1 /* Copyright (c) 2023, Google LLC
2 *
3 * Permission to use, copy, modify, and/or distribute this software for any
4 * purpose with or without fee is hereby granted, provided that the above
5 * copyright notice and this permission notice appear in all copies.
6 *
7 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
13 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
14
15 #include <openssl/base.h>
16
17 #include <assert.h>
18 #include <stdio.h>
19 #include <string.h>
20
21 #include <openssl/sha.h>
22
23 #include "./params.h"
24 #include "./spx_util.h"
25 #include "./thash.h"
26
spx_thash(uint8_t * output,const uint8_t * input,size_t input_blocks,const uint8_t pk_seed[SPX_N],uint8_t addr[32])27 static void spx_thash(uint8_t *output, const uint8_t *input,
28 size_t input_blocks, const uint8_t pk_seed[SPX_N],
29 uint8_t addr[32]) {
30 uint8_t hash[32];
31 SHA256_CTX sha256;
32 SHA256_Init(&sha256);
33
34 // Process pubseed with padding to full block.
35 // TODO: This could be precomputed instead as it will be the same across all
36 // hash calls.
37 uint8_t padded_pk_seed[64] = {0};
38 memcpy(padded_pk_seed, pk_seed, SPX_N);
39
40 SHA256_Update(&sha256, padded_pk_seed, sizeof(padded_pk_seed));
41 SHA256_Update(&sha256, addr, SPX_SHA256_ADDR_BYTES);
42 SHA256_Update(&sha256, input, input_blocks * SPX_N);
43
44 SHA256_Final(hash, &sha256);
45 memcpy(output, hash, SPX_N);
46 }
47
spx_thash_f(uint8_t * output,const uint8_t input[SPX_N],const uint8_t pk_seed[SPX_N],uint8_t addr[32])48 void spx_thash_f(uint8_t *output, const uint8_t input[SPX_N],
49 const uint8_t pk_seed[SPX_N], uint8_t addr[32]) {
50 spx_thash(output, input, 1, pk_seed, addr);
51 }
52
spx_thash_h(uint8_t * output,const uint8_t input[2* SPX_N],const uint8_t pk_seed[SPX_N],uint8_t addr[32])53 void spx_thash_h(uint8_t *output, const uint8_t input[2 * SPX_N],
54 const uint8_t pk_seed[SPX_N], uint8_t addr[32]) {
55 spx_thash(output, input, 2, pk_seed, addr);
56 }
57
spx_thash_hmsg(uint8_t * output,const uint8_t r[SPX_N],const uint8_t pk_seed[SPX_N],const uint8_t pk_root[SPX_N],const uint8_t * msg,size_t msg_len)58 void spx_thash_hmsg(uint8_t *output, const uint8_t r[SPX_N],
59 const uint8_t pk_seed[SPX_N], const uint8_t pk_root[SPX_N],
60 const uint8_t *msg, size_t msg_len) {
61 // MGF1-SHA-256(R || PK.seed || SHA-256(R || PK.seed || PK.root || M), m)
62 // input_buffer stores R || PK_SEED || SHA256(..) || 4-byte index
63 uint8_t input_buffer[2 * SPX_N + 32 + 4] = {0};
64 memcpy(input_buffer, r, SPX_N);
65 memcpy(input_buffer + SPX_N, pk_seed, SPX_N);
66
67 // Inner hash
68 SHA256_CTX ctx;
69 SHA256_Init(&ctx);
70 SHA256_Update(&ctx, r, SPX_N);
71 SHA256_Update(&ctx, pk_seed, SPX_N);
72 SHA256_Update(&ctx, pk_root, SPX_N);
73 SHA256_Update(&ctx, msg, msg_len);
74 // Write directly into the input buffer
75 SHA256_Final(input_buffer + 2 * SPX_N, &ctx);
76
77 // MGF1-SHA-256
78 uint8_t output_buffer[3 * 32];
79 // Need to call SHA256 3 times for message digest.
80 static_assert(SPX_DIGEST_SIZE <= sizeof(output_buffer),
81 "not enough room for hashes");
82 SHA256(input_buffer, sizeof(input_buffer), output_buffer);
83 input_buffer[2 * SPX_N + 32 + 3] = 1;
84 SHA256(input_buffer, sizeof(input_buffer), output_buffer + 32);
85 input_buffer[2 * SPX_N + 32 + 3] = 2;
86 SHA256(input_buffer, sizeof(input_buffer), output_buffer + 64);
87
88 memcpy(output, output_buffer, SPX_DIGEST_SIZE);
89 }
90
spx_thash_prf(uint8_t * output,const uint8_t pk_seed[SPX_N],const uint8_t sk_seed[SPX_N],uint8_t addr[32])91 void spx_thash_prf(uint8_t *output, const uint8_t pk_seed[SPX_N],
92 const uint8_t sk_seed[SPX_N], uint8_t addr[32]) {
93 spx_thash(output, sk_seed, 1, pk_seed, addr);
94 }
95
spx_thash_prfmsg(uint8_t * output,const uint8_t sk_prf[SPX_N],const uint8_t opt_rand[SPX_N],const uint8_t * msg,size_t msg_len)96 void spx_thash_prfmsg(uint8_t *output, const uint8_t sk_prf[SPX_N],
97 const uint8_t opt_rand[SPX_N], const uint8_t *msg,
98 size_t msg_len) {
99 // Compute HMAC-SHA256(sk_prf, opt_rand || msg). We inline HMAC to avoid an
100 // allocation.
101 uint8_t hmac_key[SHA256_CBLOCK] = {0};
102 static_assert(SPX_N <= SHA256_CBLOCK, "HMAC key is larger than block size");
103 memcpy(hmac_key, sk_prf, SPX_N);
104 for (size_t i = 0; i < sizeof(hmac_key); i++) {
105 hmac_key[i] ^= 0x36;
106 }
107
108 uint8_t hash[SHA256_DIGEST_LENGTH];
109 SHA256_CTX ctx;
110 SHA256_Init(&ctx);
111 SHA256_Update(&ctx, hmac_key, sizeof(hmac_key));
112 SHA256_Update(&ctx, opt_rand, SPX_N);
113 SHA256_Update(&ctx, msg, msg_len);
114 SHA256_Final(hash, &ctx);
115
116 for (size_t i = 0; i < sizeof(hmac_key); i++) {
117 hmac_key[i] ^= 0x36 ^ 0x5c;
118 }
119 SHA256_Init(&ctx);
120 SHA256_Update(&ctx, hmac_key, sizeof(hmac_key));
121 SHA256_Update(&ctx, hash, sizeof(hash));
122 SHA256_Final(hash, &ctx);
123
124 // Truncate to SPX_N bytes
125 memcpy(output, hash, SPX_N);
126 }
127
spx_thash_tl(uint8_t * output,const uint8_t input[SPX_WOTS_BYTES],const uint8_t pk_seed[SPX_N],uint8_t addr[32])128 void spx_thash_tl(uint8_t *output, const uint8_t input[SPX_WOTS_BYTES],
129 const uint8_t pk_seed[SPX_N], uint8_t addr[32]) {
130 spx_thash(output, input, SPX_WOTS_LEN, pk_seed, addr);
131 }
132
spx_thash_tk(uint8_t * output,const uint8_t input[SPX_FORS_TREES * SPX_N],const uint8_t pk_seed[SPX_N],uint8_t addr[32])133 void spx_thash_tk(uint8_t *output, const uint8_t input[SPX_FORS_TREES * SPX_N],
134 const uint8_t pk_seed[SPX_N], uint8_t addr[32]) {
135 spx_thash(output, input, SPX_FORS_TREES, pk_seed, addr);
136 }
137