sfluhrer
diff --git a/‎Makefile
Lines changed: 13 additions & 0 deletions b/‎Makefile
Lines changed: 13 additions & 0 deletions
diff --git a/‎README
Lines changed: 4 additions & 0 deletions b/‎README
Lines changed: 4 additions & 0 deletions
diff --git a/‎adr.c
Lines changed: 79 additions & 0 deletions b/‎adr.c
Lines changed: 79 additions & 0 deletions
diff --git a/‎adr.h
Lines changed: 29 additions & 0 deletions b/‎adr.h
Lines changed: 29 additions & 0 deletions
diff --git a/‎build_merkle.c
Lines changed: 175 additions & 0 deletions b/‎build_merkle.c
Lines changed: 175 additions & 0 deletions
diff --git a/‎build_merkle.h
Lines changed: 50 additions & 0 deletions b/‎build_merkle.h
Lines changed: 50 additions & 0 deletions
diff --git a/‎endian.c
Lines changed: 24 additions & 0 deletions b/‎endian.c
Lines changed: 24 additions & 0 deletions
diff --git a/‎endian.h
Lines changed: 10 additions & 0 deletions b/‎endian.h
Lines changed: 10 additions & 0 deletions
@@ -0,0 +1,13 @@
+AR = /usr/bin/ar
+CC = /usr/bin/gcc
+CFLAGS = -Wall -O3
+
+test: test.c adr.c endian.c keygen.c private_key_gen.c    \
+      build_merkle.c sphincs_hash.c hmac.c hmac_drbg.c lms_compute.c \
+      lm_ots_common.c lm_ots_sign.c load.c param.c sha256.c \
+      sign.c step.c verify.c wots.c zeroize.c tune.h
+	$(CC) $(CFLAGS) -o test test.c adr.c endian.c keygen.c \
+		private_key_gen.c build_merkle.c sphincs_hash.c hmac.c \
+                hmac_drbg.c lms_compute.c lm_ots_common.c \
+                lm_ots_sign.c load.c param.c sha256.c sign.c \
+                step.c verify.c wots.c zeroize.c -lcrypto
@@ -0,0 +1,4 @@
+This is a hybrid hash based signature scheme, based on Sphincs+.
+
+Its goals are to preserve the security of Sphincs+, while drastically speeding
+up how fast we can generate signatures
@@ -0,0 +1,79 @@
+#include "adr.h"
+#include "endian.h"
+#include <string.h>
+
+/*
+ * Here's the layout of the compressed ADRS structure
+ * (The Sphincs+ specification doesn't give it explicitly)
+ */
+#define LAYER_ADDRESS   0   /* 1 byte */
+#define TREE_ADDRESS    1   /* 8 bytes */
+#define TYPE            9   /* 1 byte */
+#define KEY_PAIR       10   /* 4 bytes */
+#define CHAIN_ADDRESS  14   /* 4 bytes */
+#define HASH_ADDRESS   18   /* 4 bytes */
+#define TREE_HEIGHT    14   /* 4 bytes */
+#define TREE_INDEX     18   /* 4 bytes */
+
+/* This sets which layer of Merkle trees within the hypertree we are */
+/* working on; 0 is the bottom most */
+void set_layer_address( adr_t adr, unsigned layer_address ) {
+    adr[LAYER_ADDRESS] = layer_address;
+}
+
+/* This sets which tree within a layer we are working on */
+/* 0 is the leftmost */
+void set_tree_address( adr_t adr, uint_fast64_t tree_address ) {
+    put_bigendian( adr+TREE_ADDRESS, tree_address, 8 );
+}
+
+/* This sets the type of hash we're doing */
+/* See enum adr_type for the various possible types */
+/* This also implicitly clears out the remaining values (the ones other */
+/* than layer address and tree address) */
+void set_type( adr_t adr, enum adr_type type ) {
+    adr[TYPE] = type;
+    memset( &adr[TYPE+1], 0, LEN_ADR-(TYPE+1) );
+}
+
+/* This sets which WOTS leaf within the tree we're working on */
+/* 0 is the leftmost */
+/* This assumes that we've already called set_type */
+void set_key_pair_address( adr_t adr, unsigned key_pair_address ) {
+    adr[KEY_PAIR+3] = key_pair_address;
+}
+
+/* This sets which WOTS digit we're working on */
+/* 0 is the leftmost */
+/* This assumes that we've already called set_type */
+void set_chain_address( adr_t adr, unsigned chain_address ) {
+    adr[CHAIN_ADDRESS+3] = chain_address; /* We never have 256 digits in */
+                                          /* a WOTS */
+}
+
+/* This sets where in the WOTS chain we're working on */
+/* 0 is the lowest */
+/* This assumes that we've already called set_type */
+void set_hash_address( adr_t adr, unsigned hash_address ) {
+    adr[HASH_ADDRESS+1] = adr[HASH_ADDRESS+2] = 0; /* We might have called */
+                                                  /* set_tree_index earler */
+    adr[HASH_ADDRESS+3] = hash_address; /* We never have W > 8 */
+}
+
+/* This sets the height of the Merkle node within the tree */
+/* 0 is the leaf, 1 is the lowest binary node in the tree */
+/* This assumes that we've already called set_type */
+void set_tree_height( adr_t adr, unsigned tree_height ) {
+    adr[TREE_HEIGHT+3] = tree_height; /* We never have more than 8 levels */
+                                      /* within a tree */
+}
+
+/* This sets the index of the FORS node or the Merkle node within the tree */
+/* For FORS, the higher order bits indicate the FORS tree # */
+/* 0 is the leftmost */
+/* This assumes that we've already called set_type */
+void set_tree_index( adr_t adr, uint_fast32_t tree_index ) {
+    adr[TREE_INDEX+1] = tree_index >> 16;
+    adr[TREE_INDEX+2] = tree_index >> 8;
+    adr[TREE_INDEX+3] = tree_index;
+}
@@ -0,0 +1,29 @@
+#if !defined(ADR_H_)
+#define ADR_H_
+#include <stdint.h>
+
+typedef unsigned char *adr_t;
+#define LEN_ADR 22            /* The lenght of a compressed ADR structure */
+
+#define ADR_CONST_FOR_TREE 9  /* The first 9 bytes of the ADR are constant */
+                              /* for all ADRs for a specific Merkle tree */
+
+/* The various type of hashes that Sphincs+ computes */
+enum adr_type {
+   WOTS_HASH_ADDRESS = 0,
+   WOTS_KEY_COMPRESSION = 1,
+   HASH_TREE_ADDRESS = 2,
+   FORS_TREE_ADDRESS = 3,
+   FORS_TREE_ROOT_COMPRESS = 4
+};
+
+void set_layer_address( adr_t adr, unsigned layer_address );
+void set_tree_address( adr_t adr, uint_fast64_t tree_address );
+void set_type( adr_t adr, enum adr_type type );
+void set_key_pair_address( adr_t adr, unsigned key_pair_address );
+void set_chain_address( adr_t adr, unsigned chain_address );
+void set_hash_address( adr_t adr, unsigned hash_address );
+void set_tree_height( adr_t adr, unsigned tree_height );
+void set_tree_index( adr_t adr, uint_fast32_t tree_index );
+
+#endif /* ADR_H_ */
@@ -0,0 +1,175 @@
+#include "build_merkle.h"
+#include "sphincs_hash.h"
+#include "adr.h"
+#include "private_key_gen.h"
+#include "zeroize.h"
+
+/*
+ * This is the object that incrementally builds a Merkle tree, and produces
+ * the authentication path to the specified node (target_node) and the
+ * root value
+ * This does it incrementally, because we want to be able to spread the work
+ * over a number of signature generation requests
+ * This is split out of the full step procedure because the public key
+ * generation process also uses this (and also to limit the size of the
+ * step function, which is already too huge)
+ *
+ * The point of this object is to place the results into auth_path and root
+ * If auth_path is non-NULL, then the authentication path for target_node
+ *   is placed there
+ * If root is non-NULL, then the root node value is placed there
+ */
+
+bool init_build_merkle( struct build_merkle_state *state,
+        const void *sk_seed, const void *pk_seed,
+        hash_t hash, int tree_height,
+        unsigned layer, uint_fast64_t tree,
+        int target_node, unsigned char *auth_path,
+        unsigned char *root) {
+    state->sk_seed = sk_seed;
+    state->pk_seed = pk_seed;
+    SHA256_set_first_block(&state->pk_seed_pre, pk_seed, hash_len(hash));
+    state->hash = hash;
+    state->n = hash_len(hash);
+    switch (hash_len( hash )) {
+    case 16: state->wots_digits = 32 + 3; break;
+    case 24: state->wots_digits = 48 + 3; break;
+    case 32: state->wots_digits = 64 + 3; break;
+    default: return false;
+    }
+    state->tree_height = tree_height;
+    state->target_node = target_node;
+    set_layer_address( state->adr, layer );
+    set_tree_address( state->adr, tree );
+    /* The rest of adr will be initialized later */
+    state->auth_path = auth_path;
+    state->root = root;
+    state->current_node = 0;
+
+    return true;
+}
+
+/* 
+ * This performs the next step in producing the authentication path and/or
+ * the root 
+ * This returns TRUE if we're done
+ * If ret_hc is non-NULL, we place the number of hash compression operations
+ * we've done there
+ */
+bool step_build_merkle(struct build_merkle_state *state,
+                       int *ret_hc) {
+
+    int hc_done_so_far = 0; /* Count of the number of hash */
+                            /* computations we've done */
+
+#if SPEED_SETTING
+#define MERKLE_CHAINS_PER_ITER 1   /* generating 1 OTS public key takes */
+                               /* about as long as the LMS step with W=2 */
+#else
+#define MERKLE_CHAINS_PER_ITER 2   /* generating 2 OTS public keys takes */
+                               /* about as long as the LMS step with W=4 */
+#endif
+    int m;
+    struct private_key_generator gen;
+    bool all_done_flag = false;
+
+    for (m=0; m<MERKLE_CHAINS_PER_ITER; m++) {
+        int current_node = state->current_node;
+        if (current_node >= (1 << state->tree_height)) {
+            /* We're done */
+            all_done_flag = true;
+            break;
+        }
+
+        /* Fire up the engine that'll produce private WOTS keys */
+        init_private_key_gen( &gen, state->sk_seed, state->n, state->adr,
+                              ADR_CONST_FOR_TREE );
+        hc_done_so_far += 1; /* This does about 1 hash compression operation */
+    
+        /* Build a WOTS public key */
+        int i;
+        set_type( state->adr, WOTS_HASH_ADDRESS );
+        set_key_pair_address( state->adr, current_node );
+        int n = state->n;
+    
+        uint32_t wots_buffer[MAX_HASH_LEN/4 * MAX_WOTS_DIGITS]; /* We store */
+                                 /* the tops of the WOTS+ chains here */
+        for (i = 0; i < 51; i++) {
+            set_chain_address( state->adr, i );
+    
+            /* Create the private WOTS+ key */
+            set_hash_address( state->adr, 0 );
+            void *digit = &wots_buffer[ (n/4)*i ];
+            do_private_key_gen( digit, n, &gen, &state->adr[LEN_ADR-16] );
+    
+            /* Now, advance it to the top of the WOTS+ chain */
+            int j;
+            for (j=0; j<15; j++) {
+                set_hash_address( state->adr, j );
+                do_F(digit, state->hash, &state->pk_seed_pre, state->adr,
+                                                                     digit);
+            }
+        }
+            /* The number of hash compression operations we've done in the */
+            /* above loop */
+        hc_done_so_far += 51 * (1 + 15);
+    
+        /* We've computing all the public WOTS digits */
+        /* Now, compress the hashes into a single value */
+        set_type( state->adr, WOTS_KEY_COMPRESSION );
+        set_key_pair_address( state->adr, current_node );
+        unsigned char buffer[ MAX_HASH_LEN ];
+    
+        do_thash( buffer, state->hash, &state->pk_seed_pre, state->adr,
+                  wots_buffer, n * state->wots_digits );\
+            /* The approximate number of hashes in the above t-hash */
+        hc_done_so_far += (n * state->wots_digits) / 16 + 1 +
+                          (n * state->wots_digits) / 32;
+    
+        /* We've put the full WOTS public key */
+        /* Now, walk up the Merkle tree to combine it with previous computed */
+        /* WOTS public keys */
+        int h;
+        for (h = 0;; h++) {
+            if (state->auth_path) {
+                /* If this node is on the authentication path (that is, */
+                /* adjacent to the path from the root to the target node), */
+                /* write it out */
+                if ((state->target_node^current_node) >> h == 1) {
+                    memcpy( state->auth_path + h*n, buffer, n );
+                }
+            }
+            /* Check which child we are to the node immediately above us */
+            if (current_node & (1<<h)) {
+                /* We're the right child at this node */
+                /* Combine it with the corresponding left child */
+                set_type(state->adr, HASH_TREE_ADDRESS);
+                set_tree_height(state->adr, h+1 );
+                set_tree_index(state->adr, current_node >> (h+1));
+                do_H(buffer, state->hash, &state->pk_seed_pre, state->adr,
+                     state->stack + h*n, buffer );
+                hc_done_so_far += 2;  /* a do_H does 2 hash compressios */
+            } else {
+                if (h == state->tree_height) {
+                    /* Actually, there is no node above us; we're at the top */
+                    /* of the tree (aka the root) */
+                    if (state->root) memcpy( state->root, buffer, n );
+                    all_done_flag = true;  /* We built the entire tree */
+                } else {
+                    /* We're the left child at this node */
+                    /* Store it for when we have computed the right child */
+                    memcpy( state->stack + h*n, buffer, n );
+                }
+                break;
+            }
+        }
+
+        /* On the next iteration, start working on the next WOTS leaf */
+        state->current_node += 1;
+    }
+
+    zeroize( &gen, sizeof gen );  /* There's private data here */
+
+    if (ret_hc) *ret_hc = hc_done_so_far;
+    return all_done_flag;
+}
@@ -0,0 +1,50 @@
+#if !defined( BUILD_MERKLE_H_ )
+#define BUILD_MERKLE_H_
+
+#include <stdbool.h>
+#include <stdint.h>
+#include "sphincs_hash.h"
+#include "adr.h"
+#include "sha256.h"
+
+#define MAX_WOTS_DIGITS 51   /* Need to move this somewhere else */
+#define MAX_XMSS_HEIGHT 8    /* The maximum height of a single XMSS tree */
+
+struct build_merkle_state {
+    const void *sk_seed, *pk_seed;
+    SHA256_FIRSTBLOCK pk_seed_pre;
+
+    hash_t hash; int n;
+    int wots_digits;         /* Number of digits we compute for each leaf */
+    int tree_height;         /* The height of the XMSS tree */
+    int target_node;         /* If we're generating an authentication path */
+                             /* then this is node the auth path is for */
+    unsigned char adr[LEN_ADR];
+    unsigned char *auth_path; /* Where to place the authentication path */
+    unsigned char *root;     /* Where to place the computed root */
+    int current_node;        /* Which XMSS leaf we're working on */
+    unsigned char stack[MAX_HASH_LEN * MAX_XMSS_HEIGHT]; /* Stack used to */
+                             /* compute the internal XMSS tree nodes */
+};
+
+/*
+ * Initialize the computation of the Merkle tree, including where to
+ * return the authentication path and the computed root
+ */
+bool init_build_merkle( struct build_merkle_state *state,
+        const void *sk_seed, const void *pk_seed,
+        hash_t hash, int tree_height,
+        unsigned layer, uint_fast64_t tree,
+        int target_node, unsigned char *auth_path,
+        unsigned char *root);
+
+/*
+ * Perform the next step in the computation of the Merkle tree.  Returns
+ * true when we have completed the computation.
+ * If ret_hc is non-NULL, the number of hash computations performed is
+ * written there
+ */
+bool step_build_merkle(struct build_merkle_state *state,
+        int *ret_hc);
+
+#endif /* BUILD_MERKLE_H_ */
@@ -0,0 +1,24 @@
+#include <stdint.h>
+#include "endian.h"
+
+void put_bigendian( void *target, uint_fast64_t value, size_t bytes ) {
+    unsigned char *b = target;
+    int i;
+
+    for (i = bytes-1; i >= 0; i--) {
+        b[i] = value & 0xff;
+        value >>= 8;
+    }
+}
+    
+uint_fast64_t get_bigendian( const void *target, size_t bytes ) {
+    const unsigned char *b = target;
+    uint_fast64_t result = 0;
+    int i;
+
+    for (i=0; i<bytes; i++) {
+        result = 256 * result + (b[i] & 0xff);
+    }
+
+    return result;
+}
@@ -0,0 +1,10 @@
+#if !defined( ENDIAN_H_ )
+#define ENDIAN_H_
+
+#include <stddef.h>
+#include <stdint.h>
+
+void put_bigendian( void *target, uint_fast64_t value, size_t bytes );
+uint_fast64_t get_bigendian( const void *target, size_t bytes );
+
+#endif /* ENDIAN_H_ */