-
Notifications
You must be signed in to change notification settings - Fork 5
/
faest_param.c.in
107 lines (85 loc) · 3.29 KB
/
faest_param.c.in
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
/*
* SPDX-License-Identifier: MIT
*/
#ifdef HAVE_CONFIG_H
#include <config.h>
#endif
#include "faest_@[email protected]"
#include "compat.h"
#include "randomness.h"
#include "owf.h"
#include "instances.h"
#include "faest.h"
#include "parameters.h"
#include <stdlib.h>
#include <string.h>
// memory layout of the public key: OWF input || OWF output
#define PK_INPUT(pk) (pk)
#define PK_OUTPUT(pk) (&pk[@PK_SIZE@ / 2])
// memory layout of the secret key: OWF input || OWF key
#define SK_INPUT(sk) (sk)
#define SK_KEY(sk) (&sk[@PK_SIZE@ / 2])
int FAEST_CALLING_CONVENTION faest_@PARAM_L@_keygen(uint8_t* pk, uint8_t* sk) {
if (!pk || !sk) {
return -1;
}
bool done = false;
while (!done) {
rand_bytes(sk, @SK_SIZE@);
// declassify OWF input
faest_declassify(SK_INPUT(sk), @PK_SIZE@ / 2);
done = faest_@PARAM_L@_owf(SK_KEY(sk), SK_INPUT(sk), PK_OUTPUT(pk));
faest_declassify(&done, sizeof(done));
}
memcpy(PK_INPUT(pk), SK_INPUT(sk), @PK_SIZE@ / 2);
// declassify public key
faest_declassify(pk, @PK_SIZE@);
return 0;
}
int FAEST_CALLING_CONVENTION faest_@PARAM_L@_validate_keypair(const uint8_t* pk, const uint8_t* sk) {
if (!sk || !pk) {
return -1;
}
uint8_t pk_check[@PK_SIZE@];
if (!faest_@PARAM_L@_owf(SK_KEY(sk), SK_INPUT(sk), PK_OUTPUT(pk_check))) {
// zero bytes in SubBytes input
return 1;
}
memcpy(PK_INPUT(pk_check), SK_INPUT(sk), @PK_SIZE@ / 2);
return faest_timingsafe_bcmp(pk_check, pk, sizeof(pk_check)) == 0 ? 0 : 2;
}
int FAEST_CALLING_CONVENTION faest_@PARAM_L@_sign_with_randomness(const uint8_t* sk, const uint8_t* message, size_t message_len, const uint8_t* rho, size_t rho_len, uint8_t* signature, size_t* signature_len) {
if (!sk || !signature || !signature_len || *signature_len < FAEST_@PARAM@_SIGNATURE_SIZE || (!rho && rho_len)) {
return -1;
}
uint8_t owf_output[@PK_SIZE@ / 2];
if (!faest_@PARAM_L@_owf(SK_KEY(sk), SK_INPUT(sk), owf_output)) {
// invalid key
return -1;
}
// declassify OWF output
faest_declassify(owf_output, sizeof(owf_output));
const faest_paramset_t params = faest_get_paramset(FAEST_@PARAM@);
faest_sign(signature, message, message_len, SK_KEY(sk), SK_INPUT(sk), owf_output, rho, rho_len, ¶ms);
*signature_len = FAEST_@PARAM@_SIGNATURE_SIZE;
return 0;
}
int FAEST_CALLING_CONVENTION faest_@PARAM_L@_sign(const uint8_t* sk, const uint8_t* message, size_t message_len, uint8_t* signature, size_t* signature_len) {
if (!sk || !signature || !signature_len || *signature_len < FAEST_@PARAM@_SIGNATURE_SIZE) {
return -1;
}
uint8_t rho[FAEST_@PARAM@_LAMBDA / 8];
rand_bytes(rho, sizeof(rho));
return faest_@PARAM_L@_sign_with_randomness(sk, message, message_len, rho, sizeof(rho), signature, signature_len);
}
int FAEST_CALLING_CONVENTION faest_@PARAM_L@_verify(const uint8_t* pk, const uint8_t* message, size_t message_len, const uint8_t* signature, size_t signature_len) {
if (!pk || !signature || signature_len != FAEST_@PARAM@_SIGNATURE_SIZE) {
return -1;
}
const faest_paramset_t params = faest_get_paramset(FAEST_@PARAM@);
return faest_verify(message, message_len, signature, PK_INPUT(pk), PK_OUTPUT(pk), ¶ms);
}
void FAEST_CALLING_CONVENTION faest_@PARAM_L@_clear_private_key(uint8_t* key) {
faest_explicit_bzero(key, FAEST_@PARAM@_PRIVATE_KEY_SIZE);
}
// vim: ft=c