1 #include <stdint.h> 2 #include <stdlib.h> 3 #include <string.h> 4 5 #include "address.h" 6 #include "fors.h" 7 #include "hash.h" 8 #include "hashx4.h" 9 #include "thash.h" 10 #include "thashx4.h" 11 #include "utils.h" 12 #include "utilsx4.h" 13 14 static void fors_gen_skx4(unsigned char *sk0, 15 unsigned char *sk1, 16 unsigned char *sk2, 17 unsigned char *sk3, const unsigned char *sk_seed, 18 uint32_t fors_leaf_addrx4[4 * 8], 19 const hash_state *state_seeded) { 20 PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_prf_addrx4(sk0, sk1, sk2, sk3, sk_seed, fors_leaf_addrx4, state_seeded); 21 } 22 23 static void fors_sk_to_leaf(unsigned char *leaf, const unsigned char *sk, 24 const unsigned char *pub_seed, 25 uint32_t fors_leaf_addr[8], const hash_state *state_seeded) { 26 PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_thash_1(leaf, sk, pub_seed, fors_leaf_addr, state_seeded); 27 } 28 29 static void fors_sk_to_leafx4(unsigned char *leaf0, any(Sequence const & seq,F f)30 unsigned char *leaf1, 31 unsigned char *leaf2, 32 unsigned char *leaf3, 33 const unsigned char *sk0, 34 const unsigned char *sk1, 35 const unsigned char *sk2, 36 const unsigned char *sk3, 37 const unsigned char *pub_seed, 38 uint32_t fors_leaf_addrx4[4 * 8], 39 const hash_state *state_seeded) { 40 PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_thashx4_1(leaf0, leaf1, leaf2, leaf3, 41 sk0, sk1, sk2, sk3, pub_seed, fors_leaf_addrx4, state_seeded); 42 } 43 44 static void fors_gen_leafx4(unsigned char *leaf0, 45 unsigned char *leaf1, 46 unsigned char *leaf2, 47 unsigned char *leaf3, 48 const unsigned char *sk_seed, 49 const unsigned char *pub_seed, 50 uint32_t addr_idx0, 51 uint32_t addr_idx1, 52 uint32_t addr_idx2, 53 uint32_t addr_idx3, 54 const uint32_t fors_tree_addr[8], 55 const hash_state *state_seeded) { 56 uint32_t fors_leaf_addrx4[4 * 8] = {0}; 57 unsigned int j; 58 59 /* Only copy the parts that must be kept in fors_leaf_addrx4. */ 60 for (j = 0; j < 4; j++) { 61 PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_copy_keypair_addr(fors_leaf_addrx4 + j * 8, fors_tree_addr); 62 PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_set_type(fors_leaf_addrx4 + j * 8, PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_ADDR_TYPE_FORSTREE); 63 } 64 65 PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_set_tree_index(fors_leaf_addrx4 + 0 * 8, addr_idx0); 66 PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_set_tree_index(fors_leaf_addrx4 + 1 * 8, addr_idx1); 67 PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_set_tree_index(fors_leaf_addrx4 + 2 * 8, addr_idx2); 68 PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_set_tree_index(fors_leaf_addrx4 + 3 * 8, addr_idx3); 69 70 fors_gen_skx4(leaf0, leaf1, leaf2, leaf3, sk_seed, fors_leaf_addrx4, state_seeded); 71 fors_sk_to_leafx4(leaf0, leaf1, leaf2, leaf3, 72 leaf0, leaf1, leaf2, leaf3, pub_seed, fors_leaf_addrx4, state_seeded); 73 } 74 75 /** 76 * Interprets m as PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_FORS_HEIGHT-bit unsigned integers. 77 * Assumes m contains at least PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_FORS_TREES bits. 78 * Assumes indices has space for PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_FORS_TREES integers. 79 */ 80 static void message_to_indices(uint32_t *indices, const unsigned char *m) { 81 unsigned int i, j; 82 unsigned int offset = 0; 83 84 for (i = 0; i < PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_FORS_TREES; i++) { 85 indices[i] = 0; 86 for (j = 0; j < PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_FORS_HEIGHT; j++) { 87 indices[i] ^= (((uint32_t)m[offset >> 3] >> (offset & 0x7)) & 0x1) << j; 88 offset++; 89 } 90 } 91 } 92 93 /** 94 * Signs a message m, deriving the secret key from sk_seed and the FTS address. 95 * Assumes m contains at least PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_FORS_TREES bits. 96 */ 97 void PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_fors_sign(unsigned char *sig, unsigned char *pk, 98 const unsigned char *m, 99 const unsigned char *sk_seed, const unsigned char *pub_seed, 100 const uint32_t fors_addr[8], const hash_state *state_seeded) { 101 /* Round up to multiple of 4 to prevent out-of-bounds for x4 parallelism */ 102 uint32_t indices[(PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_FORS_TREES + 3) & ~3] = {0}; 103 unsigned char roots[((PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_FORS_TREES + 3) & ~3) * PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N]; 104 /* Sign to a buffer, since we may not have a nice multiple of 4 and would 105 otherwise overrun the signature. */ 106 unsigned char sigbufx4[4 * PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N * (1 + PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_FORS_HEIGHT)]; 107 uint32_t fors_tree_addrx4[4 * 8] = {0}; 108 uint32_t fors_pk_addr[8] = {0}; 109 uint32_t idx_offset[4] = {0}; 110 unsigned int i, j; 111 112 for (j = 0; j < 4; j++) { 113 PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_copy_keypair_addr(fors_tree_addrx4 + j * 8, fors_addr); 114 PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_set_type(fors_tree_addrx4 + j * 8, PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_ADDR_TYPE_FORSTREE); 115 } 116 117 PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_copy_keypair_addr(fors_pk_addr, fors_addr); 118 PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_set_type(fors_pk_addr, PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_ADDR_TYPE_FORSPK); 119 120 message_to_indices(indices, m); 121 122 for (i = 0; i < ((PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_FORS_TREES + 3) & ~0x3); i += 4) { 123 for (j = 0; j < 4; j++) { 124 if (i + j < PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_FORS_TREES) { 125 idx_offset[j] = (i + j) * (1 << PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_FORS_HEIGHT); 126 127 PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_set_tree_height(fors_tree_addrx4 + j * 8, 0); 128 PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_set_tree_index(fors_tree_addrx4 + j * 8, 129 indices[i + j] + idx_offset[j]); 130 } 131 } 132 133 /* Include the secret key part that produces the selected leaf nodes. */ 134 fors_gen_skx4(sigbufx4 + 0 * PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N, 135 sigbufx4 + 1 * PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N, 136 sigbufx4 + 2 * PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N, 137 sigbufx4 + 3 * PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N, 138 sk_seed, fors_tree_addrx4, state_seeded); 139 140 PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_treehashx4_FORS_HEIGHT(roots + i * PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N, sigbufx4 + 4 * PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N, sk_seed, pub_seed, 141 &indices[i], idx_offset, fors_gen_leafx4, fors_tree_addrx4, 142 state_seeded); 143 144 for (j = 0; j < 4; j++) { 145 if (i + j < PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_FORS_TREES) { 146 memcpy(sig, sigbufx4 + j * PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N, PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N); 147 memcpy(sig + PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N, 148 sigbufx4 + 4 * PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N + j * PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N * PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_FORS_HEIGHT, 149 PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N * PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_FORS_HEIGHT); 150 sig += PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N * (1 + PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_FORS_HEIGHT); 151 } 152 } 153 } 154 155 /* Hash horizontally across all tree roots to derive the public key. */ 156 PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_thash_FORS_TREES(pk, roots, pub_seed, fors_pk_addr, state_seeded); 157 } 158 159 /** 160 * Derives the FORS public key from a signature. 161 * This can be used for verification by comparing to a known public key, or to 162 * subsequently verify a signature on the derived public key. The latter is the 163 * typical use-case when used as an FTS below an OTS in a hypertree. 164 * Assumes m contains at least PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_FORS_TREES bits. 165 */ 166 void PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_fors_pk_from_sig(unsigned char *pk, 167 const unsigned char *sig, const unsigned char *m, 168 const unsigned char *pub_seed, 169 const uint32_t fors_addr[8], 170 const hash_state *state_seeded) { 171 uint32_t indices[PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_FORS_TREES]; 172 unsigned char roots[PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_FORS_TREES * PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N]; 173 unsigned char leaf[PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N]; 174 uint32_t fors_tree_addr[8] = {0}; 175 uint32_t fors_pk_addr[8] = {0}; 176 uint32_t idx_offset; 177 unsigned int i; 178 179 PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_copy_keypair_addr(fors_tree_addr, fors_addr); 180 PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_copy_keypair_addr(fors_pk_addr, fors_addr); 181 182 PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_set_type(fors_tree_addr, PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_ADDR_TYPE_FORSTREE); 183 PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_set_type(fors_pk_addr, PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_ADDR_TYPE_FORSPK); 184 185 message_to_indices(indices, m); 186 187 for (i = 0; i < PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_FORS_TREES; i++) { 188 idx_offset = i * (1 << PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_FORS_HEIGHT); 189 190 PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_set_tree_height(fors_tree_addr, 0); 191 PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_set_tree_index(fors_tree_addr, indices[i] + idx_offset); 192 193 /* Derive the leaf from the included secret key part. */ 194 fors_sk_to_leaf(leaf, sig, pub_seed, fors_tree_addr, state_seeded); 195 sig += PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N; 196 197 /* Derive the corresponding root node of this tree. */ 198 PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_compute_root(roots + i * PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N, leaf, indices[i], idx_offset, 199 sig, PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_FORS_HEIGHT, pub_seed, fors_tree_addr, 200 state_seeded); 201 sig += PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N * PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_FORS_HEIGHT; 202 } 203 204 /* Hash horizontally across all tree roots to derive the public key. */ 205 PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_thash_FORS_TREES(pk, roots, pub_seed, fors_pk_addr, state_seeded); 206 } 207