z_1^3 = Y_3
|
||||
if (secp256r1_modp_sqr(T_6, T_1) != 1 // T_6 = A^2
|
||||
|| secp256r1_modp_mul(T_7, T_3, P->Z) != 1 // T_7 = B * Z_1
|
||||
|| secp256r1_modp_mul(T_7, T_7, Q->Z) != 1 // T_7 = B * Z_1 * Z_2 = Z_3
|
||||
|| secp256r1_modp_sqr(T_8, T_3) != 1 // T_8 = B^2
|
||||
|| secp256r1_modp_mul(T_5, T_5, T_8) != 1 // T_5 = B^2 * C
|
||||
|| secp256r1_modp_mul(T_3, T_3, T_8) != 1 // T_3 = B^3
|
||||
|| secp256r1_modp_mul(T_4, T_4, T_8) != 1 // T_4 = B^2 * X_1 * Z_2^2
|
||||
|| secp256r1_modp_sub(T_6, T_6, T_5) != 1 // T_6 = A^2 - B^2 * C = X_3
|
||||
|| secp256r1_modp_sub(T_4, T_4, T_6) != 1 // T_4 = B^2 * X_1 * Z_2^2 - X_3
|
||||
|| secp256r1_modp_mul(T_1, T_1, T_4) != 1 // T_1 = A * (B^2 * X_1 * Z_2^2 - X_3)
|
||||
|| secp256r1_modp_mul(T_2, T_2, T_3) != 1 // T_2 = B^3 * Y_1 * Z_1^3
|
||||
|| secp256r1_modp_sub(T_1, T_1, T_2) != 1) { // T_1 = A * (B^2 * X_1 * Z_2^2 - X_3) - B^3 * Y_1 * Z_1^3 = Y_3
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
|
||||
secp256r1_copy(R->X, T_6);
|
||||
secp256r1_copy(R->Y, T_1);
|
||||
secp256r1_copy(R->Z, T_7);
|
||||
if (secp256r1_copy(R->X, T_6) != 1
|
||||
|| secp256r1_copy(R->Y, T_1) != 1
|
||||
|| secp256r1_copy(R->Z, T_7) != 1) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
return 1;
|
||||
}
|
||||
|
||||
void secp256r1_point_neg(SECP256R1_POINT *R, const SECP256R1_POINT *P)
|
||||
int secp256r1_point_neg(SECP256R1_POINT *R, const SECP256R1_POINT *P)
|
||||
{
|
||||
if (secp256r1_point_is_at_infinity(P)) {
|
||||
secp256r1_point_set_infinity(R);
|
||||
return;
|
||||
return secp256r1_point_set_infinity(R);
|
||||
}
|
||||
secp256r1_copy(R->X, P->X);
|
||||
secp256r1_modp_neg(R->Y, P->Y);
|
||||
secp256r1_copy(R->Z, P->Z);
|
||||
if (secp256r1_copy(R->X, P->X) != 1
|
||||
|| secp256r1_modp_neg(R->Y, P->Y) != 1
|
||||
|| secp256r1_copy(R->Z, P->Z) != 1) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
return 1;
|
||||
}
|
||||
|
||||
void secp256r1_point_sub(SECP256R1_POINT *R, const SECP256R1_POINT *P, const SECP256R1_POINT *Q)
|
||||
int secp256r1_point_sub(SECP256R1_POINT *R, const SECP256R1_POINT *P, const SECP256R1_POINT *Q)
|
||||
{
|
||||
SECP256R1_POINT T;
|
||||
secp256r1_point_neg(&T, Q);
|
||||
secp256r1_point_add(R, P, &T);
|
||||
if (secp256r1_point_neg(&T, Q) != 1
|
||||
|| secp256r1_point_add(R, P, &T) != 1) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
return 1;
|
||||
}
|
||||
|
||||
void secp256r1_point_mul(SECP256R1_POINT *R, const secp256r1_t k, const SECP256R1_POINT *P)
|
||||
int secp256r1_point_mul(SECP256R1_POINT *R, const secp256r1_t k, const SECP256R1_POINT *P)
|
||||
{
|
||||
SECP256R1_POINT T;
|
||||
uint32_t bits;
|
||||
int nbits;
|
||||
int i;
|
||||
|
||||
secp256r1_point_set_infinity(&T);
|
||||
if (secp256r1_point_set_infinity(&T) != 1) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
|
||||
for (i = 7; i >= 0; i--) {
|
||||
bits = k[i];
|
||||
nbits = 32;
|
||||
while (nbits-- > 0) {
|
||||
secp256r1_point_dbl(&T, &T);
|
||||
if (secp256r1_point_dbl(&T, &T) != 1) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
if (bits & 0x80000000) {
|
||||
secp256r1_point_add(&T, &T, P);
|
||||
if (secp256r1_point_add(&T, &T, P) != 1) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
}
|
||||
bits <<= 1;
|
||||
}
|
||||
}
|
||||
|
||||
secp256r1_point_copy(R, &T);
|
||||
if (secp256r1_point_copy(R, &T) != 1) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
return 1;
|
||||
}
|
||||
|
||||
void secp256r1_point_mul_generator(SECP256R1_POINT *R, const secp256r1_t k)
|
||||
int secp256r1_point_mul_generator(SECP256R1_POINT *R, const secp256r1_t k)
|
||||
{
|
||||
secp256r1_point_mul(R, k, secp256r1_generator());
|
||||
return secp256r1_point_mul(R, k, secp256r1_generator());
|
||||
}
|
||||
|
||||
int secp256r1_point_print(FILE *fp, int fmt, int ind, const char *label, const SECP256R1_POINT *P)
|
||||
@@ -583,11 +635,20 @@ int secp256r1_point_print(FILE *fp, int fmt, int ind, const char *label, const S
|
||||
|
||||
format_print(fp, fmt, ind, "%s\n", label);
|
||||
ind += 4;
|
||||
secp256r1_to_32bytes(P->X, bytes);
|
||||
if (secp256r1_to_32bytes(P->X, bytes) != 1) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
format_bytes(fp, fmt, ind, "X", bytes, 32);
|
||||
secp256r1_to_32bytes(P->Y, bytes);
|
||||
if (secp256r1_to_32bytes(P->Y, bytes) != 1) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
format_bytes(fp, fmt, ind, "Y", bytes, 32);
|
||||
secp256r1_to_32bytes(P->Z, bytes);
|
||||
if (secp256r1_to_32bytes(P->Z, bytes) != 1) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
format_bytes(fp, fmt, ind, "Z", bytes, 32);
|
||||
return 1;
|
||||
}
|
||||
@@ -602,8 +663,11 @@ int secp256r1_point_to_uncompressed_octets(const SECP256R1_POINT *P, uint8_t oct
|
||||
return -1;
|
||||
}
|
||||
octets[0] = 0x04;
|
||||
secp256r1_to_32bytes(x, octets + 1);
|
||||
secp256r1_to_32bytes(y, octets + 33);
|
||||
if (secp256r1_to_32bytes(x, octets + 1) != 1
|
||||
|| secp256r1_to_32bytes(y, octets + 33) != 1) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
return 1;
|
||||
}
|
||||
|
||||
@@ -616,8 +680,11 @@ int secp256r1_point_from_uncompressed_octets(SECP256R1_POINT *P, const uint8_t o
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
secp256r1_from_32bytes(x, octets + 1);
|
||||
secp256r1_from_32bytes(y, octets + 33);
|
||||
if (secp256r1_from_32bytes(x, octets + 1) != 1
|
||||
|| secp256r1_from_32bytes(y, octets + 33) != 1) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
|
||||
if (secp256r1_point_set_xy(P, x, y) != 1) {
|
||||
error_print();
|
||||
@@ -628,15 +695,36 @@ int secp256r1_point_from_uncompressed_octets(SECP256R1_POINT *P, const uint8_t o
|
||||
|
||||
int secp256r1_point_equ(const SECP256R1_POINT *P, const SECP256R1_POINT *Q)
|
||||
{
|
||||
uint8_t p_octets[65];
|
||||
uint8_t q_octets[65];
|
||||
secp256r1_t t0;
|
||||
secp256r1_t t1;
|
||||
secp256r1_t t2;
|
||||
secp256r1_t t3;
|
||||
|
||||
(void)secp256r1_point_to_uncompressed_octets(P, p_octets);
|
||||
(void)secp256r1_point_to_uncompressed_octets(Q, q_octets);
|
||||
|
||||
if (memcmp(p_octets, q_octets, 65) == 0) {
|
||||
return 1;
|
||||
} else {
|
||||
if (secp256r1_point_is_at_infinity(P)) {
|
||||
return secp256r1_point_is_at_infinity(Q);
|
||||
}
|
||||
if (secp256r1_point_is_at_infinity(Q)) {
|
||||
return 0;
|
||||
}
|
||||
|
||||
if (secp256r1_modp_sqr(t0, P->Z) != 1 // t0 = Z1^2
|
||||
|| secp256r1_modp_sqr(t1, Q->Z) != 1 // t1 = Z2^2
|
||||
|| secp256r1_modp_mul(t2, Q->X, t0) != 1 // t2 = X2 * Z1^2
|
||||
|| secp256r1_modp_mul(t3, P->X, t1) != 1) { // t3 = X1 * Z2^2
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
if (secp256r1_cmp(t2, t3) != 0) {
|
||||
return 0;
|
||||
}
|
||||
|
||||
if (secp256r1_modp_mul(t0, t0, P->Z) != 1 // t0 = Z1^3
|
||||
|| secp256r1_modp_mul(t0, t0, Q->Y) != 1 // t0 = Y2 * Z1^3
|
||||
|| secp256r1_modp_mul(t1, t1, Q->Z) != 1 // t1 = Z2^3
|
||||
|| secp256r1_modp_mul(t1, t1, P->Y) != 1) { // t1 = Y1 * Z2^3
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
|
||||
return secp256r1_cmp(t0, t1) == 0;
|
||||
}
|
||||
|
||||
@@ -34,7 +34,10 @@ int secp256r1_key_generate(SECP256R1_KEY *key)
|
||||
}
|
||||
} while (secp256r1_is_zero(key->private_key) || secp256r1_cmp(key->private_key, SECP256R1_N) >= 0);
|
||||
|
||||
secp256r1_point_mul_generator(&key->public_key, key->private_key);
|
||||
if (secp256r1_point_mul_generator(&key->public_key, key->private_key) != 1) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
|
||||
return 1;
|
||||
}
|
||||
@@ -51,8 +54,11 @@ int secp256r1_key_set_private_key(SECP256R1_KEY *key, const secp256r1_t private_
|
||||
}
|
||||
memset(key, 0, sizeof(SECP256R1_KEY));
|
||||
|
||||
secp256r1_copy(key->private_key, private_key);
|
||||
secp256r1_point_mul_generator(&key->public_key, key->private_key);
|
||||
if (secp256r1_copy(key->private_key, private_key) != 1
|
||||
|| secp256r1_point_mul_generator(&key->public_key, key->private_key) != 1) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
return 1;
|
||||
}
|
||||
|
||||
@@ -114,13 +120,19 @@ int secp256r1_public_key_print(FILE *fp, int fmt, int ind, const char *label, co
|
||||
format_print(fp, fmt, ind, "%s\n", label);
|
||||
ind += 4;
|
||||
|
||||
secp256r1_print(fp, fmt, ind, "X", key->public_key.X);
|
||||
secp256r1_print(fp, fmt, ind, "Y", key->public_key.Y);
|
||||
secp256r1_print(fp, fmt, ind, "Z", key->public_key.Z);
|
||||
if (secp256r1_print(fp, fmt, ind, "X", key->public_key.X) != 1
|
||||
|| secp256r1_print(fp, fmt, ind, "Y", key->public_key.Y) != 1
|
||||
|| secp256r1_print(fp, fmt, ind, "Z", key->public_key.Z) != 1) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
|
||||
secp256r1_point_get_xy(&key->public_key, x, y);
|
||||
secp256r1_print(fp, fmt, ind, "x", x);
|
||||
secp256r1_print(fp, fmt, ind, "y", y);
|
||||
if (secp256r1_point_get_xy(&key->public_key, x, y) != 1
|
||||
|| secp256r1_print(fp, fmt, ind, "x", x) != 1
|
||||
|| secp256r1_print(fp, fmt, ind, "y", y) != 1) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
return 1;
|
||||
}
|
||||
|
||||
@@ -128,7 +140,10 @@ int secp256r1_private_key_print(FILE *fp, int fmt, int ind, const char *label, c
|
||||
{
|
||||
uint8_t buf[32];
|
||||
|
||||
secp256r1_to_32bytes(key->private_key, buf);
|
||||
if (secp256r1_to_32bytes(key->private_key, buf) != 1) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
|
||||
format_print(fp, fmt, ind, "%s\n", label);
|
||||
ind += 4;
|
||||
@@ -229,7 +244,10 @@ int secp256r1_private_key_to_der(const SECP256R1_KEY *key, uint8_t **out, size_t
|
||||
}
|
||||
// fprintf(stderr, "%s %d: params_len = %zu\n", params_len);
|
||||
// fprintf(stderr, "%s %d: pubkey_len = %zu\n", pubkey_len);
|
||||
secp256r1_to_32bytes(key->private_key, prikey);
|
||||
if (secp256r1_to_32bytes(key->private_key, prikey) != 1) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
if (asn1_int_to_der(EC_private_key_version, NULL, &len) != 1
|
||||
|| asn1_octet_string_to_der(prikey, 32, NULL, &len) != 1
|
||||
|| asn1_explicit_to_der(0, params, params_len, NULL, &len) != 1
|
||||
@@ -297,7 +315,10 @@ int secp256r1_private_key_from_der(SECP256R1_KEY *key, const uint8_t **in, size_
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
secp256r1_from_32bytes(private_key, prikey);
|
||||
if (secp256r1_from_32bytes(private_key, prikey) != 1) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
if (secp256r1_key_set_private_key(key, private_key) != 1) {
|
||||
gmssl_secure_clear(private_key, 32);
|
||||
error_print();
|
||||
|
||||
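Review bot: The failure branches added in this group of hunks return with secret material still in place — `secp256r1_key_generate` and `secp256r1_key_set_private_key` leave the freshly generated or copied scalar in `key->private_key`, `secp256r1_private_key_print` and `secp256r1_private_key_to_der` leave the 32-byte serialization in `buf` / `prikey`, and the new `secp256r1_from_32bytes` branch in `secp256r1_private_key_from_der` leaves the local `private_key` untouched — whereas the pre-existing failure path in `secp256r1_private_key_from_der` clears with `gmssl_secure_clear(private_key, 32);` before `error_print();`. Apply the same pattern in the added branches, e.g. in `secp256r1_key_generate` insert `gmssl_secure_clear(key, sizeof(SECP256R1_KEY));` ahead of `error_print();`, and `gmssl_secure_clear(prikey, 32);` / `gmssl_secure_clear(buf, sizeof(buf));` in the two serialization helpers. These hunks appear to belong to a second file whose header is not shown on the page (the line numbers restart at 34), and every enclosing function starts or ends outside its hunk, so whether a later cleanup path already covers these buffers cannot be confirmed from here. Separately, the scalar multiplication that `secp256r1_key_generate` and `secp256r1_key_set_private_key` hand the private key to (`secp256r1_point_mul`, earlier on this page) tests `bits & 0x80000000` and only then performs the point addition, so key generation and public-key derivation run in key-dependent time; a constant-time ladder or an always-executed addition is the usual mitigation and would be worth tracking as a follow-up.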
230
src/sphincs.c
230
src/sphincs.c
@@ -267,11 +267,11 @@ void sphincs_wots_derive_sk(const sphincs_hash128_t secret,
|
||||
const sphincs_hash128_t seed, const sphincs_adrs_t in_adrs,
|
||||
sphincs_wots_key_t sk)
|
||||
{
|
||||
uint8_t block[SPHINCS_HASH256_BLOCK_SIZE] = {0};
|
||||
uint8_t block[SM3_BLOCK_SIZE] = {0};
|
||||
sphincs_adrs_t adrs;
|
||||
sphincs_adrsc_t adrsc;
|
||||
SPHINCS_HASH256_CTX ctx;
|
||||
sphincs_hash256_t dgst;
|
||||
SM3_CTX ctx;
|
||||
sphincs_sm3_digest_t dgst;
|
||||
int i;
|
||||
|
||||
memcpy(block, seed, sizeof(sphincs_hash128_t));
|
||||
@@ -287,11 +287,11 @@ void sphincs_wots_derive_sk(const sphincs_hash128_t secret,
|
||||
sphincs_adrs_compress(adrs, adrsc);
|
||||
|
||||
// sk[i] = prf(secret, adrs)
|
||||
sphincs_hash256_init(&ctx);
|
||||
sphincs_hash256_update(&ctx, block, sizeof(block));
|
||||
sphincs_hash256_update(&ctx, adrsc, sizeof(adrsc));
|
||||
sphincs_hash256_update(&ctx, secret, sizeof(sphincs_hash128_t));
|
||||
sphincs_hash256_finish(&ctx, dgst);
|
||||
sm3_init(&ctx);
|
||||
sm3_update(&ctx, block, sizeof(block));
|
||||
sm3_update(&ctx, adrsc, sizeof(adrsc));
|
||||
sm3_update(&ctx, secret, sizeof(sphincs_hash128_t));
|
||||
sm3_finish(&ctx, dgst);
|
||||
|
||||
memcpy(sk[i], dgst, sizeof(sphincs_hash128_t));
|
||||
}
|
||||
@@ -303,11 +303,11 @@ void sphincs_wots_chain(const sphincs_hash128_t x,
|
||||
int start, int steps, sphincs_hash128_t y)
|
||||
{
|
||||
const uint8_t uint32_zero[4] = {0};
|
||||
uint8_t block[SPHINCS_HASH256_BLOCK_SIZE] = {0};
|
||||
uint8_t block[SM3_BLOCK_SIZE] = {0};
|
||||
sphincs_adrs_t adrs;
|
||||
sphincs_adrsc_t adrsc;
|
||||
SPHINCS_HASH256_CTX ctx;
|
||||
sphincs_hash256_t dgst;
|
||||
SM3_CTX ctx;
|
||||
sphincs_sm3_digest_t dgst;
|
||||
int i;
|
||||
|
||||
memcpy(block, seed, sizeof(sphincs_hash128_t));
|
||||
@@ -324,12 +324,12 @@ void sphincs_wots_chain(const sphincs_hash128_t x,
|
||||
sphincs_adrs_set_hash_address(adrs, start + i);
|
||||
sphincs_adrs_compress(adrs, adrsc);
|
||||
|
||||
// y = hash256(blockpad(seed) || adrsc || y)
|
||||
sphincs_hash256_init(&ctx);
|
||||
sphincs_hash256_update(&ctx, block, sizeof(block));
|
||||
sphincs_hash256_update(&ctx, adrsc, sizeof(sphincs_adrsc_t));
|
||||
sphincs_hash256_update(&ctx, y, sizeof(sphincs_hash128_t));
|
||||
sphincs_hash256_finish(&ctx, dgst);
|
||||
// y = block_hash(blockpad(seed) || adrsc || y)
|
||||
sm3_init(&ctx);
|
||||
sm3_update(&ctx, block, sizeof(block));
|
||||
sm3_update(&ctx, adrsc, sizeof(sphincs_adrsc_t));
|
||||
sm3_update(&ctx, y, sizeof(sphincs_hash128_t));
|
||||
sm3_finish(&ctx, dgst);
|
||||
|
||||
memcpy(y, dgst, sizeof(sphincs_hash128_t));
|
||||
}
|
||||
@@ -438,11 +438,11 @@ void sphincs_wots_pk_to_root(const sphincs_wots_key_t pk,
|
||||
const sphincs_hash128_t seed, const sphincs_adrs_t in_adrs,
|
||||
sphincs_hash128_t root)
|
||||
{
|
||||
uint8_t block[SPHINCS_HASH256_BLOCK_SIZE] = {0};
|
||||
uint8_t block[SM3_BLOCK_SIZE] = {0};
|
||||
sphincs_adrs_t adrs = {0};
|
||||
sphincs_adrsc_t adrsc;
|
||||
SPHINCS_HASH256_CTX ctx;
|
||||
sphincs_hash256_t dgst;
|
||||
SM3_CTX ctx;
|
||||
sphincs_sm3_digest_t dgst;
|
||||
|
||||
memcpy(block, seed, sizeof(sphincs_hash128_t));
|
||||
|
||||
@@ -452,11 +452,11 @@ void sphincs_wots_pk_to_root(const sphincs_wots_key_t pk,
|
||||
sphincs_adrs_copy_keypair_address(adrs, in_adrs);
|
||||
sphincs_adrs_compress(adrs, adrsc);
|
||||
|
||||
sphincs_hash256_init(&ctx);
|
||||
sphincs_hash256_update(&ctx, block, sizeof(block));
|
||||
sphincs_hash256_update(&ctx, adrsc, sizeof(adrsc));
|
||||
sphincs_hash256_update(&ctx, pk[0], sizeof(sphincs_wots_key_t));
|
||||
sphincs_hash256_finish(&ctx, dgst);
|
||||
sm3_init(&ctx);
|
||||
sm3_update(&ctx, block, sizeof(block));
|
||||
sm3_update(&ctx, adrsc, sizeof(adrsc));
|
||||
sm3_update(&ctx, pk[0], sizeof(sphincs_wots_key_t));
|
||||
sm3_finish(&ctx, dgst);
|
||||
|
||||
memcpy(root, dgst, sizeof(sphincs_hash128_t));
|
||||
}
|
||||
@@ -465,15 +465,15 @@ void sphincs_tree_hash(const sphincs_hash128_t left_child, const sphincs_hash128
|
||||
const sphincs_hash128_t seed, const sphincs_adrs_t adrs,
|
||||
sphincs_hash128_t parent)
|
||||
{
|
||||
SPHINCS_HASH256_CTX ctx;
|
||||
sphincs_hash256_t dgst;
|
||||
SM3_CTX ctx;
|
||||
sphincs_sm3_digest_t dgst;
|
||||
|
||||
sphincs_hash256_init(&ctx);
|
||||
sphincs_hash256_update(&ctx, seed, sizeof(sphincs_hash128_t));
|
||||
sphincs_hash256_update(&ctx, adrs, sizeof(sphincs_adrs_t));
|
||||
sphincs_hash256_update(&ctx, left_child, sizeof(sphincs_hash128_t));
|
||||
sphincs_hash256_update(&ctx, right_child, sizeof(sphincs_hash128_t));
|
||||
sphincs_hash256_finish(&ctx, dgst);
|
||||
sm3_init(&ctx);
|
||||
sm3_update(&ctx, seed, sizeof(sphincs_hash128_t));
|
||||
sm3_update(&ctx, adrs, sizeof(sphincs_adrs_t));
|
||||
sm3_update(&ctx, left_child, sizeof(sphincs_hash128_t));
|
||||
sm3_update(&ctx, right_child, sizeof(sphincs_hash128_t));
|
||||
sm3_finish(&ctx, dgst);
|
||||
|
||||
memcpy(parent, dgst, sizeof(sphincs_hash128_t));
|
||||
}
|
||||
@@ -801,11 +801,11 @@ void sphincs_fors_derive_sk(const sphincs_hash128_t secret,
|
||||
const sphincs_hash128_t seed, const sphincs_adrs_t in_adrs,
|
||||
uint32_t fors_index, sphincs_hash128_t sk)
|
||||
{
|
||||
uint8_t block[SPHINCS_HASH256_BLOCK_SIZE] = {0};
|
||||
uint8_t block[SM3_BLOCK_SIZE] = {0};
|
||||
sphincs_adrs_t adrs;
|
||||
sphincs_adrsc_t adrsc;
|
||||
SPHINCS_HASH256_CTX ctx;
|
||||
sphincs_hash256_t dgst;
|
||||
SM3_CTX ctx;
|
||||
sphincs_sm3_digest_t dgst;
|
||||
|
||||
// blockpad(seed)
|
||||
memcpy(block, seed, sizeof(sphincs_hash128_t));
|
||||
@@ -820,12 +820,12 @@ void sphincs_fors_derive_sk(const sphincs_hash128_t secret,
|
||||
// compress adrs
|
||||
sphincs_adrs_compress(adrs, adrsc);
|
||||
|
||||
// sk = prf(seed, secret, adrs) = hash256(blockpad(seed)||adrsc||secret)
|
||||
sphincs_hash256_init(&ctx);
|
||||
sphincs_hash256_update(&ctx, block, sizeof(block));
|
||||
sphincs_hash256_update(&ctx, adrsc, sizeof(adrsc));
|
||||
sphincs_hash256_update(&ctx, secret, sizeof(sphincs_hash128_t));
|
||||
sphincs_hash256_finish(&ctx, dgst);
|
||||
// sk = prf(seed, secret, adrs) = block_hash(blockpad(seed)||adrsc||secret)
|
||||
sm3_init(&ctx);
|
||||
sm3_update(&ctx, block, sizeof(block));
|
||||
sm3_update(&ctx, adrsc, sizeof(adrsc));
|
||||
sm3_update(&ctx, secret, sizeof(sphincs_hash128_t));
|
||||
sm3_finish(&ctx, dgst);
|
||||
|
||||
memcpy(sk, dgst, sizeof(sphincs_hash128_t));
|
||||
gmssl_secure_clear(dgst, sizeof(dgst));
|
||||
@@ -840,8 +840,8 @@ void sphincs_fors_build_tree(const sphincs_hash128_t secret,
|
||||
sphincs_adrsc_t adrsc;
|
||||
uint32_t n = 1 << SPHINCS_FORS_TREE_HEIGHT;
|
||||
uint32_t tree_index;
|
||||
SPHINCS_HASH256_CTX ctx;
|
||||
sphincs_hash256_t dgst;
|
||||
SM3_CTX ctx;
|
||||
sphincs_sm3_digest_t dgst;
|
||||
sphincs_hash128_t *children;
|
||||
sphincs_hash128_t *parents;
|
||||
uint32_t h;
|
||||
@@ -864,11 +864,11 @@ void sphincs_fors_build_tree(const sphincs_hash128_t secret,
|
||||
sphincs_adrs_compress(adrs, adrsc);
|
||||
|
||||
|
||||
sphincs_hash256_init(&ctx);
|
||||
sphincs_hash256_update(&ctx, block, sizeof(block));
|
||||
sphincs_hash256_update(&ctx, adrsc, sizeof(adrsc));
|
||||
sphincs_hash256_update(&ctx, tree[i], sizeof(sphincs_hash128_t));
|
||||
sphincs_hash256_finish(&ctx, dgst);
|
||||
sm3_init(&ctx);
|
||||
sm3_update(&ctx, block, sizeof(block));
|
||||
sm3_update(&ctx, adrsc, sizeof(adrsc));
|
||||
sm3_update(&ctx, tree[i], sizeof(sphincs_hash128_t));
|
||||
sm3_finish(&ctx, dgst);
|
||||
|
||||
memcpy(tree[i], dgst, sizeof(sphincs_hash128_t));
|
||||
}
|
||||
@@ -898,8 +898,8 @@ void sphincs_fors_derive_root(const sphincs_hash128_t secret,
|
||||
sphincs_adrsc_t adrsc;
|
||||
sphincs_hash128_t tree[SPHINCS_FORS_TREE_NUM_NODES];
|
||||
sphincs_hash128_t roots[SPHINCS_FORS_NUM_TREES];
|
||||
SPHINCS_HASH256_CTX ctx;
|
||||
sphincs_hash256_t dgst;
|
||||
SM3_CTX ctx;
|
||||
sphincs_sm3_digest_t dgst;
|
||||
int i;
|
||||
|
||||
memcpy(block, seed, sizeof(sphincs_hash128_t));
|
||||
@@ -917,11 +917,11 @@ void sphincs_fors_derive_root(const sphincs_hash128_t secret,
|
||||
memcpy(roots[i], tree[SPHINCS_FORS_TREE_NUM_NODES - 1], sizeof(sphincs_hash128_t));
|
||||
}
|
||||
|
||||
sphincs_hash256_init(&ctx);
|
||||
sphincs_hash256_update(&ctx, block, sizeof(block));
|
||||
sphincs_hash256_update(&ctx, adrsc, sizeof(adrsc));
|
||||
sphincs_hash256_update(&ctx, roots[0], sizeof(roots));
|
||||
sphincs_hash256_finish(&ctx, dgst);
|
||||
sm3_init(&ctx);
|
||||
sm3_update(&ctx, block, sizeof(block));
|
||||
sm3_update(&ctx, adrsc, sizeof(adrsc));
|
||||
sm3_update(&ctx, roots[0], sizeof(roots));
|
||||
sm3_finish(&ctx, dgst);
|
||||
|
||||
memcpy(root, dgst, sizeof(sphincs_hash128_t));
|
||||
}
|
||||
@@ -1013,8 +1013,8 @@ void sphincs_fors_sign(const sphincs_hash128_t secret,
|
||||
uint8_t block[64] = {0};
|
||||
sphincs_adrs_t adrs;
|
||||
sphincs_adrsc_t adrsc;
|
||||
SPHINCS_HASH256_CTX ctx;
|
||||
sphincs_hash256_t root;
|
||||
SM3_CTX ctx;
|
||||
sphincs_sm3_digest_t root;
|
||||
|
||||
tree_index = index[0];
|
||||
|
||||
@@ -1027,11 +1027,11 @@ void sphincs_fors_sign(const sphincs_hash128_t secret,
|
||||
|
||||
sphincs_adrs_compress(adrs, adrsc);
|
||||
|
||||
sphincs_hash256_init(&ctx);
|
||||
sphincs_hash256_update(&ctx, block, sizeof(block));
|
||||
sphincs_hash256_update(&ctx, adrsc, sizeof(adrsc));
|
||||
sphincs_hash256_update(&ctx, sig->fors_sk[0], sizeof(sphincs_hash128_t));
|
||||
sphincs_hash256_finish(&ctx, root);
|
||||
sm3_init(&ctx);
|
||||
sm3_update(&ctx, block, sizeof(block));
|
||||
sm3_update(&ctx, adrsc, sizeof(adrsc));
|
||||
sm3_update(&ctx, sig->fors_sk[0], sizeof(sphincs_hash128_t));
|
||||
sm3_finish(&ctx, root);
|
||||
|
||||
format_bytes(stderr, 0, 4, "fors_tree[0]", root, 16);
|
||||
|
||||
@@ -1072,8 +1072,8 @@ void sphincs_fors_sig_to_root(const SPHINCS_FORS_SIGNATURE *sig,
|
||||
uint8_t block[64] = {0};
|
||||
sphincs_adrs_t adrs;
|
||||
sphincs_adrsc_t adrsc;
|
||||
SPHINCS_HASH256_CTX ctx;
|
||||
sphincs_hash256_t dgst;
|
||||
SM3_CTX ctx;
|
||||
sphincs_sm3_digest_t dgst;
|
||||
|
||||
uint32_t index[14];
|
||||
uint32_t tree_index;
|
||||
@@ -1103,11 +1103,11 @@ void sphincs_fors_sig_to_root(const SPHINCS_FORS_SIGNATURE *sig,
|
||||
sphincs_adrs_compress(adrs, adrsc);
|
||||
|
||||
|
||||
sphincs_hash256_init(&ctx);
|
||||
sphincs_hash256_update(&ctx, block, sizeof(block));
|
||||
sphincs_hash256_update(&ctx, adrsc, sizeof(adrsc));
|
||||
sphincs_hash256_update(&ctx, sig->fors_sk[i], sizeof(sphincs_hash128_t));
|
||||
sphincs_hash256_finish(&ctx, dgst);
|
||||
sm3_init(&ctx);
|
||||
sm3_update(&ctx, block, sizeof(block));
|
||||
sm3_update(&ctx, adrsc, sizeof(adrsc));
|
||||
sm3_update(&ctx, sig->fors_sk[i], sizeof(sphincs_hash128_t));
|
||||
sm3_finish(&ctx, dgst);
|
||||
|
||||
memcpy(root, dgst, 16);
|
||||
|
||||
@@ -1148,11 +1148,11 @@ void sphincs_fors_sig_to_root(const SPHINCS_FORS_SIGNATURE *sig,
|
||||
sphincs_adrs_compress(adrs, adrsc);
|
||||
|
||||
|
||||
sphincs_hash256_init(&ctx);
|
||||
sphincs_hash256_update(&ctx, block, sizeof(block));
|
||||
sphincs_hash256_update(&ctx, adrsc, sizeof(adrsc));
|
||||
sphincs_hash256_update(&ctx, fors_tree_roots[0], sizeof(fors_tree_roots));
|
||||
sphincs_hash256_finish(&ctx, dgst);
|
||||
sm3_init(&ctx);
|
||||
sm3_update(&ctx, block, sizeof(block));
|
||||
sm3_update(&ctx, adrsc, sizeof(adrsc));
|
||||
sm3_update(&ctx, fors_tree_roots[0], sizeof(fors_tree_roots));
|
||||
sm3_finish(&ctx, dgst);
|
||||
|
||||
memcpy(root, dgst, 16);
|
||||
|
||||
@@ -1419,10 +1419,10 @@ int sphincs_sign_init_ex(SPHINCS_SIGN_CTX *ctx, const SPHINCS_KEY *key, const sp
|
||||
ctx->key = *key;
|
||||
|
||||
// R = PRF_msg(sk_prf, optrand, M) = HMAC(sk_prf, opt_rand|M)
|
||||
sphincs_hmac256_init(&ctx->hmac_ctx, key->sk_prf, sizeof(sphincs_hash128_t));
|
||||
sm3_hmac_init(&ctx->hmac_ctx, key->sk_prf, sizeof(sphincs_hash128_t));
|
||||
if (opt_rand)
|
||||
sphincs_hmac256_update(&ctx->hmac_ctx, opt_rand, sizeof(sphincs_hash128_t));
|
||||
else sphincs_hmac256_update(&ctx->hmac_ctx, key->public_key.seed, sizeof(sphincs_hash128_t));
|
||||
sm3_hmac_update(&ctx->hmac_ctx, opt_rand, sizeof(sphincs_hash128_t));
|
||||
else sm3_hmac_update(&ctx->hmac_ctx, key->public_key.seed, sizeof(sphincs_hash128_t));
|
||||
|
||||
// state
|
||||
ctx->state = 1;
|
||||
@@ -1463,7 +1463,7 @@ int sphincs_sign_prepare(SPHINCS_SIGN_CTX *ctx, const uint8_t *data, size_t data
|
||||
|
||||
if (data && datalen) {
|
||||
// R = PRF_msg(sk_prf, optrand, M) = HMAC(sk_prf, opt_rand|M...)
|
||||
sphincs_hmac256_update(&ctx->hmac_ctx, data, datalen);
|
||||
sm3_hmac_update(&ctx->hmac_ctx, data, datalen);
|
||||
// sum datalen
|
||||
ctx->round1_msglen += datalen;
|
||||
}
|
||||
@@ -1480,17 +1480,17 @@ int sphincs_sign_update(SPHINCS_SIGN_CTX *ctx, const uint8_t *data, size_t datal
|
||||
|
||||
// state
|
||||
if (ctx->state == 2) {
|
||||
sphincs_hash256_t dgst;
|
||||
sphincs_sm3_digest_t dgst;
|
||||
|
||||
// R = PRF_msg(sk_prf, optrand, M) = HMAC(sk_prf, opt_rand|M)
|
||||
sphincs_hmac256_finish(&ctx->hmac_ctx, dgst);
|
||||
sm3_hmac_finish(&ctx->hmac_ctx, dgst);
|
||||
memcpy(ctx->sig.random, dgst, sizeof(sphincs_hash128_t));
|
||||
|
||||
// dgst = HASH256(R|seed|root|M...)
|
||||
sphincs_hash256_init(&ctx->hash_ctx);
|
||||
sphincs_hash256_update(&ctx->hash_ctx, ctx->sig.random, sizeof(sphincs_hash128_t));
|
||||
sphincs_hash256_update(&ctx->hash_ctx, ctx->key.public_key.seed, sizeof(sphincs_hash128_t));
|
||||
sphincs_hash256_update(&ctx->hash_ctx, ctx->key.public_key.root, sizeof(sphincs_hash128_t));
|
||||
// dgst = SM3(R|seed|root|M...)
|
||||
sm3_init(&ctx->hash_ctx);
|
||||
sm3_update(&ctx->hash_ctx, ctx->sig.random, sizeof(sphincs_hash128_t));
|
||||
sm3_update(&ctx->hash_ctx, ctx->key.public_key.seed, sizeof(sphincs_hash128_t));
|
||||
sm3_update(&ctx->hash_ctx, ctx->key.public_key.root, sizeof(sphincs_hash128_t));
|
||||
|
||||
ctx->state = 3;
|
||||
}
|
||||
@@ -1500,8 +1500,8 @@ int sphincs_sign_update(SPHINCS_SIGN_CTX *ctx, const uint8_t *data, size_t datal
|
||||
}
|
||||
|
||||
if (data && datalen) {
|
||||
// dgst = HASH256(R|seed|root|M...)
|
||||
sphincs_hash256_update(&ctx->hash_ctx, data, datalen);
|
||||
// dgst = SM3(R|seed|root|M...)
|
||||
sm3_update(&ctx->hash_ctx, data, datalen);
|
||||
// sum datalen
|
||||
ctx->round2_msglen += datalen;
|
||||
}
|
||||
@@ -1511,7 +1511,7 @@ int sphincs_sign_update(SPHINCS_SIGN_CTX *ctx, const uint8_t *data, size_t datal
|
||||
|
||||
int sphincs_sign_finish_ex(SPHINCS_SIGN_CTX *ctx, SPHINCS_SIGNATURE *sig)
|
||||
{
|
||||
sphincs_hash256_t dgst;
|
||||
sphincs_sm3_digest_t dgst;
|
||||
uint8_t tbs[SPHINCS_TBS_SIZE];
|
||||
uint32_t i;
|
||||
uint8_t tree_address_buf[8] = {0};
|
||||
@@ -1534,22 +1534,22 @@ int sphincs_sign_finish_ex(SPHINCS_SIGN_CTX *ctx, SPHINCS_SIGNATURE *sig)
|
||||
return -1;
|
||||
}
|
||||
|
||||
// dgst = HASH256(R|seed|root|M)
|
||||
sphincs_hash256_finish(&ctx->hash_ctx, dgst);
|
||||
// dgst = SM3(R|seed|root|M)
|
||||
sm3_finish(&ctx->hash_ctx, dgst);
|
||||
|
||||
// tbs = H_msg(R, seed, root, M) = MGF1(R|seed|dgst, tbs_len)
|
||||
for (i = 0; i < (SPHINCS_TBS_SIZE + 31)/32; i++) {
|
||||
uint8_t count[4];
|
||||
sphincs_hash256_t h_msg;
|
||||
sphincs_sm3_digest_t h_msg;
|
||||
size_t left;
|
||||
|
||||
PUTU32(count, i);
|
||||
sphincs_hash256_init(&ctx->hash_ctx);
|
||||
sphincs_hash256_update(&ctx->hash_ctx, ctx->sig.random, sizeof(sphincs_hash128_t));
|
||||
sphincs_hash256_update(&ctx->hash_ctx, ctx->key.public_key.seed, sizeof(sphincs_hash128_t));
|
||||
sphincs_hash256_update(&ctx->hash_ctx, dgst, sizeof(dgst));
|
||||
sphincs_hash256_update(&ctx->hash_ctx, count, sizeof(count));
|
||||
sphincs_hash256_finish(&ctx->hash_ctx, h_msg);
|
||||
sm3_init(&ctx->hash_ctx);
|
||||
sm3_update(&ctx->hash_ctx, ctx->sig.random, sizeof(sphincs_hash128_t));
|
||||
sm3_update(&ctx->hash_ctx, ctx->key.public_key.seed, sizeof(sphincs_hash128_t));
|
||||
sm3_update(&ctx->hash_ctx, dgst, sizeof(dgst));
|
||||
sm3_update(&ctx->hash_ctx, count, sizeof(count));
|
||||
sm3_finish(&ctx->hash_ctx, h_msg);
|
||||
|
||||
left = SPHINCS_TBS_SIZE - sizeof(dgst) * i;
|
||||
left = left < sizeof(dgst) ? left : sizeof(dgst);
|
||||
@@ -1626,11 +1626,11 @@ int sphincs_verify_init_ex(SPHINCS_SIGN_CTX *ctx, const SPHINCS_KEY *key, const
|
||||
ctx->sig = *sig;
|
||||
}
|
||||
|
||||
// dgst = HASH256(R|seed|root|M)
|
||||
sphincs_hash256_init(&ctx->hash_ctx);
|
||||
sphincs_hash256_update(&ctx->hash_ctx, sig->random, sizeof(sphincs_hash128_t));
|
||||
sphincs_hash256_update(&ctx->hash_ctx, key->public_key.seed, sizeof(sphincs_hash128_t));
|
||||
sphincs_hash256_update(&ctx->hash_ctx, key->public_key.root, sizeof(sphincs_hash128_t));
|
||||
// dgst = SM3(R|seed|root|M)
|
||||
sm3_init(&ctx->hash_ctx);
|
||||
sm3_update(&ctx->hash_ctx, sig->random, sizeof(sphincs_hash128_t));
|
||||
sm3_update(&ctx->hash_ctx, key->public_key.seed, sizeof(sphincs_hash128_t));
|
||||
sm3_update(&ctx->hash_ctx, key->public_key.root, sizeof(sphincs_hash128_t));
|
||||
|
||||
return 1;
|
||||
}
|
||||
@@ -1661,8 +1661,8 @@ int sphincs_verify_update(SPHINCS_SIGN_CTX *ctx, const uint8_t *data, size_t dat
|
||||
}
|
||||
|
||||
if (data && datalen) {
|
||||
// dgst = HASH256(R|seed|root|M)
|
||||
sphincs_hash256_update(&ctx->hash_ctx, data, datalen);
|
||||
// dgst = SM3(R|seed|root|M)
|
||||
sm3_update(&ctx->hash_ctx, data, datalen);
|
||||
ctx->round1_msglen += datalen;
|
||||
}
|
||||
|
||||
@@ -1671,7 +1671,7 @@ int sphincs_verify_update(SPHINCS_SIGN_CTX *ctx, const uint8_t *data, size_t dat
|
||||
|
||||
int sphincs_verify_finish(SPHINCS_SIGN_CTX *ctx)
|
||||
{
|
||||
sphincs_hash256_t dgst;
|
||||
sphincs_sm3_digest_t dgst;
|
||||
uint8_t tbs[SPHINCS_TBS_SIZE];
|
||||
uint8_t tree_address_buf[8] = {0};
|
||||
uint8_t keypair_address_buf[4] = {0};
|
||||
@@ -1686,22 +1686,22 @@ int sphincs_verify_finish(SPHINCS_SIGN_CTX *ctx)
|
||||
return -1;
|
||||
}
|
||||
|
||||
// dgst = HASH256(R|seed|root|M)
|
||||
sphincs_hash256_finish(&ctx->hash_ctx, dgst);
|
||||
// dgst = SM3(R|seed|root|M)
|
||||
sm3_finish(&ctx->hash_ctx, dgst);
|
||||
|
||||
// tbs = H_msg(R, seed, root, M) = MGF1(R|seed|dgst, tbs_len)
|
||||
for (i = 0; i < (SPHINCS_TBS_SIZE + 31)/32; i++) {
|
||||
uint8_t count[4];
|
||||
sphincs_hash256_t h_msg;
|
||||
sphincs_sm3_digest_t h_msg;
|
||||
size_t left;
|
||||
|
||||
PUTU32(count, i);
|
||||
sphincs_hash256_init(&ctx->hash_ctx);
|
||||
sphincs_hash256_update(&ctx->hash_ctx, ctx->sig.random, sizeof(sphincs_hash128_t));
|
||||
sphincs_hash256_update(&ctx->hash_ctx, ctx->key.public_key.seed, sizeof(sphincs_hash128_t));
|
||||
sphincs_hash256_update(&ctx->hash_ctx, dgst, sizeof(dgst));
|
||||
sphincs_hash256_update(&ctx->hash_ctx, count, sizeof(count));
|
||||
sphincs_hash256_finish(&ctx->hash_ctx, h_msg);
|
||||
sm3_init(&ctx->hash_ctx);
|
||||
sm3_update(&ctx->hash_ctx, ctx->sig.random, sizeof(sphincs_hash128_t));
|
||||
sm3_update(&ctx->hash_ctx, ctx->key.public_key.seed, sizeof(sphincs_hash128_t));
|
||||
sm3_update(&ctx->hash_ctx, dgst, sizeof(dgst));
|
||||
sm3_update(&ctx->hash_ctx, count, sizeof(count));
|
||||
sm3_finish(&ctx->hash_ctx, h_msg);
|
||||
|
||||
left = SPHINCS_TBS_SIZE - sizeof(dgst) * i;
|
||||
left = left < sizeof(dgst) ? left : sizeof(dgst);
|
||||
|
||||
@@ -1049,7 +1049,10 @@ int ec_private_key_to_der(const X509_KEY *key, int encode_params, int encode_pub
|
||||
}
|
||||
pubkey = pubkey_buf;
|
||||
}
|
||||
secp256r1_to_32bytes(key->u.secp256r1_key.private_key, prikey);
|
||||
if (secp256r1_to_32bytes(key->u.secp256r1_key.private_key, prikey) != 1) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
break;
|
||||
#endif
|
||||
default:
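Review bot: The added failure branch returns after `secp256r1_to_32bytes()` may already have written part of the raw private scalar into `prikey`, and nothing wipes that buffer before `return -1`. Assuming `prikey` is a local buffer declared earlier in ec_private_key_to_der (outside this hunk), adding `gmssl_secure_clear(prikey, sizeof(prikey));` ahead of `error_print();` matches how the ec_private_key_from_der hunk treats `p256_private` on its failure path. The success path, where `prikey` is consumed by the DER encoder and should be cleared afterwards, also lies outside this hunk.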
|
||||
@@ -1159,7 +1162,10 @@ int ec_private_key_from_der(X509_KEY *key, int opt_curve, const uint8_t **in, si
|
||||
secp256r1_t p256_private;
|
||||
SECP256R1_KEY p256_pub;
|
||||
|
||||
secp256r1_from_32bytes(p256_private, prikey);
|
||||
if (secp256r1_from_32bytes(p256_private, prikey) != 1) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
if (secp256r1_key_set_private_key(&key->u.secp256r1_key, p256_private) != 1) {
|
||||
gmssl_secure_clear(p256_private, sizeof(secp256r1_t));
|
||||
error_print();
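Review bot: The new check on `secp256r1_from_32bytes()` returns without clearing `p256_private`, while the `secp256r1_key_set_private_key()` check immediately below it calls `gmssl_secure_clear(p256_private, sizeof(secp256r1_t))` on its failure path. Since the decoder may already have copied part of the private scalar into `p256_private` before reporting failure, the two branches should be consistent: `if (secp256r1_from_32bytes(p256_private, prikey) != 1) { gmssl_secure_clear(p256_private, sizeof(secp256r1_t)); error_print(); return -1; }`. The rest of ec_private_key_from_der, including how `prikey` itself is released, is outside this hunk.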
|
||||
|
||||
640
src/xmss.c
640
src/xmss.c
@@ -80,9 +80,42 @@ static int test_ecdsa(void)
|
||||
return 1;
|
||||
}
|
||||
|
||||
static int test_ecdsa_verify_infinity(void)
|
||||
{
|
||||
SECP256R1_KEY key;
|
||||
ECDSA_SIGNATURE sig;
|
||||
secp256r1_t d;
|
||||
uint8_t dgst[32];
|
||||
size_t dgstlen;
|
||||
|
||||
if (secp256r1_set_one(d) != 1
|
||||
|| secp256r1_key_set_private_key(&key, d) != 1
|
||||
|| secp256r1_set_one(sig.r) != 1
|
||||
|| secp256r1_set_one(sig.s) != 1) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
|
||||
// e = n - 1, so u1 * G + u2 * Q = (n - 1)G + G = O for Q = G
|
||||
if (hex_to_bytes("FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632550",
|
||||
64, dgst, &dgstlen) != 1
|
||||
|| dgstlen != sizeof(dgst)) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
if (ecdsa_do_verify(&key, dgst, &sig) != 0) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
|
||||
printf("%s() ok\n", __FUNCTION__);
|
||||
return 1;
|
||||
}
|
||||
|
||||
int main(void)
|
||||
{
|
||||
if (test_ecdsa() != 1) goto err;
|
||||
if (test_ecdsa_verify_infinity() != 1) goto err;
|
||||
|
||||
printf("%s all tests passed\n", __FILE__);
|
||||
return 0;
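Review bot: test_ecdsa_verify_infinity asserts that `ecdsa_do_verify()` returns exactly 0 when u1*G + u2*Q lands on the point at infinity, but nothing states why -1 would be a wrong answer here, so a later refactor that reports the infinity case as an error would break the test without an obvious reason. A comment on the assertion would make the contract explicit: `// infinity must be reported as an invalid signature (0), not as an internal error (-1)`. It would also help to say that `secp256r1_key_set_private_key()` is relied on to derive Q = G from d = 1, since the test never sets the public key directly; if that derivation is not part of its contract, the test should set Q explicitly.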
|
||||
|
||||
@@ -165,6 +165,36 @@ static int test_secp256r1_modp(void)
|
||||
return 1;
|
||||
}
|
||||
|
||||
static int test_secp256r1_mod_zero(void)
|
||||
{
|
||||
secp256r1_t zero;
|
||||
secp256r1_t r;
|
||||
|
||||
if (secp256r1_set_zero(zero) != 1) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
if (secp256r1_modp_neg(r, zero) != 1 || !secp256r1_is_zero(r)) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
if (secp256r1_modn_neg(r, zero) != 1 || !secp256r1_is_zero(r)) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
if (secp256r1_modp_inv(r, zero) != -1) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
if (secp256r1_modn_inv(r, zero) != -1) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
|
||||
printf("%s() ok\n", __FUNCTION__);
|
||||
return 1;
|
||||
}
|
||||
|
||||
|
||||
static int test_secp256r1_modn(void)
|
||||
{
|
||||
@@ -278,7 +308,10 @@ static int test_secp256r1_modn(void)
|
||||
static int test_secp256r1_point_at_infinity(void)
|
||||
{
|
||||
SECP256R1_POINT P;
|
||||
secp256r1_point_set_infinity(&P);
|
||||
if (secp256r1_point_set_infinity(&P) != 1) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
|
||||
if (!secp256r1_point_is_at_infinity(&P)) {
|
||||
error_print();
|
||||
@@ -316,7 +349,10 @@ static int test_secp256r1_point_set_xy(void)
|
||||
return -1;
|
||||
}
|
||||
|
||||
secp256r1_point_get_xy(&P, x1, y1);
|
||||
if (secp256r1_point_get_xy(&P, x1, y1) != 1) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
|
||||
if (secp256r1_cmp(x, x1) != 0
|
||||
|| secp256r1_cmp(y, y1) != 0) {
|
||||
@@ -353,8 +389,11 @@ static int test_secp256r1_point_dbl_add(void)
|
||||
size_t len;
|
||||
|
||||
// test 2*G
|
||||
secp256r1_point_dbl(&P, &SECP256R1_POINT_G);
|
||||
secp256r1_point_get_xy(&P, x, y);
|
||||
if (secp256r1_point_dbl(&P, &SECP256R1_POINT_G) != 1
|
||||
|| secp256r1_point_get_xy(&P, x, y) != 1) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
|
||||
secp256r1_point_print(stderr, 0, 4, "2*G", &P);
|
||||
|
||||
@@ -369,8 +408,11 @@ static int test_secp256r1_point_dbl_add(void)
|
||||
}
|
||||
|
||||
// test 2*G + G
|
||||
secp256r1_point_add(&Q, &P, &SECP256R1_POINT_G);
|
||||
secp256r1_point_get_xy(&Q, x, y);
|
||||
if (secp256r1_point_add(&Q, &P, &SECP256R1_POINT_G) != 1
|
||||
|| secp256r1_point_get_xy(&Q, x, y) != 1) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
|
||||
hex_to_bytes("5ecbe4d1a6330a44c8f7ef951d4bf165e6c6b721efada985fb41661bc6e7fd6c", 64, bytes, &len);
|
||||
secp256r1_from_32bytes(x1, bytes);
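Review bot: The new return-value checks on `secp256r1_point_add()` and `secp256r1_point_get_xy()` stop two lines short: the `hex_to_bytes()` and `secp256r1_from_32bytes()` calls that produce the expected coordinates are still unchecked, so a malformed vector would surface later as a misleading coordinate mismatch instead of at the decode. The same pattern remains in the two test_secp256r1_point_mul hunks below (`hex_to_bytes(secp256r1_x_3G, ...)` and `hex_to_bytes(secp256r1_n, ...)` followed by unchecked `secp256r1_from_32bytes()`). Wrapping them in the style this commit already uses, `if (hex_to_bytes(..., 64, bytes, &len) != 1 || secp256r1_from_32bytes(x1, bytes) != 1) { error_print(); return -1; }`, keeps the test uniform. test_secp256r1_point_dbl_add continues outside this hunk.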
|
||||
@@ -407,8 +449,11 @@ static int test_secp256r1_point_mul(void)
|
||||
bytes[31] = 3;
|
||||
secp256r1_from_32bytes(k, bytes);
|
||||
|
||||
secp256r1_point_mul_generator(&P, k);
|
||||
secp256r1_point_get_xy(&P, x, y); // 这个必须返回错误啊,否则没办法判断是否为无穷远点呢!
|
||||
if (secp256r1_point_mul_generator(&P, k) != 1
|
||||
|| secp256r1_point_get_xy(&P, x, y) != 1) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
|
||||
hex_to_bytes(secp256r1_x_3G, 64, bytes, &len);
|
||||
secp256r1_from_32bytes(x1, bytes);
|
||||
@@ -424,7 +469,10 @@ static int test_secp256r1_point_mul(void)
|
||||
hex_to_bytes(secp256r1_n, 64, bytes, &len);
|
||||
secp256r1_from_32bytes(k, bytes);
|
||||
|
||||
secp256r1_point_mul_generator(&P, k);
|
||||
if (secp256r1_point_mul_generator(&P, k) != 1) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
|
||||
if (secp256r1_point_is_at_infinity(&P) != 1) {
|
||||
error_print();
|
||||
@@ -442,7 +490,10 @@ static int test_secp256r1_point_to_uncompressed_octets(void)
|
||||
uint8_t octets[65];
|
||||
|
||||
|
||||
secp256r1_point_copy(&P, &SECP256R1_POINT_G);
|
||||
if (secp256r1_point_copy(&P, &SECP256R1_POINT_G) != 1) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
|
||||
if (secp256r1_point_to_uncompressed_octets(&P, octets) != 1) {
|
||||
error_print();
|
||||
@@ -458,18 +509,58 @@ static int test_secp256r1_point_to_uncompressed_octets(void)
|
||||
return 1;
|
||||
}
|
||||
|
||||
static int test_secp256r1_point_infinity_edges(void)
|
||||
{
|
||||
SECP256R1_POINT P;
|
||||
SECP256R1_POINT Q;
|
||||
SECP256R1_POINT R;
|
||||
secp256r1_t x;
|
||||
secp256r1_t y;
|
||||
uint8_t octets[65];
|
||||
|
||||
if (secp256r1_point_neg(&Q, &SECP256R1_POINT_G) != 1
|
||||
|| secp256r1_point_add(&R, &SECP256R1_POINT_G, &Q) != 1) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
if (secp256r1_point_is_at_infinity(&R) != 1) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
if (secp256r1_point_get_xy(&R, x, y) != -1) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
if (secp256r1_point_to_uncompressed_octets(&R, octets) != -1) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
|
||||
if (secp256r1_point_set_infinity(&P) != 1
|
||||
|| secp256r1_point_equ(&P, &R) != 1
|
||||
|| secp256r1_point_equ(&P, &SECP256R1_POINT_G) != 0) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
|
||||
printf("%s() ok\n", __FUNCTION__);
|
||||
return 1;
|
||||
}
|
||||
|
||||
|
||||
int main(void)
|
||||
{
|
||||
if (test_secp256r1() != 1) goto err;
|
||||
if (test_secp256r1_modp() != 1) goto err;
|
||||
if (test_secp256r1_modn() != 1) goto err;
|
||||
if (test_secp256r1_mod_zero() != 1) goto err;
|
||||
if (test_secp256r1_point_at_infinity() != 1) goto err;
|
||||
if (test_secp256r1_point_is_on_curve() != 1) goto err;
|
||||
if (test_secp256r1_point_set_xy() != 1) goto err;
|
||||
if (test_secp256r1_point_dbl_add() != 1) goto err;
|
||||
if (test_secp256r1_point_mul() != 1) goto err;
|
||||
if (test_secp256r1_point_to_uncompressed_octets() != 1) goto err;
|
||||
if (test_secp256r1_point_infinity_edges() != 1) goto err;
|
||||
|
||||
|
||||
printf("%s all tests passed\n", __FILE__);
|
||||
|
||||
@@ -512,9 +512,9 @@ static int test_sphincs_sign(void)
|
||||
uint8_t msg[100] = {1, 2, 3, 0};
|
||||
SPHINCS_SIGNATURE _sig;
|
||||
SPHINCS_SIGNATURE *sig = &_sig;
|
||||
SPHINCS_HASH256_CTX hash_ctx;
|
||||
SPHINCS_HMAC256_CTX hmac_ctx;
|
||||
sphincs_hash256_t dgst;
|
||||
SM3_CTX hash_ctx;
|
||||
SM3_HMAC_CTX hmac_ctx;
|
||||
sphincs_sm3_digest_t dgst;
|
||||
|
||||
|
||||
sphincs_hash128_t opt_rand;
|
||||
@@ -553,30 +553,30 @@ static int test_sphincs_sign(void)
|
||||
// 如果R是用M生成的,这意味着M要读取2遍,这就没办法用init/update范式了
|
||||
|
||||
// R = PRF_msg(sk_prf, optrand, M) = HMAC(sk_prf, opt_rand|M)
|
||||
sphincs_hmac256_init(&hmac_ctx, key->sk_prf, sizeof(sphincs_hash128_t));
|
||||
sphincs_hmac256_update(&hmac_ctx, opt_rand, sizeof(sphincs_hash128_t));
|
||||
sphincs_hmac256_update(&hmac_ctx, msg, sizeof(msg));
|
||||
sphincs_hmac256_finish(&hmac_ctx, dgst);
|
||||
sm3_hmac_init(&hmac_ctx, key->sk_prf, sizeof(sphincs_hash128_t));
|
||||
sm3_hmac_update(&hmac_ctx, opt_rand, sizeof(sphincs_hash128_t));
|
||||
sm3_hmac_update(&hmac_ctx, msg, sizeof(msg));
|
||||
sm3_hmac_finish(&hmac_ctx, dgst);
|
||||
memcpy(sig->random, dgst, sizeof(sphincs_hash128_t));
|
||||
|
||||
// dgst = HASH256(R|seed|root|M)
|
||||
sphincs_hash256_init(&hash_ctx);
|
||||
sphincs_hash256_update(&hash_ctx, sig->random, sizeof(sphincs_hash128_t));
|
||||
sphincs_hash256_update(&hash_ctx, key->public_key.seed, sizeof(sphincs_hash128_t));
|
||||
sphincs_hash256_update(&hash_ctx, key->public_key.root, sizeof(sphincs_hash128_t));
|
||||
sphincs_hash256_update(&hash_ctx, msg, sizeof(msg));
|
||||
sphincs_hash256_finish(&hash_ctx, dgst);
|
||||
// dgst = SM3(R|seed|root|M)
|
||||
sm3_init(&hash_ctx);
|
||||
sm3_update(&hash_ctx, sig->random, sizeof(sphincs_hash128_t));
|
||||
sm3_update(&hash_ctx, key->public_key.seed, sizeof(sphincs_hash128_t));
|
||||
sm3_update(&hash_ctx, key->public_key.root, sizeof(sphincs_hash128_t));
|
||||
sm3_update(&hash_ctx, msg, sizeof(msg));
|
||||
sm3_finish(&hash_ctx, dgst);
|
||||
|
||||
// tbs = H_msg(R, seed, root, M) = MGF1(R|seed|dgst, tbs_len)
|
||||
for (i = 0; i < (SPHINCS_TBS_SIZE + 31)/32; i++) {
|
||||
uint8_t count[4];
|
||||
PUTU32(count, i);
|
||||
sphincs_hash256_init(&hash_ctx);
|
||||
sphincs_hash256_update(&hash_ctx, sig->random, sizeof(sphincs_hash128_t));
|
||||
sphincs_hash256_update(&hash_ctx, key->public_key.seed, sizeof(sphincs_hash128_t));
|
||||
sphincs_hash256_update(&hash_ctx, dgst, sizeof(dgst));
|
||||
sphincs_hash256_update(&hash_ctx, count, sizeof(count));
|
||||
sphincs_hash256_finish(&hash_ctx, tbs + sizeof(dgst) * i);
|
||||
sm3_init(&hash_ctx);
|
||||
sm3_update(&hash_ctx, sig->random, sizeof(sphincs_hash128_t));
|
||||
sm3_update(&hash_ctx, key->public_key.seed, sizeof(sphincs_hash128_t));
|
||||
sm3_update(&hash_ctx, dgst, sizeof(dgst));
|
||||
sm3_update(&hash_ctx, count, sizeof(count));
|
||||
sm3_finish(&hash_ctx, tbs + sizeof(dgst) * i);
|
||||
}
|
||||
|
||||
|
||||
|
||||
@@ -21,9 +21,9 @@
|
||||
|
||||
#ifdef ENABLE_LMS
|
||||
static int lms_types[] = {
|
||||
LMS_HASH256_M32_H5,
|
||||
LMS_HASH256_M32_H5,
|
||||
LMS_HASH256_M32_H5,
|
||||
LMS_SM3_M32_H5,
|
||||
LMS_SM3_M32_H5,
|
||||
LMS_SM3_M32_H5,
|
||||
};
|
||||
#endif
|
||||
|
||||
@@ -36,12 +36,12 @@ struct {
|
||||
{ OID_ec_public_key, OID_secp256r1 },
|
||||
#endif
|
||||
#ifdef ENABLE_LMS
|
||||
{ OID_lms_hashsig, LMS_HASH256_M32_H5 },
|
||||
{ OID_lms_hashsig, LMS_SM3_M32_H5 },
|
||||
{ OID_hss_lms_hashsig, OID_undef }, // use lms_types[]
|
||||
#endif
|
||||
#ifdef ENABLE_XMSS
|
||||
{ OID_xmss_hashsig, XMSS_HASH256_10_256 },
|
||||
{ OID_xmssmt_hashsig, XMSSMT_HASH256_20_4_256 },
|
||||
{ OID_xmss_hashsig, XMSS_SM3_10_256 },
|
||||
{ OID_xmssmt_hashsig, XMSSMT_SM3_20_4_256 },
|
||||
#endif
|
||||
#ifdef ENABLE_SPHINCS
|
||||
{ OID_sphincs_hashsig, OID_undef },
|
||||
|
||||
417
tests/xmsstest.c
417
tests/xmsstest.c
@@ -45,237 +45,31 @@ static int test_xmss_adrs(void)
|
||||
}
|
||||
|
||||
|
||||
#if defined(ENABLE_XMSS_CROSSCHECK) && defined(ENABLE_SHA2)
|
||||
static int test_wots_derive_sk(void)
|
||||
{
|
||||
xmss_hash256_t secret = {0};
|
||||
xmss_hash256_t seed = {0};
|
||||
xmss_adrs_t adrs = {0};
|
||||
xmss_wots_key_t wots_sk;
|
||||
xmss_wots_key_t test_sk;
|
||||
size_t len;
|
||||
|
||||
// sha256 test 1
|
||||
memset(secret, 0, sizeof(secret));
|
||||
memset(seed, 0, sizeof(seed));
|
||||
memset(adrs, 0, sizeof(adrs));
|
||||
hex_to_bytes("0cb52ea67abd5da0328099db02de310e4ab01ac39d0bbeb71e97eb7e83c467b5", 64, test_sk[0], &len);
|
||||
hex_to_bytes("382c16f94b77905d4a6f78e1f38faf5ef914ac42324e356aeede056d356a5eeb", 64, test_sk[1], &len);
|
||||
hex_to_bytes("ab08e768529903e533c9bf8b3ea8c69d36aedcee5ac78801f92d23ef758cfe03", 64, test_sk[66], &len);
|
||||
|
||||
xmss_wots_derive_sk(secret, seed, adrs, wots_sk);
|
||||
|
||||
if (memcmp(wots_sk[0], test_sk[0], 32)
|
||||
|| memcmp(wots_sk[1], test_sk[1], 32)
|
||||
|| memcmp(wots_sk[66], test_sk[66], 32)) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
|
||||
// sha256 test 2
|
||||
memset(secret, 0x12, sizeof(secret));
|
||||
memset(seed, 0xab, sizeof(seed));
|
||||
memset(adrs, 0, sizeof(adrs));
|
||||
hex_to_bytes("1a50a39a53e6ef2480db612cef9456d0f33222f934c58bcba9d04fa91108faf6", 64, test_sk[0], &len);
|
||||
hex_to_bytes("e45dad76c1b23975e898a365b8c73d13695a887ba2ba2377f840d3a3b7bf806c", 64, test_sk[1], &len);
|
||||
hex_to_bytes("aaad735aa51662b8a48258561fb857b3f2b12a5802593522145b3b68355abf3b", 64, test_sk[66], &len);
|
||||
|
||||
xmss_wots_derive_sk(secret, seed, adrs, wots_sk);
|
||||
|
||||
if (memcmp(wots_sk[0], test_sk[0], 32)
|
||||
|| memcmp(wots_sk[1], test_sk[1], 32)
|
||||
|| memcmp(wots_sk[66], test_sk[66], 32)) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
|
||||
printf("%s() ok\n", __FUNCTION__);
|
||||
return 1;
|
||||
}
|
||||
|
||||
static int test_wots_sk_to_pk(void)
|
||||
{
|
||||
xmss_hash256_t secret = {0};
|
||||
xmss_hash256_t seed = {0};
|
||||
xmss_adrs_t adrs = {0};
|
||||
xmss_wots_key_t wots_sk;
|
||||
xmss_wots_key_t wots_pk;
|
||||
xmss_wots_key_t test_pk;
|
||||
size_t len;
|
||||
|
||||
// sha256 test 2
|
||||
memset(secret, 0x12, sizeof(secret));
|
||||
memset(seed, 0xab, sizeof(seed));
|
||||
memset(adrs, 0, sizeof(adrs));
|
||||
hex_to_bytes("0c74a626695831994961641c487b70da83cd2aba2ba5c63c38ce72479b8a0ab9", 64, test_pk[0], &len);
|
||||
hex_to_bytes("acf6be724d4b074d67330559ec24b3d42c9b9d87fa103e7f6be402ec3a2d41c1", 64, test_pk[1], &len);
|
||||
hex_to_bytes("98691d83a657840d4b6f410e25fcd9a6480670ac9c090d3b79bc904ba7e131aa", 64, test_pk[66], &len);
|
||||
|
||||
xmss_wots_derive_sk(secret, seed, adrs, wots_sk);
|
||||
|
||||
xmss_wots_sk_to_pk(wots_sk, seed, adrs, wots_pk);
|
||||
|
||||
if (memcmp(wots_pk[0], test_pk[0], 32)
|
||||
|| memcmp(wots_pk[1], test_pk[1], 32)
|
||||
|| memcmp(wots_pk[66], test_pk[66], 32)) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
|
||||
printf("%s() ok\n", __FUNCTION__);
|
||||
return 1;
|
||||
}
|
||||
|
||||
static int test_wots_sign(void)
|
||||
{
|
||||
xmss_hash256_t secret = {0};
|
||||
xmss_hash256_t seed = {0};
|
||||
xmss_adrs_t adrs = {0};
|
||||
xmss_hash256_t dgst = {0};
|
||||
xmss_wots_key_t wots_sk;
|
||||
xmss_wots_key_t wots_pk;
|
||||
xmss_wots_sig_t wots_sig;
|
||||
xmss_wots_sig_t test_sig;
|
||||
xmss_wots_key_t sig_pk;
|
||||
size_t len;
|
||||
int i;
|
||||
clock_t start = clock();
|
||||
|
||||
memset(secret, 0x12, sizeof(secret));
|
||||
memset(seed, 0xab, sizeof(seed));
|
||||
memset(adrs, 0, sizeof(adrs));
|
||||
for (i = 0; i < 32; i++) {
|
||||
dgst[i] = i; // try different dgst, check base_w and checksum
|
||||
}
|
||||
hex_to_bytes("1a50a39a53e6ef2480db612cef9456d0f33222f934c58bcba9d04fa91108faf6", 64, test_sig[0], &len);
|
||||
hex_to_bytes("e45dad76c1b23975e898a365b8c73d13695a887ba2ba2377f840d3a3b7bf806c", 64, test_sig[1], &len);
|
||||
hex_to_bytes("75d2cfddd6ca9773fb9d0d17efe5c731c1a44f4b31352e26767623abf52911f9", 64, test_sig[15], &len);
|
||||
hex_to_bytes("aaad735aa51662b8a48258561fb857b3f2b12a5802593522145b3b68355abf3b", 64, test_sig[66], &len);
|
||||
|
||||
xmss_wots_derive_sk(secret, seed, adrs, wots_sk);
|
||||
|
||||
xmss_wots_sk_to_pk(wots_sk, seed, adrs, wots_pk);
|
||||
|
||||
xmss_wots_sign(wots_sk, seed, adrs, dgst, wots_sig);
|
||||
|
||||
if (memcmp(wots_sig[0], test_sig[0], sizeof(xmss_hash256_t))
|
||||
|| memcmp(wots_sig[1], test_sig[1], sizeof(xmss_hash256_t))
|
||||
|| memcmp(wots_sig[15], test_sig[15], sizeof(xmss_hash256_t))
|
||||
|| memcmp(wots_sig[66], test_sig[66], sizeof(xmss_hash256_t))) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
|
||||
xmss_wots_sig_to_pk(wots_sig, seed, adrs, dgst, sig_pk);
|
||||
|
||||
if (memcmp(sig_pk ,wots_pk, sizeof(xmss_wots_key_t))) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
|
||||
test_print_elapsed(__FUNCTION__, start);
|
||||
printf("%s() ok\n", __FUNCTION__);
|
||||
return 1;
|
||||
}
|
||||
|
||||
static int test_wots_derive_root(void)
|
||||
{
|
||||
xmss_hash256_t secret;
|
||||
xmss_hash256_t seed;
|
||||
xmss_adrs_t adrs;
|
||||
xmss_hash256_t root;
|
||||
xmss_hash256_t wots_0_root;
|
||||
xmss_hash256_t wots_1023_root;
|
||||
size_t len;
|
||||
|
||||
memset(secret, 0x12, sizeof(xmss_hash256_t));
|
||||
memset(seed, 0xab, sizeof(xmss_hash256_t));
|
||||
hex_to_bytes("7A968C5F9AE4D2B781872B4E6EE851D55CC02F0AB9196701580D6F503D35DB68", 64, wots_0_root, &len);
|
||||
hex_to_bytes("939E10CD44769D4D9853F7CF5612D6D83B3AA140A8867CCF34A1DBCC66FC4333", 64, wots_1023_root, &len);
|
||||
|
||||
// wots index is 0
|
||||
xmss_adrs_set_layer_address(adrs, 0);
|
||||
xmss_adrs_set_tree_address(adrs, 0);
|
||||
xmss_adrs_set_ots_address(adrs, 0);
|
||||
|
||||
xmss_wots_derive_root(secret, seed, adrs, root);
|
||||
|
||||
if (memcmp(root, wots_0_root, sizeof(xmss_hash256_t)) != 0) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
|
||||
// wots index is 1023
|
||||
xmss_adrs_set_layer_address(adrs, 0);
|
||||
xmss_adrs_set_tree_address(adrs, 0);
|
||||
xmss_adrs_set_ots_address(adrs, 1023);
|
||||
|
||||
xmss_wots_derive_root(secret, seed, adrs, root);
|
||||
|
||||
if (memcmp(root, wots_1023_root, sizeof(xmss_hash256_t)) != 0) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
|
||||
printf("%s() ok\n", __FUNCTION__);
|
||||
return 1;
|
||||
}
|
||||
|
||||
static int test_wots_verify(void)
|
||||
{
|
||||
uint32_t index = 0;
|
||||
xmss_hash256_t secret;
|
||||
xmss_hash256_t seed;
|
||||
xmss_adrs_t adrs;
|
||||
xmss_wots_key_t sk;
|
||||
xmss_hash256_t dgst;
|
||||
xmss_wots_sig_t sig;
|
||||
xmss_hash256_t root;
|
||||
|
||||
|
||||
xmss_adrs_set_layer_address(adrs, 0);
|
||||
xmss_adrs_set_tree_address(adrs, 0);
|
||||
xmss_adrs_set_type(adrs, XMSS_ADRS_TYPE_OTS);
|
||||
xmss_adrs_set_ots_address(adrs, index);
|
||||
|
||||
xmss_wots_derive_sk(secret, seed, adrs, sk);
|
||||
xmss_wots_sign(sk, seed, adrs, dgst, sig);
|
||||
xmss_wots_derive_root(secret, seed, adrs, root);
|
||||
|
||||
if (xmss_wots_verify(root, seed, adrs, dgst, sig) != 1) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
|
||||
printf("%s() ok\n", __FUNCTION__);
|
||||
return 1;
|
||||
}
|
||||
#endif
|
||||
|
||||
|
||||
|
||||
static int test_xmss_build_tree(void)
|
||||
{
|
||||
xmss_hash256_t xmss_secret;
|
||||
xmss_hash256_t seed;
|
||||
xmss_sm3_digest_t xmss_secret;
|
||||
xmss_sm3_digest_t seed;
|
||||
xmss_adrs_t adrs;
|
||||
int height = 10;
|
||||
xmss_hash256_t *tree = malloc(32 * (1<<height) * 2);
|
||||
xmss_hash256_t xmss_root;
|
||||
xmss_hash256_t test_root;
|
||||
xmss_sm3_digest_t *tree = malloc(32 * (1<<height) * 2);
|
||||
xmss_sm3_digest_t xmss_root;
|
||||
xmss_sm3_digest_t test_root;
|
||||
size_t len;
|
||||
|
||||
memset(xmss_secret, 0x12, sizeof(xmss_hash256_t));
|
||||
memset(seed, 0xab, sizeof(xmss_hash256_t));
|
||||
memset(xmss_secret, 0x12, sizeof(xmss_sm3_digest_t));
|
||||
memset(seed, 0xab, sizeof(xmss_sm3_digest_t));
|
||||
hex_to_bytes("f0415ed807c8f8c2ee8ca3a00178bff37e1ccb2836e02607d06131c9341e52ca", 64, test_root, &len);
|
||||
|
||||
xmss_adrs_set_layer_address(adrs, 0);
|
||||
xmss_adrs_set_tree_address(adrs, 0);
|
||||
xmss_build_tree(xmss_secret, seed, adrs, height, tree);
|
||||
|
||||
memcpy(xmss_root, tree[(1 << (height + 1)) - 2], sizeof(xmss_hash256_t));
|
||||
memcpy(xmss_root, tree[(1 << (height + 1)) - 2], sizeof(xmss_sm3_digest_t));
|
||||
/*
|
||||
if (memcmp(xmss_root, test_root, sizeof(xmss_hash256_t))) {
|
||||
if (memcmp(xmss_root, test_root, sizeof(xmss_sm3_digest_t))) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
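Review bot: `xmss_sm3_digest_t *tree = malloc(32 * (1<<height) * 2);` is rewritten here but still hard-codes the node size and never checks for a NULL return before `xmss_build_tree()` writes into it; `malloc(sizeof(xmss_sm3_digest_t) * (1u << (height + 1)))` followed by a NULL check keeps the allocation tied to the type. The `memcmp(xmss_root, test_root, ...)` comparison that follows appears to sit inside a `/*` comment, so the `test_root` vector decoded at the top of the function is never actually verified; if that hex value predates the switch to SM3 it needs replacing, and once it is correct the check should be re-enabled. Whether `tree` is freed cannot be seen here because test_xmss_build_tree continues past the hunk.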
|
||||
@@ -287,13 +81,13 @@ static int test_xmss_build_tree(void)
|
||||
|
||||
static int test_xmss_build_root(void)
|
||||
{
|
||||
xmss_hash256_t secret;
|
||||
xmss_hash256_t seed;
|
||||
xmss_sm3_digest_t secret;
|
||||
xmss_sm3_digest_t seed;
|
||||
xmss_adrs_t adrs;
|
||||
size_t height = 4;
|
||||
xmss_hash256_t tree[(1 << (4+1)) - 1];
|
||||
xmss_hash256_t auth_path[4];
|
||||
xmss_hash256_t root;
|
||||
xmss_sm3_digest_t tree[(1 << (4+1)) - 1];
|
||||
xmss_sm3_digest_t auth_path[4];
|
||||
xmss_sm3_digest_t root;
|
||||
uint32_t index;
|
||||
|
||||
rand_bytes(secret, sizeof(secret));
|
||||
@@ -305,7 +99,7 @@ static int test_xmss_build_root(void)
|
||||
for (index = 0; index < (1 << height); index++) {
|
||||
xmss_build_auth_path(tree, height, index, auth_path);
|
||||
xmss_build_root(tree[index], index, seed, adrs, auth_path, height, root);
|
||||
if (memcmp(root, tree[sizeof(tree)/sizeof(tree[0]) - 1], sizeof(xmss_hash256_t)) != 0) {
|
||||
if (memcmp(root, tree[sizeof(tree)/sizeof(tree[0]) - 1], sizeof(xmss_sm3_digest_t)) != 0) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
@@ -321,9 +115,9 @@ static int test_xmss_private_key_size(void)
|
||||
uint32_t xmss_type;
|
||||
size_t keylen;
|
||||
} tests[] = {
|
||||
{ XMSS_HASH256_10_256, 65640 },
|
||||
{ XMSS_HASH256_16_256, 4194408 },
|
||||
{ XMSS_HASH256_20_256, 67108968 },
|
||||
{ XMSS_SM3_10_256, 65640 },
|
||||
{ XMSS_SM3_16_256, 4194408 },
|
||||
{ XMSS_SM3_20_256, 67108968 },
|
||||
};
|
||||
size_t keylen;
|
||||
size_t i;
|
||||
@@ -347,7 +141,7 @@ static int test_xmss_private_key_size(void)
|
||||
|
||||
static int test_xmss_key_generate(void)
|
||||
{
|
||||
uint32_t xmss_type = XMSS_HASH256_10_256;
|
||||
uint32_t xmss_type = XMSS_SM3_10_256;
|
||||
XMSS_KEY key;
|
||||
size_t count;
|
||||
size_t i;
|
||||
@@ -385,7 +179,7 @@ static int test_xmss_key_generate(void)
|
||||
|
||||
static int test_xmss_public_key_to_bytes(void)
|
||||
{
|
||||
uint32_t xmss_type = XMSS_HASH256_10_256;
|
||||
uint32_t xmss_type = XMSS_SM3_10_256;
|
||||
XMSS_KEY key;
|
||||
XMSS_KEY pub;
|
||||
uint8_t buf[XMSS_PUBLIC_KEY_SIZE];
|
||||
@@ -431,9 +225,9 @@ struct {
|
||||
uint32_t xmss_type;
|
||||
size_t siglen;
|
||||
} xmss_siglens[] = {
|
||||
{ XMSS_HASH256_10_256, 2500 },
|
||||
{ XMSS_HASH256_16_256, 2692 },
|
||||
{ XMSS_HASH256_20_256, 2820 },
|
||||
{ XMSS_SM3_10_256, 2500 },
|
||||
{ XMSS_SM3_16_256, 2692 },
|
||||
{ XMSS_SM3_20_256, 2820 },
|
||||
};
|
||||
|
||||
static int test_xmss_signature_size(void)
|
||||
@@ -457,23 +251,23 @@ static int test_xmss_signature_size(void)
|
||||
|
||||
static int test_xmss_sign(void)
|
||||
{
|
||||
static const uint8_t xmss_hash256_two[] = {
|
||||
static const uint8_t xmss_sm3_digest_two[] = {
|
||||
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
||||
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
||||
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
||||
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02,
|
||||
};
|
||||
uint8_t msg[100] = {0};
|
||||
uint32_t xmss_type = XMSS_HASH256_10_256;
|
||||
uint32_t xmss_type = XMSS_SM3_10_256;
|
||||
size_t height = 10;
|
||||
uint32_t index = 1011;
|
||||
xmss_hash256_t hash256_index = {0};
|
||||
xmss_sm3_digest_t sm3_digest_index = {0};
|
||||
XMSS_KEY key;
|
||||
XMSS_SIGNATURE sig;
|
||||
xmss_adrs_t adrs;
|
||||
xmss_hash256_t root;
|
||||
XMSS_HASH256_CTX ctx;
|
||||
xmss_hash256_t dgst;
|
||||
xmss_sm3_digest_t root;
|
||||
SM3_CTX ctx;
|
||||
xmss_sm3_digest_t dgst;
|
||||
size_t h;
|
||||
clock_t start = clock();
|
||||
|
||||
@@ -501,7 +295,7 @@ static int test_xmss_sign(void)
|
||||
|
||||
// check wots_root
|
||||
xmss_wots_derive_root(key.secret, key.public_key.seed, adrs, root);
|
||||
if (memcmp(root, key.tree[index], sizeof(xmss_hash256_t)) != 0) {
|
||||
if (memcmp(root, key.tree[index], sizeof(xmss_sm3_digest_t)) != 0) {
|
||||
xmss_key_cleanup(&key);
|
||||
error_print();
|
||||
return -1;
|
||||
@@ -511,14 +305,14 @@ static int test_xmss_sign(void)
|
||||
|
||||
|
||||
|
||||
PUTU32(hash256_index + 28, index);
|
||||
xmss_hash256_init(&ctx);
|
||||
xmss_hash256_update(&ctx, xmss_hash256_two, sizeof(xmss_hash256_t));
|
||||
xmss_hash256_update(&ctx, sig.random, sizeof(xmss_hash256_t));
|
||||
xmss_hash256_update(&ctx, key.public_key.root, sizeof(xmss_hash256_t));
|
||||
xmss_hash256_update(&ctx, hash256_index, sizeof(xmss_hash256_t));
|
||||
xmss_hash256_update(&ctx, msg, sizeof(msg));
|
||||
xmss_hash256_finish(&ctx, dgst);
|
||||
PUTU32(sm3_digest_index + 28, index);
|
||||
sm3_init(&ctx);
|
||||
sm3_update(&ctx, xmss_sm3_digest_two, sizeof(xmss_sm3_digest_t));
|
||||
sm3_update(&ctx, sig.random, sizeof(xmss_sm3_digest_t));
|
||||
sm3_update(&ctx, key.public_key.root, sizeof(xmss_sm3_digest_t));
|
||||
sm3_update(&ctx, sm3_digest_index, sizeof(xmss_sm3_digest_t));
|
||||
sm3_update(&ctx, msg, sizeof(msg));
|
||||
sm3_finish(&ctx, dgst);
|
||||
|
||||
xmss_wots_sign(sig.wots_sig, key.public_key.seed, adrs, dgst, sig.wots_sig);
|
||||
|
||||
@@ -551,7 +345,7 @@ static int test_xmss_sign(void)
|
||||
|
||||
xmss_build_root(root, index, key.public_key.seed, adrs, sig.auth_path, height, root);
|
||||
|
||||
if (memcmp(root, key.public_key.root, sizeof(xmss_hash256_t)) != 0) {
|
||||
if (memcmp(root, key.public_key.root, sizeof(xmss_sm3_digest_t)) != 0) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
@@ -564,7 +358,7 @@ static int test_xmss_sign(void)
|
||||
|
||||
static int test_xmss_sign_update(void)
|
||||
{
|
||||
uint32_t xmss_type = XMSS_HASH256_10_256;
|
||||
uint32_t xmss_type = XMSS_SM3_10_256;
|
||||
XMSS_KEY key;
|
||||
XMSS_SIGN_CTX sign_ctx;
|
||||
XMSS_SIGNATURE signature;
|
||||
@@ -620,14 +414,14 @@ struct {
|
||||
size_t indexlen;
|
||||
size_t siglen;
|
||||
} xmssmt_consts[] = {
|
||||
{ XMSSMT_HASH256_20_2_256, 3, 4963 },
|
||||
{ XMSSMT_HASH256_20_4_256, 3, 9251 },
|
||||
{ XMSSMT_HASH256_40_2_256, 5, 5605 },
|
||||
{ XMSSMT_HASH256_40_4_256, 5, 9893 },
|
||||
{ XMSSMT_HASH256_40_8_256, 5, 18469 },
|
||||
{ XMSSMT_HASH256_60_3_256, 8, 8392 },
|
||||
{ XMSSMT_HASH256_60_6_256, 8, 14824 },
|
||||
{ XMSSMT_HASH256_60_12_256, 8, 27688 },
|
||||
{ XMSSMT_SM3_20_2_256, 3, 4963 },
|
||||
{ XMSSMT_SM3_20_4_256, 3, 9251 },
|
||||
{ XMSSMT_SM3_40_2_256, 5, 5605 },
|
||||
{ XMSSMT_SM3_40_4_256, 5, 9893 },
|
||||
{ XMSSMT_SM3_40_8_256, 5, 18469 },
|
||||
{ XMSSMT_SM3_60_3_256, 8, 8392 },
|
||||
{ XMSSMT_SM3_60_6_256, 8, 14824 },
|
||||
{ XMSSMT_SM3_60_12_256, 8, 27688 },
|
||||
};
|
||||
|
||||
static int test_xmssmt_index_to_bytes(void)
|
||||
@@ -654,7 +448,7 @@ static int test_xmssmt_index_to_bytes(void)
|
||||
|
||||
static int test_xmssmt_key_generate(void)
|
||||
{
|
||||
uint32_t xmssmt_index = XMSSMT_HASH256_20_4_256;
|
||||
uint32_t xmssmt_index = XMSSMT_SM3_20_4_256;
|
||||
XMSSMT_KEY key;
|
||||
clock_t start = clock();
|
||||
|
||||
@@ -726,7 +520,7 @@ static int test_xmssmt_signature_print(void)
|
||||
|
||||
static int test_xmssmt_signature_to_bytes(void)
|
||||
{
|
||||
uint32_t xmssmt_type = XMSSMT_HASH256_20_2_256;
|
||||
uint32_t xmssmt_type = XMSSMT_SM3_20_2_256;
|
||||
XMSSMT_SIGNATURE xmssmt_sig;
|
||||
uint8_t buf[XMSSMT_SIGNATURE_MAX_SIZE];
|
||||
uint8_t *p = buf;
|
||||
@@ -756,26 +550,26 @@ static int test_xmssmt_signature_to_bytes(void)
|
||||
}
|
||||
|
||||
/*
|
||||
XMSSMT_SHA2_20_2_256: 133287 133KB
|
||||
XMSSMT_SHA2_20_4_256: 14631 14KB
|
||||
XMSSMT_SHA2_40_2_256: 134219945 134MB
|
||||
XMSSMT_SHA2_40_4_256: 268585 268KB
|
||||
XMSSMT_SHA2_40_8_256: 31273 31KB
|
||||
XMSSMT_SHA2_60_3_256: 201330924 201MB
|
||||
XMSSMT_SHA2_60_6_256: 403884 403KB
|
||||
XMSSMT_SHA2_60_12_256: 47916 47KB
|
||||
XMSSMT_SM3_20_2_256: 133287 133KB
|
||||
XMSSMT_SM3_20_4_256: 14631 14KB
|
||||
XMSSMT_SM3_40_2_256: 134219945 134MB
|
||||
XMSSMT_SM3_40_4_256: 268585 268KB
|
||||
XMSSMT_SM3_40_8_256: 31273 31KB
|
||||
XMSSMT_SM3_60_3_256: 201330924 201MB
|
||||
XMSSMT_SM3_60_6_256: 403884 403KB
|
||||
XMSSMT_SM3_60_12_256: 47916 47KB
|
||||
*/
|
||||
static int test_xmssmt_private_key_size(void)
|
||||
{
|
||||
uint32_t xmssmt_types[] = {
|
||||
XMSSMT_HASH256_20_2_256,
|
||||
XMSSMT_HASH256_20_4_256,
|
||||
XMSSMT_HASH256_40_2_256,
|
||||
XMSSMT_HASH256_40_4_256,
|
||||
XMSSMT_HASH256_40_8_256,
|
||||
XMSSMT_HASH256_60_3_256,
|
||||
XMSSMT_HASH256_60_6_256,
|
||||
XMSSMT_HASH256_60_12_256,
|
||||
XMSSMT_SM3_20_2_256,
|
||||
XMSSMT_SM3_20_4_256,
|
||||
XMSSMT_SM3_40_2_256,
|
||||
XMSSMT_SM3_40_4_256,
|
||||
XMSSMT_SM3_40_8_256,
|
||||
XMSSMT_SM3_60_3_256,
|
||||
XMSSMT_SM3_60_6_256,
|
||||
XMSSMT_SM3_60_12_256,
|
||||
};
|
||||
size_t len;
|
||||
size_t i;
|
||||
@@ -796,14 +590,14 @@ static int test_xmssmt_private_key_size(void)
|
||||
static int test_xmssmt_public_key_to_bytes(void)
|
||||
{
|
||||
uint32_t xmssmt_types[] = {
|
||||
XMSSMT_HASH256_20_2_256,
|
||||
XMSSMT_HASH256_20_4_256,
|
||||
XMSSMT_HASH256_40_2_256,
|
||||
XMSSMT_HASH256_40_4_256,
|
||||
XMSSMT_HASH256_40_8_256,
|
||||
XMSSMT_HASH256_60_3_256,
|
||||
XMSSMT_HASH256_60_6_256,
|
||||
XMSSMT_HASH256_60_12_256,
|
||||
XMSSMT_SM3_20_2_256,
|
||||
XMSSMT_SM3_20_4_256,
|
||||
XMSSMT_SM3_40_2_256,
|
||||
XMSSMT_SM3_40_4_256,
|
||||
XMSSMT_SM3_40_8_256,
|
||||
XMSSMT_SM3_60_3_256,
|
||||
XMSSMT_SM3_60_6_256,
|
||||
XMSSMT_SM3_60_12_256,
|
||||
};
|
||||
XMSSMT_KEY key;
|
||||
uint8_t buf[XMSSMT_PUBLIC_KEY_SIZE];
|
||||
@@ -816,7 +610,7 @@ static int test_xmssmt_public_key_to_bytes(void)
|
||||
|
||||
memset(&key, 0, sizeof(key));
|
||||
|
||||
key.public_key.xmssmt_type = XMSSMT_HASH256_20_2_256;
|
||||
key.public_key.xmssmt_type = XMSSMT_SM3_20_2_256;
|
||||
|
||||
|
||||
|
||||
@@ -845,7 +639,7 @@ static int test_xmssmt_public_key_to_bytes(void)
|
||||
|
||||
static int test_xmssmt_private_key_to_bytes(void)
|
||||
{
|
||||
uint32_t xmssmt_type = XMSSMT_HASH256_20_4_256;
|
||||
uint32_t xmssmt_type = XMSSMT_SM3_20_4_256;
|
||||
XMSSMT_KEY key;
|
||||
size_t buflen;
|
||||
uint8_t *buf = NULL;
|
||||
@@ -912,20 +706,20 @@ static uint64_t xmssmt_tree_index(uint64_t index, size_t height, size_t layers,
|
||||
// reference implementation of xmss^mt sign/verify
|
||||
static int test_xmssmt_sign(void)
|
||||
{
|
||||
static const uint8_t xmss_hash256_two[] = {
|
||||
static const uint8_t xmss_sm3_digest_two[] = {
|
||||
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
||||
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
||||
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
||||
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02,
|
||||
};
|
||||
static const uint8_t xmss_hash256_three[] = {
|
||||
static const uint8_t xmss_sm3_digest_three[] = {
|
||||
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
||||
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
||||
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
||||
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03,
|
||||
};
|
||||
|
||||
uint32_t xmssmt_type = XMSSMT_HASH256_20_4_256;
|
||||
uint32_t xmssmt_type = XMSSMT_SM3_20_4_256;
|
||||
size_t height = 0;
|
||||
size_t layers = 0;
|
||||
|
||||
@@ -936,9 +730,9 @@ static int test_xmssmt_sign(void)
|
||||
XMSSMT_KEY *key = &xmssmt_key;
|
||||
XMSSMT_SIGN_CTX xmssmt_ctx;
|
||||
XMSSMT_SIGN_CTX *ctx = &xmssmt_ctx;
|
||||
xmss_hash256_t dgst;
|
||||
xmss_sm3_digest_t dgst;
|
||||
|
||||
xmss_hash256_t hash256_index;
|
||||
xmss_sm3_digest_t sm3_digest_index;
|
||||
xmss_adrs_t adrs;
|
||||
|
||||
uint64_t tree_address;
|
||||
@@ -971,9 +765,9 @@ static int test_xmssmt_sign(void)
|
||||
|
||||
// XMSSMT_SIGNATURE:
|
||||
// uint64_t index
|
||||
// xmss_hash256_t random
|
||||
// xmss_sm3_digest_t random
|
||||
// wots_sig_t wots_sigs[layers];
|
||||
// xmss_hash256_t auth_path[height/layers]
|
||||
// xmss_sm3_digest_t auth_path[height/layers]
|
||||
|
||||
// copy index
|
||||
ctx->xmssmt_sig.index = key->index;
|
||||
@@ -986,19 +780,19 @@ static int test_xmssmt_sign(void)
|
||||
// build auth_path
|
||||
for (layer = 0; layer < layers; layer++) {
|
||||
uint32_t tree_index = xmssmt_tree_index(ctx->xmssmt_sig.index, height, layers, layer);
|
||||
xmss_hash256_t *tree = key->trees + xmss_num_tree_nodes(height/layers) * layer;
|
||||
xmss_hash256_t *auth_path = ctx->xmssmt_sig.auth_path + (height/layers) * layer;
|
||||
xmss_sm3_digest_t *tree = key->trees + xmss_num_tree_nodes(height/layers) * layer;
|
||||
xmss_sm3_digest_t *auth_path = ctx->xmssmt_sig.auth_path + (height/layers) * layer;
|
||||
xmss_build_auth_path(tree, height/layers, tree_index, auth_path);
|
||||
}
|
||||
|
||||
// derive ctx->xmssmt_sig.random
|
||||
memset(hash256_index, 0, 24);
|
||||
PUTU64(hash256_index + 24, ctx->xmssmt_sig.index);
|
||||
xmss_hash256_init(&ctx->hash256_ctx);
|
||||
xmss_hash256_update(&ctx->hash256_ctx, xmss_hash256_three, sizeof(xmss_hash256_t));
|
||||
xmss_hash256_update(&ctx->hash256_ctx, key->sk_prf, sizeof(xmss_hash256_t));
|
||||
xmss_hash256_update(&ctx->hash256_ctx, hash256_index, sizeof(xmss_hash256_t));
|
||||
xmss_hash256_finish(&ctx->hash256_ctx, ctx->xmssmt_sig.random);
|
||||
memset(sm3_digest_index, 0, 24);
|
||||
PUTU64(sm3_digest_index + 24, ctx->xmssmt_sig.index);
|
||||
sm3_init(&ctx->sm3_ctx);
|
||||
sm3_update(&ctx->sm3_ctx, xmss_sm3_digest_three, sizeof(xmss_sm3_digest_t));
|
||||
sm3_update(&ctx->sm3_ctx, key->sk_prf, sizeof(xmss_sm3_digest_t));
|
||||
sm3_update(&ctx->sm3_ctx, sm3_digest_index, sizeof(xmss_sm3_digest_t));
|
||||
sm3_finish(&ctx->sm3_ctx, ctx->xmssmt_sig.random);
|
||||
|
||||
// derive wots_sk and save to wots_sigs[0]
|
||||
layer = 0;
|
||||
@@ -1010,14 +804,14 @@ static int test_xmssmt_sign(void)
|
||||
xmss_adrs_set_ots_address(adrs, tree_index);
|
||||
xmss_wots_derive_sk(key->secret, key->public_key.seed, adrs, ctx->xmssmt_sig.wots_sigs[0]);
|
||||
|
||||
// H_msg(M) := HASH256(toByte(2, 32) || r || XMSS_ROOT || toByte(idx_sig, 32) || M)
|
||||
xmss_hash256_init(&ctx->hash256_ctx);
|
||||
xmss_hash256_update(&ctx->hash256_ctx, xmss_hash256_two, sizeof(xmss_hash256_t));
|
||||
xmss_hash256_update(&ctx->hash256_ctx, ctx->xmssmt_sig.random, sizeof(xmss_hash256_t));
|
||||
xmss_hash256_update(&ctx->hash256_ctx, key->public_key.root, sizeof(xmss_hash256_t));
|
||||
xmss_hash256_update(&ctx->hash256_ctx, hash256_index, sizeof(xmss_hash256_t));
|
||||
xmss_hash256_update(&ctx->hash256_ctx, msg, sizeof(msg));
|
||||
xmss_hash256_finish(&ctx->hash256_ctx, dgst);
|
||||
// H_msg(M) := SM3(toByte(2, 32) || r || XMSS_ROOT || toByte(idx_sig, 32) || M)
|
||||
sm3_init(&ctx->sm3_ctx);
|
||||
sm3_update(&ctx->sm3_ctx, xmss_sm3_digest_two, sizeof(xmss_sm3_digest_t));
|
||||
sm3_update(&ctx->sm3_ctx, ctx->xmssmt_sig.random, sizeof(xmss_sm3_digest_t));
|
||||
sm3_update(&ctx->sm3_ctx, key->public_key.root, sizeof(xmss_sm3_digest_t));
|
||||
sm3_update(&ctx->sm3_ctx, sm3_digest_index, sizeof(xmss_sm3_digest_t));
|
||||
sm3_update(&ctx->sm3_ctx, msg, sizeof(msg));
|
||||
sm3_finish(&ctx->sm3_ctx, dgst);
|
||||
|
||||
// generate message wots_sig as wots_sigs[0]
|
||||
layer = 0;
|
||||
@@ -1061,7 +855,7 @@ static int test_xmssmt_sign(void)
|
||||
}
|
||||
|
||||
// verify xmssmt_root (save in dgst)
|
||||
if (memcmp(dgst, ctx->xmssmt_public_key.root, sizeof(xmss_hash256_t)) != 0) {
|
||||
if (memcmp(dgst, ctx->xmssmt_public_key.root, sizeof(xmss_sm3_digest_t)) != 0) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
@@ -1073,7 +867,7 @@ static int test_xmssmt_sign(void)
|
||||
|
||||
static int test_xmssmt_sign_update(void)
|
||||
{
|
||||
uint32_t xmssmt_type = XMSSMT_HASH256_20_4_256;
|
||||
uint32_t xmssmt_type = XMSSMT_SM3_20_4_256;
|
||||
XMSSMT_KEY key;
|
||||
XMSSMT_SIGN_CTX ctx;
|
||||
XMSSMT_SIGNATURE sig;
|
||||
@@ -1160,13 +954,6 @@ static int test_xmssmt_sign_update(void)
|
||||
|
||||
int main(void)
|
||||
{
|
||||
#if defined(ENABLE_LMS_CROSSCHECK) && defined(ENABLE_SHA2)
|
||||
if (test_wots_derive_sk() != 1) goto err;
|
||||
if (test_wots_sk_to_pk() != 1) goto err;
|
||||
if (test_wots_sign() != 1) goto err;
|
||||
if (test_wots_derive_root() != 1) goto err;
|
||||
if (test_wots_verify() != 1) goto err;
|
||||
#endif
|
||||
if (test_xmss_adrs() != 1) goto err;
|
||||
if (test_xmss_build_tree() != 1) goto err;
|
||||
if (test_xmss_build_root() != 1) goto err;
|
||||
|
||||
@@ -22,9 +22,9 @@ static const char *usage = "-xmss_type type -out file [-pubout file] [-verbose]\
|
||||
static const char *options =
|
||||
"Options\n"
|
||||
" -xmss_type type XMSS Algorithm Type\n"
|
||||
" "XMSS_HASH256_10_256_NAME"\n"
|
||||
" "XMSS_HASH256_16_256_NAME"\n"
|
||||
" "XMSS_HASH256_20_256_NAME"\n"
|
||||
" "XMSS_SM3_10_256_NAME"\n"
|
||||
" "XMSS_SM3_16_256_NAME"\n"
|
||||
" "XMSS_SM3_20_256_NAME"\n"
|
||||
" -out file Output private key\n"
|
||||
" -pubout file Output public key\n"
|
||||
" -verbose Print public key\n"
|
||||
|
||||
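Review bot: The usage text now advertises only the SM3 parameter-set names, but whether `-xmss_type` still accepts, or clearly rejects, the former HASH256 names depends on the type-name parser, which is outside this hunk; if those names are gone, existing scripts and key files that used them fail with no hint in the help output. A single extra line in the option description, e.g. `" (the former HASH256 parameter sets are no longer offered)\n"`, would make the change visible to users, since the commit message "Clean code" does not mention it. The same point applies to the `-xmssmt_type` list in the xmssmtkeygen hunk that follows.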
@@ -22,14 +22,14 @@ static const char *usage = "-xmssmt_type type -out file [-pubout file] [-verbose
|
||||
static const char *options =
|
||||
"Options\n"
|
||||
" -xmssmt_type type XMSSMT Algorithm Type\n"
|
||||
" "XMSSMT_HASH256_20_2_256_NAME"\n"
|
||||
" "XMSSMT_HASH256_20_4_256_NAME"\n"
|
||||
" "XMSSMT_HASH256_40_2_256_NAME"\n"
|
||||
" "XMSSMT_HASH256_40_4_256_NAME"\n"
|
||||
" "XMSSMT_HASH256_40_8_256_NAME"\n"
|
||||
" "XMSSMT_HASH256_60_3_256_NAME"\n"
|
||||
" "XMSSMT_HASH256_60_6_256_NAME"\n"
|
||||
" "XMSSMT_HASH256_60_12_256_NAME"\n"
|
||||
" "XMSSMT_SM3_20_2_256_NAME"\n"
|
||||
" "XMSSMT_SM3_20_4_256_NAME"\n"
|
||||
" "XMSSMT_SM3_40_2_256_NAME"\n"
|
||||
" "XMSSMT_SM3_40_4_256_NAME"\n"
|
||||
" "XMSSMT_SM3_40_8_256_NAME"\n"
|
||||
" "XMSSMT_SM3_60_3_256_NAME"\n"
|
||||
" "XMSSMT_SM3_60_6_256_NAME"\n"
|
||||
" "XMSSMT_SM3_60_12_256_NAME"\n"
|
||||
" -out file Output private key\n"
|
||||
" -pubout file Output public key\n"
|
||||
" -verbose Print public key\n"
|
||||
|
||||