From 18dc0b9fa5a046c817d86f5975afe34912c169ee Mon Sep 17 00:00:00 2001 From: Spencer Wilson Date: Thu, 31 Oct 2024 14:01:27 -0400 Subject: [PATCH 1/6] Add --delete option to copy_from_upstream Signed-off-by: Spencer Wilson --- .../copy_from_upstream/copy_from_upstream.py | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/scripts/copy_from_upstream/copy_from_upstream.py b/scripts/copy_from_upstream/copy_from_upstream.py index 85eebf96b..400ecc57a 100755 --- a/scripts/copy_from_upstream/copy_from_upstream.py +++ b/scripts/copy_from_upstream/copy_from_upstream.py @@ -23,7 +23,8 @@ parser = argparse.ArgumentParser() parser.add_argument("-v", "--verbosity", type=int) -parser.add_argument("-k", "--keep_data", action='store_true') +parser.add_argument("-k", "--keep_data", action='store_true', help='Keep upstream code in the "repos" folder') +parser.add_argument("-d", "--delete", action='store_true', help='Delete untracked files from implementation directories') parser.add_argument("operation", choices=["copy", "verify", "libjade"]) args = parser.parse_args() @@ -34,6 +35,8 @@ keepdata = True if args.keep_data else False +delete = True if args.delete else False + if 'LIBOQS_DIR' not in os.environ: print("Must set environment variable LIBOQS_DIR") exit(1) @@ -543,6 +546,20 @@ def process_families(instructions, basedir, with_kat, with_generator, with_libja try: os.makedirs(os.path.join(basedir, 'src', family['type'], family['name'])) except: + if delete: + # clear out all subdirectories + with os.scandir(os.path.join(basedir, 'src', family['type'], family['name'])) as ls: + for entry in ls: + if entry.is_dir(follow_symlinks=False): + if with_libjade: + if not entry.name.startswith('libjade'): + continue + elif entry.name.startswith('libjade'): + continue + to_rm = os.path.join(basedir, 'src', family['type'], family['name'], entry.name) + if DEBUG > 3: + print("removing %s" % to_rm) + shutil.rmtree(to_rm) pass if 'common_deps' in family: for common_dep in family['common_deps']: From 70ca706e298d2869ed64c1fa42bfc36072dca89f Mon Sep 17 00:00:00 2001 From: Spencer Wilson Date: Fri, 1 Nov 2024 11:13:36 -0400 Subject: [PATCH 2/6] Use delete option in CI Signed-off-by: Spencer Wilson --- .github/workflows/basic.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/basic.yml b/.github/workflows/basic.yml index 69061e21d..fa185d0e9 100644 --- a/.github/workflows/basic.yml +++ b/.github/workflows/basic.yml @@ -49,12 +49,12 @@ jobs: - name: Verify copy_from_upstream state after copy working-directory: 'scripts/copy_from_upstream' run: | - python3 copy_from_upstream.py copy && \ + python3 copy_from_upstream.py -d copy && \ ! git status | grep -i modified - name: Verify copy_from_upstream state after libjade working-directory: 'scripts/copy_from_upstream' run: | - python3 copy_from_upstream.py libjade && \ + python3 copy_from_upstream.py -d libjade && \ ! git status | grep -i modified buildcheck: From 15728525aa9fab20bc359501262dff24b6df6d17 Mon Sep 17 00:00:00 2001 From: Spencer Wilson Date: Fri, 1 Nov 2024 11:32:00 -0400 Subject: [PATCH 3/6] Use git status --porcelain in CI Signed-off-by: Spencer Wilson --- .github/workflows/basic.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/basic.yml b/.github/workflows/basic.yml index fa185d0e9..742dc848c 100644 --- a/.github/workflows/basic.yml +++ b/.github/workflows/basic.yml @@ -50,12 +50,12 @@ jobs: working-directory: 'scripts/copy_from_upstream' run: | python3 copy_from_upstream.py -d copy && \ - ! git status | grep -i modified + test -z "$(git status --porcelain)" - name: Verify copy_from_upstream state after libjade working-directory: 'scripts/copy_from_upstream' run: | python3 copy_from_upstream.py -d libjade && \ - ! git status | grep -i modified + test -z "$(git status --porcelain)" buildcheck: name: Check that code passes a basic build From 8e5d101409875b0db7aad2ecb5d6043d65ba9e46 Mon Sep 17 00:00:00 2001 From: Spencer Wilson Date: Fri, 1 Nov 2024 11:43:22 -0400 Subject: [PATCH 4/6] Improve readability of output in case of failure Signed-off-by: Spencer Wilson --- .github/workflows/basic.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/basic.yml b/.github/workflows/basic.yml index 742dc848c..42c7e5403 100644 --- a/.github/workflows/basic.yml +++ b/.github/workflows/basic.yml @@ -50,11 +50,13 @@ jobs: working-directory: 'scripts/copy_from_upstream' run: | python3 copy_from_upstream.py -d copy && \ + git status && \ test -z "$(git status --porcelain)" - name: Verify copy_from_upstream state after libjade working-directory: 'scripts/copy_from_upstream' run: | python3 copy_from_upstream.py -d libjade && \ + git status && \ test -z "$(git status --porcelain)" buildcheck: From 36e52aeb361cde72335f424b4fc98b2b99845ca3 Mon Sep 17 00:00:00 2001 From: Spencer Wilson Date: Fri, 1 Nov 2024 11:48:56 -0400 Subject: [PATCH 5/6] Use porcelain for output as well Signed-off-by: Spencer Wilson --- .github/workflows/basic.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/basic.yml b/.github/workflows/basic.yml index 42c7e5403..6139919b6 100644 --- a/.github/workflows/basic.yml +++ b/.github/workflows/basic.yml @@ -50,13 +50,13 @@ jobs: working-directory: 'scripts/copy_from_upstream' run: | python3 copy_from_upstream.py -d copy && \ - git status && \ + git status --porcelain && \ test -z "$(git status --porcelain)" - name: Verify copy_from_upstream state after libjade working-directory: 'scripts/copy_from_upstream' run: | python3 copy_from_upstream.py -d libjade && \ - git status && \ + git status --porcelain && \ test -z "$(git status --porcelain)" buildcheck: From 192fcd720aad1024b0253d029aba0f1149ec6c70 Mon Sep 17 00:00:00 2001 From: Spencer Wilson Date: Fri, 1 Nov 2024 11:50:44 -0400 Subject: [PATCH 6/6] Remove unused SPHINCS+ aarch64 implementation Signed-off-by: Spencer Wilson --- .../LICENSE | 116 ------- .../address.c | 91 ------ .../address.h | 52 ---- .../api.h | 77 ----- .../context.h | 19 -- .../context_shake.c | 12 - .../f1600x2.h | 11 - .../f1600x2.s | 143 --------- .../f1600x2_const.c | 30 -- .../fips202x2.c | 148 --------- .../fips202x2.h | 24 -- .../fors.c | 191 ------------ .../fors.h | 32 -- .../hash.h | 28 -- .../hash_shake.c | 83 ----- .../hash_shakex2.c | 52 ---- .../hashx2.h | 14 - .../merkle.c | 64 ---- .../merkle.h | 21 -- .../nistapi.h | 87 ------ .../params.h | 56 ---- .../shake_offsets.h | 21 -- .../sign.c | 286 ------------------ .../thash.h | 13 - .../thash_shake_simplex2.c | 83 ----- .../thashx2.h | 16 - .../utils.c | 148 --------- .../utils.h | 58 ---- .../utilsx2.c | 130 -------- .../utilsx2.h | 30 -- .../wots.c | 259 ---------------- .../wots.h | 25 -- .../wotsx2.h | 40 --- .../LICENSE | 116 ------- .../address.c | 95 ------ .../address.h | 52 ---- .../api.h | 77 ----- .../context.h | 19 -- .../context_shake.c | 12 - .../f1600x2.h | 11 - .../f1600x2.s | 143 --------- .../f1600x2_const.c | 30 -- .../fips202x2.c | 148 --------- .../fips202x2.h | 24 -- .../fors.c | 191 ------------ .../fors.h | 32 -- .../hash.h | 28 -- .../hash_shake.c | 83 ----- .../hash_shakex2.c | 52 ---- .../hashx2.h | 14 - .../merkle.c | 64 ---- .../merkle.h | 21 -- .../nistapi.h | 87 ------ .../params.h | 56 ---- .../shake_offsets.h | 21 -- .../sign.c | 286 ------------------ .../thash.h | 13 - .../thash_shake_simplex2.c | 83 ----- .../thashx2.h | 16 - .../utils.c | 148 --------- .../utils.h | 58 ---- .../utilsx2.c | 130 -------- .../utilsx2.h | 30 -- .../wots.c | 259 ---------------- .../wots.h | 25 -- .../wotsx2.h | 40 --- .../LICENSE | 116 ------- .../address.c | 91 ------ .../address.h | 52 ---- .../api.h | 77 ----- .../context.h | 19 -- .../context_shake.c | 12 - .../f1600x2.h | 11 - .../f1600x2.s | 143 --------- .../f1600x2_const.c | 30 -- .../fips202x2.c | 148 --------- .../fips202x2.h | 24 -- .../fors.c | 191 ------------ .../fors.h | 32 -- .../hash.h | 28 -- .../hash_shake.c | 83 ----- .../hash_shakex2.c | 52 ---- .../hashx2.h | 14 - .../merkle.c | 64 ---- .../merkle.h | 21 -- .../nistapi.h | 87 ------ .../params.h | 56 ---- .../shake_offsets.h | 21 -- .../sign.c | 286 ------------------ .../thash.h | 13 - .../thash_shake_simplex2.c | 83 ----- .../thashx2.h | 16 - .../utils.c | 148 --------- .../utils.h | 58 ---- .../utilsx2.c | 130 -------- .../utilsx2.h | 30 -- .../wots.c | 259 ---------------- .../wots.h | 25 -- .../wotsx2.h | 40 --- .../LICENSE | 116 ------- .../address.c | 95 ------ .../address.h | 52 ---- .../api.h | 77 ----- .../context.h | 19 -- .../context_shake.c | 12 - .../f1600x2.h | 11 - .../f1600x2.s | 143 --------- .../f1600x2_const.c | 30 -- .../fips202x2.c | 148 --------- .../fips202x2.h | 24 -- .../fors.c | 191 ------------ .../fors.h | 32 -- .../hash.h | 28 -- .../hash_shake.c | 83 ----- .../hash_shakex2.c | 52 ---- .../hashx2.h | 14 - .../merkle.c | 64 ---- .../merkle.h | 21 -- .../nistapi.h | 87 ------ .../params.h | 56 ---- .../shake_offsets.h | 21 -- .../sign.c | 286 ------------------ .../thash.h | 13 - .../thash_shake_simplex2.c | 83 ----- .../thashx2.h | 16 - .../utils.c | 148 --------- .../utils.h | 58 ---- .../utilsx2.c | 130 -------- .../utilsx2.h | 30 -- .../wots.c | 259 ---------------- .../wots.h | 25 -- .../wotsx2.h | 40 --- .../LICENSE | 116 ------- .../address.c | 91 ------ .../address.h | 52 ---- .../api.h | 77 ----- .../context.h | 19 -- .../context_shake.c | 12 - .../f1600x2.h | 11 - .../f1600x2.s | 143 --------- .../f1600x2_const.c | 30 -- .../fips202x2.c | 148 --------- .../fips202x2.h | 24 -- .../fors.c | 191 ------------ .../fors.h | 32 -- .../hash.h | 28 -- .../hash_shake.c | 83 ----- .../hash_shakex2.c | 52 ---- .../hashx2.h | 14 - .../merkle.c | 64 ---- .../merkle.h | 21 -- .../nistapi.h | 87 ------ .../params.h | 56 ---- .../shake_offsets.h | 21 -- .../sign.c | 286 ------------------ .../thash.h | 13 - .../thash_shake_simplex2.c | 83 ----- .../thashx2.h | 16 - .../utils.c | 148 --------- .../utils.h | 58 ---- .../utilsx2.c | 130 -------- .../utilsx2.h | 30 -- .../wots.c | 259 ---------------- .../wots.h | 25 -- .../wotsx2.h | 40 --- .../LICENSE | 116 ------- .../address.c | 91 ------ .../address.h | 52 ---- .../api.h | 77 ----- .../context.h | 19 -- .../context_shake.c | 12 - .../f1600x2.h | 11 - .../f1600x2.s | 143 --------- .../f1600x2_const.c | 30 -- .../fips202x2.c | 148 --------- .../fips202x2.h | 24 -- .../fors.c | 191 ------------ .../fors.h | 32 -- .../hash.h | 28 -- .../hash_shake.c | 83 ----- .../hash_shakex2.c | 52 ---- .../hashx2.h | 14 - .../merkle.c | 64 ---- .../merkle.h | 21 -- .../nistapi.h | 87 ------ .../params.h | 56 ---- .../shake_offsets.h | 21 -- .../sign.c | 286 ------------------ .../thash.h | 13 - .../thash_shake_simplex2.c | 83 ----- .../thashx2.h | 16 - .../utils.c | 148 --------- .../utils.h | 58 ---- .../utilsx2.c | 130 -------- .../utilsx2.h | 30 -- .../wots.c | 259 ---------------- .../wots.h | 25 -- .../wotsx2.h | 40 --- 198 files changed, 14768 deletions(-) delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/LICENSE delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/address.c delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/address.h delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/api.h delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/context.h delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/context_shake.c delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/f1600x2.h delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/f1600x2.s delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/f1600x2_const.c delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/fips202x2.c delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/fips202x2.h delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/fors.c delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/fors.h delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/hash.h delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/hash_shake.c delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/hash_shakex2.c delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/hashx2.h delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/merkle.c delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/merkle.h delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/nistapi.h delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/params.h delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/shake_offsets.h delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/sign.c delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/thash.h delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/thash_shake_simplex2.c delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/thashx2.h delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/utils.c delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/utils.h delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/utilsx2.c delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/utilsx2.h delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/wots.c delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/wots.h delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/wotsx2.h delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/LICENSE delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/address.c delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/address.h delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/api.h delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/context.h delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/context_shake.c delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/f1600x2.h delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/f1600x2.s delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/f1600x2_const.c delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/fips202x2.c delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/fips202x2.h delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/fors.c delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/fors.h delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/hash.h delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/hash_shake.c delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/hash_shakex2.c delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/hashx2.h delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/merkle.c delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/merkle.h delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/nistapi.h delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/params.h delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/shake_offsets.h delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/sign.c delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/thash.h delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/thash_shake_simplex2.c delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/thashx2.h delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/utils.c delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/utils.h delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/utilsx2.c delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/utilsx2.h delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/wots.c delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/wots.h delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/wotsx2.h delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/LICENSE delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/address.c delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/address.h delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/api.h delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/context.h delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/context_shake.c delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/f1600x2.h delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/f1600x2.s delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/f1600x2_const.c delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/fips202x2.c delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/fips202x2.h delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/fors.c delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/fors.h delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/hash.h delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/hash_shake.c delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/hash_shakex2.c delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/hashx2.h delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/merkle.c delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/merkle.h delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/nistapi.h delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/params.h delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/shake_offsets.h delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/sign.c delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/thash.h delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/thash_shake_simplex2.c delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/thashx2.h delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/utils.c delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/utils.h delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/utilsx2.c delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/utilsx2.h delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/wots.c delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/wots.h delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/wotsx2.h delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/LICENSE delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/address.c delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/address.h delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/api.h delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/context.h delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/context_shake.c delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/f1600x2.h delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/f1600x2.s delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/f1600x2_const.c delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/fips202x2.c delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/fips202x2.h delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/fors.c delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/fors.h delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/hash.h delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/hash_shake.c delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/hash_shakex2.c delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/hashx2.h delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/merkle.c delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/merkle.h delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/nistapi.h delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/params.h delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/shake_offsets.h delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/sign.c delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/thash.h delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/thash_shake_simplex2.c delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/thashx2.h delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/utils.c delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/utils.h delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/utilsx2.c delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/utilsx2.h delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/wots.c delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/wots.h delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/wotsx2.h delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/LICENSE delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/address.c delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/address.h delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/api.h delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/context.h delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/context_shake.c delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/f1600x2.h delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/f1600x2.s delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/f1600x2_const.c delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/fips202x2.c delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/fips202x2.h delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/fors.c delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/fors.h delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/hash.h delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/hash_shake.c delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/hash_shakex2.c delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/hashx2.h delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/merkle.c delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/merkle.h delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/nistapi.h delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/params.h delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/shake_offsets.h delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/sign.c delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/thash.h delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/thash_shake_simplex2.c delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/thashx2.h delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/utils.c delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/utils.h delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/utilsx2.c delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/utilsx2.h delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/wots.c delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/wots.h delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/wotsx2.h delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/LICENSE delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/address.c delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/address.h delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/api.h delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/context.h delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/context_shake.c delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/f1600x2.h delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/f1600x2.s delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/f1600x2_const.c delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/fips202x2.c delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/fips202x2.h delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/fors.c delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/fors.h delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/hash.h delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/hash_shake.c delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/hash_shakex2.c delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/hashx2.h delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/merkle.c delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/merkle.h delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/nistapi.h delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/params.h delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/shake_offsets.h delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/sign.c delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/thash.h delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/thash_shake_simplex2.c delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/thashx2.h delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/utils.c delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/utils.h delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/utilsx2.c delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/utilsx2.h delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/wots.c delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/wots.h delete mode 100644 src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/wotsx2.h diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/LICENSE b/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/LICENSE deleted file mode 100644 index 670154e35..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/LICENSE +++ /dev/null @@ -1,116 +0,0 @@ -CC0 1.0 Universal - -Statement of Purpose - -The laws of most jurisdictions throughout the world automatically confer -exclusive Copyright and Related Rights (defined below) upon the creator and -subsequent owner(s) (each and all, an "owner") of an original work of -authorship and/or a database (each, a "Work"). - -Certain owners wish to permanently relinquish those rights to a Work for the -purpose of contributing to a commons of creative, cultural and scientific -works ("Commons") that the public can reliably and without fear of later -claims of infringement build upon, modify, incorporate in other works, reuse -and redistribute as freely as possible in any form whatsoever and for any -purposes, including without limitation commercial purposes. These owners may -contribute to the Commons to promote the ideal of a free culture and the -further production of creative, cultural and scientific works, or to gain -reputation or greater distribution for their Work in part through the use and -efforts of others. - -For these and/or other purposes and motivations, and without any expectation -of additional consideration or compensation, the person associating CC0 with a -Work (the "Affirmer"), to the extent that he or she is an owner of Copyright -and Related Rights in the Work, voluntarily elects to apply CC0 to the Work -and publicly distribute the Work under its terms, with knowledge of his or her -Copyright and Related Rights in the Work and the meaning and intended legal -effect of CC0 on those rights. - -1. Copyright and Related Rights. A Work made available under CC0 may be -protected by copyright and related or neighboring rights ("Copyright and -Related Rights"). Copyright and Related Rights include, but are not limited -to, the following: - - i. the right to reproduce, adapt, distribute, perform, display, communicate, - and translate a Work; - - ii. moral rights retained by the original author(s) and/or performer(s); - - iii. publicity and privacy rights pertaining to a person's image or likeness - depicted in a Work; - - iv. rights protecting against unfair competition in regards to a Work, - subject to the limitations in paragraph 4(a), below; - - v. rights protecting the extraction, dissemination, use and reuse of data in - a Work; - - vi. database rights (such as those arising under Directive 96/9/EC of the - European Parliament and of the Council of 11 March 1996 on the legal - protection of databases, and under any national implementation thereof, - including any amended or successor version of such directive); and - - vii. other similar, equivalent or corresponding rights throughout the world - based on applicable law or treaty, and any national implementations thereof. - -2. Waiver. To the greatest extent permitted by, but not in contravention of, -applicable law, Affirmer hereby overtly, fully, permanently, irrevocably and -unconditionally waives, abandons, and surrenders all of Affirmer's Copyright -and Related Rights and associated claims and causes of action, whether now -known or unknown (including existing as well as future claims and causes of -action), in the Work (i) in all territories worldwide, (ii) for the maximum -duration provided by applicable law or treaty (including future time -extensions), (iii) in any current or future medium and for any number of -copies, and (iv) for any purpose whatsoever, including without limitation -commercial, advertising or promotional purposes (the "Waiver"). Affirmer makes -the Waiver for the benefit of each member of the public at large and to the -detriment of Affirmer's heirs and successors, fully intending that such Waiver -shall not be subject to revocation, rescission, cancellation, termination, or -any other legal or equitable action to disrupt the quiet enjoyment of the Work -by the public as contemplated by Affirmer's express Statement of Purpose. - -3. Public License Fallback. Should any part of the Waiver for any reason be -judged legally invalid or ineffective under applicable law, then the Waiver -shall be preserved to the maximum extent permitted taking into account -Affirmer's express Statement of Purpose. In addition, to the extent the Waiver -is so judged Affirmer hereby grants to each affected person a royalty-free, -non transferable, non sublicensable, non exclusive, irrevocable and -unconditional license to exercise Affirmer's Copyright and Related Rights in -the Work (i) in all territories worldwide, (ii) for the maximum duration -provided by applicable law or treaty (including future time extensions), (iii) -in any current or future medium and for any number of copies, and (iv) for any -purpose whatsoever, including without limitation commercial, advertising or -promotional purposes (the "License"). The License shall be deemed effective as -of the date CC0 was applied by Affirmer to the Work. Should any part of the -License for any reason be judged legally invalid or ineffective under -applicable law, such partial invalidity or ineffectiveness shall not -invalidate the remainder of the License, and in such case Affirmer hereby -affirms that he or she will not (i) exercise any of his or her remaining -Copyright and Related Rights in the Work or (ii) assert any associated claims -and causes of action with respect to the Work, in either case contrary to -Affirmer's express Statement of Purpose. - -4. Limitations and Disclaimers. - - a. No trademark or patent rights held by Affirmer are waived, abandoned, - surrendered, licensed or otherwise affected by this document. - - b. Affirmer offers the Work as-is and makes no representations or warranties - of any kind concerning the Work, express, implied, statutory or otherwise, - including without limitation warranties of title, merchantability, fitness - for a particular purpose, non infringement, or the absence of latent or - other defects, accuracy, or the present or absence of errors, whether or not - discoverable, all to the greatest extent permissible under applicable law. - - c. Affirmer disclaims responsibility for clearing rights of other persons - that may apply to the Work or any use thereof, including without limitation - any person's Copyright and Related Rights in the Work. Further, Affirmer - disclaims responsibility for obtaining any necessary consents, permissions - or other rights required for any use of the Work. - - d. Affirmer understands and acknowledges that Creative Commons is not a - party to this document and has no duty or obligation with respect to this - CC0 or use of the Work. - -For more information, please see - diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/address.c b/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/address.c deleted file mode 100644 index b956e9cb2..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/address.c +++ /dev/null @@ -1,91 +0,0 @@ -#include -#include - -#include "address.h" -#include "params.h" -#include "utils.h" - -/* - * Specify which level of Merkle tree (the "layer") we're working on - */ -void set_layer_addr(uint32_t addr[8], uint32_t layer) { - ((unsigned char *)addr)[SPX_OFFSET_LAYER] = (unsigned char)layer; -} - -/* - * Specify which Merkle tree within the level (the "tree address") we're working on - */ -void set_tree_addr(uint32_t addr[8], uint64_t tree) { - ull_to_bytes(&((unsigned char *)addr)[SPX_OFFSET_TREE], 8, tree ); -} - -/* - * Specify the reason we'll use this address structure for, that is, what - * hash will we compute with it. This is used so that unrelated types of - * hashes don't accidentally get the same address structure. The type will be - * one of the SPX_ADDR_TYPE constants - */ -void set_type(uint32_t addr[8], uint32_t type) { - ((unsigned char *)addr)[SPX_OFFSET_TYPE] = (unsigned char)type; -} - -/* - * Copy the layer and tree fields of the address structure. This is used - * when we're doing multiple types of hashes within the same Merkle tree - */ -void copy_subtree_addr(uint32_t out[8], const uint32_t in[8]) { - memcpy( out, in, SPX_OFFSET_TREE + 8 ); -} - -/* These functions are used for OTS addresses. */ - -/* - * Specify which Merkle leaf we're working on; that is, which OTS keypair - * we're talking about. - */ -void set_keypair_addr(uint32_t addr[8], uint32_t keypair) { - ((unsigned char *)addr)[SPX_OFFSET_KP_ADDR1] = (unsigned char)keypair; -} - -/* - * Copy the layer, tree and keypair fields of the address structure. This is - * used when we're doing multiple things within the same OTS keypair - */ -void copy_keypair_addr(uint32_t out[8], const uint32_t in[8]) { - memcpy( out, in, SPX_OFFSET_TREE + 8 ); - ((unsigned char *)out)[SPX_OFFSET_KP_ADDR1] = ((unsigned char *)in)[SPX_OFFSET_KP_ADDR1]; -} - -/* - * Specify which Merkle chain within the OTS we're working with - * (the chain address) - */ -void set_chain_addr(uint32_t addr[8], uint32_t chain) { - ((unsigned char *)addr)[SPX_OFFSET_CHAIN_ADDR] = (unsigned char)chain; -} - -/* - * Specify where in the Merkle chain we are -* (the hash address) - */ -void set_hash_addr(uint32_t addr[8], uint32_t hash) { - ((unsigned char *)addr)[SPX_OFFSET_HASH_ADDR] = (unsigned char)hash; -} - -/* These functions are used for all hash tree addresses (including FORS). */ - -/* - * Specify the height of the node in the Merkle/FORS tree we are in - * (the tree height) - */ -void set_tree_height(uint32_t addr[8], uint32_t tree_height) { - ((unsigned char *)addr)[SPX_OFFSET_TREE_HGT] = (unsigned char)tree_height; -} - -/* - * Specify the distance from the left edge of the node in the Merkle/FORS tree - * (the tree index) - */ -void set_tree_index(uint32_t addr[8], uint32_t tree_index) { - u32_to_bytes(&((unsigned char *)addr)[SPX_OFFSET_TREE_INDEX], tree_index ); -} diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/address.h b/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/address.h deleted file mode 100644 index 24a84eb40..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/address.h +++ /dev/null @@ -1,52 +0,0 @@ -#ifndef SPX_ADDRESS_H -#define SPX_ADDRESS_H - -#include - -#include "params.h" - -/* The hash types that are passed to set_type */ -#define SPX_ADDR_TYPE_WOTS 0 -#define SPX_ADDR_TYPE_WOTSPK 1 -#define SPX_ADDR_TYPE_HASHTREE 2 -#define SPX_ADDR_TYPE_FORSTREE 3 -#define SPX_ADDR_TYPE_FORSPK 4 -#define SPX_ADDR_TYPE_WOTSPRF 5 -#define SPX_ADDR_TYPE_FORSPRF 6 - -#define set_layer_addr SPX_NAMESPACE(set_layer_addr) -void set_layer_addr(uint32_t addr[8], uint32_t layer); - -#define set_tree_addr SPX_NAMESPACE(set_tree_addr) -void set_tree_addr(uint32_t addr[8], uint64_t tree); - -#define set_type SPX_NAMESPACE(set_type) -void set_type(uint32_t addr[8], uint32_t type); - -/* Copies the layer and tree part of one address into the other */ -#define copy_subtree_addr SPX_NAMESPACE(copy_subtree_addr) -void copy_subtree_addr(uint32_t out[8], const uint32_t in[8]); - -/* These functions are used for WOTS and FORS addresses. */ - -#define set_keypair_addr SPX_NAMESPACE(set_keypair_addr) -void set_keypair_addr(uint32_t addr[8], uint32_t keypair); - -#define set_chain_addr SPX_NAMESPACE(set_chain_addr) -void set_chain_addr(uint32_t addr[8], uint32_t chain); - -#define set_hash_addr SPX_NAMESPACE(set_hash_addr) -void set_hash_addr(uint32_t addr[8], uint32_t hash); - -#define copy_keypair_addr SPX_NAMESPACE(copy_keypair_addr) -void copy_keypair_addr(uint32_t out[8], const uint32_t in[8]); - -/* These functions are used for all hash tree addresses (including FORS). */ - -#define set_tree_height SPX_NAMESPACE(set_tree_height) -void set_tree_height(uint32_t addr[8], uint32_t tree_height); - -#define set_tree_index SPX_NAMESPACE(set_tree_index) -void set_tree_index(uint32_t addr[8], uint32_t tree_index); - -#endif diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/api.h b/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/api.h deleted file mode 100644 index 8de96f7e6..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/api.h +++ /dev/null @@ -1,77 +0,0 @@ -#ifndef PQCLEAN_SPHINCSSHAKE128FSIMPLE_AARCH64_API_H -#define PQCLEAN_SPHINCSSHAKE128FSIMPLE_AARCH64_API_H - -#include -#include - -#define PQCLEAN_SPHINCSSHAKE128FSIMPLE_AARCH64_CRYPTO_ALGNAME "SPHINCS+-shake-128f-simple" - -#define PQCLEAN_SPHINCSSHAKE128FSIMPLE_AARCH64_CRYPTO_SECRETKEYBYTES 64 -#define PQCLEAN_SPHINCSSHAKE128FSIMPLE_AARCH64_CRYPTO_PUBLICKEYBYTES 32 -#define PQCLEAN_SPHINCSSHAKE128FSIMPLE_AARCH64_CRYPTO_BYTES 17088 - -#define PQCLEAN_SPHINCSSHAKE128FSIMPLE_AARCH64_CRYPTO_SEEDBYTES 48 - -/* - * Returns the length of a secret key, in bytes - */ -size_t PQCLEAN_SPHINCSSHAKE128FSIMPLE_AARCH64_crypto_sign_secretkeybytes(void); - -/* - * Returns the length of a public key, in bytes - */ -size_t PQCLEAN_SPHINCSSHAKE128FSIMPLE_AARCH64_crypto_sign_publickeybytes(void); - -/* - * Returns the length of a signature, in bytes - */ -size_t PQCLEAN_SPHINCSSHAKE128FSIMPLE_AARCH64_crypto_sign_bytes(void); - -/* - * Returns the length of the seed required to generate a key pair, in bytes - */ -size_t PQCLEAN_SPHINCSSHAKE128FSIMPLE_AARCH64_crypto_sign_seedbytes(void); - -/* - * Generates a SPHINCS+ key pair given a seed. - * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root] - * Format pk: [root || PUB_SEED] - */ -int PQCLEAN_SPHINCSSHAKE128FSIMPLE_AARCH64_crypto_sign_seed_keypair(uint8_t *pk, uint8_t *sk, - const uint8_t *seed); - -/* - * Generates a SPHINCS+ key pair. - * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root] - * Format pk: [root || PUB_SEED] - */ -int PQCLEAN_SPHINCSSHAKE128FSIMPLE_AARCH64_crypto_sign_keypair(uint8_t *pk, uint8_t *sk); - -/** - * Returns an array containing a detached signature. - */ -int PQCLEAN_SPHINCSSHAKE128FSIMPLE_AARCH64_crypto_sign_signature(uint8_t *sig, size_t *siglen, - const uint8_t *m, size_t mlen, - const uint8_t *sk); - -/** - * Verifies a detached signature and message under a given public key. - */ -int PQCLEAN_SPHINCSSHAKE128FSIMPLE_AARCH64_crypto_sign_verify(const uint8_t *sig, size_t siglen, - const uint8_t *m, size_t mlen, - const uint8_t *pk); - -/** - * Returns an array containing the signature followed by the message. - */ -int PQCLEAN_SPHINCSSHAKE128FSIMPLE_AARCH64_crypto_sign(uint8_t *sm, size_t *smlen, - const uint8_t *m, size_t mlen, - const uint8_t *sk); - -/** - * Verifies a given signature-message pair under a given public key. - */ -int PQCLEAN_SPHINCSSHAKE128FSIMPLE_AARCH64_crypto_sign_open(uint8_t *m, size_t *mlen, - const uint8_t *sm, size_t smlen, - const uint8_t *pk); -#endif diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/context.h b/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/context.h deleted file mode 100644 index 6e0a33f3b..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/context.h +++ /dev/null @@ -1,19 +0,0 @@ -#ifndef SPX_CONTEXT_H -#define SPX_CONTEXT_H - -#include - -#include "params.h" - -typedef struct { - uint8_t pub_seed[SPX_N]; - uint8_t sk_seed[SPX_N]; -} spx_ctx; - -#define initialize_hash_function SPX_NAMESPACE(initialize_hash_function) -void initialize_hash_function(spx_ctx *ctx); - -#define free_hash_function SPX_NAMESPACE(free_hash_function) -void free_hash_function(spx_ctx *ctx); - -#endif diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/context_shake.c b/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/context_shake.c deleted file mode 100644 index 9614a103d..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/context_shake.c +++ /dev/null @@ -1,12 +0,0 @@ -#include "context.h" - -/* For SHAKE256, there is no immediate reason to initialize at the start, - so this function is an empty operation. */ -void initialize_hash_function(spx_ctx *ctx) { - (void)ctx; /* Suppress an 'unused parameter' warning. */ -} - -// in case the hash function api is heap-based. -void free_hash_function(spx_ctx *ctx) { - (void)ctx; -} diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/f1600x2.h b/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/f1600x2.h deleted file mode 100644 index 70d1af9f1..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/f1600x2.h +++ /dev/null @@ -1,11 +0,0 @@ -#ifndef SPX_F1600X2_H -#define SPX_F1600X2_H - -#include - -extern uint64_t f1600_RC[24]; -extern void _f1600x2(uint64_t *a, uint64_t *rc); - -#define f1600x2(s) do {_f1600x2((s), f1600_RC);} while(0) - -#endif diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/f1600x2.s b/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/f1600x2.s deleted file mode 100644 index 640ed791e..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/f1600x2.s +++ /dev/null @@ -1,143 +0,0 @@ -# From https://github.com/bwesterb/armed-keccak - -.macro round - # Execute theta, but without xoring into the state yet. - # Compute parities p[i] = a[i] ^ a[5+i] ^ ... ^ a[20+i]. - eor3.16b v25, v0, v5, v10 - eor3.16b v26, v1, v6, v11 - eor3.16b v27, v2, v7, v12 - eor3.16b v28, v3, v8, v13 - eor3.16b v29, v4, v9, v14 - - eor3.16b v25, v25, v15, v20 - eor3.16b v26, v26, v16, v21 - eor3.16b v27, v27, v17, v22 - eor3.16b v28, v28, v18, v23 - eor3.16b v29, v29, v19, v24 - - # d[0] = rotl(p[1], 1) ^ p[4] - rax1.2d v30, v29, v26 - # d[3] = rotl(p[4], 1) ^ p[2] - rax1.2d v29, v27, v29 - # d[1] = rotl(p[2], 1) ^ p[0] - rax1.2d v27, v25, v27 - # d[4] = rotl(p[0], 1) ^ p[3] - rax1.2d v25, v28, v25 - # d[2] = rotl(p[3], 1) ^ p[1] - rax1.2d v28, v26, v28 - - # Xor parities from step theta into the state at the same time - # as executing rho and pi. - eor.16b v0, v0, v30 - mov.16b v31, v1 - xar.2d v1, v6, v27, 20 - xar.2d v6, v9, v25, 44 - xar.2d v9, v22, v28, 3 - xar.2d v22, v14, v25, 25 - xar.2d v14, v20, v30, 46 - xar.2d v20, v2, v28, 2 - xar.2d v2, v12, v28, 21 - xar.2d v12, v13, v29, 39 - xar.2d v13, v19, v25, 56 - xar.2d v19, v23, v29, 8 - xar.2d v23, v15, v30, 23 - xar.2d v15, v4, v25, 37 - xar.2d v4, v24, v25, 50 - xar.2d v24, v21, v27, 62 - xar.2d v21, v8, v29, 9 - xar.2d v8, v16, v27, 19 - xar.2d v16, v5, v30, 28 - xar.2d v5, v3, v29, 36 - xar.2d v3, v18, v29, 43 - xar.2d v18, v17, v28, 49 - xar.2d v17, v11, v27, 54 - xar.2d v11, v7, v28, 58 - xar.2d v7, v10, v30, 61 - xar.2d v10, v31, v27, 63 - - # Chi - bcax.16b v25, v0, v2, v1 - bcax.16b v26, v1, v3, v2 - bcax.16b v2, v2, v4, v3 - bcax.16b v3, v3, v0, v4 - bcax.16b v4, v4, v1, v0 - mov.16b v0, v25 - mov.16b v1, v26 - - bcax.16b v25, v5, v7, v6 - bcax.16b v26, v6, v8, v7 - bcax.16b v7, v7, v9, v8 - bcax.16b v8, v8, v5, v9 - bcax.16b v9, v9, v6, v5 - mov.16b v5, v25 - mov.16b v6, v26 - - bcax.16b v25, v10, v12, v11 - bcax.16b v26, v11, v13, v12 - bcax.16b v12, v12, v14, v13 - bcax.16b v13, v13, v10, v14 - bcax.16b v14, v14, v11, v10 - mov.16b v10, v25 - mov.16b v11, v26 - - bcax.16b v25, v15, v17, v16 - bcax.16b v26, v16, v18, v17 - bcax.16b v17, v17, v19, v18 - bcax.16b v18, v18, v15, v19 - bcax.16b v19, v19, v16, v15 - mov.16b v15, v25 - mov.16b v16, v26 - - bcax.16b v25, v20, v22, v21 - bcax.16b v26, v21, v23, v22 - bcax.16b v22, v22, v24, v23 - bcax.16b v23, v23, v20, v24 - bcax.16b v24, v24, v21, v20 - mov.16b v20, v25 - mov.16b v21, v26 - - # iota - ld1r {v25.2d}, [x1], #8 - eor.16b v0, v0, v25 -.endm - -.align 4 -.global __f1600x2 -__f1600x2: - stp d8, d9, [sp,#-16]! - stp d10, d11, [sp,#-16]! - stp d12, d13, [sp,#-16]! - stp d14, d15, [sp,#-16]! - - mov x2, x0 - mov x3, #24 - - ld1.2d {v0, v1, v2, v3}, [x0], #64 - ld1.2d {v4, v5, v6, v7}, [x0], #64 - ld1.2d {v8, v9, v10, v11}, [x0], #64 - ld1.2d {v12, v13, v14, v15}, [x0], #64 - ld1.2d {v16, v17, v18, v19}, [x0], #64 - ld1.2d {v20, v21, v22, v23}, [x0], #64 - ld1.2d {v24}, [x0] - -loop: - round - - subs x3, x3, #1 - cbnz x3, loop - - mov x0, x2 - st1.2d {v0, v1, v2, v3}, [x0], #64 - st1.2d {v4, v5, v6, v7}, [x0], #64 - st1.2d {v8, v9, v10, v11}, [x0], #64 - st1.2d {v12, v13, v14, v15}, [x0], #64 - st1.2d {v16, v17, v18, v19}, [x0], #64 - st1.2d {v20, v21, v22, v23}, [x0], #64 - st1.2d {v24}, [x0] - - ldp d14, d15, [sp], #16 - ldp d12, d13, [sp], #16 - ldp d10, d11, [sp], #16 - ldp d8, d9, [sp], #16 - - ret lr diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/f1600x2_const.c b/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/f1600x2_const.c deleted file mode 100644 index e49c0ba14..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/f1600x2_const.c +++ /dev/null @@ -1,30 +0,0 @@ -#include "f1600x2.h" - -uint64_t f1600_RC[24] = { - 0x0000000000000001, - 0x0000000000008082, - 0x800000000000808A, - 0x8000000080008000, - 0x000000000000808B, - 0x0000000080000001, - 0x8000000080008081, - 0x8000000000008009, - 0x000000000000008A, - 0x0000000000000088, - 0x0000000080008009, - 0x000000008000000A, - 0x000000008000808B, - 0x800000000000008B, - 0x8000000000008089, - 0x8000000000008003, - 0x8000000000008002, - 0x8000000000000080, - 0x000000000000800A, - 0x800000008000000A, - 0x8000000080008081, - 0x8000000000008080, - 0x0000000080000001, - 0x8000000080008008, -}; - - diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/fips202x2.c b/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/fips202x2.c deleted file mode 100644 index 4718c343b..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/fips202x2.c +++ /dev/null @@ -1,148 +0,0 @@ -#include -#include - -#include "fips202x2.h" -#include "f1600x2.h" -#include "fips202.h" - -uint64_t load64(const unsigned char *x) { - unsigned long long r = 0, i; - - for (i = 0; i < 8; ++i) { - r |= (unsigned long long)x[i] << 8 * i; - } - return r; -} - -void store64(uint8_t *x, uint64_t u) { - unsigned int i; - - for (i = 0; i < 8; ++i) { - x[i] = (uint8_t)u; - u >>= 8; - } -} - -static void keccak_absorb2x(uint64_t *s, - unsigned int r, - const unsigned char *m0, - const unsigned char *m1, - unsigned long long int mlen, - unsigned char p) { - unsigned long long i; - unsigned char t0[200]; - unsigned char t1[200]; - - while (mlen >= r) { - for (i = 0; i < r / 8; ++i) { - s[2 * i + 0] ^= load64(m0 + 8 * i); - s[2 * i + 1] ^= load64(m1 + 8 * i); - } - - f1600x2(s); - mlen -= r; - m0 += r; - m1 += r; - } - - for (i = 0; i < r; ++i) { - t0[i] = 0; - t1[i] = 0; - } - for (i = 0; i < mlen; ++i) { - t0[i] = m0[i]; - t1[i] = m1[i]; - } - - t0[i] = p; - t1[i] = p; - - t0[r - 1] |= 128; - t1[r - 1] |= 128; - - for (i = 0; i < r / 8; ++i) { - s[2 * i + 0] ^= load64(t0 + 8 * i); - s[2 * i + 1] ^= load64(t1 + 8 * i); - } -} - - -static void keccak_squeezeblocks2x(unsigned char *h0, - unsigned char *h1, - unsigned long long int nblocks, - uint64_t *s, - unsigned int r) { - unsigned int i; - - while (nblocks > 0) { - f1600x2(s); - for (i = 0; i < (r >> 3); i++) { - store64(h0 + 8 * i, s[2 * i + 0]); - store64(h1 + 8 * i, s[2 * i + 1]); - } - h0 += r; - h1 += r; - nblocks--; - } -} - - - -void shake128x2(unsigned char *out0, - unsigned char *out1, - unsigned long long outlen, - unsigned char *in0, - unsigned char *in1, - unsigned long long inlen) { - uint64_t s[50] = {0}; - unsigned char t0[SHAKE128_RATE]; - unsigned char t1[SHAKE128_RATE]; - unsigned int i; - - /* absorb 4 message of identical length in parallel */ - keccak_absorb2x(s, SHAKE128_RATE, in0, in1, inlen, 0x1F); - - /* Squeeze output */ - keccak_squeezeblocks2x(out0, out1, outlen / SHAKE128_RATE, s, SHAKE128_RATE); - - out0 += (outlen / SHAKE128_RATE) * SHAKE128_RATE; - out1 += (outlen / SHAKE128_RATE) * SHAKE128_RATE; - - if (outlen % SHAKE128_RATE) { - keccak_squeezeblocks2x(t0, t1, 1, s, SHAKE128_RATE); - for (i = 0; i < outlen % SHAKE128_RATE; i++) { - out0[i] = t0[i]; - out1[i] = t1[i]; - } - } -} - - -void shake256x2(unsigned char *out0, - unsigned char *out1, - unsigned long long outlen, - unsigned char *in0, - unsigned char *in1, - unsigned long long inlen) { - uint64_t s[50] = {0}; - unsigned char t0[SHAKE256_RATE]; - unsigned char t1[SHAKE256_RATE]; - unsigned int i; - - /* absorb 2 message of identical length in parallel */ - keccak_absorb2x(s, SHAKE256_RATE, in0, in1, inlen, 0x1F); - - /* Squeeze output */ - keccak_squeezeblocks2x(out0, out1, outlen / SHAKE256_RATE, s, SHAKE256_RATE); - - out0 += (outlen / SHAKE256_RATE) * SHAKE256_RATE; - out1 += (outlen / SHAKE256_RATE) * SHAKE256_RATE; - - if (outlen % SHAKE256_RATE) { - keccak_squeezeblocks2x(t0, t1, 1, s, SHAKE256_RATE); - for (i = 0; i < outlen % SHAKE256_RATE; i++) { - out0[i] = t0[i]; - out1[i] = t1[i]; - } - } -} diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/fips202x2.h b/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/fips202x2.h deleted file mode 100644 index 7ba58b35d..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/fips202x2.h +++ /dev/null @@ -1,24 +0,0 @@ -#ifndef SPX_FIPS202X2_H -#define SPX_FIPS202X2_H - -#include - -uint64_t load64(const unsigned char *x); -void store64(uint8_t *x, uint64_t u); - - -void shake128x2(unsigned char *out0, - unsigned char *out1, - unsigned long long outlen, - unsigned char *in0, - unsigned char *in1, - unsigned long long inlen); - -void shake256x2(unsigned char *out0, - unsigned char *out1, - unsigned long long outlen, - unsigned char *in0, - unsigned char *in1, - unsigned long long inlen); - -#endif diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/fors.c b/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/fors.c deleted file mode 100644 index 39193d04e..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/fors.c +++ /dev/null @@ -1,191 +0,0 @@ -#include -#include -#include - -#include "fors.h" - -#include "address.h" -#include "hash.h" -#include "hashx2.h" -#include "thash.h" -#include "thashx2.h" -#include "utils.h" -#include "utilsx2.h" - -static void fors_gen_sk(unsigned char *sk, const spx_ctx *ctx, - uint32_t fors_leaf_addr[8]) { - prf_addr(sk, ctx, fors_leaf_addr); -} - -static void fors_gen_skx2(unsigned char *sk0, - unsigned char *sk1, - const spx_ctx *ctx, - uint32_t fors_leaf_addrx2[2 * 8]) { - prf_addrx2(sk0, sk1, - ctx, fors_leaf_addrx2); -} - -static void fors_sk_to_leaf(unsigned char *leaf, const unsigned char *sk, - const spx_ctx *ctx, - uint32_t fors_leaf_addr[8]) { - thash(leaf, sk, 1, ctx, fors_leaf_addr); -} - -static void fors_sk_to_leafx2(unsigned char *leaf0, - unsigned char *leaf1, - const unsigned char *sk0, - const unsigned char *sk1, - const spx_ctx *ctx, - uint32_t fors_leaf_addrx2[2 * 8]) { - thashx2(leaf0, leaf1, - sk0, sk1, - 1, ctx, fors_leaf_addrx2); -} - -struct fors_gen_leaf_info { - uint32_t leaf_addrx[2 * 8]; -}; - -static void fors_gen_leafx2(unsigned char *leaf, - const spx_ctx *ctx, - uint32_t addr_idx, void *info) { - struct fors_gen_leaf_info *fors_info = info; - uint32_t *fors_leaf_addrx2 = fors_info->leaf_addrx; - unsigned int j; - - /* Only set the parts that the caller doesn't set */ - for (j = 0; j < 2; j++) { - set_tree_index(fors_leaf_addrx2 + j * 8, addr_idx + j); - set_type(fors_leaf_addrx2 + j * 8, SPX_ADDR_TYPE_FORSPRF); - } - - fors_gen_skx2(leaf + 0 * SPX_N, - leaf + 1 * SPX_N, - ctx, fors_leaf_addrx2); - - for (j = 0; j < 2; j++) { - set_type(fors_leaf_addrx2 + j * 8, SPX_ADDR_TYPE_FORSTREE); - } - - fors_sk_to_leafx2(leaf + 0 * SPX_N, - leaf + 1 * SPX_N, - leaf + 0 * SPX_N, - leaf + 1 * SPX_N, - ctx, fors_leaf_addrx2); -} - -/** - * Interprets m as SPX_FORS_HEIGHT-bit unsigned integers. - * Assumes m contains at least SPX_FORS_HEIGHT * SPX_FORS_TREES bits. - * Assumes indices has space for SPX_FORS_TREES integers. - */ -static void message_to_indices(uint32_t *indices, const unsigned char *m) { - unsigned int i, j; - unsigned int offset = 0; - - for (i = 0; i < SPX_FORS_TREES; i++) { - indices[i] = 0; - for (j = 0; j < SPX_FORS_HEIGHT; j++) { - indices[i] ^= (uint32_t)(((m[offset >> 3] >> (offset & 0x7)) & 0x1) << j); - offset++; - } - } -} - -/** - * Signs a message m, deriving the secret key from sk_seed and the FTS address. - * Assumes m contains at least SPX_FORS_HEIGHT * SPX_FORS_TREES bits. - */ -void fors_sign(unsigned char *sig, unsigned char *pk, - const unsigned char *m, - const spx_ctx *ctx, - const uint32_t fors_addr[8]) { - uint32_t indices[SPX_FORS_TREES]; - unsigned char roots[SPX_FORS_TREES * SPX_N]; - uint32_t fors_tree_addr[2 * 8] = {0}; - struct fors_gen_leaf_info fors_info = {0}; - uint32_t *fors_leaf_addr = fors_info.leaf_addrx; - uint32_t fors_pk_addr[8] = {0}; - uint32_t idx_offset; - unsigned int i; - - for (i = 0; i < 2; i++) { - copy_keypair_addr(fors_tree_addr + 8 * i, fors_addr); - set_type(fors_tree_addr + 8 * i, SPX_ADDR_TYPE_FORSTREE); - copy_keypair_addr(fors_leaf_addr + 8 * i, fors_addr); - } - copy_keypair_addr(fors_pk_addr, fors_addr); - set_type(fors_pk_addr, SPX_ADDR_TYPE_FORSPK); - - message_to_indices(indices, m); - - for (i = 0; i < SPX_FORS_TREES; i++) { - idx_offset = i * (1 << SPX_FORS_HEIGHT); - - set_tree_height(fors_tree_addr, 0); - set_tree_index(fors_tree_addr, indices[i] + idx_offset); - - /* Include the secret key part that produces the selected leaf node. */ - set_type(fors_tree_addr, SPX_ADDR_TYPE_FORSPRF); - fors_gen_sk(sig, ctx, fors_tree_addr); - set_type(fors_tree_addr, SPX_ADDR_TYPE_FORSTREE); - sig += SPX_N; - - /* Compute the authentication path for this leaf node. */ - treehashx2(roots + i * SPX_N, sig, ctx, - indices[i], idx_offset, SPX_FORS_HEIGHT, fors_gen_leafx2, - fors_tree_addr, &fors_info); - - sig += SPX_N * SPX_FORS_HEIGHT; - } - - /* Hash horizontally across all tree roots to derive the public key. */ - thash(pk, roots, SPX_FORS_TREES, ctx, fors_pk_addr); -} - -/** - * Derives the FORS public key from a signature. - * This can be used for verification by comparing to a known public key, or to - * subsequently verify a signature on the derived public key. The latter is the - * typical use-case when used as an FTS below an OTS in a hypertree. - * Assumes m contains at least SPX_FORS_HEIGHT * SPX_FORS_TREES bits. - */ -void fors_pk_from_sig(unsigned char *pk, - const unsigned char *sig, const unsigned char *m, - const spx_ctx *ctx, - const uint32_t fors_addr[8]) { - uint32_t indices[SPX_FORS_TREES]; - unsigned char roots[SPX_FORS_TREES * SPX_N]; - unsigned char leaf[SPX_N]; - uint32_t fors_tree_addr[8] = {0}; - uint32_t fors_pk_addr[8] = {0}; - uint32_t idx_offset; - unsigned int i; - - copy_keypair_addr(fors_tree_addr, fors_addr); - copy_keypair_addr(fors_pk_addr, fors_addr); - - set_type(fors_tree_addr, SPX_ADDR_TYPE_FORSTREE); - set_type(fors_pk_addr, SPX_ADDR_TYPE_FORSPK); - - message_to_indices(indices, m); - - for (i = 0; i < SPX_FORS_TREES; i++) { - idx_offset = i * (1 << SPX_FORS_HEIGHT); - - set_tree_height(fors_tree_addr, 0); - set_tree_index(fors_tree_addr, indices[i] + idx_offset); - - /* Derive the leaf from the included secret key part. */ - fors_sk_to_leaf(leaf, sig, ctx, fors_tree_addr); - sig += SPX_N; - - /* Derive the corresponding root node of this tree. */ - compute_root(roots + i * SPX_N, leaf, indices[i], idx_offset, - sig, SPX_FORS_HEIGHT, ctx, fors_tree_addr); - sig += SPX_N * SPX_FORS_HEIGHT; - } - - /* Hash horizontally across all tree roots to derive the public key. */ - thash(pk, roots, SPX_FORS_TREES, ctx, fors_pk_addr); -} diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/fors.h b/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/fors.h deleted file mode 100644 index 509140a17..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/fors.h +++ /dev/null @@ -1,32 +0,0 @@ -#ifndef SPX_FORS_H -#define SPX_FORS_H - -#include - -#include "context.h" -#include "params.h" - -/** - * Signs a message m, deriving the secret key from sk_seed and the FTS address. - * Assumes m contains at least SPX_FORS_HEIGHT * SPX_FORS_TREES bits. - */ -#define fors_sign SPX_NAMESPACE(fors_sign) -void fors_sign(unsigned char *sig, unsigned char *pk, - const unsigned char *m, - const spx_ctx *ctx, - const uint32_t fors_addr[8]); - -/** - * Derives the FORS public key from a signature. - * This can be used for verification by comparing to a known public key, or to - * subsequently verify a signature on the derived public key. The latter is the - * typical use-case when used as an FTS below an OTS in a hypertree. - * Assumes m contains at least SPX_FORS_HEIGHT * SPX_FORS_TREES bits. - */ -#define fors_pk_from_sig SPX_NAMESPACE(fors_pk_from_sig) -void fors_pk_from_sig(unsigned char *pk, - const unsigned char *sig, const unsigned char *m, - const spx_ctx *ctx, - const uint32_t fors_addr[8]); - -#endif diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/hash.h b/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/hash.h deleted file mode 100644 index f7c87d4c3..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/hash.h +++ /dev/null @@ -1,28 +0,0 @@ -#ifndef SPX_HASH_H -#define SPX_HASH_H - -#include -#include - -#include "context.h" -#include "params.h" - -#define prf_addr SPX_NAMESPACE(prf_addr) -void prf_addr(unsigned char *out, const spx_ctx *ctx, - const uint32_t addr[8]); - -#define gen_message_random SPX_NAMESPACE(gen_message_random) -void gen_message_random(unsigned char *R, const unsigned char *sk_prf, - const unsigned char *optrand, - const unsigned char *m, size_t mlen, - const spx_ctx *ctx); - -#define hash_message SPX_NAMESPACE(hash_message) -void hash_message(unsigned char *digest, uint64_t *tree, uint32_t *leaf_idx, - const unsigned char *R, const unsigned char *pk, - const unsigned char *m, size_t mlen, - const spx_ctx *ctx); - - - -#endif diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/hash_shake.c b/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/hash_shake.c deleted file mode 100644 index ff5e7ec91..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/hash_shake.c +++ /dev/null @@ -1,83 +0,0 @@ -#include -#include - -#include "hash.h" - -#include "address.h" -#include "fips202.h" -#include "params.h" -#include "utils.h" - -/* - * Computes PRF(pk_seed, sk_seed, addr) - */ -void prf_addr(unsigned char *out, const spx_ctx *ctx, - const uint32_t addr[8]) { - unsigned char buf[2 * SPX_N + SPX_ADDR_BYTES]; - - memcpy(buf, ctx->pub_seed, SPX_N); - memcpy(buf + SPX_N, addr, SPX_ADDR_BYTES); - memcpy(buf + SPX_N + SPX_ADDR_BYTES, ctx->sk_seed, SPX_N); - - shake256(out, SPX_N, buf, 2 * SPX_N + SPX_ADDR_BYTES); -} - -/** - * Computes the message-dependent randomness R, using a secret seed and an - * optional randomization value as well as the message. - */ -void gen_message_random(unsigned char *R, const unsigned char *sk_prf, - const unsigned char *optrand, - const unsigned char *m, size_t mlen, - const spx_ctx *ctx) { - (void)ctx; - shake256incctx s_inc; - - shake256_inc_init(&s_inc); - shake256_inc_absorb(&s_inc, sk_prf, SPX_N); - shake256_inc_absorb(&s_inc, optrand, SPX_N); - shake256_inc_absorb(&s_inc, m, mlen); - shake256_inc_finalize(&s_inc); - shake256_inc_squeeze(R, SPX_N, &s_inc); - shake256_inc_ctx_release(&s_inc); -} - -/** - * Computes the message hash using R, the public key, and the message. - * Outputs the message digest and the index of the leaf. The index is split in - * the tree index and the leaf index, for convenient copying to an address. - */ -void hash_message(unsigned char *digest, uint64_t *tree, uint32_t *leaf_idx, - const unsigned char *R, const unsigned char *pk, - const unsigned char *m, size_t mlen, - const spx_ctx *ctx) { - (void)ctx; -#define SPX_TREE_BITS (SPX_TREE_HEIGHT * (SPX_D - 1)) -#define SPX_TREE_BYTES ((SPX_TREE_BITS + 7) / 8) -#define SPX_LEAF_BITS SPX_TREE_HEIGHT -#define SPX_LEAF_BYTES ((SPX_LEAF_BITS + 7) / 8) -#define SPX_DGST_BYTES (SPX_FORS_MSG_BYTES + SPX_TREE_BYTES + SPX_LEAF_BYTES) - - unsigned char buf[SPX_DGST_BYTES]; - unsigned char *bufp = buf; - shake256incctx s_inc; - - shake256_inc_init(&s_inc); - shake256_inc_absorb(&s_inc, R, SPX_N); - shake256_inc_absorb(&s_inc, pk, SPX_PK_BYTES); - shake256_inc_absorb(&s_inc, m, mlen); - shake256_inc_finalize(&s_inc); - shake256_inc_squeeze(buf, SPX_DGST_BYTES, &s_inc); - shake256_inc_ctx_release(&s_inc); - - memcpy(digest, bufp, SPX_FORS_MSG_BYTES); - bufp += SPX_FORS_MSG_BYTES; - - - *tree = bytes_to_ull(bufp, SPX_TREE_BYTES); - *tree &= (~(uint64_t)0) >> (64 - SPX_TREE_BITS); - bufp += SPX_TREE_BYTES; - - *leaf_idx = (uint32_t)bytes_to_ull(bufp, SPX_LEAF_BYTES); - *leaf_idx &= (~(uint32_t)0) >> (32 - SPX_LEAF_BITS); -} diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/hash_shakex2.c b/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/hash_shakex2.c deleted file mode 100644 index 99571916a..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/hash_shakex2.c +++ /dev/null @@ -1,52 +0,0 @@ -#include -#include - -#include "hashx2.h" - -#include "address.h" -#include "f1600x2.h" -#include "fips202x2.h" -#include "params.h" - -/* - * 2-way parallel version of prf_addr; takes 2x as much input and output - */ -void prf_addrx2(unsigned char *out0, - unsigned char *out1, - const spx_ctx *ctx, - const uint32_t addrx2[2 * 8]) { - /* As we write and read only a few quadwords, it is more efficient to - * build and extract from the fourway SHAKE256 state by hand. */ - uint64_t state[50] = {0}; - - for (int i = 0; i < SPX_N / 8; i++) { - uint64_t x = load64(ctx->pub_seed + 8 * i); - state[2 * i] = x; - state[2 * i + 1] = x; - } - for (int i = 0; i < 4; i++) { - state[2 * (SPX_N / 8 + i)] = (((uint64_t)addrx2[1 + 2 * i]) << 32) - | (uint64_t)addrx2[2 * i]; - state[2 * (SPX_N / 8 + i) + 1] = (((uint64_t)addrx2[8 + 1 + 2 * i]) << 32) - | (uint64_t)addrx2[8 + 2 * i]; - } - for (int i = 0; i < SPX_N / 8; i++) { - uint64_t x = load64(ctx->sk_seed + 8 * i); - state[2 * (SPX_N / 8 + i + 4)] = x; - state[2 * (SPX_N / 8 + i + 4) + 1] = x; - } - - /* SHAKE domain separator and padding. */ - state[2 * (SPX_N / 4 + 4)] = 0x1f; - state[2 * (SPX_N / 4 + 4) + 1] = 0x1f; - - state[2 * 16] = 0x80ULL << 56; - state[2 * 16 + 1] = 0x80ULL << 56; - - f1600x2(state); - - for (int i = 0; i < SPX_N / 8; i++) { - store64(out0 + 8 * i, state[2 * i]); - store64(out1 + 8 * i, state[2 * i + 1]); - } -} diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/hashx2.h b/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/hashx2.h deleted file mode 100644 index 99b8873a9..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/hashx2.h +++ /dev/null @@ -1,14 +0,0 @@ -#ifndef SPX_HASHX2_H -#define SPX_HASHX2_H - -#include "context.h" -#include "params.h" -#include - -#define prf_addrx2 SPX_NAMESPACE(prf_addrx2) -void prf_addrx2(unsigned char *out0, - unsigned char *out1, - const spx_ctx *ctx, - const uint32_t addrx2[2 * 8]); - -#endif diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/merkle.c b/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/merkle.c deleted file mode 100644 index c94ee2393..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/merkle.c +++ /dev/null @@ -1,64 +0,0 @@ -#include -#include - -#include "merkle.h" - -#include "address.h" -#include "params.h" -#include "utils.h" -#include "utilsx2.h" -#include "wots.h" -#include "wotsx2.h" - -/* - * This generates a Merkle signature (WOTS signature followed by the Merkle - * authentication path). - */ -void merkle_sign(uint8_t *sig, unsigned char *root, - const spx_ctx *ctx, - uint32_t wots_addr[8], uint32_t tree_addr[8], - uint32_t idx_leaf) { - unsigned char *auth_path = sig + SPX_WOTS_BYTES; - uint32_t tree_addrx2[2 * 8] = { 0 }; - int j; - struct leaf_info_x2 info = { 0 }; - unsigned steps[ SPX_WOTS_LEN ]; - - info.wots_sig = sig; - chain_lengths(steps, root); - info.wots_steps = steps; - - for (j = 0; j < 2; j++) { - set_type(&tree_addrx2[8 * j], SPX_ADDR_TYPE_HASHTREE); - set_type(&info.leaf_addr[8 * j], SPX_ADDR_TYPE_WOTS); - set_type(&info.pk_addr[8 * j], SPX_ADDR_TYPE_WOTSPK); - copy_subtree_addr(&tree_addrx2[8 * j], tree_addr); - copy_subtree_addr(&info.leaf_addr[8 * j], wots_addr); - copy_subtree_addr(&info.pk_addr[8 * j], wots_addr); - } - - info.wots_sign_leaf = idx_leaf; - - treehashx2(root, auth_path, ctx, - idx_leaf, 0, - SPX_TREE_HEIGHT, - wots_gen_leafx2, - tree_addrx2, &info); -} - -/* Compute root node of the top-most subtree. */ -void merkle_gen_root(unsigned char *root, const spx_ctx *ctx) { - /* We do not need the auth path in key generation, but it simplifies the - code to have just one treehash routine that computes both root and path - in one function. */ - unsigned char auth_path[SPX_TREE_HEIGHT * SPX_N + SPX_WOTS_BYTES]; - uint32_t top_tree_addr[8] = {0}; - uint32_t wots_addr[8] = {0}; - - set_layer_addr(top_tree_addr, SPX_D - 1); - set_layer_addr(wots_addr, SPX_D - 1); - - merkle_sign(auth_path, root, ctx, - wots_addr, top_tree_addr, - ~0 /* ~0 means "don't bother generating an auth path */ ); -} diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/merkle.h b/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/merkle.h deleted file mode 100644 index 769cf2e97..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/merkle.h +++ /dev/null @@ -1,21 +0,0 @@ -#ifndef MERKLE_H_ -#define MERKLE_H_ - -#include - -#include "context.h" -#include "params.h" - -/* Generate a Merkle signature (WOTS signature followed by the Merkle */ -/* authentication path) */ -#define merkle_sign SPX_NAMESPACE(merkle_sign) -void merkle_sign(uint8_t *sig, unsigned char *root, - const spx_ctx *ctx, - uint32_t wots_addr[8], uint32_t tree_addr[8], - uint32_t idx_leaf); - -/* Compute the root node of the top-most subtree. */ -#define merkle_gen_root SPX_NAMESPACE(merkle_gen_root) -void merkle_gen_root(unsigned char *root, const spx_ctx *ctx); - -#endif /* MERKLE_H_ */ diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/nistapi.h b/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/nistapi.h deleted file mode 100644 index 3cb71afad..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/nistapi.h +++ /dev/null @@ -1,87 +0,0 @@ -#ifndef SPX_API_H -#define SPX_API_H - -#include -#include - -#include "params.h" - -#define CRYPTO_ALGNAME "SPHINCS+" - -#define CRYPTO_SECRETKEYBYTES SPX_SK_BYTES -#define CRYPTO_PUBLICKEYBYTES SPX_PK_BYTES -#define CRYPTO_BYTES SPX_BYTES -#define CRYPTO_SEEDBYTES (3*SPX_N) - -/* - * Returns the length of a secret key, in bytes - */ -#define crypto_sign_secretkeybytes SPX_NAMESPACE(crypto_sign_secretkeybytes) -size_t crypto_sign_secretkeybytes(void); - -/* - * Returns the length of a public key, in bytes - */ -#define crypto_sign_publickeybytes SPX_NAMESPACE(crypto_sign_publickeybytes) -size_t crypto_sign_publickeybytes(void); - -/* - * Returns the length of a signature, in bytes - */ -#define crypto_sign_bytes SPX_NAMESPACE(crypto_sign_bytes) -size_t crypto_sign_bytes(void); - -/* - * Returns the length of the seed required to generate a key pair, in bytes - */ -#define crypto_sign_seedbytes SPX_NAMESPACE(crypto_sign_seedbytes) -size_t crypto_sign_seedbytes(void); - -/* - * Generates a SPHINCS+ key pair given a seed. - * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root] - * Format pk: [root || PUB_SEED] - */ -#define crypto_sign_seed_keypair SPX_NAMESPACE(crypto_sign_seed_keypair) -int crypto_sign_seed_keypair(uint8_t *pk, uint8_t *sk, - const uint8_t *seed); - -/* - * Generates a SPHINCS+ key pair. - * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root] - * Format pk: [root || PUB_SEED] - */ -#define crypto_sign_keypair SPX_NAMESPACE(crypto_sign_keypair) -int crypto_sign_keypair(uint8_t *pk, uint8_t *sk); - -/** - * Returns an array containing a detached signature. - */ -#define crypto_sign_signature SPX_NAMESPACE(crypto_sign_signature) -int crypto_sign_signature(uint8_t *sig, size_t *siglen, - const uint8_t *m, size_t mlen, const uint8_t *sk); - -/** - * Verifies a detached signature and message under a given public key. - */ -#define crypto_sign_verify SPX_NAMESPACE(crypto_sign_verify) -int crypto_sign_verify(const uint8_t *sig, size_t siglen, - const uint8_t *m, size_t mlen, const uint8_t *pk); - -/** - * Returns an array containing the signature followed by the message. - */ -#define crypto_sign SPX_NAMESPACE(crypto_sign) -int crypto_sign(uint8_t *sm, size_t *smlen, - const uint8_t *m, size_t mlen, - const uint8_t *sk); - -/** - * Verifies a given signature-message pair under a given public key. - */ -#define crypto_sign_open SPX_NAMESPACE(crypto_sign_open) -int crypto_sign_open(uint8_t *m, size_t *mlen, - const uint8_t *sm, size_t smlen, - const uint8_t *pk); - -#endif diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/params.h b/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/params.h deleted file mode 100644 index c28eb3ec5..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/params.h +++ /dev/null @@ -1,56 +0,0 @@ -#ifndef SPX_PARAMS_H -#define SPX_PARAMS_H - -#define SPX_NAMESPACE(s) PQCLEAN_SPHINCSSHAKE128FSIMPLE_AARCH64_##s - -/* Hash output length in bytes. */ -#define SPX_N 16 -/* Height of the hypertree. */ -#define SPX_FULL_HEIGHT 66 -/* Number of subtree layer. */ -#define SPX_D 22 -/* FORS tree dimensions. */ -#define SPX_FORS_HEIGHT 6 -#define SPX_FORS_TREES 33 -/* Winternitz parameter, */ -#define SPX_WOTS_W 16 - -/* The hash function is defined by linking a different hash.c file, as opposed - to setting a #define constant. */ - -/* For clarity */ -#define SPX_ADDR_BYTES 32 - -/* WOTS parameters. */ -#define SPX_WOTS_LOGW 4 - -#define SPX_WOTS_LEN1 (8 * SPX_N / SPX_WOTS_LOGW) - -/* SPX_WOTS_LEN2 is floor(log(len_1 * (w - 1)) / log(w)) + 1; we precompute */ -#define SPX_WOTS_LEN2 3 - -#define SPX_WOTS_LEN (SPX_WOTS_LEN1 + SPX_WOTS_LEN2) -#define SPX_WOTS_BYTES (SPX_WOTS_LEN * SPX_N) -#define SPX_WOTS_PK_BYTES SPX_WOTS_BYTES - -/* Subtree size. */ -#define SPX_TREE_HEIGHT (SPX_FULL_HEIGHT / SPX_D) - -//#if SPX_TREE_HEIGHT * SPX_D != SPX_FULL_HEIGHT -// #error SPX_D should always divide SPX_FULL_HEIGHT -//#endif - -/* FORS parameters. */ -#define SPX_FORS_MSG_BYTES ((SPX_FORS_HEIGHT * SPX_FORS_TREES + 7) / 8) -#define SPX_FORS_BYTES ((SPX_FORS_HEIGHT + 1) * SPX_FORS_TREES * SPX_N) -#define SPX_FORS_PK_BYTES SPX_N - -/* Resulting SPX sizes. */ -#define SPX_BYTES (SPX_N + SPX_FORS_BYTES + SPX_D * SPX_WOTS_BYTES +\ - SPX_FULL_HEIGHT * SPX_N) -#define SPX_PK_BYTES (2 * SPX_N) -#define SPX_SK_BYTES (2 * SPX_N + SPX_PK_BYTES) - -#include "shake_offsets.h" - -#endif diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/shake_offsets.h b/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/shake_offsets.h deleted file mode 100644 index 6b28d95d9..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/shake_offsets.h +++ /dev/null @@ -1,21 +0,0 @@ -#ifndef SHAKE_OFFSETS_H_ -#define SHAKE_OFFSETS_H_ - -/* - * Offsets of various fields in the address structure when we use SHAKE as - * the Sphincs+ hash function - */ - -#define SPX_OFFSET_LAYER 3 /* The byte used to specify the Merkle tree layer */ -#define SPX_OFFSET_TREE 8 /* The start of the 8 byte field used to specify the tree */ -#define SPX_OFFSET_TYPE 19 /* The byte used to specify the hash type (reason) */ -#define SPX_OFFSET_KP_ADDR2 22 /* The high byte used to specify the key pair (which one-time signature) */ -#define SPX_OFFSET_KP_ADDR1 23 /* The low byte used to specify the key pair */ -#define SPX_OFFSET_CHAIN_ADDR 27 /* The byte used to specify the chain address (which Winternitz chain) */ -#define SPX_OFFSET_HASH_ADDR 31 /* The byte used to specify the hash address (where in the Winternitz chain) */ -#define SPX_OFFSET_TREE_HGT 27 /* The byte used to specify the height of this node in the FORS or Merkle tree */ -#define SPX_OFFSET_TREE_INDEX 28 /* The start of the 4 byte field used to specify the node in the FORS or Merkle tree */ - -#define SPX_SHAKE 1 - -#endif /* SHAKE_OFFSETS_H_ */ diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/sign.c b/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/sign.c deleted file mode 100644 index 9d0c7d1b2..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/sign.c +++ /dev/null @@ -1,286 +0,0 @@ -#include -#include -#include - -#include "address.h" -#include "context.h" -#include "fors.h" -#include "hash.h" -#include "merkle.h" -#include "nistapi.h" -#include "params.h" -#include "randombytes.h" -#include "thash.h" -#include "utils.h" -#include "wots.h" - -/* - * Returns the length of a secret key, in bytes - */ -size_t crypto_sign_secretkeybytes(void) { - return CRYPTO_SECRETKEYBYTES; -} - -/* - * Returns the length of a public key, in bytes - */ -size_t crypto_sign_publickeybytes(void) { - return CRYPTO_PUBLICKEYBYTES; -} - -/* - * Returns the length of a signature, in bytes - */ -size_t crypto_sign_bytes(void) { - return CRYPTO_BYTES; -} - -/* - * Returns the length of the seed required to generate a key pair, in bytes - */ -size_t crypto_sign_seedbytes(void) { - return CRYPTO_SEEDBYTES; -} - -/* - * Generates an SPX key pair given a seed of length - * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root] - * Format pk: [PUB_SEED || root] - */ -int crypto_sign_seed_keypair(uint8_t *pk, uint8_t *sk, - const uint8_t *seed) { - spx_ctx ctx; - - /* Initialize SK_SEED, SK_PRF and PUB_SEED from seed. */ - memcpy(sk, seed, CRYPTO_SEEDBYTES); - - memcpy(pk, sk + 2 * SPX_N, SPX_N); - - memcpy(ctx.pub_seed, pk, SPX_N); - memcpy(ctx.sk_seed, sk, SPX_N); - - /* This hook allows the hash function instantiation to do whatever - preparation or computation it needs, based on the public seed. */ - initialize_hash_function(&ctx); - - /* Compute root node of the top-most subtree. */ - merkle_gen_root(sk + 3 * SPX_N, &ctx); - - // cleanup - free_hash_function(&ctx); - - memcpy(pk + SPX_N, sk + 3 * SPX_N, SPX_N); - - return 0; -} - -/* - * Generates an SPX key pair. - * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root] - * Format pk: [PUB_SEED || root] - */ -int crypto_sign_keypair(uint8_t *pk, uint8_t *sk) { - uint8_t seed[CRYPTO_SEEDBYTES]; - randombytes(seed, CRYPTO_SEEDBYTES); - crypto_sign_seed_keypair(pk, sk, seed); - - return 0; -} - -/** - * Returns an array containing a detached signature. - */ -int crypto_sign_signature(uint8_t *sig, size_t *siglen, - const uint8_t *m, size_t mlen, const uint8_t *sk) { - spx_ctx ctx; - - const uint8_t *sk_prf = sk + SPX_N; - const uint8_t *pk = sk + 2 * SPX_N; - - uint8_t optrand[SPX_N]; - uint8_t mhash[SPX_FORS_MSG_BYTES]; - uint8_t root[SPX_N]; - uint32_t i; - uint64_t tree; - uint32_t idx_leaf; - uint32_t wots_addr[8] = {0}; - uint32_t tree_addr[8] = {0}; - - memcpy(ctx.sk_seed, sk, SPX_N); - memcpy(ctx.pub_seed, pk, SPX_N); - - /* This hook allows the hash function instantiation to do whatever - preparation or computation it needs, based on the public seed. */ - initialize_hash_function(&ctx); - - set_type(wots_addr, SPX_ADDR_TYPE_WOTS); - set_type(tree_addr, SPX_ADDR_TYPE_HASHTREE); - - /* Optionally, signing can be made non-deterministic using optrand. - This can help counter side-channel attacks that would benefit from - getting a large number of traces when the signer uses the same nodes. */ - randombytes(optrand, SPX_N); - /* Compute the digest randomization value. */ - gen_message_random(sig, sk_prf, optrand, m, mlen, &ctx); - - /* Derive the message digest and leaf index from R, PK and M. */ - hash_message(mhash, &tree, &idx_leaf, sig, pk, m, mlen, &ctx); - sig += SPX_N; - - set_tree_addr(wots_addr, tree); - set_keypair_addr(wots_addr, idx_leaf); - - /* Sign the message hash using FORS. */ - fors_sign(sig, root, mhash, &ctx, wots_addr); - sig += SPX_FORS_BYTES; - - for (i = 0; i < SPX_D; i++) { - set_layer_addr(tree_addr, i); - set_tree_addr(tree_addr, tree); - - copy_subtree_addr(wots_addr, tree_addr); - set_keypair_addr(wots_addr, idx_leaf); - - merkle_sign(sig, root, &ctx, wots_addr, tree_addr, idx_leaf); - sig += SPX_WOTS_BYTES + SPX_TREE_HEIGHT * SPX_N; - - /* Update the indices for the next layer. */ - idx_leaf = (tree & ((1 << SPX_TREE_HEIGHT) - 1)); - tree = tree >> SPX_TREE_HEIGHT; - } - - free_hash_function(&ctx); - - *siglen = SPX_BYTES; - - return 0; -} - -/** - * Verifies a detached signature and message under a given public key. - */ -int crypto_sign_verify(const uint8_t *sig, size_t siglen, - const uint8_t *m, size_t mlen, const uint8_t *pk) { - spx_ctx ctx; - const uint8_t *pub_root = pk + SPX_N; - uint8_t mhash[SPX_FORS_MSG_BYTES]; - uint8_t wots_pk[SPX_WOTS_BYTES]; - uint8_t root[SPX_N]; - uint8_t leaf[SPX_N]; - unsigned int i; - uint64_t tree; - uint32_t idx_leaf; - uint32_t wots_addr[8] = {0}; - uint32_t tree_addr[8] = {0}; - uint32_t wots_pk_addr[8] = {0}; - - if (siglen != SPX_BYTES) { - return -1; - } - - memcpy(ctx.pub_seed, pk, SPX_N); - - /* This hook allows the hash function instantiation to do whatever - preparation or computation it needs, based on the public seed. */ - initialize_hash_function(&ctx); - - set_type(wots_addr, SPX_ADDR_TYPE_WOTS); - set_type(tree_addr, SPX_ADDR_TYPE_HASHTREE); - set_type(wots_pk_addr, SPX_ADDR_TYPE_WOTSPK); - - /* Derive the message digest and leaf index from R || PK || M. */ - /* The additional SPX_N is a result of the hash domain separator. */ - hash_message(mhash, &tree, &idx_leaf, sig, pk, m, mlen, &ctx); - sig += SPX_N; - - /* Layer correctly defaults to 0, so no need to set_layer_addr */ - set_tree_addr(wots_addr, tree); - set_keypair_addr(wots_addr, idx_leaf); - - fors_pk_from_sig(root, sig, mhash, &ctx, wots_addr); - sig += SPX_FORS_BYTES; - - /* For each subtree.. */ - for (i = 0; i < SPX_D; i++) { - set_layer_addr(tree_addr, i); - set_tree_addr(tree_addr, tree); - - copy_subtree_addr(wots_addr, tree_addr); - set_keypair_addr(wots_addr, idx_leaf); - - copy_keypair_addr(wots_pk_addr, wots_addr); - - /* The WOTS public key is only correct if the signature was correct. */ - /* Initially, root is the FORS pk, but on subsequent iterations it is - the root of the subtree below the currently processed subtree. */ - wots_pk_from_sig(wots_pk, sig, root, &ctx, wots_addr); - sig += SPX_WOTS_BYTES; - - /* Compute the leaf node using the WOTS public key. */ - thash(leaf, wots_pk, SPX_WOTS_LEN, &ctx, wots_pk_addr); - - /* Compute the root node of this subtree. */ - compute_root(root, leaf, idx_leaf, 0, sig, SPX_TREE_HEIGHT, - &ctx, tree_addr); - sig += SPX_TREE_HEIGHT * SPX_N; - - /* Update the indices for the next layer. */ - idx_leaf = (tree & ((1 << SPX_TREE_HEIGHT) - 1)); - tree = tree >> SPX_TREE_HEIGHT; - } - - // cleanup - free_hash_function(&ctx); - - /* Check if the root node equals the root node in the public key. */ - if (memcmp(root, pub_root, SPX_N) != 0) { - return -1; - } - - return 0; -} - - -/** - * Returns an array containing the signature followed by the message. - */ -int crypto_sign(uint8_t *sm, size_t *smlen, - const uint8_t *m, size_t mlen, - const uint8_t *sk) { - size_t siglen; - - crypto_sign_signature(sm, &siglen, m, mlen, sk); - - memmove(sm + SPX_BYTES, m, mlen); - *smlen = siglen + mlen; - - return 0; -} - -/** - * Verifies a given signature-message pair under a given public key. - */ -int crypto_sign_open(uint8_t *m, size_t *mlen, - const uint8_t *sm, size_t smlen, - const uint8_t *pk) { - /* The API caller does not necessarily know what size a signature should be - but SPHINCS+ signatures are always exactly SPX_BYTES. */ - if (smlen < SPX_BYTES) { - memset(m, 0, smlen); - *mlen = 0; - return -1; - } - - *mlen = smlen - SPX_BYTES; - - if (crypto_sign_verify(sm, SPX_BYTES, sm + SPX_BYTES, *mlen, pk)) { - memset(m, 0, smlen); - *mlen = 0; - return -1; - } - - /* If verification was successful, move the message to the right place. */ - memmove(m, sm + SPX_BYTES, *mlen); - - return 0; -} diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/thash.h b/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/thash.h deleted file mode 100644 index 8687ccfb4..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/thash.h +++ /dev/null @@ -1,13 +0,0 @@ -#ifndef SPX_THASH_H -#define SPX_THASH_H - -#include "context.h" -#include "params.h" - -#include - -#define thash SPX_NAMESPACE(thash) -void thash(unsigned char *out, const unsigned char *in, unsigned int inblocks, - const spx_ctx *ctx, uint32_t addr[8]); - -#endif diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/thash_shake_simplex2.c b/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/thash_shake_simplex2.c deleted file mode 100644 index 892e45369..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/thash_shake_simplex2.c +++ /dev/null @@ -1,83 +0,0 @@ -#include -#include - -#include "thash.h" -#include "thashx2.h" - -#include "address.h" -#include "params.h" -#include "utils.h" - -#include "f1600x2.h" -#include "fips202x2.h" - - -void thash(unsigned char *out, - const unsigned char *in, - unsigned int inblocks, - const spx_ctx *ctx, uint32_t addr[8]) { - uint32_t addrx2 [2 * 8] = { - addr[0], addr[1], addr[2], addr[3], addr[4], addr[5], addr[6], addr[7], - addr[0], addr[1], addr[2], addr[3], addr[4], addr[5], addr[6], addr[7] - }; - thashx2(out, out, in, in, inblocks, ctx, addrx2); -} - -/** - * 2-way parallel version of thash; takes 2x as much input and output - */ -void thashx2(unsigned char *out0, - unsigned char *out1, - const unsigned char *in0, - const unsigned char *in1, - unsigned int inblocks, - const spx_ctx *ctx, uint32_t addrx2[2 * 8]) { - if (inblocks == 1 || inblocks == 2) { - /* As we write and read only a few quadwords, it is more efficient to - * build and extract from the twoway SHAKE256 state by hand. */ - uint64_t state[50] = {0}; - for (int i = 0; i < SPX_N / 8; i++) { - uint64_t x = load64(ctx->pub_seed + 8 * i); - state[2 * i] = x; - state[2 * i + 1] = x; - } - for (int i = 0; i < 4; i++) { - state[2 * (SPX_N / 8 + i)] = (((uint64_t)addrx2[1 + 2 * i]) << 32) - | (uint64_t)addrx2[2 * i]; - state[2 * (SPX_N / 8 + i) + 1] = (((uint64_t)addrx2[8 + 1 + 2 * i]) << 32) - | (uint64_t)addrx2[8 + 2 * i]; - } - - for (unsigned int i = 0; i < (SPX_N / 8) * inblocks; i++) { - state[2 * (SPX_N / 8 + 4 + i)] = load64(in0 + 8 * i); - state[2 * (SPX_N / 8 + 4 + i) + 1] = load64(in1 + 8 * i); - } - - /* Domain separator and padding. */ - state[2 * 16] = 0x80ULL << 56; - state[2 * 16 + 1] = 0x80ULL << 56; - - state[2 * ((SPX_N / 8) * (1 + inblocks) + 4)] ^= 0x1f; - state[2 * ((SPX_N / 8) * (1 + inblocks) + 4) + 1] ^= 0x1f; - - f1600x2(state); - - for (int i = 0; i < SPX_N / 8; i++) { - store64(out0 + 8 * i, state[2 * i]); - store64(out1 + 8 * i, state[2 * i + 1]); - } - } else { - PQCLEAN_VLA(unsigned char, buf0, SPX_N + SPX_ADDR_BYTES + inblocks * SPX_N); - PQCLEAN_VLA(unsigned char, buf1, SPX_N + SPX_ADDR_BYTES + inblocks * SPX_N); - - memcpy(buf0, ctx->pub_seed, SPX_N); - memcpy(buf1, ctx->pub_seed, SPX_N); - memcpy(buf0 + SPX_N, addrx2 + 0 * 8, SPX_ADDR_BYTES); - memcpy(buf1 + SPX_N, addrx2 + 1 * 8, SPX_ADDR_BYTES); - memcpy(buf0 + SPX_N + SPX_ADDR_BYTES, in0, inblocks * SPX_N); - memcpy(buf1 + SPX_N + SPX_ADDR_BYTES, in1, inblocks * SPX_N); - - shake256x2(out0, out1, SPX_N, - buf0, buf1, SPX_N + SPX_ADDR_BYTES + inblocks * SPX_N); - } -} diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/thashx2.h b/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/thashx2.h deleted file mode 100644 index 040375e61..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/thashx2.h +++ /dev/null @@ -1,16 +0,0 @@ -#ifndef SPX_THASHX2_H -#define SPX_THASHX2_H - -#include "context.h" -#include "params.h" -#include - -#define thashx2 SPX_NAMESPACE(thashx2) -void thashx2(unsigned char *out0, - unsigned char *out1, - const unsigned char *in0, - const unsigned char *in1, - unsigned int inblocks, - const spx_ctx *ctx, uint32_t addrx2[2 * 8]); - -#endif diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/utils.c b/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/utils.c deleted file mode 100644 index 177b541fb..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/utils.c +++ /dev/null @@ -1,148 +0,0 @@ -#include - -#include "utils.h" - -#include "address.h" -#include "hash.h" -#include "params.h" -#include "thash.h" - -/** - * Converts the value of 'in' to 'outlen' bytes in big-endian byte order. - */ -void ull_to_bytes(unsigned char *out, unsigned int outlen, - unsigned long long in) { - int i; - - /* Iterate over out in decreasing order, for big-endianness. */ - for (i = (signed int)outlen - 1; i >= 0; i--) { - out[i] = in & 0xff; - in = in >> 8; - } -} - -void u32_to_bytes(unsigned char *out, uint32_t in) { - out[0] = (unsigned char)(in >> 24); - out[1] = (unsigned char)(in >> 16); - out[2] = (unsigned char)(in >> 8); - out[3] = (unsigned char)in; -} - -/** - * Converts the inlen bytes in 'in' from big-endian byte order to an integer. - */ -unsigned long long bytes_to_ull(const unsigned char *in, unsigned int inlen) { - unsigned long long retval = 0; - unsigned int i; - - for (i = 0; i < inlen; i++) { - retval |= ((unsigned long long)in[i]) << (8 * (inlen - 1 - i)); - } - return retval; -} - -/** - * Computes a root node given a leaf and an auth path. - * Expects address to be complete other than the tree_height and tree_index. - */ -void compute_root(unsigned char *root, const unsigned char *leaf, - uint32_t leaf_idx, uint32_t idx_offset, - const unsigned char *auth_path, uint32_t tree_height, - const spx_ctx *ctx, uint32_t addr[8]) { - uint32_t i; - unsigned char buffer[2 * SPX_N]; - - /* If leaf_idx is odd (last bit = 1), current path element is a right child - and auth_path has to go left. Otherwise it is the other way around. */ - if (leaf_idx & 1) { - memcpy(buffer + SPX_N, leaf, SPX_N); - memcpy(buffer, auth_path, SPX_N); - } else { - memcpy(buffer, leaf, SPX_N); - memcpy(buffer + SPX_N, auth_path, SPX_N); - } - auth_path += SPX_N; - - for (i = 0; i < tree_height - 1; i++) { - leaf_idx >>= 1; - idx_offset >>= 1; - /* Set the address of the node we're creating. */ - set_tree_height(addr, i + 1); - set_tree_index(addr, leaf_idx + idx_offset); - - /* Pick the right or left neighbor, depending on parity of the node. */ - if (leaf_idx & 1) { - thash(buffer + SPX_N, buffer, 2, ctx, addr); - memcpy(buffer, auth_path, SPX_N); - } else { - thash(buffer, buffer, 2, ctx, addr); - memcpy(buffer + SPX_N, auth_path, SPX_N); - } - auth_path += SPX_N; - } - - /* The last iteration is exceptional; we do not copy an auth_path node. */ - leaf_idx >>= 1; - idx_offset >>= 1; - set_tree_height(addr, tree_height); - set_tree_index(addr, leaf_idx + idx_offset); - thash(root, buffer, 2, ctx, addr); -} - -/** - * For a given leaf index, computes the authentication path and the resulting - * root node using Merkle's TreeHash algorithm. - * Expects the layer and tree parts of the tree_addr to be set, as well as the - * tree type (i.e. SPX_ADDR_TYPE_HASHTREE or SPX_ADDR_TYPE_FORSTREE). - * Applies the offset idx_offset to indices before building addresses, so that - * it is possible to continue counting indices across trees. - */ -void treehash(unsigned char *root, unsigned char *auth_path, const spx_ctx *ctx, - uint32_t leaf_idx, uint32_t idx_offset, uint32_t tree_height, - void (*gen_leaf)( - unsigned char * /* leaf */, - const spx_ctx * /* ctx */, - uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */), - uint32_t tree_addr[8]) { - PQCLEAN_VLA(uint8_t, stack, (tree_height + 1)*SPX_N); - PQCLEAN_VLA(unsigned int, heights, tree_height + 1); - unsigned int offset = 0; - uint32_t idx; - uint32_t tree_idx; - - for (idx = 0; idx < (uint32_t)(1 << tree_height); idx++) { - /* Add the next leaf node to the stack. */ - gen_leaf(stack + offset * SPX_N, ctx, idx + idx_offset, tree_addr); - offset++; - heights[offset - 1] = 0; - - /* If this is a node we need for the auth path.. */ - if ((leaf_idx ^ 0x1) == idx) { - memcpy(auth_path, stack + (offset - 1)*SPX_N, SPX_N); - } - - /* While the top-most nodes are of equal height.. */ - while (offset >= 2 && heights[offset - 1] == heights[offset - 2]) { - /* Compute index of the new node, in the next layer. */ - tree_idx = (idx >> (heights[offset - 1] + 1)); - - /* Set the address of the node we're creating. */ - set_tree_height(tree_addr, heights[offset - 1] + 1); - set_tree_index(tree_addr, - tree_idx + (idx_offset >> (heights[offset - 1] + 1))); - /* Hash the top-most nodes from the stack together. */ - thash(stack + (offset - 2)*SPX_N, - stack + (offset - 2)*SPX_N, 2, ctx, tree_addr); - offset--; - /* Note that the top-most node is now one layer higher. */ - heights[offset - 1]++; - - /* If this is a node we need for the auth path.. */ - if (((leaf_idx >> heights[offset - 1]) ^ 0x1) == tree_idx) { - memcpy(auth_path + heights[offset - 1]*SPX_N, - stack + (offset - 1)*SPX_N, SPX_N); - } - } - } - memcpy(root, stack, SPX_N); -} diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/utils.h b/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/utils.h deleted file mode 100644 index 64f5d5a53..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/utils.h +++ /dev/null @@ -1,58 +0,0 @@ -#ifndef SPX_UTILS_H -#define SPX_UTILS_H - -#include - -#include "compat.h" -#include "context.h" -#include "params.h" - - -/* To support MSVC use alloca() instead of VLAs. See #20. */ - - -/** - * Converts the value of 'in' to 'outlen' bytes in big-endian byte order. - */ -#define ull_to_bytes SPX_NAMESPACE(ull_to_bytes) -void ull_to_bytes(unsigned char *out, unsigned int outlen, - unsigned long long in); -#define u32_to_bytes SPX_NAMESPACE(u32_to_bytes) -void u32_to_bytes(unsigned char *out, uint32_t in); - -/** - * Converts the inlen bytes in 'in' from big-endian byte order to an integer. - */ -#define bytes_to_ull SPX_NAMESPACE(bytes_to_ull) -unsigned long long bytes_to_ull(const unsigned char *in, unsigned int inlen); - -/** - * Computes a root node given a leaf and an auth path. - * Expects address to be complete other than the tree_height and tree_index. - */ -#define compute_root SPX_NAMESPACE(compute_root) -void compute_root(unsigned char *root, const unsigned char *leaf, - uint32_t leaf_idx, uint32_t idx_offset, - const unsigned char *auth_path, uint32_t tree_height, - const spx_ctx *ctx, uint32_t addr[8]); - -/** - * For a given leaf index, computes the authentication path and the resulting - * root node using Merkle's TreeHash algorithm. - * Expects the layer and tree parts of the tree_addr to be set, as well as the - * tree type (i.e. SPX_ADDR_TYPE_HASHTREE or SPX_ADDR_TYPE_FORSTREE). - * Applies the offset idx_offset to indices before building addresses, so that - * it is possible to continue counting indices across trees. - */ -#define treehash SPX_NAMESPACE(treehash) -void treehash(unsigned char *root, unsigned char *auth_path, - const spx_ctx *ctx, - uint32_t leaf_idx, uint32_t idx_offset, uint32_t tree_height, - void (*gen_leaf)( - unsigned char * /* leaf */, - const spx_ctx *ctx /* ctx */, - uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */), - uint32_t tree_addr[8]); - - -#endif diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/utilsx2.c b/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/utilsx2.c deleted file mode 100644 index 8736474e4..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/utilsx2.c +++ /dev/null @@ -1,130 +0,0 @@ -#include - -#include "utilsx2.h" - -#include "address.h" -#include "params.h" -#include "thashx2.h" -#include "utils.h" - -/* - * Generate the entire Merkle tree, computing the authentication path for leaf_idx, - * and the resulting root node using Merkle's TreeHash algorithm. - * Expects the layer and tree parts of the tree_addr to be set, as well as the - * tree type (i.e. SPX_ADDR_TYPE_HASHTREE or SPX_ADDR_TYPE_FORSTREE) - * - * This expects tree_addrx2 to be initialized to 2 parallel addr structures for - * the Merkle tree nodes - * - * Applies the offset idx_offset to indices before building addresses, so that - * it is possible to continue counting indices across trees. - * - * This works by using the standard Merkle tree building algorithm, except - * that each 'node' tracked is actually 2 consecutive nodes in the real tree. - * When we combine two logical nodes AB and WX, we perform the H - * operation on adjacent real nodes, forming the parent logical node - * (AB)(WX) - * - * When we get to the top level of the real tree (where there is only - * one logical node), we continue this operation one more time; the right - * most real node will by the actual root (and the other node will be - * garbage). We follow the same thashx2 logic so that the 'extract - * authentication path components' part of the loop is still executed (and - * to simplify the code somewhat) - */ -void treehashx2(unsigned char *root, unsigned char *auth_path, - const spx_ctx *ctx, - uint32_t leaf_idx, uint32_t idx_offset, - uint32_t tree_height, - void (*gen_leafx2)( - unsigned char * /* Where to write the leaves */, - const spx_ctx *, - uint32_t idx, void *info), - uint32_t tree_addrx2[2 * 8], - void *info) { - /* This is where we keep the intermediate nodes */ - unsigned char stackx2[tree_height * 2 * SPX_N]; - uint32_t left_adj = 0, prev_left_adj = 0; /* When we're doing the top */ - /* level, the left-most part of the tree isn't at the beginning */ - /* of current[]. These give the offset of the actual start */ - - uint32_t idx; - uint32_t max_idx = (1 << (tree_height - 1)) - 1; - for (idx = 0;; idx++) { - unsigned char current[2 * SPX_N]; /* Current logical node */ - gen_leafx2( current, ctx, 2 * idx + idx_offset, - info ); - - /* Now combine the freshly generated right node with previously */ - /* generated left ones */ - uint32_t internal_idx_offset = idx_offset; - uint32_t internal_idx = idx; - uint32_t internal_leaf = leaf_idx; - uint32_t h; /* The height we are in the Merkle tree */ - for (h = 0;; h++, internal_idx >>= 1, internal_leaf >>= 1) { - - /* Special processing if we're at the top of the tree */ - if (h >= tree_height - 1) { - if (h == tree_height) { - /* We hit the root; return it */ - memcpy( root, ¤t[1 * SPX_N], SPX_N ); - return; - } - /* The tree indexing logic is a bit off in this case */ - /* Adjust it so that the left-most node of the part of */ - /* the tree that we're processing has index 0 */ - prev_left_adj = left_adj; - left_adj = 2 - (1 << (tree_height - h - 1)); - } - - /* Check if we hit the top of the tree */ - if (h == tree_height) { - /* We hit the root; return it */ - memcpy( root, ¤t[1 * SPX_N], SPX_N ); - return; - } - - /* - * Check if one of the nodes we have is a part of the - * authentication path; if it is, write it out - */ - if ((((internal_idx << 1) ^ internal_leaf) & ~0x1) == 0) { - memcpy( &auth_path[ h * SPX_N ], - ¤t[(((internal_leaf & 1) ^ 1) + prev_left_adj) * SPX_N], - SPX_N ); - } - - /* - * Check if we're at a left child; if so, stop going up the stack - * Exception: if we've reached the end of the tree, keep on going - * (so we combine the last 2 nodes into the one root node in two - * more iterations) - */ - if ((internal_idx & 1) == 0 && idx < max_idx) { - break; - } - - /* Ok, we're at a right node (or doing the top 3 levels) */ - /* Now combine the left and right logical nodes together */ - - /* Set the address of the node we're creating. */ - int j; - internal_idx_offset >>= 1; - for (j = 0; j < 2; j++) { - set_tree_height(tree_addrx2 + j * 8, h + 1); - set_tree_index(tree_addrx2 + j * 8, - (2 / 2) * (internal_idx & ~1) + j - left_adj + internal_idx_offset ); - } - unsigned char *left = &stackx2[h * 2 * SPX_N]; - thashx2( ¤t[0 * SPX_N], - ¤t[1 * SPX_N], - &left [0 * SPX_N], - ¤t[0 * SPX_N], - 2, ctx, tree_addrx2); - } - - /* We've hit a left child; save the current for when we get the */ - /* corresponding right right */ - memcpy( &stackx2[h * 2 * SPX_N], current, 2 * SPX_N); - } -} diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/utilsx2.h b/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/utilsx2.h deleted file mode 100644 index e09faddc4..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/utilsx2.h +++ /dev/null @@ -1,30 +0,0 @@ -#ifndef SPX_UTILSX2_H -#define SPX_UTILSX2_H - -#include - -#include "context.h" -#include "params.h" - -/** - * For a given leaf index, computes the authentication path and the resulting - * root node using Merkle's TreeHash algorithm. - * Expects the layer and tree parts of the tree_addr to be set, as well as the - * tree type (i.e. SPX_ADDR_TYPE_HASHTREE or SPX_ADDR_TYPE_FORSTREE). - * Applies the offset idx_offset to indices before building addresses, so that - * it is possible to continue counting indices across trees. - * - * This implementation uses SIMD to compute internal nodes 2 at a time (in - * parallel) - */ -#define treehashx2 SPX_NAMESPACE(treehashx2) -void treehashx2(unsigned char *root, unsigned char *auth_path, - const spx_ctx *ctx, - uint32_t leaf_idx, uint32_t idx_offset, uint32_t tree_height, - void (*gen_leafx2)( - unsigned char * /* Where to write the leaves */, - const spx_ctx * /* ctx */, - uint32_t addr_idx, void *info), - uint32_t tree_addrx2[2 * 8], void *info); - -#endif diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/wots.c b/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/wots.c deleted file mode 100644 index 3babe45e9..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/wots.c +++ /dev/null @@ -1,259 +0,0 @@ -#include -#include - -#include "wots.h" -#include "wotsx2.h" - -#include "address.h" -#include "hash.h" -#include "hashx2.h" -#include "params.h" -#include "thashx2.h" -#include "utils.h" -#include "utilsx2.h" - -// TODO clarify address expectations, and make them more uniform. -// TODO i.e. do we expect types to be set already? -// TODO and do we expect modifications or copies? - -/** - * Computes up the chains - */ -static void gen_chains( - unsigned char *out, - const unsigned char *in, - unsigned int start[SPX_WOTS_LEN], - const unsigned int steps[SPX_WOTS_LEN], - const spx_ctx *ctx, - uint32_t addr[8]) { - uint32_t i, j, k, idx, watching; - int done; - unsigned char empty[SPX_N]; - unsigned char *bufs[4]; - uint32_t addrs[8 * 2]; - - int l; - uint16_t counts[SPX_WOTS_W] = { 0 }; - uint16_t idxs[SPX_WOTS_LEN]; - uint16_t total, newTotal; - - /* set addrs = {addr, addr} */ - for (j = 0; j < 2; j++) { - memcpy(addrs + j * 8, addr, sizeof(uint32_t) * 8); - } - - /* Initialize out with the value at position 'start'. */ - memcpy(out, in, SPX_WOTS_LEN * SPX_N); - - /* Sort the chains in reverse order by steps using counting sort. */ - for (i = 0; i < SPX_WOTS_LEN; i++) { - counts[steps[i]]++; - } - total = 0; - for (l = SPX_WOTS_W - 1; l >= 0; l--) { - newTotal = counts[l] + total; - counts[l] = total; - total = newTotal; - } - for (i = 0; i < SPX_WOTS_LEN; i++) { - idxs[counts[steps[i]]] = i; - counts[steps[i]]++; - } - - /* We got our work cut out for us: do it! */ - for (i = 0; i < SPX_WOTS_LEN; i += 2) { - for (j = 0; j < 2 && i + j < SPX_WOTS_LEN; j++) { - idx = idxs[i + j]; - set_chain_addr(addrs + j * 8, idx); - bufs[j] = out + SPX_N * idx; - } - - /* As the chains are sorted in reverse order, we know that the first - * chain is the longest and the last one is the shortest. We keep - * an eye on whether the last chain is done and then on the one before, - * et cetera. */ - watching = 1; - done = 0; - while (i + watching >= SPX_WOTS_LEN) { - bufs[watching] = &empty[0]; - watching--; - } - - for (k = 0;; k++) { - while (k == steps[idxs[i + watching]]) { - bufs[watching] = &empty[0]; - if (watching == 0) { - done = 1; - break; - } - watching--; - } - if (done) { - break; - } - for (j = 0; j < watching + 1; j++) { - set_hash_addr(addrs + j * 8, k + start[idxs[i + j]]); - } - - thashx2(bufs[0], bufs[1], - bufs[0], bufs[1], 1, ctx, addrs); - } - } -} - -/** - * base_w algorithm as described in draft. - * Interprets an array of bytes as integers in base w. - * This only works when log_w is a divisor of 8. - */ -static void base_w(unsigned int *output, const int out_len, - const unsigned char *input) { - int in = 0; - int out = 0; - unsigned char total = 0; - int bits = 0; - int consumed; - - for (consumed = 0; consumed < out_len; consumed++) { - if (bits == 0) { - total = input[in]; - in++; - bits += 8; - } - bits -= SPX_WOTS_LOGW; - output[out] = (total >> bits) & (SPX_WOTS_W - 1); - out++; - } -} - -/* Computes the WOTS+ checksum over a message (in base_w). */ -static void wots_checksum(unsigned int *csum_base_w, - const unsigned int *msg_base_w) { - unsigned int csum = 0; - unsigned char csum_bytes[(SPX_WOTS_LEN2 * SPX_WOTS_LOGW + 7) / 8]; - unsigned int i; - - /* Compute checksum. */ - for (i = 0; i < SPX_WOTS_LEN1; i++) { - csum += SPX_WOTS_W - 1 - msg_base_w[i]; - } - - /* Convert checksum to base_w. */ - /* Make sure expected empty zero bits are the least significant bits. */ - csum = csum << ((8 - ((SPX_WOTS_LEN2 * SPX_WOTS_LOGW) % 8)) % 8); - ull_to_bytes(csum_bytes, sizeof(csum_bytes), csum); - base_w(csum_base_w, SPX_WOTS_LEN2, csum_bytes); -} - -/* Takes a message and derives the matching chain lengths. */ -void chain_lengths(unsigned int *lengths, const unsigned char *msg) { - base_w(lengths, SPX_WOTS_LEN1, msg); - wots_checksum(lengths + SPX_WOTS_LEN1, lengths); -} - -/** - * Takes a WOTS signature and an n-byte message, computes a WOTS public key. - * - * Writes the computed public key to 'pk'. - */ -void wots_pk_from_sig(unsigned char *pk, - const unsigned char *sig, const unsigned char *msg, - const spx_ctx *ctx, uint32_t addr[8]) { - unsigned int steps[SPX_WOTS_LEN]; - unsigned int start[SPX_WOTS_LEN]; - uint32_t i; - - chain_lengths(start, msg); - - for (i = 0; i < SPX_WOTS_LEN; i++) { - steps[i] = SPX_WOTS_W - 1 - start[i]; - } - - gen_chains(pk, sig, start, steps, ctx, addr); -} - -/* - * This generates 2 sequential WOTS public keys - * It also generates the WOTS signature if leaf_info indicates - * that we're signing with one of these WOTS keys - */ -void wots_gen_leafx2(unsigned char *dest, - const spx_ctx *ctx, - uint32_t leaf_idx, void *v_info) { - struct leaf_info_x2 *info = v_info; - uint32_t *leaf_addr = info->leaf_addr; - uint32_t *pk_addr = info->pk_addr; - unsigned int i, j, k; - unsigned char pk_buffer[ 2 * SPX_WOTS_BYTES ]; - unsigned wots_offset = SPX_WOTS_BYTES; - unsigned char *buffer; - uint32_t wots_k_mask; - unsigned wots_sign_index; - - if (((leaf_idx ^ info->wots_sign_leaf) & ~1) == 0) { - /* We're traversing the leaf that's signing; generate the WOTS */ - /* signature */ - wots_k_mask = 0; - wots_sign_index = info->wots_sign_leaf & 1; /* Which of of the 2 */ - /* slots do the signatures come from */ - } else { - /* Nope, we're just generating pk's; turn off the signature logic */ - wots_k_mask = ~0; - wots_sign_index = 0; - } - - for (j = 0; j < 2; j++) { - set_keypair_addr( leaf_addr + j * 8, leaf_idx + j ); - set_keypair_addr( pk_addr + j * 8, leaf_idx + j ); - } - - for (i = 0, buffer = pk_buffer; i < SPX_WOTS_LEN; i++, buffer += SPX_N) { - uint32_t wots_k = info->wots_steps[i] | wots_k_mask; /* Set wots_k to */ - /* the step if we're generating a signature, ~0 if we're not */ - - /* Start with the secret seed */ - for (j = 0; j < 2; j++) { - set_chain_addr(leaf_addr + j * 8, i); - set_hash_addr(leaf_addr + j * 8, 0); - set_type(leaf_addr + j * 8, SPX_ADDR_TYPE_WOTSPRF); - } - prf_addrx2(buffer + 0 * wots_offset, - buffer + 1 * wots_offset, - ctx, leaf_addr); - for (j = 0; j < 2; j++) { - set_type(leaf_addr + j * 8, SPX_ADDR_TYPE_WOTS); - } - - /* Iterate down the WOTS chain */ - for (k = 0;; k++) { - /* Check if one of the values we have needs to be saved as a */ - /* part of the WOTS signature */ - if (k == wots_k) { - memcpy( info->wots_sig + i * SPX_N, - buffer + wots_sign_index * wots_offset, SPX_N ); - } - - /* Check if we hit the top of the chain */ - if (k == SPX_WOTS_W - 1) { - break; - } - - /* Iterate one step on all 4 chains */ - for (j = 0; j < 2; j++) { - set_hash_addr(leaf_addr + j * 8, k); - } - thashx2(buffer + 0 * wots_offset, - buffer + 1 * wots_offset, - buffer + 0 * wots_offset, - buffer + 1 * wots_offset, - 1, ctx, leaf_addr); - } - } - - /* Do the final thash to generate the public keys */ - thashx2(dest + 0 * SPX_N, - dest + 1 * SPX_N, - pk_buffer + 0 * wots_offset, - pk_buffer + 1 * wots_offset, - SPX_WOTS_LEN, ctx, pk_addr); -} diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/wots.h b/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/wots.h deleted file mode 100644 index 4e7692eee..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/wots.h +++ /dev/null @@ -1,25 +0,0 @@ -#ifndef SPX_WOTS_H -#define SPX_WOTS_H - -#include - -#include "context.h" -#include "params.h" - -/** - * Takes a WOTS signature and an n-byte message, computes a WOTS public key. - * - * Writes the computed public key to 'pk'. - */ -#define wots_pk_from_sig SPX_NAMESPACE(wots_pk_from_sig) -void wots_pk_from_sig(unsigned char *pk, - const unsigned char *sig, const unsigned char *msg, - const spx_ctx *ctx, uint32_t addr[8]); - -/* - * Compute the chain lengths needed for a given message hash - */ -#define chain_lengths SPX_NAMESPACE(chain_lengths) -void chain_lengths(unsigned int *lengths, const unsigned char *msg); - -#endif diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/wotsx2.h b/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/wotsx2.h deleted file mode 100644 index b58bb61f8..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-128f-simple_aarch64/wotsx2.h +++ /dev/null @@ -1,40 +0,0 @@ -#ifndef WOTSX2_H_ -#define WOTSX2_H_ - -#include "params.h" -#include - -/* - * This is here to provide an interface to the internal wots_gen_leafx2 - * routine. While this routine is not referenced in the package outside of - * wots.c, it is called from the stand-alone benchmark code to characterize - * the performance - */ -struct leaf_info_x2 { - unsigned char *wots_sig; - uint32_t wots_sign_leaf; /* The index of the WOTS we're using to sign */ - uint32_t *wots_steps; - uint32_t leaf_addr[2 * 8]; - uint32_t pk_addr[2 * 8]; -}; - -/* Macro to set the leaf_info to something 'benign', that is, it would */ -/* run with the same time as it does during the real signing process */ -/* Used only by the benchmark code */ -#define INITIALIZE_LEAF_INFO_X2(info, addr, step_buffer) { \ - (info).wots_sig = 0; \ - (info).wots_sign_leaf = ~0; \ - (info).wots_steps = step_buffer; \ - int i; \ - for (i=0; i<2; i++) { \ - memcpy( &(info).leaf_addr[8*i], addr, 32 ); \ - memcpy( &(info).pk_addr[8*i], addr, 32 ); \ - } \ - } - -#define wots_gen_leafx2 SPX_NAMESPACE(wots_gen_leafx2) -void wots_gen_leafx2(unsigned char *dest, - const spx_ctx *ctx, - uint32_t leaf_idx, void *v_info); - -#endif /* WOTSX2_H_ */ diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/LICENSE b/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/LICENSE deleted file mode 100644 index 670154e35..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/LICENSE +++ /dev/null @@ -1,116 +0,0 @@ -CC0 1.0 Universal - -Statement of Purpose - -The laws of most jurisdictions throughout the world automatically confer -exclusive Copyright and Related Rights (defined below) upon the creator and -subsequent owner(s) (each and all, an "owner") of an original work of -authorship and/or a database (each, a "Work"). - -Certain owners wish to permanently relinquish those rights to a Work for the -purpose of contributing to a commons of creative, cultural and scientific -works ("Commons") that the public can reliably and without fear of later -claims of infringement build upon, modify, incorporate in other works, reuse -and redistribute as freely as possible in any form whatsoever and for any -purposes, including without limitation commercial purposes. These owners may -contribute to the Commons to promote the ideal of a free culture and the -further production of creative, cultural and scientific works, or to gain -reputation or greater distribution for their Work in part through the use and -efforts of others. - -For these and/or other purposes and motivations, and without any expectation -of additional consideration or compensation, the person associating CC0 with a -Work (the "Affirmer"), to the extent that he or she is an owner of Copyright -and Related Rights in the Work, voluntarily elects to apply CC0 to the Work -and publicly distribute the Work under its terms, with knowledge of his or her -Copyright and Related Rights in the Work and the meaning and intended legal -effect of CC0 on those rights. - -1. Copyright and Related Rights. A Work made available under CC0 may be -protected by copyright and related or neighboring rights ("Copyright and -Related Rights"). Copyright and Related Rights include, but are not limited -to, the following: - - i. the right to reproduce, adapt, distribute, perform, display, communicate, - and translate a Work; - - ii. moral rights retained by the original author(s) and/or performer(s); - - iii. publicity and privacy rights pertaining to a person's image or likeness - depicted in a Work; - - iv. rights protecting against unfair competition in regards to a Work, - subject to the limitations in paragraph 4(a), below; - - v. rights protecting the extraction, dissemination, use and reuse of data in - a Work; - - vi. database rights (such as those arising under Directive 96/9/EC of the - European Parliament and of the Council of 11 March 1996 on the legal - protection of databases, and under any national implementation thereof, - including any amended or successor version of such directive); and - - vii. other similar, equivalent or corresponding rights throughout the world - based on applicable law or treaty, and any national implementations thereof. - -2. Waiver. To the greatest extent permitted by, but not in contravention of, -applicable law, Affirmer hereby overtly, fully, permanently, irrevocably and -unconditionally waives, abandons, and surrenders all of Affirmer's Copyright -and Related Rights and associated claims and causes of action, whether now -known or unknown (including existing as well as future claims and causes of -action), in the Work (i) in all territories worldwide, (ii) for the maximum -duration provided by applicable law or treaty (including future time -extensions), (iii) in any current or future medium and for any number of -copies, and (iv) for any purpose whatsoever, including without limitation -commercial, advertising or promotional purposes (the "Waiver"). Affirmer makes -the Waiver for the benefit of each member of the public at large and to the -detriment of Affirmer's heirs and successors, fully intending that such Waiver -shall not be subject to revocation, rescission, cancellation, termination, or -any other legal or equitable action to disrupt the quiet enjoyment of the Work -by the public as contemplated by Affirmer's express Statement of Purpose. - -3. Public License Fallback. Should any part of the Waiver for any reason be -judged legally invalid or ineffective under applicable law, then the Waiver -shall be preserved to the maximum extent permitted taking into account -Affirmer's express Statement of Purpose. In addition, to the extent the Waiver -is so judged Affirmer hereby grants to each affected person a royalty-free, -non transferable, non sublicensable, non exclusive, irrevocable and -unconditional license to exercise Affirmer's Copyright and Related Rights in -the Work (i) in all territories worldwide, (ii) for the maximum duration -provided by applicable law or treaty (including future time extensions), (iii) -in any current or future medium and for any number of copies, and (iv) for any -purpose whatsoever, including without limitation commercial, advertising or -promotional purposes (the "License"). The License shall be deemed effective as -of the date CC0 was applied by Affirmer to the Work. Should any part of the -License for any reason be judged legally invalid or ineffective under -applicable law, such partial invalidity or ineffectiveness shall not -invalidate the remainder of the License, and in such case Affirmer hereby -affirms that he or she will not (i) exercise any of his or her remaining -Copyright and Related Rights in the Work or (ii) assert any associated claims -and causes of action with respect to the Work, in either case contrary to -Affirmer's express Statement of Purpose. - -4. Limitations and Disclaimers. - - a. No trademark or patent rights held by Affirmer are waived, abandoned, - surrendered, licensed or otherwise affected by this document. - - b. Affirmer offers the Work as-is and makes no representations or warranties - of any kind concerning the Work, express, implied, statutory or otherwise, - including without limitation warranties of title, merchantability, fitness - for a particular purpose, non infringement, or the absence of latent or - other defects, accuracy, or the present or absence of errors, whether or not - discoverable, all to the greatest extent permissible under applicable law. - - c. Affirmer disclaims responsibility for clearing rights of other persons - that may apply to the Work or any use thereof, including without limitation - any person's Copyright and Related Rights in the Work. Further, Affirmer - disclaims responsibility for obtaining any necessary consents, permissions - or other rights required for any use of the Work. - - d. Affirmer understands and acknowledges that Creative Commons is not a - party to this document and has no duty or obligation with respect to this - CC0 or use of the Work. - -For more information, please see - diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/address.c b/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/address.c deleted file mode 100644 index d49d9f3b6..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/address.c +++ /dev/null @@ -1,95 +0,0 @@ -#include -#include - -#include "address.h" -#include "params.h" -#include "utils.h" - -/* - * Specify which level of Merkle tree (the "layer") we're working on - */ -void set_layer_addr(uint32_t addr[8], uint32_t layer) { - ((unsigned char *)addr)[SPX_OFFSET_LAYER] = (unsigned char)layer; -} - -/* - * Specify which Merkle tree within the level (the "tree address") we're working on - */ -void set_tree_addr(uint32_t addr[8], uint64_t tree) { - ull_to_bytes(&((unsigned char *)addr)[SPX_OFFSET_TREE], 8, tree ); -} - -/* - * Specify the reason we'll use this address structure for, that is, what - * hash will we compute with it. This is used so that unrelated types of - * hashes don't accidentally get the same address structure. The type will be - * one of the SPX_ADDR_TYPE constants - */ -void set_type(uint32_t addr[8], uint32_t type) { - ((unsigned char *)addr)[SPX_OFFSET_TYPE] = (unsigned char)type; -} - -/* - * Copy the layer and tree fields of the address structure. This is used - * when we're doing multiple types of hashes within the same Merkle tree - */ -void copy_subtree_addr(uint32_t out[8], const uint32_t in[8]) { - memcpy( out, in, SPX_OFFSET_TREE + 8 ); -} - -/* These functions are used for OTS addresses. */ - -/* - * Specify which Merkle leaf we're working on; that is, which OTS keypair - * we're talking about. - */ -void set_keypair_addr(uint32_t addr[8], uint32_t keypair) { - /* We have > 256 OTS at the bottom of the Merkle tree; to specify */ - /* which one, we'd need to express it in two bytes */ - ((unsigned char *)addr)[SPX_OFFSET_KP_ADDR2] = (unsigned char)(keypair >> 8); - ((unsigned char *)addr)[SPX_OFFSET_KP_ADDR1] = (unsigned char)keypair; -} - -/* - * Copy the layer, tree and keypair fields of the address structure. This is - * used when we're doing multiple things within the same OTS keypair - */ -void copy_keypair_addr(uint32_t out[8], const uint32_t in[8]) { - memcpy( out, in, SPX_OFFSET_TREE + 8 ); - ((unsigned char *)out)[SPX_OFFSET_KP_ADDR2] = ((unsigned char *)in)[SPX_OFFSET_KP_ADDR2]; - ((unsigned char *)out)[SPX_OFFSET_KP_ADDR1] = ((unsigned char *)in)[SPX_OFFSET_KP_ADDR1]; -} - -/* - * Specify which Merkle chain within the OTS we're working with - * (the chain address) - */ -void set_chain_addr(uint32_t addr[8], uint32_t chain) { - ((unsigned char *)addr)[SPX_OFFSET_CHAIN_ADDR] = (unsigned char)chain; -} - -/* - * Specify where in the Merkle chain we are -* (the hash address) - */ -void set_hash_addr(uint32_t addr[8], uint32_t hash) { - ((unsigned char *)addr)[SPX_OFFSET_HASH_ADDR] = (unsigned char)hash; -} - -/* These functions are used for all hash tree addresses (including FORS). */ - -/* - * Specify the height of the node in the Merkle/FORS tree we are in - * (the tree height) - */ -void set_tree_height(uint32_t addr[8], uint32_t tree_height) { - ((unsigned char *)addr)[SPX_OFFSET_TREE_HGT] = (unsigned char)tree_height; -} - -/* - * Specify the distance from the left edge of the node in the Merkle/FORS tree - * (the tree index) - */ -void set_tree_index(uint32_t addr[8], uint32_t tree_index) { - u32_to_bytes(&((unsigned char *)addr)[SPX_OFFSET_TREE_INDEX], tree_index ); -} diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/address.h b/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/address.h deleted file mode 100644 index 24a84eb40..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/address.h +++ /dev/null @@ -1,52 +0,0 @@ -#ifndef SPX_ADDRESS_H -#define SPX_ADDRESS_H - -#include - -#include "params.h" - -/* The hash types that are passed to set_type */ -#define SPX_ADDR_TYPE_WOTS 0 -#define SPX_ADDR_TYPE_WOTSPK 1 -#define SPX_ADDR_TYPE_HASHTREE 2 -#define SPX_ADDR_TYPE_FORSTREE 3 -#define SPX_ADDR_TYPE_FORSPK 4 -#define SPX_ADDR_TYPE_WOTSPRF 5 -#define SPX_ADDR_TYPE_FORSPRF 6 - -#define set_layer_addr SPX_NAMESPACE(set_layer_addr) -void set_layer_addr(uint32_t addr[8], uint32_t layer); - -#define set_tree_addr SPX_NAMESPACE(set_tree_addr) -void set_tree_addr(uint32_t addr[8], uint64_t tree); - -#define set_type SPX_NAMESPACE(set_type) -void set_type(uint32_t addr[8], uint32_t type); - -/* Copies the layer and tree part of one address into the other */ -#define copy_subtree_addr SPX_NAMESPACE(copy_subtree_addr) -void copy_subtree_addr(uint32_t out[8], const uint32_t in[8]); - -/* These functions are used for WOTS and FORS addresses. */ - -#define set_keypair_addr SPX_NAMESPACE(set_keypair_addr) -void set_keypair_addr(uint32_t addr[8], uint32_t keypair); - -#define set_chain_addr SPX_NAMESPACE(set_chain_addr) -void set_chain_addr(uint32_t addr[8], uint32_t chain); - -#define set_hash_addr SPX_NAMESPACE(set_hash_addr) -void set_hash_addr(uint32_t addr[8], uint32_t hash); - -#define copy_keypair_addr SPX_NAMESPACE(copy_keypair_addr) -void copy_keypair_addr(uint32_t out[8], const uint32_t in[8]); - -/* These functions are used for all hash tree addresses (including FORS). */ - -#define set_tree_height SPX_NAMESPACE(set_tree_height) -void set_tree_height(uint32_t addr[8], uint32_t tree_height); - -#define set_tree_index SPX_NAMESPACE(set_tree_index) -void set_tree_index(uint32_t addr[8], uint32_t tree_index); - -#endif diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/api.h b/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/api.h deleted file mode 100644 index 2db63eec4..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/api.h +++ /dev/null @@ -1,77 +0,0 @@ -#ifndef PQCLEAN_SPHINCSSHAKE128SSIMPLE_AARCH64_API_H -#define PQCLEAN_SPHINCSSHAKE128SSIMPLE_AARCH64_API_H - -#include -#include - -#define PQCLEAN_SPHINCSSHAKE128SSIMPLE_AARCH64_CRYPTO_ALGNAME "SPHINCS+-shake-128s-simple" - -#define PQCLEAN_SPHINCSSHAKE128SSIMPLE_AARCH64_CRYPTO_SECRETKEYBYTES 64 -#define PQCLEAN_SPHINCSSHAKE128SSIMPLE_AARCH64_CRYPTO_PUBLICKEYBYTES 32 -#define PQCLEAN_SPHINCSSHAKE128SSIMPLE_AARCH64_CRYPTO_BYTES 7856 - -#define PQCLEAN_SPHINCSSHAKE128SSIMPLE_AARCH64_CRYPTO_SEEDBYTES 48 - -/* - * Returns the length of a secret key, in bytes - */ -size_t PQCLEAN_SPHINCSSHAKE128SSIMPLE_AARCH64_crypto_sign_secretkeybytes(void); - -/* - * Returns the length of a public key, in bytes - */ -size_t PQCLEAN_SPHINCSSHAKE128SSIMPLE_AARCH64_crypto_sign_publickeybytes(void); - -/* - * Returns the length of a signature, in bytes - */ -size_t PQCLEAN_SPHINCSSHAKE128SSIMPLE_AARCH64_crypto_sign_bytes(void); - -/* - * Returns the length of the seed required to generate a key pair, in bytes - */ -size_t PQCLEAN_SPHINCSSHAKE128SSIMPLE_AARCH64_crypto_sign_seedbytes(void); - -/* - * Generates a SPHINCS+ key pair given a seed. - * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root] - * Format pk: [root || PUB_SEED] - */ -int PQCLEAN_SPHINCSSHAKE128SSIMPLE_AARCH64_crypto_sign_seed_keypair(uint8_t *pk, uint8_t *sk, - const uint8_t *seed); - -/* - * Generates a SPHINCS+ key pair. - * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root] - * Format pk: [root || PUB_SEED] - */ -int PQCLEAN_SPHINCSSHAKE128SSIMPLE_AARCH64_crypto_sign_keypair(uint8_t *pk, uint8_t *sk); - -/** - * Returns an array containing a detached signature. - */ -int PQCLEAN_SPHINCSSHAKE128SSIMPLE_AARCH64_crypto_sign_signature(uint8_t *sig, size_t *siglen, - const uint8_t *m, size_t mlen, - const uint8_t *sk); - -/** - * Verifies a detached signature and message under a given public key. - */ -int PQCLEAN_SPHINCSSHAKE128SSIMPLE_AARCH64_crypto_sign_verify(const uint8_t *sig, size_t siglen, - const uint8_t *m, size_t mlen, - const uint8_t *pk); - -/** - * Returns an array containing the signature followed by the message. - */ -int PQCLEAN_SPHINCSSHAKE128SSIMPLE_AARCH64_crypto_sign(uint8_t *sm, size_t *smlen, - const uint8_t *m, size_t mlen, - const uint8_t *sk); - -/** - * Verifies a given signature-message pair under a given public key. - */ -int PQCLEAN_SPHINCSSHAKE128SSIMPLE_AARCH64_crypto_sign_open(uint8_t *m, size_t *mlen, - const uint8_t *sm, size_t smlen, - const uint8_t *pk); -#endif diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/context.h b/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/context.h deleted file mode 100644 index 6e0a33f3b..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/context.h +++ /dev/null @@ -1,19 +0,0 @@ -#ifndef SPX_CONTEXT_H -#define SPX_CONTEXT_H - -#include - -#include "params.h" - -typedef struct { - uint8_t pub_seed[SPX_N]; - uint8_t sk_seed[SPX_N]; -} spx_ctx; - -#define initialize_hash_function SPX_NAMESPACE(initialize_hash_function) -void initialize_hash_function(spx_ctx *ctx); - -#define free_hash_function SPX_NAMESPACE(free_hash_function) -void free_hash_function(spx_ctx *ctx); - -#endif diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/context_shake.c b/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/context_shake.c deleted file mode 100644 index 9614a103d..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/context_shake.c +++ /dev/null @@ -1,12 +0,0 @@ -#include "context.h" - -/* For SHAKE256, there is no immediate reason to initialize at the start, - so this function is an empty operation. */ -void initialize_hash_function(spx_ctx *ctx) { - (void)ctx; /* Suppress an 'unused parameter' warning. */ -} - -// in case the hash function api is heap-based. -void free_hash_function(spx_ctx *ctx) { - (void)ctx; -} diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/f1600x2.h b/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/f1600x2.h deleted file mode 100644 index 70d1af9f1..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/f1600x2.h +++ /dev/null @@ -1,11 +0,0 @@ -#ifndef SPX_F1600X2_H -#define SPX_F1600X2_H - -#include - -extern uint64_t f1600_RC[24]; -extern void _f1600x2(uint64_t *a, uint64_t *rc); - -#define f1600x2(s) do {_f1600x2((s), f1600_RC);} while(0) - -#endif diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/f1600x2.s b/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/f1600x2.s deleted file mode 100644 index 640ed791e..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/f1600x2.s +++ /dev/null @@ -1,143 +0,0 @@ -# From https://github.com/bwesterb/armed-keccak - -.macro round - # Execute theta, but without xoring into the state yet. - # Compute parities p[i] = a[i] ^ a[5+i] ^ ... ^ a[20+i]. - eor3.16b v25, v0, v5, v10 - eor3.16b v26, v1, v6, v11 - eor3.16b v27, v2, v7, v12 - eor3.16b v28, v3, v8, v13 - eor3.16b v29, v4, v9, v14 - - eor3.16b v25, v25, v15, v20 - eor3.16b v26, v26, v16, v21 - eor3.16b v27, v27, v17, v22 - eor3.16b v28, v28, v18, v23 - eor3.16b v29, v29, v19, v24 - - # d[0] = rotl(p[1], 1) ^ p[4] - rax1.2d v30, v29, v26 - # d[3] = rotl(p[4], 1) ^ p[2] - rax1.2d v29, v27, v29 - # d[1] = rotl(p[2], 1) ^ p[0] - rax1.2d v27, v25, v27 - # d[4] = rotl(p[0], 1) ^ p[3] - rax1.2d v25, v28, v25 - # d[2] = rotl(p[3], 1) ^ p[1] - rax1.2d v28, v26, v28 - - # Xor parities from step theta into the state at the same time - # as executing rho and pi. - eor.16b v0, v0, v30 - mov.16b v31, v1 - xar.2d v1, v6, v27, 20 - xar.2d v6, v9, v25, 44 - xar.2d v9, v22, v28, 3 - xar.2d v22, v14, v25, 25 - xar.2d v14, v20, v30, 46 - xar.2d v20, v2, v28, 2 - xar.2d v2, v12, v28, 21 - xar.2d v12, v13, v29, 39 - xar.2d v13, v19, v25, 56 - xar.2d v19, v23, v29, 8 - xar.2d v23, v15, v30, 23 - xar.2d v15, v4, v25, 37 - xar.2d v4, v24, v25, 50 - xar.2d v24, v21, v27, 62 - xar.2d v21, v8, v29, 9 - xar.2d v8, v16, v27, 19 - xar.2d v16, v5, v30, 28 - xar.2d v5, v3, v29, 36 - xar.2d v3, v18, v29, 43 - xar.2d v18, v17, v28, 49 - xar.2d v17, v11, v27, 54 - xar.2d v11, v7, v28, 58 - xar.2d v7, v10, v30, 61 - xar.2d v10, v31, v27, 63 - - # Chi - bcax.16b v25, v0, v2, v1 - bcax.16b v26, v1, v3, v2 - bcax.16b v2, v2, v4, v3 - bcax.16b v3, v3, v0, v4 - bcax.16b v4, v4, v1, v0 - mov.16b v0, v25 - mov.16b v1, v26 - - bcax.16b v25, v5, v7, v6 - bcax.16b v26, v6, v8, v7 - bcax.16b v7, v7, v9, v8 - bcax.16b v8, v8, v5, v9 - bcax.16b v9, v9, v6, v5 - mov.16b v5, v25 - mov.16b v6, v26 - - bcax.16b v25, v10, v12, v11 - bcax.16b v26, v11, v13, v12 - bcax.16b v12, v12, v14, v13 - bcax.16b v13, v13, v10, v14 - bcax.16b v14, v14, v11, v10 - mov.16b v10, v25 - mov.16b v11, v26 - - bcax.16b v25, v15, v17, v16 - bcax.16b v26, v16, v18, v17 - bcax.16b v17, v17, v19, v18 - bcax.16b v18, v18, v15, v19 - bcax.16b v19, v19, v16, v15 - mov.16b v15, v25 - mov.16b v16, v26 - - bcax.16b v25, v20, v22, v21 - bcax.16b v26, v21, v23, v22 - bcax.16b v22, v22, v24, v23 - bcax.16b v23, v23, v20, v24 - bcax.16b v24, v24, v21, v20 - mov.16b v20, v25 - mov.16b v21, v26 - - # iota - ld1r {v25.2d}, [x1], #8 - eor.16b v0, v0, v25 -.endm - -.align 4 -.global __f1600x2 -__f1600x2: - stp d8, d9, [sp,#-16]! - stp d10, d11, [sp,#-16]! - stp d12, d13, [sp,#-16]! - stp d14, d15, [sp,#-16]! - - mov x2, x0 - mov x3, #24 - - ld1.2d {v0, v1, v2, v3}, [x0], #64 - ld1.2d {v4, v5, v6, v7}, [x0], #64 - ld1.2d {v8, v9, v10, v11}, [x0], #64 - ld1.2d {v12, v13, v14, v15}, [x0], #64 - ld1.2d {v16, v17, v18, v19}, [x0], #64 - ld1.2d {v20, v21, v22, v23}, [x0], #64 - ld1.2d {v24}, [x0] - -loop: - round - - subs x3, x3, #1 - cbnz x3, loop - - mov x0, x2 - st1.2d {v0, v1, v2, v3}, [x0], #64 - st1.2d {v4, v5, v6, v7}, [x0], #64 - st1.2d {v8, v9, v10, v11}, [x0], #64 - st1.2d {v12, v13, v14, v15}, [x0], #64 - st1.2d {v16, v17, v18, v19}, [x0], #64 - st1.2d {v20, v21, v22, v23}, [x0], #64 - st1.2d {v24}, [x0] - - ldp d14, d15, [sp], #16 - ldp d12, d13, [sp], #16 - ldp d10, d11, [sp], #16 - ldp d8, d9, [sp], #16 - - ret lr diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/f1600x2_const.c b/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/f1600x2_const.c deleted file mode 100644 index e49c0ba14..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/f1600x2_const.c +++ /dev/null @@ -1,30 +0,0 @@ -#include "f1600x2.h" - -uint64_t f1600_RC[24] = { - 0x0000000000000001, - 0x0000000000008082, - 0x800000000000808A, - 0x8000000080008000, - 0x000000000000808B, - 0x0000000080000001, - 0x8000000080008081, - 0x8000000000008009, - 0x000000000000008A, - 0x0000000000000088, - 0x0000000080008009, - 0x000000008000000A, - 0x000000008000808B, - 0x800000000000008B, - 0x8000000000008089, - 0x8000000000008003, - 0x8000000000008002, - 0x8000000000000080, - 0x000000000000800A, - 0x800000008000000A, - 0x8000000080008081, - 0x8000000000008080, - 0x0000000080000001, - 0x8000000080008008, -}; - - diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/fips202x2.c b/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/fips202x2.c deleted file mode 100644 index 4718c343b..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/fips202x2.c +++ /dev/null @@ -1,148 +0,0 @@ -#include -#include - -#include "fips202x2.h" -#include "f1600x2.h" -#include "fips202.h" - -uint64_t load64(const unsigned char *x) { - unsigned long long r = 0, i; - - for (i = 0; i < 8; ++i) { - r |= (unsigned long long)x[i] << 8 * i; - } - return r; -} - -void store64(uint8_t *x, uint64_t u) { - unsigned int i; - - for (i = 0; i < 8; ++i) { - x[i] = (uint8_t)u; - u >>= 8; - } -} - -static void keccak_absorb2x(uint64_t *s, - unsigned int r, - const unsigned char *m0, - const unsigned char *m1, - unsigned long long int mlen, - unsigned char p) { - unsigned long long i; - unsigned char t0[200]; - unsigned char t1[200]; - - while (mlen >= r) { - for (i = 0; i < r / 8; ++i) { - s[2 * i + 0] ^= load64(m0 + 8 * i); - s[2 * i + 1] ^= load64(m1 + 8 * i); - } - - f1600x2(s); - mlen -= r; - m0 += r; - m1 += r; - } - - for (i = 0; i < r; ++i) { - t0[i] = 0; - t1[i] = 0; - } - for (i = 0; i < mlen; ++i) { - t0[i] = m0[i]; - t1[i] = m1[i]; - } - - t0[i] = p; - t1[i] = p; - - t0[r - 1] |= 128; - t1[r - 1] |= 128; - - for (i = 0; i < r / 8; ++i) { - s[2 * i + 0] ^= load64(t0 + 8 * i); - s[2 * i + 1] ^= load64(t1 + 8 * i); - } -} - - -static void keccak_squeezeblocks2x(unsigned char *h0, - unsigned char *h1, - unsigned long long int nblocks, - uint64_t *s, - unsigned int r) { - unsigned int i; - - while (nblocks > 0) { - f1600x2(s); - for (i = 0; i < (r >> 3); i++) { - store64(h0 + 8 * i, s[2 * i + 0]); - store64(h1 + 8 * i, s[2 * i + 1]); - } - h0 += r; - h1 += r; - nblocks--; - } -} - - - -void shake128x2(unsigned char *out0, - unsigned char *out1, - unsigned long long outlen, - unsigned char *in0, - unsigned char *in1, - unsigned long long inlen) { - uint64_t s[50] = {0}; - unsigned char t0[SHAKE128_RATE]; - unsigned char t1[SHAKE128_RATE]; - unsigned int i; - - /* absorb 4 message of identical length in parallel */ - keccak_absorb2x(s, SHAKE128_RATE, in0, in1, inlen, 0x1F); - - /* Squeeze output */ - keccak_squeezeblocks2x(out0, out1, outlen / SHAKE128_RATE, s, SHAKE128_RATE); - - out0 += (outlen / SHAKE128_RATE) * SHAKE128_RATE; - out1 += (outlen / SHAKE128_RATE) * SHAKE128_RATE; - - if (outlen % SHAKE128_RATE) { - keccak_squeezeblocks2x(t0, t1, 1, s, SHAKE128_RATE); - for (i = 0; i < outlen % SHAKE128_RATE; i++) { - out0[i] = t0[i]; - out1[i] = t1[i]; - } - } -} - - -void shake256x2(unsigned char *out0, - unsigned char *out1, - unsigned long long outlen, - unsigned char *in0, - unsigned char *in1, - unsigned long long inlen) { - uint64_t s[50] = {0}; - unsigned char t0[SHAKE256_RATE]; - unsigned char t1[SHAKE256_RATE]; - unsigned int i; - - /* absorb 2 message of identical length in parallel */ - keccak_absorb2x(s, SHAKE256_RATE, in0, in1, inlen, 0x1F); - - /* Squeeze output */ - keccak_squeezeblocks2x(out0, out1, outlen / SHAKE256_RATE, s, SHAKE256_RATE); - - out0 += (outlen / SHAKE256_RATE) * SHAKE256_RATE; - out1 += (outlen / SHAKE256_RATE) * SHAKE256_RATE; - - if (outlen % SHAKE256_RATE) { - keccak_squeezeblocks2x(t0, t1, 1, s, SHAKE256_RATE); - for (i = 0; i < outlen % SHAKE256_RATE; i++) { - out0[i] = t0[i]; - out1[i] = t1[i]; - } - } -} diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/fips202x2.h b/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/fips202x2.h deleted file mode 100644 index 7ba58b35d..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/fips202x2.h +++ /dev/null @@ -1,24 +0,0 @@ -#ifndef SPX_FIPS202X2_H -#define SPX_FIPS202X2_H - -#include - -uint64_t load64(const unsigned char *x); -void store64(uint8_t *x, uint64_t u); - - -void shake128x2(unsigned char *out0, - unsigned char *out1, - unsigned long long outlen, - unsigned char *in0, - unsigned char *in1, - unsigned long long inlen); - -void shake256x2(unsigned char *out0, - unsigned char *out1, - unsigned long long outlen, - unsigned char *in0, - unsigned char *in1, - unsigned long long inlen); - -#endif diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/fors.c b/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/fors.c deleted file mode 100644 index 39193d04e..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/fors.c +++ /dev/null @@ -1,191 +0,0 @@ -#include -#include -#include - -#include "fors.h" - -#include "address.h" -#include "hash.h" -#include "hashx2.h" -#include "thash.h" -#include "thashx2.h" -#include "utils.h" -#include "utilsx2.h" - -static void fors_gen_sk(unsigned char *sk, const spx_ctx *ctx, - uint32_t fors_leaf_addr[8]) { - prf_addr(sk, ctx, fors_leaf_addr); -} - -static void fors_gen_skx2(unsigned char *sk0, - unsigned char *sk1, - const spx_ctx *ctx, - uint32_t fors_leaf_addrx2[2 * 8]) { - prf_addrx2(sk0, sk1, - ctx, fors_leaf_addrx2); -} - -static void fors_sk_to_leaf(unsigned char *leaf, const unsigned char *sk, - const spx_ctx *ctx, - uint32_t fors_leaf_addr[8]) { - thash(leaf, sk, 1, ctx, fors_leaf_addr); -} - -static void fors_sk_to_leafx2(unsigned char *leaf0, - unsigned char *leaf1, - const unsigned char *sk0, - const unsigned char *sk1, - const spx_ctx *ctx, - uint32_t fors_leaf_addrx2[2 * 8]) { - thashx2(leaf0, leaf1, - sk0, sk1, - 1, ctx, fors_leaf_addrx2); -} - -struct fors_gen_leaf_info { - uint32_t leaf_addrx[2 * 8]; -}; - -static void fors_gen_leafx2(unsigned char *leaf, - const spx_ctx *ctx, - uint32_t addr_idx, void *info) { - struct fors_gen_leaf_info *fors_info = info; - uint32_t *fors_leaf_addrx2 = fors_info->leaf_addrx; - unsigned int j; - - /* Only set the parts that the caller doesn't set */ - for (j = 0; j < 2; j++) { - set_tree_index(fors_leaf_addrx2 + j * 8, addr_idx + j); - set_type(fors_leaf_addrx2 + j * 8, SPX_ADDR_TYPE_FORSPRF); - } - - fors_gen_skx2(leaf + 0 * SPX_N, - leaf + 1 * SPX_N, - ctx, fors_leaf_addrx2); - - for (j = 0; j < 2; j++) { - set_type(fors_leaf_addrx2 + j * 8, SPX_ADDR_TYPE_FORSTREE); - } - - fors_sk_to_leafx2(leaf + 0 * SPX_N, - leaf + 1 * SPX_N, - leaf + 0 * SPX_N, - leaf + 1 * SPX_N, - ctx, fors_leaf_addrx2); -} - -/** - * Interprets m as SPX_FORS_HEIGHT-bit unsigned integers. - * Assumes m contains at least SPX_FORS_HEIGHT * SPX_FORS_TREES bits. - * Assumes indices has space for SPX_FORS_TREES integers. - */ -static void message_to_indices(uint32_t *indices, const unsigned char *m) { - unsigned int i, j; - unsigned int offset = 0; - - for (i = 0; i < SPX_FORS_TREES; i++) { - indices[i] = 0; - for (j = 0; j < SPX_FORS_HEIGHT; j++) { - indices[i] ^= (uint32_t)(((m[offset >> 3] >> (offset & 0x7)) & 0x1) << j); - offset++; - } - } -} - -/** - * Signs a message m, deriving the secret key from sk_seed and the FTS address. - * Assumes m contains at least SPX_FORS_HEIGHT * SPX_FORS_TREES bits. - */ -void fors_sign(unsigned char *sig, unsigned char *pk, - const unsigned char *m, - const spx_ctx *ctx, - const uint32_t fors_addr[8]) { - uint32_t indices[SPX_FORS_TREES]; - unsigned char roots[SPX_FORS_TREES * SPX_N]; - uint32_t fors_tree_addr[2 * 8] = {0}; - struct fors_gen_leaf_info fors_info = {0}; - uint32_t *fors_leaf_addr = fors_info.leaf_addrx; - uint32_t fors_pk_addr[8] = {0}; - uint32_t idx_offset; - unsigned int i; - - for (i = 0; i < 2; i++) { - copy_keypair_addr(fors_tree_addr + 8 * i, fors_addr); - set_type(fors_tree_addr + 8 * i, SPX_ADDR_TYPE_FORSTREE); - copy_keypair_addr(fors_leaf_addr + 8 * i, fors_addr); - } - copy_keypair_addr(fors_pk_addr, fors_addr); - set_type(fors_pk_addr, SPX_ADDR_TYPE_FORSPK); - - message_to_indices(indices, m); - - for (i = 0; i < SPX_FORS_TREES; i++) { - idx_offset = i * (1 << SPX_FORS_HEIGHT); - - set_tree_height(fors_tree_addr, 0); - set_tree_index(fors_tree_addr, indices[i] + idx_offset); - - /* Include the secret key part that produces the selected leaf node. */ - set_type(fors_tree_addr, SPX_ADDR_TYPE_FORSPRF); - fors_gen_sk(sig, ctx, fors_tree_addr); - set_type(fors_tree_addr, SPX_ADDR_TYPE_FORSTREE); - sig += SPX_N; - - /* Compute the authentication path for this leaf node. */ - treehashx2(roots + i * SPX_N, sig, ctx, - indices[i], idx_offset, SPX_FORS_HEIGHT, fors_gen_leafx2, - fors_tree_addr, &fors_info); - - sig += SPX_N * SPX_FORS_HEIGHT; - } - - /* Hash horizontally across all tree roots to derive the public key. */ - thash(pk, roots, SPX_FORS_TREES, ctx, fors_pk_addr); -} - -/** - * Derives the FORS public key from a signature. - * This can be used for verification by comparing to a known public key, or to - * subsequently verify a signature on the derived public key. The latter is the - * typical use-case when used as an FTS below an OTS in a hypertree. - * Assumes m contains at least SPX_FORS_HEIGHT * SPX_FORS_TREES bits. - */ -void fors_pk_from_sig(unsigned char *pk, - const unsigned char *sig, const unsigned char *m, - const spx_ctx *ctx, - const uint32_t fors_addr[8]) { - uint32_t indices[SPX_FORS_TREES]; - unsigned char roots[SPX_FORS_TREES * SPX_N]; - unsigned char leaf[SPX_N]; - uint32_t fors_tree_addr[8] = {0}; - uint32_t fors_pk_addr[8] = {0}; - uint32_t idx_offset; - unsigned int i; - - copy_keypair_addr(fors_tree_addr, fors_addr); - copy_keypair_addr(fors_pk_addr, fors_addr); - - set_type(fors_tree_addr, SPX_ADDR_TYPE_FORSTREE); - set_type(fors_pk_addr, SPX_ADDR_TYPE_FORSPK); - - message_to_indices(indices, m); - - for (i = 0; i < SPX_FORS_TREES; i++) { - idx_offset = i * (1 << SPX_FORS_HEIGHT); - - set_tree_height(fors_tree_addr, 0); - set_tree_index(fors_tree_addr, indices[i] + idx_offset); - - /* Derive the leaf from the included secret key part. */ - fors_sk_to_leaf(leaf, sig, ctx, fors_tree_addr); - sig += SPX_N; - - /* Derive the corresponding root node of this tree. */ - compute_root(roots + i * SPX_N, leaf, indices[i], idx_offset, - sig, SPX_FORS_HEIGHT, ctx, fors_tree_addr); - sig += SPX_N * SPX_FORS_HEIGHT; - } - - /* Hash horizontally across all tree roots to derive the public key. */ - thash(pk, roots, SPX_FORS_TREES, ctx, fors_pk_addr); -} diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/fors.h b/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/fors.h deleted file mode 100644 index 509140a17..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/fors.h +++ /dev/null @@ -1,32 +0,0 @@ -#ifndef SPX_FORS_H -#define SPX_FORS_H - -#include - -#include "context.h" -#include "params.h" - -/** - * Signs a message m, deriving the secret key from sk_seed and the FTS address. - * Assumes m contains at least SPX_FORS_HEIGHT * SPX_FORS_TREES bits. - */ -#define fors_sign SPX_NAMESPACE(fors_sign) -void fors_sign(unsigned char *sig, unsigned char *pk, - const unsigned char *m, - const spx_ctx *ctx, - const uint32_t fors_addr[8]); - -/** - * Derives the FORS public key from a signature. - * This can be used for verification by comparing to a known public key, or to - * subsequently verify a signature on the derived public key. The latter is the - * typical use-case when used as an FTS below an OTS in a hypertree. - * Assumes m contains at least SPX_FORS_HEIGHT * SPX_FORS_TREES bits. - */ -#define fors_pk_from_sig SPX_NAMESPACE(fors_pk_from_sig) -void fors_pk_from_sig(unsigned char *pk, - const unsigned char *sig, const unsigned char *m, - const spx_ctx *ctx, - const uint32_t fors_addr[8]); - -#endif diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/hash.h b/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/hash.h deleted file mode 100644 index f7c87d4c3..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/hash.h +++ /dev/null @@ -1,28 +0,0 @@ -#ifndef SPX_HASH_H -#define SPX_HASH_H - -#include -#include - -#include "context.h" -#include "params.h" - -#define prf_addr SPX_NAMESPACE(prf_addr) -void prf_addr(unsigned char *out, const spx_ctx *ctx, - const uint32_t addr[8]); - -#define gen_message_random SPX_NAMESPACE(gen_message_random) -void gen_message_random(unsigned char *R, const unsigned char *sk_prf, - const unsigned char *optrand, - const unsigned char *m, size_t mlen, - const spx_ctx *ctx); - -#define hash_message SPX_NAMESPACE(hash_message) -void hash_message(unsigned char *digest, uint64_t *tree, uint32_t *leaf_idx, - const unsigned char *R, const unsigned char *pk, - const unsigned char *m, size_t mlen, - const spx_ctx *ctx); - - - -#endif diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/hash_shake.c b/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/hash_shake.c deleted file mode 100644 index ff5e7ec91..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/hash_shake.c +++ /dev/null @@ -1,83 +0,0 @@ -#include -#include - -#include "hash.h" - -#include "address.h" -#include "fips202.h" -#include "params.h" -#include "utils.h" - -/* - * Computes PRF(pk_seed, sk_seed, addr) - */ -void prf_addr(unsigned char *out, const spx_ctx *ctx, - const uint32_t addr[8]) { - unsigned char buf[2 * SPX_N + SPX_ADDR_BYTES]; - - memcpy(buf, ctx->pub_seed, SPX_N); - memcpy(buf + SPX_N, addr, SPX_ADDR_BYTES); - memcpy(buf + SPX_N + SPX_ADDR_BYTES, ctx->sk_seed, SPX_N); - - shake256(out, SPX_N, buf, 2 * SPX_N + SPX_ADDR_BYTES); -} - -/** - * Computes the message-dependent randomness R, using a secret seed and an - * optional randomization value as well as the message. - */ -void gen_message_random(unsigned char *R, const unsigned char *sk_prf, - const unsigned char *optrand, - const unsigned char *m, size_t mlen, - const spx_ctx *ctx) { - (void)ctx; - shake256incctx s_inc; - - shake256_inc_init(&s_inc); - shake256_inc_absorb(&s_inc, sk_prf, SPX_N); - shake256_inc_absorb(&s_inc, optrand, SPX_N); - shake256_inc_absorb(&s_inc, m, mlen); - shake256_inc_finalize(&s_inc); - shake256_inc_squeeze(R, SPX_N, &s_inc); - shake256_inc_ctx_release(&s_inc); -} - -/** - * Computes the message hash using R, the public key, and the message. - * Outputs the message digest and the index of the leaf. The index is split in - * the tree index and the leaf index, for convenient copying to an address. - */ -void hash_message(unsigned char *digest, uint64_t *tree, uint32_t *leaf_idx, - const unsigned char *R, const unsigned char *pk, - const unsigned char *m, size_t mlen, - const spx_ctx *ctx) { - (void)ctx; -#define SPX_TREE_BITS (SPX_TREE_HEIGHT * (SPX_D - 1)) -#define SPX_TREE_BYTES ((SPX_TREE_BITS + 7) / 8) -#define SPX_LEAF_BITS SPX_TREE_HEIGHT -#define SPX_LEAF_BYTES ((SPX_LEAF_BITS + 7) / 8) -#define SPX_DGST_BYTES (SPX_FORS_MSG_BYTES + SPX_TREE_BYTES + SPX_LEAF_BYTES) - - unsigned char buf[SPX_DGST_BYTES]; - unsigned char *bufp = buf; - shake256incctx s_inc; - - shake256_inc_init(&s_inc); - shake256_inc_absorb(&s_inc, R, SPX_N); - shake256_inc_absorb(&s_inc, pk, SPX_PK_BYTES); - shake256_inc_absorb(&s_inc, m, mlen); - shake256_inc_finalize(&s_inc); - shake256_inc_squeeze(buf, SPX_DGST_BYTES, &s_inc); - shake256_inc_ctx_release(&s_inc); - - memcpy(digest, bufp, SPX_FORS_MSG_BYTES); - bufp += SPX_FORS_MSG_BYTES; - - - *tree = bytes_to_ull(bufp, SPX_TREE_BYTES); - *tree &= (~(uint64_t)0) >> (64 - SPX_TREE_BITS); - bufp += SPX_TREE_BYTES; - - *leaf_idx = (uint32_t)bytes_to_ull(bufp, SPX_LEAF_BYTES); - *leaf_idx &= (~(uint32_t)0) >> (32 - SPX_LEAF_BITS); -} diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/hash_shakex2.c b/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/hash_shakex2.c deleted file mode 100644 index 99571916a..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/hash_shakex2.c +++ /dev/null @@ -1,52 +0,0 @@ -#include -#include - -#include "hashx2.h" - -#include "address.h" -#include "f1600x2.h" -#include "fips202x2.h" -#include "params.h" - -/* - * 2-way parallel version of prf_addr; takes 2x as much input and output - */ -void prf_addrx2(unsigned char *out0, - unsigned char *out1, - const spx_ctx *ctx, - const uint32_t addrx2[2 * 8]) { - /* As we write and read only a few quadwords, it is more efficient to - * build and extract from the fourway SHAKE256 state by hand. */ - uint64_t state[50] = {0}; - - for (int i = 0; i < SPX_N / 8; i++) { - uint64_t x = load64(ctx->pub_seed + 8 * i); - state[2 * i] = x; - state[2 * i + 1] = x; - } - for (int i = 0; i < 4; i++) { - state[2 * (SPX_N / 8 + i)] = (((uint64_t)addrx2[1 + 2 * i]) << 32) - | (uint64_t)addrx2[2 * i]; - state[2 * (SPX_N / 8 + i) + 1] = (((uint64_t)addrx2[8 + 1 + 2 * i]) << 32) - | (uint64_t)addrx2[8 + 2 * i]; - } - for (int i = 0; i < SPX_N / 8; i++) { - uint64_t x = load64(ctx->sk_seed + 8 * i); - state[2 * (SPX_N / 8 + i + 4)] = x; - state[2 * (SPX_N / 8 + i + 4) + 1] = x; - } - - /* SHAKE domain separator and padding. */ - state[2 * (SPX_N / 4 + 4)] = 0x1f; - state[2 * (SPX_N / 4 + 4) + 1] = 0x1f; - - state[2 * 16] = 0x80ULL << 56; - state[2 * 16 + 1] = 0x80ULL << 56; - - f1600x2(state); - - for (int i = 0; i < SPX_N / 8; i++) { - store64(out0 + 8 * i, state[2 * i]); - store64(out1 + 8 * i, state[2 * i + 1]); - } -} diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/hashx2.h b/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/hashx2.h deleted file mode 100644 index 99b8873a9..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/hashx2.h +++ /dev/null @@ -1,14 +0,0 @@ -#ifndef SPX_HASHX2_H -#define SPX_HASHX2_H - -#include "context.h" -#include "params.h" -#include - -#define prf_addrx2 SPX_NAMESPACE(prf_addrx2) -void prf_addrx2(unsigned char *out0, - unsigned char *out1, - const spx_ctx *ctx, - const uint32_t addrx2[2 * 8]); - -#endif diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/merkle.c b/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/merkle.c deleted file mode 100644 index c94ee2393..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/merkle.c +++ /dev/null @@ -1,64 +0,0 @@ -#include -#include - -#include "merkle.h" - -#include "address.h" -#include "params.h" -#include "utils.h" -#include "utilsx2.h" -#include "wots.h" -#include "wotsx2.h" - -/* - * This generates a Merkle signature (WOTS signature followed by the Merkle - * authentication path). - */ -void merkle_sign(uint8_t *sig, unsigned char *root, - const spx_ctx *ctx, - uint32_t wots_addr[8], uint32_t tree_addr[8], - uint32_t idx_leaf) { - unsigned char *auth_path = sig + SPX_WOTS_BYTES; - uint32_t tree_addrx2[2 * 8] = { 0 }; - int j; - struct leaf_info_x2 info = { 0 }; - unsigned steps[ SPX_WOTS_LEN ]; - - info.wots_sig = sig; - chain_lengths(steps, root); - info.wots_steps = steps; - - for (j = 0; j < 2; j++) { - set_type(&tree_addrx2[8 * j], SPX_ADDR_TYPE_HASHTREE); - set_type(&info.leaf_addr[8 * j], SPX_ADDR_TYPE_WOTS); - set_type(&info.pk_addr[8 * j], SPX_ADDR_TYPE_WOTSPK); - copy_subtree_addr(&tree_addrx2[8 * j], tree_addr); - copy_subtree_addr(&info.leaf_addr[8 * j], wots_addr); - copy_subtree_addr(&info.pk_addr[8 * j], wots_addr); - } - - info.wots_sign_leaf = idx_leaf; - - treehashx2(root, auth_path, ctx, - idx_leaf, 0, - SPX_TREE_HEIGHT, - wots_gen_leafx2, - tree_addrx2, &info); -} - -/* Compute root node of the top-most subtree. */ -void merkle_gen_root(unsigned char *root, const spx_ctx *ctx) { - /* We do not need the auth path in key generation, but it simplifies the - code to have just one treehash routine that computes both root and path - in one function. */ - unsigned char auth_path[SPX_TREE_HEIGHT * SPX_N + SPX_WOTS_BYTES]; - uint32_t top_tree_addr[8] = {0}; - uint32_t wots_addr[8] = {0}; - - set_layer_addr(top_tree_addr, SPX_D - 1); - set_layer_addr(wots_addr, SPX_D - 1); - - merkle_sign(auth_path, root, ctx, - wots_addr, top_tree_addr, - ~0 /* ~0 means "don't bother generating an auth path */ ); -} diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/merkle.h b/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/merkle.h deleted file mode 100644 index 769cf2e97..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/merkle.h +++ /dev/null @@ -1,21 +0,0 @@ -#ifndef MERKLE_H_ -#define MERKLE_H_ - -#include - -#include "context.h" -#include "params.h" - -/* Generate a Merkle signature (WOTS signature followed by the Merkle */ -/* authentication path) */ -#define merkle_sign SPX_NAMESPACE(merkle_sign) -void merkle_sign(uint8_t *sig, unsigned char *root, - const spx_ctx *ctx, - uint32_t wots_addr[8], uint32_t tree_addr[8], - uint32_t idx_leaf); - -/* Compute the root node of the top-most subtree. */ -#define merkle_gen_root SPX_NAMESPACE(merkle_gen_root) -void merkle_gen_root(unsigned char *root, const spx_ctx *ctx); - -#endif /* MERKLE_H_ */ diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/nistapi.h b/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/nistapi.h deleted file mode 100644 index 3cb71afad..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/nistapi.h +++ /dev/null @@ -1,87 +0,0 @@ -#ifndef SPX_API_H -#define SPX_API_H - -#include -#include - -#include "params.h" - -#define CRYPTO_ALGNAME "SPHINCS+" - -#define CRYPTO_SECRETKEYBYTES SPX_SK_BYTES -#define CRYPTO_PUBLICKEYBYTES SPX_PK_BYTES -#define CRYPTO_BYTES SPX_BYTES -#define CRYPTO_SEEDBYTES (3*SPX_N) - -/* - * Returns the length of a secret key, in bytes - */ -#define crypto_sign_secretkeybytes SPX_NAMESPACE(crypto_sign_secretkeybytes) -size_t crypto_sign_secretkeybytes(void); - -/* - * Returns the length of a public key, in bytes - */ -#define crypto_sign_publickeybytes SPX_NAMESPACE(crypto_sign_publickeybytes) -size_t crypto_sign_publickeybytes(void); - -/* - * Returns the length of a signature, in bytes - */ -#define crypto_sign_bytes SPX_NAMESPACE(crypto_sign_bytes) -size_t crypto_sign_bytes(void); - -/* - * Returns the length of the seed required to generate a key pair, in bytes - */ -#define crypto_sign_seedbytes SPX_NAMESPACE(crypto_sign_seedbytes) -size_t crypto_sign_seedbytes(void); - -/* - * Generates a SPHINCS+ key pair given a seed. - * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root] - * Format pk: [root || PUB_SEED] - */ -#define crypto_sign_seed_keypair SPX_NAMESPACE(crypto_sign_seed_keypair) -int crypto_sign_seed_keypair(uint8_t *pk, uint8_t *sk, - const uint8_t *seed); - -/* - * Generates a SPHINCS+ key pair. - * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root] - * Format pk: [root || PUB_SEED] - */ -#define crypto_sign_keypair SPX_NAMESPACE(crypto_sign_keypair) -int crypto_sign_keypair(uint8_t *pk, uint8_t *sk); - -/** - * Returns an array containing a detached signature. - */ -#define crypto_sign_signature SPX_NAMESPACE(crypto_sign_signature) -int crypto_sign_signature(uint8_t *sig, size_t *siglen, - const uint8_t *m, size_t mlen, const uint8_t *sk); - -/** - * Verifies a detached signature and message under a given public key. - */ -#define crypto_sign_verify SPX_NAMESPACE(crypto_sign_verify) -int crypto_sign_verify(const uint8_t *sig, size_t siglen, - const uint8_t *m, size_t mlen, const uint8_t *pk); - -/** - * Returns an array containing the signature followed by the message. - */ -#define crypto_sign SPX_NAMESPACE(crypto_sign) -int crypto_sign(uint8_t *sm, size_t *smlen, - const uint8_t *m, size_t mlen, - const uint8_t *sk); - -/** - * Verifies a given signature-message pair under a given public key. - */ -#define crypto_sign_open SPX_NAMESPACE(crypto_sign_open) -int crypto_sign_open(uint8_t *m, size_t *mlen, - const uint8_t *sm, size_t smlen, - const uint8_t *pk); - -#endif diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/params.h b/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/params.h deleted file mode 100644 index b269c9f84..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/params.h +++ /dev/null @@ -1,56 +0,0 @@ -#ifndef SPX_PARAMS_H -#define SPX_PARAMS_H - -#define SPX_NAMESPACE(s) PQCLEAN_SPHINCSSHAKE128SSIMPLE_AARCH64_##s - -/* Hash output length in bytes. */ -#define SPX_N 16 -/* Height of the hypertree. */ -#define SPX_FULL_HEIGHT 63 -/* Number of subtree layer. */ -#define SPX_D 7 -/* FORS tree dimensions. */ -#define SPX_FORS_HEIGHT 12 -#define SPX_FORS_TREES 14 -/* Winternitz parameter, */ -#define SPX_WOTS_W 16 - -/* The hash function is defined by linking a different hash.c file, as opposed - to setting a #define constant. */ - -/* For clarity */ -#define SPX_ADDR_BYTES 32 - -/* WOTS parameters. */ -#define SPX_WOTS_LOGW 4 - -#define SPX_WOTS_LEN1 (8 * SPX_N / SPX_WOTS_LOGW) - -/* SPX_WOTS_LEN2 is floor(log(len_1 * (w - 1)) / log(w)) + 1; we precompute */ -#define SPX_WOTS_LEN2 3 - -#define SPX_WOTS_LEN (SPX_WOTS_LEN1 + SPX_WOTS_LEN2) -#define SPX_WOTS_BYTES (SPX_WOTS_LEN * SPX_N) -#define SPX_WOTS_PK_BYTES SPX_WOTS_BYTES - -/* Subtree size. */ -#define SPX_TREE_HEIGHT (SPX_FULL_HEIGHT / SPX_D) - -//#if SPX_TREE_HEIGHT * SPX_D != SPX_FULL_HEIGHT -// #error SPX_D should always divide SPX_FULL_HEIGHT -//#endif - -/* FORS parameters. */ -#define SPX_FORS_MSG_BYTES ((SPX_FORS_HEIGHT * SPX_FORS_TREES + 7) / 8) -#define SPX_FORS_BYTES ((SPX_FORS_HEIGHT + 1) * SPX_FORS_TREES * SPX_N) -#define SPX_FORS_PK_BYTES SPX_N - -/* Resulting SPX sizes. */ -#define SPX_BYTES (SPX_N + SPX_FORS_BYTES + SPX_D * SPX_WOTS_BYTES +\ - SPX_FULL_HEIGHT * SPX_N) -#define SPX_PK_BYTES (2 * SPX_N) -#define SPX_SK_BYTES (2 * SPX_N + SPX_PK_BYTES) - -#include "shake_offsets.h" - -#endif diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/shake_offsets.h b/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/shake_offsets.h deleted file mode 100644 index 6b28d95d9..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/shake_offsets.h +++ /dev/null @@ -1,21 +0,0 @@ -#ifndef SHAKE_OFFSETS_H_ -#define SHAKE_OFFSETS_H_ - -/* - * Offsets of various fields in the address structure when we use SHAKE as - * the Sphincs+ hash function - */ - -#define SPX_OFFSET_LAYER 3 /* The byte used to specify the Merkle tree layer */ -#define SPX_OFFSET_TREE 8 /* The start of the 8 byte field used to specify the tree */ -#define SPX_OFFSET_TYPE 19 /* The byte used to specify the hash type (reason) */ -#define SPX_OFFSET_KP_ADDR2 22 /* The high byte used to specify the key pair (which one-time signature) */ -#define SPX_OFFSET_KP_ADDR1 23 /* The low byte used to specify the key pair */ -#define SPX_OFFSET_CHAIN_ADDR 27 /* The byte used to specify the chain address (which Winternitz chain) */ -#define SPX_OFFSET_HASH_ADDR 31 /* The byte used to specify the hash address (where in the Winternitz chain) */ -#define SPX_OFFSET_TREE_HGT 27 /* The byte used to specify the height of this node in the FORS or Merkle tree */ -#define SPX_OFFSET_TREE_INDEX 28 /* The start of the 4 byte field used to specify the node in the FORS or Merkle tree */ - -#define SPX_SHAKE 1 - -#endif /* SHAKE_OFFSETS_H_ */ diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/sign.c b/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/sign.c deleted file mode 100644 index 9d0c7d1b2..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/sign.c +++ /dev/null @@ -1,286 +0,0 @@ -#include -#include -#include - -#include "address.h" -#include "context.h" -#include "fors.h" -#include "hash.h" -#include "merkle.h" -#include "nistapi.h" -#include "params.h" -#include "randombytes.h" -#include "thash.h" -#include "utils.h" -#include "wots.h" - -/* - * Returns the length of a secret key, in bytes - */ -size_t crypto_sign_secretkeybytes(void) { - return CRYPTO_SECRETKEYBYTES; -} - -/* - * Returns the length of a public key, in bytes - */ -size_t crypto_sign_publickeybytes(void) { - return CRYPTO_PUBLICKEYBYTES; -} - -/* - * Returns the length of a signature, in bytes - */ -size_t crypto_sign_bytes(void) { - return CRYPTO_BYTES; -} - -/* - * Returns the length of the seed required to generate a key pair, in bytes - */ -size_t crypto_sign_seedbytes(void) { - return CRYPTO_SEEDBYTES; -} - -/* - * Generates an SPX key pair given a seed of length - * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root] - * Format pk: [PUB_SEED || root] - */ -int crypto_sign_seed_keypair(uint8_t *pk, uint8_t *sk, - const uint8_t *seed) { - spx_ctx ctx; - - /* Initialize SK_SEED, SK_PRF and PUB_SEED from seed. */ - memcpy(sk, seed, CRYPTO_SEEDBYTES); - - memcpy(pk, sk + 2 * SPX_N, SPX_N); - - memcpy(ctx.pub_seed, pk, SPX_N); - memcpy(ctx.sk_seed, sk, SPX_N); - - /* This hook allows the hash function instantiation to do whatever - preparation or computation it needs, based on the public seed. */ - initialize_hash_function(&ctx); - - /* Compute root node of the top-most subtree. */ - merkle_gen_root(sk + 3 * SPX_N, &ctx); - - // cleanup - free_hash_function(&ctx); - - memcpy(pk + SPX_N, sk + 3 * SPX_N, SPX_N); - - return 0; -} - -/* - * Generates an SPX key pair. - * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root] - * Format pk: [PUB_SEED || root] - */ -int crypto_sign_keypair(uint8_t *pk, uint8_t *sk) { - uint8_t seed[CRYPTO_SEEDBYTES]; - randombytes(seed, CRYPTO_SEEDBYTES); - crypto_sign_seed_keypair(pk, sk, seed); - - return 0; -} - -/** - * Returns an array containing a detached signature. - */ -int crypto_sign_signature(uint8_t *sig, size_t *siglen, - const uint8_t *m, size_t mlen, const uint8_t *sk) { - spx_ctx ctx; - - const uint8_t *sk_prf = sk + SPX_N; - const uint8_t *pk = sk + 2 * SPX_N; - - uint8_t optrand[SPX_N]; - uint8_t mhash[SPX_FORS_MSG_BYTES]; - uint8_t root[SPX_N]; - uint32_t i; - uint64_t tree; - uint32_t idx_leaf; - uint32_t wots_addr[8] = {0}; - uint32_t tree_addr[8] = {0}; - - memcpy(ctx.sk_seed, sk, SPX_N); - memcpy(ctx.pub_seed, pk, SPX_N); - - /* This hook allows the hash function instantiation to do whatever - preparation or computation it needs, based on the public seed. */ - initialize_hash_function(&ctx); - - set_type(wots_addr, SPX_ADDR_TYPE_WOTS); - set_type(tree_addr, SPX_ADDR_TYPE_HASHTREE); - - /* Optionally, signing can be made non-deterministic using optrand. - This can help counter side-channel attacks that would benefit from - getting a large number of traces when the signer uses the same nodes. */ - randombytes(optrand, SPX_N); - /* Compute the digest randomization value. */ - gen_message_random(sig, sk_prf, optrand, m, mlen, &ctx); - - /* Derive the message digest and leaf index from R, PK and M. */ - hash_message(mhash, &tree, &idx_leaf, sig, pk, m, mlen, &ctx); - sig += SPX_N; - - set_tree_addr(wots_addr, tree); - set_keypair_addr(wots_addr, idx_leaf); - - /* Sign the message hash using FORS. */ - fors_sign(sig, root, mhash, &ctx, wots_addr); - sig += SPX_FORS_BYTES; - - for (i = 0; i < SPX_D; i++) { - set_layer_addr(tree_addr, i); - set_tree_addr(tree_addr, tree); - - copy_subtree_addr(wots_addr, tree_addr); - set_keypair_addr(wots_addr, idx_leaf); - - merkle_sign(sig, root, &ctx, wots_addr, tree_addr, idx_leaf); - sig += SPX_WOTS_BYTES + SPX_TREE_HEIGHT * SPX_N; - - /* Update the indices for the next layer. */ - idx_leaf = (tree & ((1 << SPX_TREE_HEIGHT) - 1)); - tree = tree >> SPX_TREE_HEIGHT; - } - - free_hash_function(&ctx); - - *siglen = SPX_BYTES; - - return 0; -} - -/** - * Verifies a detached signature and message under a given public key. - */ -int crypto_sign_verify(const uint8_t *sig, size_t siglen, - const uint8_t *m, size_t mlen, const uint8_t *pk) { - spx_ctx ctx; - const uint8_t *pub_root = pk + SPX_N; - uint8_t mhash[SPX_FORS_MSG_BYTES]; - uint8_t wots_pk[SPX_WOTS_BYTES]; - uint8_t root[SPX_N]; - uint8_t leaf[SPX_N]; - unsigned int i; - uint64_t tree; - uint32_t idx_leaf; - uint32_t wots_addr[8] = {0}; - uint32_t tree_addr[8] = {0}; - uint32_t wots_pk_addr[8] = {0}; - - if (siglen != SPX_BYTES) { - return -1; - } - - memcpy(ctx.pub_seed, pk, SPX_N); - - /* This hook allows the hash function instantiation to do whatever - preparation or computation it needs, based on the public seed. */ - initialize_hash_function(&ctx); - - set_type(wots_addr, SPX_ADDR_TYPE_WOTS); - set_type(tree_addr, SPX_ADDR_TYPE_HASHTREE); - set_type(wots_pk_addr, SPX_ADDR_TYPE_WOTSPK); - - /* Derive the message digest and leaf index from R || PK || M. */ - /* The additional SPX_N is a result of the hash domain separator. */ - hash_message(mhash, &tree, &idx_leaf, sig, pk, m, mlen, &ctx); - sig += SPX_N; - - /* Layer correctly defaults to 0, so no need to set_layer_addr */ - set_tree_addr(wots_addr, tree); - set_keypair_addr(wots_addr, idx_leaf); - - fors_pk_from_sig(root, sig, mhash, &ctx, wots_addr); - sig += SPX_FORS_BYTES; - - /* For each subtree.. */ - for (i = 0; i < SPX_D; i++) { - set_layer_addr(tree_addr, i); - set_tree_addr(tree_addr, tree); - - copy_subtree_addr(wots_addr, tree_addr); - set_keypair_addr(wots_addr, idx_leaf); - - copy_keypair_addr(wots_pk_addr, wots_addr); - - /* The WOTS public key is only correct if the signature was correct. */ - /* Initially, root is the FORS pk, but on subsequent iterations it is - the root of the subtree below the currently processed subtree. */ - wots_pk_from_sig(wots_pk, sig, root, &ctx, wots_addr); - sig += SPX_WOTS_BYTES; - - /* Compute the leaf node using the WOTS public key. */ - thash(leaf, wots_pk, SPX_WOTS_LEN, &ctx, wots_pk_addr); - - /* Compute the root node of this subtree. */ - compute_root(root, leaf, idx_leaf, 0, sig, SPX_TREE_HEIGHT, - &ctx, tree_addr); - sig += SPX_TREE_HEIGHT * SPX_N; - - /* Update the indices for the next layer. */ - idx_leaf = (tree & ((1 << SPX_TREE_HEIGHT) - 1)); - tree = tree >> SPX_TREE_HEIGHT; - } - - // cleanup - free_hash_function(&ctx); - - /* Check if the root node equals the root node in the public key. */ - if (memcmp(root, pub_root, SPX_N) != 0) { - return -1; - } - - return 0; -} - - -/** - * Returns an array containing the signature followed by the message. - */ -int crypto_sign(uint8_t *sm, size_t *smlen, - const uint8_t *m, size_t mlen, - const uint8_t *sk) { - size_t siglen; - - crypto_sign_signature(sm, &siglen, m, mlen, sk); - - memmove(sm + SPX_BYTES, m, mlen); - *smlen = siglen + mlen; - - return 0; -} - -/** - * Verifies a given signature-message pair under a given public key. - */ -int crypto_sign_open(uint8_t *m, size_t *mlen, - const uint8_t *sm, size_t smlen, - const uint8_t *pk) { - /* The API caller does not necessarily know what size a signature should be - but SPHINCS+ signatures are always exactly SPX_BYTES. */ - if (smlen < SPX_BYTES) { - memset(m, 0, smlen); - *mlen = 0; - return -1; - } - - *mlen = smlen - SPX_BYTES; - - if (crypto_sign_verify(sm, SPX_BYTES, sm + SPX_BYTES, *mlen, pk)) { - memset(m, 0, smlen); - *mlen = 0; - return -1; - } - - /* If verification was successful, move the message to the right place. */ - memmove(m, sm + SPX_BYTES, *mlen); - - return 0; -} diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/thash.h b/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/thash.h deleted file mode 100644 index 8687ccfb4..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/thash.h +++ /dev/null @@ -1,13 +0,0 @@ -#ifndef SPX_THASH_H -#define SPX_THASH_H - -#include "context.h" -#include "params.h" - -#include - -#define thash SPX_NAMESPACE(thash) -void thash(unsigned char *out, const unsigned char *in, unsigned int inblocks, - const spx_ctx *ctx, uint32_t addr[8]); - -#endif diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/thash_shake_simplex2.c b/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/thash_shake_simplex2.c deleted file mode 100644 index 892e45369..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/thash_shake_simplex2.c +++ /dev/null @@ -1,83 +0,0 @@ -#include -#include - -#include "thash.h" -#include "thashx2.h" - -#include "address.h" -#include "params.h" -#include "utils.h" - -#include "f1600x2.h" -#include "fips202x2.h" - - -void thash(unsigned char *out, - const unsigned char *in, - unsigned int inblocks, - const spx_ctx *ctx, uint32_t addr[8]) { - uint32_t addrx2 [2 * 8] = { - addr[0], addr[1], addr[2], addr[3], addr[4], addr[5], addr[6], addr[7], - addr[0], addr[1], addr[2], addr[3], addr[4], addr[5], addr[6], addr[7] - }; - thashx2(out, out, in, in, inblocks, ctx, addrx2); -} - -/** - * 2-way parallel version of thash; takes 2x as much input and output - */ -void thashx2(unsigned char *out0, - unsigned char *out1, - const unsigned char *in0, - const unsigned char *in1, - unsigned int inblocks, - const spx_ctx *ctx, uint32_t addrx2[2 * 8]) { - if (inblocks == 1 || inblocks == 2) { - /* As we write and read only a few quadwords, it is more efficient to - * build and extract from the twoway SHAKE256 state by hand. */ - uint64_t state[50] = {0}; - for (int i = 0; i < SPX_N / 8; i++) { - uint64_t x = load64(ctx->pub_seed + 8 * i); - state[2 * i] = x; - state[2 * i + 1] = x; - } - for (int i = 0; i < 4; i++) { - state[2 * (SPX_N / 8 + i)] = (((uint64_t)addrx2[1 + 2 * i]) << 32) - | (uint64_t)addrx2[2 * i]; - state[2 * (SPX_N / 8 + i) + 1] = (((uint64_t)addrx2[8 + 1 + 2 * i]) << 32) - | (uint64_t)addrx2[8 + 2 * i]; - } - - for (unsigned int i = 0; i < (SPX_N / 8) * inblocks; i++) { - state[2 * (SPX_N / 8 + 4 + i)] = load64(in0 + 8 * i); - state[2 * (SPX_N / 8 + 4 + i) + 1] = load64(in1 + 8 * i); - } - - /* Domain separator and padding. */ - state[2 * 16] = 0x80ULL << 56; - state[2 * 16 + 1] = 0x80ULL << 56; - - state[2 * ((SPX_N / 8) * (1 + inblocks) + 4)] ^= 0x1f; - state[2 * ((SPX_N / 8) * (1 + inblocks) + 4) + 1] ^= 0x1f; - - f1600x2(state); - - for (int i = 0; i < SPX_N / 8; i++) { - store64(out0 + 8 * i, state[2 * i]); - store64(out1 + 8 * i, state[2 * i + 1]); - } - } else { - PQCLEAN_VLA(unsigned char, buf0, SPX_N + SPX_ADDR_BYTES + inblocks * SPX_N); - PQCLEAN_VLA(unsigned char, buf1, SPX_N + SPX_ADDR_BYTES + inblocks * SPX_N); - - memcpy(buf0, ctx->pub_seed, SPX_N); - memcpy(buf1, ctx->pub_seed, SPX_N); - memcpy(buf0 + SPX_N, addrx2 + 0 * 8, SPX_ADDR_BYTES); - memcpy(buf1 + SPX_N, addrx2 + 1 * 8, SPX_ADDR_BYTES); - memcpy(buf0 + SPX_N + SPX_ADDR_BYTES, in0, inblocks * SPX_N); - memcpy(buf1 + SPX_N + SPX_ADDR_BYTES, in1, inblocks * SPX_N); - - shake256x2(out0, out1, SPX_N, - buf0, buf1, SPX_N + SPX_ADDR_BYTES + inblocks * SPX_N); - } -} diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/thashx2.h b/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/thashx2.h deleted file mode 100644 index 040375e61..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/thashx2.h +++ /dev/null @@ -1,16 +0,0 @@ -#ifndef SPX_THASHX2_H -#define SPX_THASHX2_H - -#include "context.h" -#include "params.h" -#include - -#define thashx2 SPX_NAMESPACE(thashx2) -void thashx2(unsigned char *out0, - unsigned char *out1, - const unsigned char *in0, - const unsigned char *in1, - unsigned int inblocks, - const spx_ctx *ctx, uint32_t addrx2[2 * 8]); - -#endif diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/utils.c b/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/utils.c deleted file mode 100644 index 177b541fb..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/utils.c +++ /dev/null @@ -1,148 +0,0 @@ -#include - -#include "utils.h" - -#include "address.h" -#include "hash.h" -#include "params.h" -#include "thash.h" - -/** - * Converts the value of 'in' to 'outlen' bytes in big-endian byte order. - */ -void ull_to_bytes(unsigned char *out, unsigned int outlen, - unsigned long long in) { - int i; - - /* Iterate over out in decreasing order, for big-endianness. */ - for (i = (signed int)outlen - 1; i >= 0; i--) { - out[i] = in & 0xff; - in = in >> 8; - } -} - -void u32_to_bytes(unsigned char *out, uint32_t in) { - out[0] = (unsigned char)(in >> 24); - out[1] = (unsigned char)(in >> 16); - out[2] = (unsigned char)(in >> 8); - out[3] = (unsigned char)in; -} - -/** - * Converts the inlen bytes in 'in' from big-endian byte order to an integer. - */ -unsigned long long bytes_to_ull(const unsigned char *in, unsigned int inlen) { - unsigned long long retval = 0; - unsigned int i; - - for (i = 0; i < inlen; i++) { - retval |= ((unsigned long long)in[i]) << (8 * (inlen - 1 - i)); - } - return retval; -} - -/** - * Computes a root node given a leaf and an auth path. - * Expects address to be complete other than the tree_height and tree_index. - */ -void compute_root(unsigned char *root, const unsigned char *leaf, - uint32_t leaf_idx, uint32_t idx_offset, - const unsigned char *auth_path, uint32_t tree_height, - const spx_ctx *ctx, uint32_t addr[8]) { - uint32_t i; - unsigned char buffer[2 * SPX_N]; - - /* If leaf_idx is odd (last bit = 1), current path element is a right child - and auth_path has to go left. Otherwise it is the other way around. */ - if (leaf_idx & 1) { - memcpy(buffer + SPX_N, leaf, SPX_N); - memcpy(buffer, auth_path, SPX_N); - } else { - memcpy(buffer, leaf, SPX_N); - memcpy(buffer + SPX_N, auth_path, SPX_N); - } - auth_path += SPX_N; - - for (i = 0; i < tree_height - 1; i++) { - leaf_idx >>= 1; - idx_offset >>= 1; - /* Set the address of the node we're creating. */ - set_tree_height(addr, i + 1); - set_tree_index(addr, leaf_idx + idx_offset); - - /* Pick the right or left neighbor, depending on parity of the node. */ - if (leaf_idx & 1) { - thash(buffer + SPX_N, buffer, 2, ctx, addr); - memcpy(buffer, auth_path, SPX_N); - } else { - thash(buffer, buffer, 2, ctx, addr); - memcpy(buffer + SPX_N, auth_path, SPX_N); - } - auth_path += SPX_N; - } - - /* The last iteration is exceptional; we do not copy an auth_path node. */ - leaf_idx >>= 1; - idx_offset >>= 1; - set_tree_height(addr, tree_height); - set_tree_index(addr, leaf_idx + idx_offset); - thash(root, buffer, 2, ctx, addr); -} - -/** - * For a given leaf index, computes the authentication path and the resulting - * root node using Merkle's TreeHash algorithm. - * Expects the layer and tree parts of the tree_addr to be set, as well as the - * tree type (i.e. SPX_ADDR_TYPE_HASHTREE or SPX_ADDR_TYPE_FORSTREE). - * Applies the offset idx_offset to indices before building addresses, so that - * it is possible to continue counting indices across trees. - */ -void treehash(unsigned char *root, unsigned char *auth_path, const spx_ctx *ctx, - uint32_t leaf_idx, uint32_t idx_offset, uint32_t tree_height, - void (*gen_leaf)( - unsigned char * /* leaf */, - const spx_ctx * /* ctx */, - uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */), - uint32_t tree_addr[8]) { - PQCLEAN_VLA(uint8_t, stack, (tree_height + 1)*SPX_N); - PQCLEAN_VLA(unsigned int, heights, tree_height + 1); - unsigned int offset = 0; - uint32_t idx; - uint32_t tree_idx; - - for (idx = 0; idx < (uint32_t)(1 << tree_height); idx++) { - /* Add the next leaf node to the stack. */ - gen_leaf(stack + offset * SPX_N, ctx, idx + idx_offset, tree_addr); - offset++; - heights[offset - 1] = 0; - - /* If this is a node we need for the auth path.. */ - if ((leaf_idx ^ 0x1) == idx) { - memcpy(auth_path, stack + (offset - 1)*SPX_N, SPX_N); - } - - /* While the top-most nodes are of equal height.. */ - while (offset >= 2 && heights[offset - 1] == heights[offset - 2]) { - /* Compute index of the new node, in the next layer. */ - tree_idx = (idx >> (heights[offset - 1] + 1)); - - /* Set the address of the node we're creating. */ - set_tree_height(tree_addr, heights[offset - 1] + 1); - set_tree_index(tree_addr, - tree_idx + (idx_offset >> (heights[offset - 1] + 1))); - /* Hash the top-most nodes from the stack together. */ - thash(stack + (offset - 2)*SPX_N, - stack + (offset - 2)*SPX_N, 2, ctx, tree_addr); - offset--; - /* Note that the top-most node is now one layer higher. */ - heights[offset - 1]++; - - /* If this is a node we need for the auth path.. */ - if (((leaf_idx >> heights[offset - 1]) ^ 0x1) == tree_idx) { - memcpy(auth_path + heights[offset - 1]*SPX_N, - stack + (offset - 1)*SPX_N, SPX_N); - } - } - } - memcpy(root, stack, SPX_N); -} diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/utils.h b/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/utils.h deleted file mode 100644 index 64f5d5a53..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/utils.h +++ /dev/null @@ -1,58 +0,0 @@ -#ifndef SPX_UTILS_H -#define SPX_UTILS_H - -#include - -#include "compat.h" -#include "context.h" -#include "params.h" - - -/* To support MSVC use alloca() instead of VLAs. See #20. */ - - -/** - * Converts the value of 'in' to 'outlen' bytes in big-endian byte order. - */ -#define ull_to_bytes SPX_NAMESPACE(ull_to_bytes) -void ull_to_bytes(unsigned char *out, unsigned int outlen, - unsigned long long in); -#define u32_to_bytes SPX_NAMESPACE(u32_to_bytes) -void u32_to_bytes(unsigned char *out, uint32_t in); - -/** - * Converts the inlen bytes in 'in' from big-endian byte order to an integer. - */ -#define bytes_to_ull SPX_NAMESPACE(bytes_to_ull) -unsigned long long bytes_to_ull(const unsigned char *in, unsigned int inlen); - -/** - * Computes a root node given a leaf and an auth path. - * Expects address to be complete other than the tree_height and tree_index. - */ -#define compute_root SPX_NAMESPACE(compute_root) -void compute_root(unsigned char *root, const unsigned char *leaf, - uint32_t leaf_idx, uint32_t idx_offset, - const unsigned char *auth_path, uint32_t tree_height, - const spx_ctx *ctx, uint32_t addr[8]); - -/** - * For a given leaf index, computes the authentication path and the resulting - * root node using Merkle's TreeHash algorithm. - * Expects the layer and tree parts of the tree_addr to be set, as well as the - * tree type (i.e. SPX_ADDR_TYPE_HASHTREE or SPX_ADDR_TYPE_FORSTREE). - * Applies the offset idx_offset to indices before building addresses, so that - * it is possible to continue counting indices across trees. - */ -#define treehash SPX_NAMESPACE(treehash) -void treehash(unsigned char *root, unsigned char *auth_path, - const spx_ctx *ctx, - uint32_t leaf_idx, uint32_t idx_offset, uint32_t tree_height, - void (*gen_leaf)( - unsigned char * /* leaf */, - const spx_ctx *ctx /* ctx */, - uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */), - uint32_t tree_addr[8]); - - -#endif diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/utilsx2.c b/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/utilsx2.c deleted file mode 100644 index 8736474e4..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/utilsx2.c +++ /dev/null @@ -1,130 +0,0 @@ -#include - -#include "utilsx2.h" - -#include "address.h" -#include "params.h" -#include "thashx2.h" -#include "utils.h" - -/* - * Generate the entire Merkle tree, computing the authentication path for leaf_idx, - * and the resulting root node using Merkle's TreeHash algorithm. - * Expects the layer and tree parts of the tree_addr to be set, as well as the - * tree type (i.e. SPX_ADDR_TYPE_HASHTREE or SPX_ADDR_TYPE_FORSTREE) - * - * This expects tree_addrx2 to be initialized to 2 parallel addr structures for - * the Merkle tree nodes - * - * Applies the offset idx_offset to indices before building addresses, so that - * it is possible to continue counting indices across trees. - * - * This works by using the standard Merkle tree building algorithm, except - * that each 'node' tracked is actually 2 consecutive nodes in the real tree. - * When we combine two logical nodes AB and WX, we perform the H - * operation on adjacent real nodes, forming the parent logical node - * (AB)(WX) - * - * When we get to the top level of the real tree (where there is only - * one logical node), we continue this operation one more time; the right - * most real node will by the actual root (and the other node will be - * garbage). We follow the same thashx2 logic so that the 'extract - * authentication path components' part of the loop is still executed (and - * to simplify the code somewhat) - */ -void treehashx2(unsigned char *root, unsigned char *auth_path, - const spx_ctx *ctx, - uint32_t leaf_idx, uint32_t idx_offset, - uint32_t tree_height, - void (*gen_leafx2)( - unsigned char * /* Where to write the leaves */, - const spx_ctx *, - uint32_t idx, void *info), - uint32_t tree_addrx2[2 * 8], - void *info) { - /* This is where we keep the intermediate nodes */ - unsigned char stackx2[tree_height * 2 * SPX_N]; - uint32_t left_adj = 0, prev_left_adj = 0; /* When we're doing the top */ - /* level, the left-most part of the tree isn't at the beginning */ - /* of current[]. These give the offset of the actual start */ - - uint32_t idx; - uint32_t max_idx = (1 << (tree_height - 1)) - 1; - for (idx = 0;; idx++) { - unsigned char current[2 * SPX_N]; /* Current logical node */ - gen_leafx2( current, ctx, 2 * idx + idx_offset, - info ); - - /* Now combine the freshly generated right node with previously */ - /* generated left ones */ - uint32_t internal_idx_offset = idx_offset; - uint32_t internal_idx = idx; - uint32_t internal_leaf = leaf_idx; - uint32_t h; /* The height we are in the Merkle tree */ - for (h = 0;; h++, internal_idx >>= 1, internal_leaf >>= 1) { - - /* Special processing if we're at the top of the tree */ - if (h >= tree_height - 1) { - if (h == tree_height) { - /* We hit the root; return it */ - memcpy( root, ¤t[1 * SPX_N], SPX_N ); - return; - } - /* The tree indexing logic is a bit off in this case */ - /* Adjust it so that the left-most node of the part of */ - /* the tree that we're processing has index 0 */ - prev_left_adj = left_adj; - left_adj = 2 - (1 << (tree_height - h - 1)); - } - - /* Check if we hit the top of the tree */ - if (h == tree_height) { - /* We hit the root; return it */ - memcpy( root, ¤t[1 * SPX_N], SPX_N ); - return; - } - - /* - * Check if one of the nodes we have is a part of the - * authentication path; if it is, write it out - */ - if ((((internal_idx << 1) ^ internal_leaf) & ~0x1) == 0) { - memcpy( &auth_path[ h * SPX_N ], - ¤t[(((internal_leaf & 1) ^ 1) + prev_left_adj) * SPX_N], - SPX_N ); - } - - /* - * Check if we're at a left child; if so, stop going up the stack - * Exception: if we've reached the end of the tree, keep on going - * (so we combine the last 2 nodes into the one root node in two - * more iterations) - */ - if ((internal_idx & 1) == 0 && idx < max_idx) { - break; - } - - /* Ok, we're at a right node (or doing the top 3 levels) */ - /* Now combine the left and right logical nodes together */ - - /* Set the address of the node we're creating. */ - int j; - internal_idx_offset >>= 1; - for (j = 0; j < 2; j++) { - set_tree_height(tree_addrx2 + j * 8, h + 1); - set_tree_index(tree_addrx2 + j * 8, - (2 / 2) * (internal_idx & ~1) + j - left_adj + internal_idx_offset ); - } - unsigned char *left = &stackx2[h * 2 * SPX_N]; - thashx2( ¤t[0 * SPX_N], - ¤t[1 * SPX_N], - &left [0 * SPX_N], - ¤t[0 * SPX_N], - 2, ctx, tree_addrx2); - } - - /* We've hit a left child; save the current for when we get the */ - /* corresponding right right */ - memcpy( &stackx2[h * 2 * SPX_N], current, 2 * SPX_N); - } -} diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/utilsx2.h b/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/utilsx2.h deleted file mode 100644 index e09faddc4..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/utilsx2.h +++ /dev/null @@ -1,30 +0,0 @@ -#ifndef SPX_UTILSX2_H -#define SPX_UTILSX2_H - -#include - -#include "context.h" -#include "params.h" - -/** - * For a given leaf index, computes the authentication path and the resulting - * root node using Merkle's TreeHash algorithm. - * Expects the layer and tree parts of the tree_addr to be set, as well as the - * tree type (i.e. SPX_ADDR_TYPE_HASHTREE or SPX_ADDR_TYPE_FORSTREE). - * Applies the offset idx_offset to indices before building addresses, so that - * it is possible to continue counting indices across trees. - * - * This implementation uses SIMD to compute internal nodes 2 at a time (in - * parallel) - */ -#define treehashx2 SPX_NAMESPACE(treehashx2) -void treehashx2(unsigned char *root, unsigned char *auth_path, - const spx_ctx *ctx, - uint32_t leaf_idx, uint32_t idx_offset, uint32_t tree_height, - void (*gen_leafx2)( - unsigned char * /* Where to write the leaves */, - const spx_ctx * /* ctx */, - uint32_t addr_idx, void *info), - uint32_t tree_addrx2[2 * 8], void *info); - -#endif diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/wots.c b/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/wots.c deleted file mode 100644 index 3babe45e9..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/wots.c +++ /dev/null @@ -1,259 +0,0 @@ -#include -#include - -#include "wots.h" -#include "wotsx2.h" - -#include "address.h" -#include "hash.h" -#include "hashx2.h" -#include "params.h" -#include "thashx2.h" -#include "utils.h" -#include "utilsx2.h" - -// TODO clarify address expectations, and make them more uniform. -// TODO i.e. do we expect types to be set already? -// TODO and do we expect modifications or copies? - -/** - * Computes up the chains - */ -static void gen_chains( - unsigned char *out, - const unsigned char *in, - unsigned int start[SPX_WOTS_LEN], - const unsigned int steps[SPX_WOTS_LEN], - const spx_ctx *ctx, - uint32_t addr[8]) { - uint32_t i, j, k, idx, watching; - int done; - unsigned char empty[SPX_N]; - unsigned char *bufs[4]; - uint32_t addrs[8 * 2]; - - int l; - uint16_t counts[SPX_WOTS_W] = { 0 }; - uint16_t idxs[SPX_WOTS_LEN]; - uint16_t total, newTotal; - - /* set addrs = {addr, addr} */ - for (j = 0; j < 2; j++) { - memcpy(addrs + j * 8, addr, sizeof(uint32_t) * 8); - } - - /* Initialize out with the value at position 'start'. */ - memcpy(out, in, SPX_WOTS_LEN * SPX_N); - - /* Sort the chains in reverse order by steps using counting sort. */ - for (i = 0; i < SPX_WOTS_LEN; i++) { - counts[steps[i]]++; - } - total = 0; - for (l = SPX_WOTS_W - 1; l >= 0; l--) { - newTotal = counts[l] + total; - counts[l] = total; - total = newTotal; - } - for (i = 0; i < SPX_WOTS_LEN; i++) { - idxs[counts[steps[i]]] = i; - counts[steps[i]]++; - } - - /* We got our work cut out for us: do it! */ - for (i = 0; i < SPX_WOTS_LEN; i += 2) { - for (j = 0; j < 2 && i + j < SPX_WOTS_LEN; j++) { - idx = idxs[i + j]; - set_chain_addr(addrs + j * 8, idx); - bufs[j] = out + SPX_N * idx; - } - - /* As the chains are sorted in reverse order, we know that the first - * chain is the longest and the last one is the shortest. We keep - * an eye on whether the last chain is done and then on the one before, - * et cetera. */ - watching = 1; - done = 0; - while (i + watching >= SPX_WOTS_LEN) { - bufs[watching] = &empty[0]; - watching--; - } - - for (k = 0;; k++) { - while (k == steps[idxs[i + watching]]) { - bufs[watching] = &empty[0]; - if (watching == 0) { - done = 1; - break; - } - watching--; - } - if (done) { - break; - } - for (j = 0; j < watching + 1; j++) { - set_hash_addr(addrs + j * 8, k + start[idxs[i + j]]); - } - - thashx2(bufs[0], bufs[1], - bufs[0], bufs[1], 1, ctx, addrs); - } - } -} - -/** - * base_w algorithm as described in draft. - * Interprets an array of bytes as integers in base w. - * This only works when log_w is a divisor of 8. - */ -static void base_w(unsigned int *output, const int out_len, - const unsigned char *input) { - int in = 0; - int out = 0; - unsigned char total = 0; - int bits = 0; - int consumed; - - for (consumed = 0; consumed < out_len; consumed++) { - if (bits == 0) { - total = input[in]; - in++; - bits += 8; - } - bits -= SPX_WOTS_LOGW; - output[out] = (total >> bits) & (SPX_WOTS_W - 1); - out++; - } -} - -/* Computes the WOTS+ checksum over a message (in base_w). */ -static void wots_checksum(unsigned int *csum_base_w, - const unsigned int *msg_base_w) { - unsigned int csum = 0; - unsigned char csum_bytes[(SPX_WOTS_LEN2 * SPX_WOTS_LOGW + 7) / 8]; - unsigned int i; - - /* Compute checksum. */ - for (i = 0; i < SPX_WOTS_LEN1; i++) { - csum += SPX_WOTS_W - 1 - msg_base_w[i]; - } - - /* Convert checksum to base_w. */ - /* Make sure expected empty zero bits are the least significant bits. */ - csum = csum << ((8 - ((SPX_WOTS_LEN2 * SPX_WOTS_LOGW) % 8)) % 8); - ull_to_bytes(csum_bytes, sizeof(csum_bytes), csum); - base_w(csum_base_w, SPX_WOTS_LEN2, csum_bytes); -} - -/* Takes a message and derives the matching chain lengths. */ -void chain_lengths(unsigned int *lengths, const unsigned char *msg) { - base_w(lengths, SPX_WOTS_LEN1, msg); - wots_checksum(lengths + SPX_WOTS_LEN1, lengths); -} - -/** - * Takes a WOTS signature and an n-byte message, computes a WOTS public key. - * - * Writes the computed public key to 'pk'. - */ -void wots_pk_from_sig(unsigned char *pk, - const unsigned char *sig, const unsigned char *msg, - const spx_ctx *ctx, uint32_t addr[8]) { - unsigned int steps[SPX_WOTS_LEN]; - unsigned int start[SPX_WOTS_LEN]; - uint32_t i; - - chain_lengths(start, msg); - - for (i = 0; i < SPX_WOTS_LEN; i++) { - steps[i] = SPX_WOTS_W - 1 - start[i]; - } - - gen_chains(pk, sig, start, steps, ctx, addr); -} - -/* - * This generates 2 sequential WOTS public keys - * It also generates the WOTS signature if leaf_info indicates - * that we're signing with one of these WOTS keys - */ -void wots_gen_leafx2(unsigned char *dest, - const spx_ctx *ctx, - uint32_t leaf_idx, void *v_info) { - struct leaf_info_x2 *info = v_info; - uint32_t *leaf_addr = info->leaf_addr; - uint32_t *pk_addr = info->pk_addr; - unsigned int i, j, k; - unsigned char pk_buffer[ 2 * SPX_WOTS_BYTES ]; - unsigned wots_offset = SPX_WOTS_BYTES; - unsigned char *buffer; - uint32_t wots_k_mask; - unsigned wots_sign_index; - - if (((leaf_idx ^ info->wots_sign_leaf) & ~1) == 0) { - /* We're traversing the leaf that's signing; generate the WOTS */ - /* signature */ - wots_k_mask = 0; - wots_sign_index = info->wots_sign_leaf & 1; /* Which of of the 2 */ - /* slots do the signatures come from */ - } else { - /* Nope, we're just generating pk's; turn off the signature logic */ - wots_k_mask = ~0; - wots_sign_index = 0; - } - - for (j = 0; j < 2; j++) { - set_keypair_addr( leaf_addr + j * 8, leaf_idx + j ); - set_keypair_addr( pk_addr + j * 8, leaf_idx + j ); - } - - for (i = 0, buffer = pk_buffer; i < SPX_WOTS_LEN; i++, buffer += SPX_N) { - uint32_t wots_k = info->wots_steps[i] | wots_k_mask; /* Set wots_k to */ - /* the step if we're generating a signature, ~0 if we're not */ - - /* Start with the secret seed */ - for (j = 0; j < 2; j++) { - set_chain_addr(leaf_addr + j * 8, i); - set_hash_addr(leaf_addr + j * 8, 0); - set_type(leaf_addr + j * 8, SPX_ADDR_TYPE_WOTSPRF); - } - prf_addrx2(buffer + 0 * wots_offset, - buffer + 1 * wots_offset, - ctx, leaf_addr); - for (j = 0; j < 2; j++) { - set_type(leaf_addr + j * 8, SPX_ADDR_TYPE_WOTS); - } - - /* Iterate down the WOTS chain */ - for (k = 0;; k++) { - /* Check if one of the values we have needs to be saved as a */ - /* part of the WOTS signature */ - if (k == wots_k) { - memcpy( info->wots_sig + i * SPX_N, - buffer + wots_sign_index * wots_offset, SPX_N ); - } - - /* Check if we hit the top of the chain */ - if (k == SPX_WOTS_W - 1) { - break; - } - - /* Iterate one step on all 4 chains */ - for (j = 0; j < 2; j++) { - set_hash_addr(leaf_addr + j * 8, k); - } - thashx2(buffer + 0 * wots_offset, - buffer + 1 * wots_offset, - buffer + 0 * wots_offset, - buffer + 1 * wots_offset, - 1, ctx, leaf_addr); - } - } - - /* Do the final thash to generate the public keys */ - thashx2(dest + 0 * SPX_N, - dest + 1 * SPX_N, - pk_buffer + 0 * wots_offset, - pk_buffer + 1 * wots_offset, - SPX_WOTS_LEN, ctx, pk_addr); -} diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/wots.h b/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/wots.h deleted file mode 100644 index 4e7692eee..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/wots.h +++ /dev/null @@ -1,25 +0,0 @@ -#ifndef SPX_WOTS_H -#define SPX_WOTS_H - -#include - -#include "context.h" -#include "params.h" - -/** - * Takes a WOTS signature and an n-byte message, computes a WOTS public key. - * - * Writes the computed public key to 'pk'. - */ -#define wots_pk_from_sig SPX_NAMESPACE(wots_pk_from_sig) -void wots_pk_from_sig(unsigned char *pk, - const unsigned char *sig, const unsigned char *msg, - const spx_ctx *ctx, uint32_t addr[8]); - -/* - * Compute the chain lengths needed for a given message hash - */ -#define chain_lengths SPX_NAMESPACE(chain_lengths) -void chain_lengths(unsigned int *lengths, const unsigned char *msg); - -#endif diff --git a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/wotsx2.h b/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/wotsx2.h deleted file mode 100644 index b58bb61f8..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-128s-simple_aarch64/wotsx2.h +++ /dev/null @@ -1,40 +0,0 @@ -#ifndef WOTSX2_H_ -#define WOTSX2_H_ - -#include "params.h" -#include - -/* - * This is here to provide an interface to the internal wots_gen_leafx2 - * routine. While this routine is not referenced in the package outside of - * wots.c, it is called from the stand-alone benchmark code to characterize - * the performance - */ -struct leaf_info_x2 { - unsigned char *wots_sig; - uint32_t wots_sign_leaf; /* The index of the WOTS we're using to sign */ - uint32_t *wots_steps; - uint32_t leaf_addr[2 * 8]; - uint32_t pk_addr[2 * 8]; -}; - -/* Macro to set the leaf_info to something 'benign', that is, it would */ -/* run with the same time as it does during the real signing process */ -/* Used only by the benchmark code */ -#define INITIALIZE_LEAF_INFO_X2(info, addr, step_buffer) { \ - (info).wots_sig = 0; \ - (info).wots_sign_leaf = ~0; \ - (info).wots_steps = step_buffer; \ - int i; \ - for (i=0; i<2; i++) { \ - memcpy( &(info).leaf_addr[8*i], addr, 32 ); \ - memcpy( &(info).pk_addr[8*i], addr, 32 ); \ - } \ - } - -#define wots_gen_leafx2 SPX_NAMESPACE(wots_gen_leafx2) -void wots_gen_leafx2(unsigned char *dest, - const spx_ctx *ctx, - uint32_t leaf_idx, void *v_info); - -#endif /* WOTSX2_H_ */ diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/LICENSE b/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/LICENSE deleted file mode 100644 index 670154e35..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/LICENSE +++ /dev/null @@ -1,116 +0,0 @@ -CC0 1.0 Universal - -Statement of Purpose - -The laws of most jurisdictions throughout the world automatically confer -exclusive Copyright and Related Rights (defined below) upon the creator and -subsequent owner(s) (each and all, an "owner") of an original work of -authorship and/or a database (each, a "Work"). - -Certain owners wish to permanently relinquish those rights to a Work for the -purpose of contributing to a commons of creative, cultural and scientific -works ("Commons") that the public can reliably and without fear of later -claims of infringement build upon, modify, incorporate in other works, reuse -and redistribute as freely as possible in any form whatsoever and for any -purposes, including without limitation commercial purposes. These owners may -contribute to the Commons to promote the ideal of a free culture and the -further production of creative, cultural and scientific works, or to gain -reputation or greater distribution for their Work in part through the use and -efforts of others. - -For these and/or other purposes and motivations, and without any expectation -of additional consideration or compensation, the person associating CC0 with a -Work (the "Affirmer"), to the extent that he or she is an owner of Copyright -and Related Rights in the Work, voluntarily elects to apply CC0 to the Work -and publicly distribute the Work under its terms, with knowledge of his or her -Copyright and Related Rights in the Work and the meaning and intended legal -effect of CC0 on those rights. - -1. Copyright and Related Rights. A Work made available under CC0 may be -protected by copyright and related or neighboring rights ("Copyright and -Related Rights"). Copyright and Related Rights include, but are not limited -to, the following: - - i. the right to reproduce, adapt, distribute, perform, display, communicate, - and translate a Work; - - ii. moral rights retained by the original author(s) and/or performer(s); - - iii. publicity and privacy rights pertaining to a person's image or likeness - depicted in a Work; - - iv. rights protecting against unfair competition in regards to a Work, - subject to the limitations in paragraph 4(a), below; - - v. rights protecting the extraction, dissemination, use and reuse of data in - a Work; - - vi. database rights (such as those arising under Directive 96/9/EC of the - European Parliament and of the Council of 11 March 1996 on the legal - protection of databases, and under any national implementation thereof, - including any amended or successor version of such directive); and - - vii. other similar, equivalent or corresponding rights throughout the world - based on applicable law or treaty, and any national implementations thereof. - -2. Waiver. To the greatest extent permitted by, but not in contravention of, -applicable law, Affirmer hereby overtly, fully, permanently, irrevocably and -unconditionally waives, abandons, and surrenders all of Affirmer's Copyright -and Related Rights and associated claims and causes of action, whether now -known or unknown (including existing as well as future claims and causes of -action), in the Work (i) in all territories worldwide, (ii) for the maximum -duration provided by applicable law or treaty (including future time -extensions), (iii) in any current or future medium and for any number of -copies, and (iv) for any purpose whatsoever, including without limitation -commercial, advertising or promotional purposes (the "Waiver"). Affirmer makes -the Waiver for the benefit of each member of the public at large and to the -detriment of Affirmer's heirs and successors, fully intending that such Waiver -shall not be subject to revocation, rescission, cancellation, termination, or -any other legal or equitable action to disrupt the quiet enjoyment of the Work -by the public as contemplated by Affirmer's express Statement of Purpose. - -3. Public License Fallback. Should any part of the Waiver for any reason be -judged legally invalid or ineffective under applicable law, then the Waiver -shall be preserved to the maximum extent permitted taking into account -Affirmer's express Statement of Purpose. In addition, to the extent the Waiver -is so judged Affirmer hereby grants to each affected person a royalty-free, -non transferable, non sublicensable, non exclusive, irrevocable and -unconditional license to exercise Affirmer's Copyright and Related Rights in -the Work (i) in all territories worldwide, (ii) for the maximum duration -provided by applicable law or treaty (including future time extensions), (iii) -in any current or future medium and for any number of copies, and (iv) for any -purpose whatsoever, including without limitation commercial, advertising or -promotional purposes (the "License"). The License shall be deemed effective as -of the date CC0 was applied by Affirmer to the Work. Should any part of the -License for any reason be judged legally invalid or ineffective under -applicable law, such partial invalidity or ineffectiveness shall not -invalidate the remainder of the License, and in such case Affirmer hereby -affirms that he or she will not (i) exercise any of his or her remaining -Copyright and Related Rights in the Work or (ii) assert any associated claims -and causes of action with respect to the Work, in either case contrary to -Affirmer's express Statement of Purpose. - -4. Limitations and Disclaimers. - - a. No trademark or patent rights held by Affirmer are waived, abandoned, - surrendered, licensed or otherwise affected by this document. - - b. Affirmer offers the Work as-is and makes no representations or warranties - of any kind concerning the Work, express, implied, statutory or otherwise, - including without limitation warranties of title, merchantability, fitness - for a particular purpose, non infringement, or the absence of latent or - other defects, accuracy, or the present or absence of errors, whether or not - discoverable, all to the greatest extent permissible under applicable law. - - c. Affirmer disclaims responsibility for clearing rights of other persons - that may apply to the Work or any use thereof, including without limitation - any person's Copyright and Related Rights in the Work. Further, Affirmer - disclaims responsibility for obtaining any necessary consents, permissions - or other rights required for any use of the Work. - - d. Affirmer understands and acknowledges that Creative Commons is not a - party to this document and has no duty or obligation with respect to this - CC0 or use of the Work. - -For more information, please see - diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/address.c b/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/address.c deleted file mode 100644 index b956e9cb2..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/address.c +++ /dev/null @@ -1,91 +0,0 @@ -#include -#include - -#include "address.h" -#include "params.h" -#include "utils.h" - -/* - * Specify which level of Merkle tree (the "layer") we're working on - */ -void set_layer_addr(uint32_t addr[8], uint32_t layer) { - ((unsigned char *)addr)[SPX_OFFSET_LAYER] = (unsigned char)layer; -} - -/* - * Specify which Merkle tree within the level (the "tree address") we're working on - */ -void set_tree_addr(uint32_t addr[8], uint64_t tree) { - ull_to_bytes(&((unsigned char *)addr)[SPX_OFFSET_TREE], 8, tree ); -} - -/* - * Specify the reason we'll use this address structure for, that is, what - * hash will we compute with it. This is used so that unrelated types of - * hashes don't accidentally get the same address structure. The type will be - * one of the SPX_ADDR_TYPE constants - */ -void set_type(uint32_t addr[8], uint32_t type) { - ((unsigned char *)addr)[SPX_OFFSET_TYPE] = (unsigned char)type; -} - -/* - * Copy the layer and tree fields of the address structure. This is used - * when we're doing multiple types of hashes within the same Merkle tree - */ -void copy_subtree_addr(uint32_t out[8], const uint32_t in[8]) { - memcpy( out, in, SPX_OFFSET_TREE + 8 ); -} - -/* These functions are used for OTS addresses. */ - -/* - * Specify which Merkle leaf we're working on; that is, which OTS keypair - * we're talking about. - */ -void set_keypair_addr(uint32_t addr[8], uint32_t keypair) { - ((unsigned char *)addr)[SPX_OFFSET_KP_ADDR1] = (unsigned char)keypair; -} - -/* - * Copy the layer, tree and keypair fields of the address structure. This is - * used when we're doing multiple things within the same OTS keypair - */ -void copy_keypair_addr(uint32_t out[8], const uint32_t in[8]) { - memcpy( out, in, SPX_OFFSET_TREE + 8 ); - ((unsigned char *)out)[SPX_OFFSET_KP_ADDR1] = ((unsigned char *)in)[SPX_OFFSET_KP_ADDR1]; -} - -/* - * Specify which Merkle chain within the OTS we're working with - * (the chain address) - */ -void set_chain_addr(uint32_t addr[8], uint32_t chain) { - ((unsigned char *)addr)[SPX_OFFSET_CHAIN_ADDR] = (unsigned char)chain; -} - -/* - * Specify where in the Merkle chain we are -* (the hash address) - */ -void set_hash_addr(uint32_t addr[8], uint32_t hash) { - ((unsigned char *)addr)[SPX_OFFSET_HASH_ADDR] = (unsigned char)hash; -} - -/* These functions are used for all hash tree addresses (including FORS). */ - -/* - * Specify the height of the node in the Merkle/FORS tree we are in - * (the tree height) - */ -void set_tree_height(uint32_t addr[8], uint32_t tree_height) { - ((unsigned char *)addr)[SPX_OFFSET_TREE_HGT] = (unsigned char)tree_height; -} - -/* - * Specify the distance from the left edge of the node in the Merkle/FORS tree - * (the tree index) - */ -void set_tree_index(uint32_t addr[8], uint32_t tree_index) { - u32_to_bytes(&((unsigned char *)addr)[SPX_OFFSET_TREE_INDEX], tree_index ); -} diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/address.h b/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/address.h deleted file mode 100644 index 24a84eb40..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/address.h +++ /dev/null @@ -1,52 +0,0 @@ -#ifndef SPX_ADDRESS_H -#define SPX_ADDRESS_H - -#include - -#include "params.h" - -/* The hash types that are passed to set_type */ -#define SPX_ADDR_TYPE_WOTS 0 -#define SPX_ADDR_TYPE_WOTSPK 1 -#define SPX_ADDR_TYPE_HASHTREE 2 -#define SPX_ADDR_TYPE_FORSTREE 3 -#define SPX_ADDR_TYPE_FORSPK 4 -#define SPX_ADDR_TYPE_WOTSPRF 5 -#define SPX_ADDR_TYPE_FORSPRF 6 - -#define set_layer_addr SPX_NAMESPACE(set_layer_addr) -void set_layer_addr(uint32_t addr[8], uint32_t layer); - -#define set_tree_addr SPX_NAMESPACE(set_tree_addr) -void set_tree_addr(uint32_t addr[8], uint64_t tree); - -#define set_type SPX_NAMESPACE(set_type) -void set_type(uint32_t addr[8], uint32_t type); - -/* Copies the layer and tree part of one address into the other */ -#define copy_subtree_addr SPX_NAMESPACE(copy_subtree_addr) -void copy_subtree_addr(uint32_t out[8], const uint32_t in[8]); - -/* These functions are used for WOTS and FORS addresses. */ - -#define set_keypair_addr SPX_NAMESPACE(set_keypair_addr) -void set_keypair_addr(uint32_t addr[8], uint32_t keypair); - -#define set_chain_addr SPX_NAMESPACE(set_chain_addr) -void set_chain_addr(uint32_t addr[8], uint32_t chain); - -#define set_hash_addr SPX_NAMESPACE(set_hash_addr) -void set_hash_addr(uint32_t addr[8], uint32_t hash); - -#define copy_keypair_addr SPX_NAMESPACE(copy_keypair_addr) -void copy_keypair_addr(uint32_t out[8], const uint32_t in[8]); - -/* These functions are used for all hash tree addresses (including FORS). */ - -#define set_tree_height SPX_NAMESPACE(set_tree_height) -void set_tree_height(uint32_t addr[8], uint32_t tree_height); - -#define set_tree_index SPX_NAMESPACE(set_tree_index) -void set_tree_index(uint32_t addr[8], uint32_t tree_index); - -#endif diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/api.h b/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/api.h deleted file mode 100644 index 3e80e17f5..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/api.h +++ /dev/null @@ -1,77 +0,0 @@ -#ifndef PQCLEAN_SPHINCSSHAKE192FSIMPLE_AARCH64_API_H -#define PQCLEAN_SPHINCSSHAKE192FSIMPLE_AARCH64_API_H - -#include -#include - -#define PQCLEAN_SPHINCSSHAKE192FSIMPLE_AARCH64_CRYPTO_ALGNAME "SPHINCS+-shake-192f-simple" - -#define PQCLEAN_SPHINCSSHAKE192FSIMPLE_AARCH64_CRYPTO_SECRETKEYBYTES 96 -#define PQCLEAN_SPHINCSSHAKE192FSIMPLE_AARCH64_CRYPTO_PUBLICKEYBYTES 48 -#define PQCLEAN_SPHINCSSHAKE192FSIMPLE_AARCH64_CRYPTO_BYTES 35664 - -#define PQCLEAN_SPHINCSSHAKE192FSIMPLE_AARCH64_CRYPTO_SEEDBYTES 72 - -/* - * Returns the length of a secret key, in bytes - */ -size_t PQCLEAN_SPHINCSSHAKE192FSIMPLE_AARCH64_crypto_sign_secretkeybytes(void); - -/* - * Returns the length of a public key, in bytes - */ -size_t PQCLEAN_SPHINCSSHAKE192FSIMPLE_AARCH64_crypto_sign_publickeybytes(void); - -/* - * Returns the length of a signature, in bytes - */ -size_t PQCLEAN_SPHINCSSHAKE192FSIMPLE_AARCH64_crypto_sign_bytes(void); - -/* - * Returns the length of the seed required to generate a key pair, in bytes - */ -size_t PQCLEAN_SPHINCSSHAKE192FSIMPLE_AARCH64_crypto_sign_seedbytes(void); - -/* - * Generates a SPHINCS+ key pair given a seed. - * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root] - * Format pk: [root || PUB_SEED] - */ -int PQCLEAN_SPHINCSSHAKE192FSIMPLE_AARCH64_crypto_sign_seed_keypair(uint8_t *pk, uint8_t *sk, - const uint8_t *seed); - -/* - * Generates a SPHINCS+ key pair. - * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root] - * Format pk: [root || PUB_SEED] - */ -int PQCLEAN_SPHINCSSHAKE192FSIMPLE_AARCH64_crypto_sign_keypair(uint8_t *pk, uint8_t *sk); - -/** - * Returns an array containing a detached signature. - */ -int PQCLEAN_SPHINCSSHAKE192FSIMPLE_AARCH64_crypto_sign_signature(uint8_t *sig, size_t *siglen, - const uint8_t *m, size_t mlen, - const uint8_t *sk); - -/** - * Verifies a detached signature and message under a given public key. - */ -int PQCLEAN_SPHINCSSHAKE192FSIMPLE_AARCH64_crypto_sign_verify(const uint8_t *sig, size_t siglen, - const uint8_t *m, size_t mlen, - const uint8_t *pk); - -/** - * Returns an array containing the signature followed by the message. - */ -int PQCLEAN_SPHINCSSHAKE192FSIMPLE_AARCH64_crypto_sign(uint8_t *sm, size_t *smlen, - const uint8_t *m, size_t mlen, - const uint8_t *sk); - -/** - * Verifies a given signature-message pair under a given public key. - */ -int PQCLEAN_SPHINCSSHAKE192FSIMPLE_AARCH64_crypto_sign_open(uint8_t *m, size_t *mlen, - const uint8_t *sm, size_t smlen, - const uint8_t *pk); -#endif diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/context.h b/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/context.h deleted file mode 100644 index 6e0a33f3b..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/context.h +++ /dev/null @@ -1,19 +0,0 @@ -#ifndef SPX_CONTEXT_H -#define SPX_CONTEXT_H - -#include - -#include "params.h" - -typedef struct { - uint8_t pub_seed[SPX_N]; - uint8_t sk_seed[SPX_N]; -} spx_ctx; - -#define initialize_hash_function SPX_NAMESPACE(initialize_hash_function) -void initialize_hash_function(spx_ctx *ctx); - -#define free_hash_function SPX_NAMESPACE(free_hash_function) -void free_hash_function(spx_ctx *ctx); - -#endif diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/context_shake.c b/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/context_shake.c deleted file mode 100644 index 9614a103d..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/context_shake.c +++ /dev/null @@ -1,12 +0,0 @@ -#include "context.h" - -/* For SHAKE256, there is no immediate reason to initialize at the start, - so this function is an empty operation. */ -void initialize_hash_function(spx_ctx *ctx) { - (void)ctx; /* Suppress an 'unused parameter' warning. */ -} - -// in case the hash function api is heap-based. -void free_hash_function(spx_ctx *ctx) { - (void)ctx; -} diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/f1600x2.h b/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/f1600x2.h deleted file mode 100644 index 70d1af9f1..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/f1600x2.h +++ /dev/null @@ -1,11 +0,0 @@ -#ifndef SPX_F1600X2_H -#define SPX_F1600X2_H - -#include - -extern uint64_t f1600_RC[24]; -extern void _f1600x2(uint64_t *a, uint64_t *rc); - -#define f1600x2(s) do {_f1600x2((s), f1600_RC);} while(0) - -#endif diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/f1600x2.s b/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/f1600x2.s deleted file mode 100644 index 640ed791e..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/f1600x2.s +++ /dev/null @@ -1,143 +0,0 @@ -# From https://github.com/bwesterb/armed-keccak - -.macro round - # Execute theta, but without xoring into the state yet. - # Compute parities p[i] = a[i] ^ a[5+i] ^ ... ^ a[20+i]. - eor3.16b v25, v0, v5, v10 - eor3.16b v26, v1, v6, v11 - eor3.16b v27, v2, v7, v12 - eor3.16b v28, v3, v8, v13 - eor3.16b v29, v4, v9, v14 - - eor3.16b v25, v25, v15, v20 - eor3.16b v26, v26, v16, v21 - eor3.16b v27, v27, v17, v22 - eor3.16b v28, v28, v18, v23 - eor3.16b v29, v29, v19, v24 - - # d[0] = rotl(p[1], 1) ^ p[4] - rax1.2d v30, v29, v26 - # d[3] = rotl(p[4], 1) ^ p[2] - rax1.2d v29, v27, v29 - # d[1] = rotl(p[2], 1) ^ p[0] - rax1.2d v27, v25, v27 - # d[4] = rotl(p[0], 1) ^ p[3] - rax1.2d v25, v28, v25 - # d[2] = rotl(p[3], 1) ^ p[1] - rax1.2d v28, v26, v28 - - # Xor parities from step theta into the state at the same time - # as executing rho and pi. - eor.16b v0, v0, v30 - mov.16b v31, v1 - xar.2d v1, v6, v27, 20 - xar.2d v6, v9, v25, 44 - xar.2d v9, v22, v28, 3 - xar.2d v22, v14, v25, 25 - xar.2d v14, v20, v30, 46 - xar.2d v20, v2, v28, 2 - xar.2d v2, v12, v28, 21 - xar.2d v12, v13, v29, 39 - xar.2d v13, v19, v25, 56 - xar.2d v19, v23, v29, 8 - xar.2d v23, v15, v30, 23 - xar.2d v15, v4, v25, 37 - xar.2d v4, v24, v25, 50 - xar.2d v24, v21, v27, 62 - xar.2d v21, v8, v29, 9 - xar.2d v8, v16, v27, 19 - xar.2d v16, v5, v30, 28 - xar.2d v5, v3, v29, 36 - xar.2d v3, v18, v29, 43 - xar.2d v18, v17, v28, 49 - xar.2d v17, v11, v27, 54 - xar.2d v11, v7, v28, 58 - xar.2d v7, v10, v30, 61 - xar.2d v10, v31, v27, 63 - - # Chi - bcax.16b v25, v0, v2, v1 - bcax.16b v26, v1, v3, v2 - bcax.16b v2, v2, v4, v3 - bcax.16b v3, v3, v0, v4 - bcax.16b v4, v4, v1, v0 - mov.16b v0, v25 - mov.16b v1, v26 - - bcax.16b v25, v5, v7, v6 - bcax.16b v26, v6, v8, v7 - bcax.16b v7, v7, v9, v8 - bcax.16b v8, v8, v5, v9 - bcax.16b v9, v9, v6, v5 - mov.16b v5, v25 - mov.16b v6, v26 - - bcax.16b v25, v10, v12, v11 - bcax.16b v26, v11, v13, v12 - bcax.16b v12, v12, v14, v13 - bcax.16b v13, v13, v10, v14 - bcax.16b v14, v14, v11, v10 - mov.16b v10, v25 - mov.16b v11, v26 - - bcax.16b v25, v15, v17, v16 - bcax.16b v26, v16, v18, v17 - bcax.16b v17, v17, v19, v18 - bcax.16b v18, v18, v15, v19 - bcax.16b v19, v19, v16, v15 - mov.16b v15, v25 - mov.16b v16, v26 - - bcax.16b v25, v20, v22, v21 - bcax.16b v26, v21, v23, v22 - bcax.16b v22, v22, v24, v23 - bcax.16b v23, v23, v20, v24 - bcax.16b v24, v24, v21, v20 - mov.16b v20, v25 - mov.16b v21, v26 - - # iota - ld1r {v25.2d}, [x1], #8 - eor.16b v0, v0, v25 -.endm - -.align 4 -.global __f1600x2 -__f1600x2: - stp d8, d9, [sp,#-16]! - stp d10, d11, [sp,#-16]! - stp d12, d13, [sp,#-16]! - stp d14, d15, [sp,#-16]! - - mov x2, x0 - mov x3, #24 - - ld1.2d {v0, v1, v2, v3}, [x0], #64 - ld1.2d {v4, v5, v6, v7}, [x0], #64 - ld1.2d {v8, v9, v10, v11}, [x0], #64 - ld1.2d {v12, v13, v14, v15}, [x0], #64 - ld1.2d {v16, v17, v18, v19}, [x0], #64 - ld1.2d {v20, v21, v22, v23}, [x0], #64 - ld1.2d {v24}, [x0] - -loop: - round - - subs x3, x3, #1 - cbnz x3, loop - - mov x0, x2 - st1.2d {v0, v1, v2, v3}, [x0], #64 - st1.2d {v4, v5, v6, v7}, [x0], #64 - st1.2d {v8, v9, v10, v11}, [x0], #64 - st1.2d {v12, v13, v14, v15}, [x0], #64 - st1.2d {v16, v17, v18, v19}, [x0], #64 - st1.2d {v20, v21, v22, v23}, [x0], #64 - st1.2d {v24}, [x0] - - ldp d14, d15, [sp], #16 - ldp d12, d13, [sp], #16 - ldp d10, d11, [sp], #16 - ldp d8, d9, [sp], #16 - - ret lr diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/f1600x2_const.c b/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/f1600x2_const.c deleted file mode 100644 index e49c0ba14..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/f1600x2_const.c +++ /dev/null @@ -1,30 +0,0 @@ -#include "f1600x2.h" - -uint64_t f1600_RC[24] = { - 0x0000000000000001, - 0x0000000000008082, - 0x800000000000808A, - 0x8000000080008000, - 0x000000000000808B, - 0x0000000080000001, - 0x8000000080008081, - 0x8000000000008009, - 0x000000000000008A, - 0x0000000000000088, - 0x0000000080008009, - 0x000000008000000A, - 0x000000008000808B, - 0x800000000000008B, - 0x8000000000008089, - 0x8000000000008003, - 0x8000000000008002, - 0x8000000000000080, - 0x000000000000800A, - 0x800000008000000A, - 0x8000000080008081, - 0x8000000000008080, - 0x0000000080000001, - 0x8000000080008008, -}; - - diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/fips202x2.c b/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/fips202x2.c deleted file mode 100644 index 4718c343b..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/fips202x2.c +++ /dev/null @@ -1,148 +0,0 @@ -#include -#include - -#include "fips202x2.h" -#include "f1600x2.h" -#include "fips202.h" - -uint64_t load64(const unsigned char *x) { - unsigned long long r = 0, i; - - for (i = 0; i < 8; ++i) { - r |= (unsigned long long)x[i] << 8 * i; - } - return r; -} - -void store64(uint8_t *x, uint64_t u) { - unsigned int i; - - for (i = 0; i < 8; ++i) { - x[i] = (uint8_t)u; - u >>= 8; - } -} - -static void keccak_absorb2x(uint64_t *s, - unsigned int r, - const unsigned char *m0, - const unsigned char *m1, - unsigned long long int mlen, - unsigned char p) { - unsigned long long i; - unsigned char t0[200]; - unsigned char t1[200]; - - while (mlen >= r) { - for (i = 0; i < r / 8; ++i) { - s[2 * i + 0] ^= load64(m0 + 8 * i); - s[2 * i + 1] ^= load64(m1 + 8 * i); - } - - f1600x2(s); - mlen -= r; - m0 += r; - m1 += r; - } - - for (i = 0; i < r; ++i) { - t0[i] = 0; - t1[i] = 0; - } - for (i = 0; i < mlen; ++i) { - t0[i] = m0[i]; - t1[i] = m1[i]; - } - - t0[i] = p; - t1[i] = p; - - t0[r - 1] |= 128; - t1[r - 1] |= 128; - - for (i = 0; i < r / 8; ++i) { - s[2 * i + 0] ^= load64(t0 + 8 * i); - s[2 * i + 1] ^= load64(t1 + 8 * i); - } -} - - -static void keccak_squeezeblocks2x(unsigned char *h0, - unsigned char *h1, - unsigned long long int nblocks, - uint64_t *s, - unsigned int r) { - unsigned int i; - - while (nblocks > 0) { - f1600x2(s); - for (i = 0; i < (r >> 3); i++) { - store64(h0 + 8 * i, s[2 * i + 0]); - store64(h1 + 8 * i, s[2 * i + 1]); - } - h0 += r; - h1 += r; - nblocks--; - } -} - - - -void shake128x2(unsigned char *out0, - unsigned char *out1, - unsigned long long outlen, - unsigned char *in0, - unsigned char *in1, - unsigned long long inlen) { - uint64_t s[50] = {0}; - unsigned char t0[SHAKE128_RATE]; - unsigned char t1[SHAKE128_RATE]; - unsigned int i; - - /* absorb 4 message of identical length in parallel */ - keccak_absorb2x(s, SHAKE128_RATE, in0, in1, inlen, 0x1F); - - /* Squeeze output */ - keccak_squeezeblocks2x(out0, out1, outlen / SHAKE128_RATE, s, SHAKE128_RATE); - - out0 += (outlen / SHAKE128_RATE) * SHAKE128_RATE; - out1 += (outlen / SHAKE128_RATE) * SHAKE128_RATE; - - if (outlen % SHAKE128_RATE) { - keccak_squeezeblocks2x(t0, t1, 1, s, SHAKE128_RATE); - for (i = 0; i < outlen % SHAKE128_RATE; i++) { - out0[i] = t0[i]; - out1[i] = t1[i]; - } - } -} - - -void shake256x2(unsigned char *out0, - unsigned char *out1, - unsigned long long outlen, - unsigned char *in0, - unsigned char *in1, - unsigned long long inlen) { - uint64_t s[50] = {0}; - unsigned char t0[SHAKE256_RATE]; - unsigned char t1[SHAKE256_RATE]; - unsigned int i; - - /* absorb 2 message of identical length in parallel */ - keccak_absorb2x(s, SHAKE256_RATE, in0, in1, inlen, 0x1F); - - /* Squeeze output */ - keccak_squeezeblocks2x(out0, out1, outlen / SHAKE256_RATE, s, SHAKE256_RATE); - - out0 += (outlen / SHAKE256_RATE) * SHAKE256_RATE; - out1 += (outlen / SHAKE256_RATE) * SHAKE256_RATE; - - if (outlen % SHAKE256_RATE) { - keccak_squeezeblocks2x(t0, t1, 1, s, SHAKE256_RATE); - for (i = 0; i < outlen % SHAKE256_RATE; i++) { - out0[i] = t0[i]; - out1[i] = t1[i]; - } - } -} diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/fips202x2.h b/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/fips202x2.h deleted file mode 100644 index 7ba58b35d..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/fips202x2.h +++ /dev/null @@ -1,24 +0,0 @@ -#ifndef SPX_FIPS202X2_H -#define SPX_FIPS202X2_H - -#include - -uint64_t load64(const unsigned char *x); -void store64(uint8_t *x, uint64_t u); - - -void shake128x2(unsigned char *out0, - unsigned char *out1, - unsigned long long outlen, - unsigned char *in0, - unsigned char *in1, - unsigned long long inlen); - -void shake256x2(unsigned char *out0, - unsigned char *out1, - unsigned long long outlen, - unsigned char *in0, - unsigned char *in1, - unsigned long long inlen); - -#endif diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/fors.c b/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/fors.c deleted file mode 100644 index 39193d04e..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/fors.c +++ /dev/null @@ -1,191 +0,0 @@ -#include -#include -#include - -#include "fors.h" - -#include "address.h" -#include "hash.h" -#include "hashx2.h" -#include "thash.h" -#include "thashx2.h" -#include "utils.h" -#include "utilsx2.h" - -static void fors_gen_sk(unsigned char *sk, const spx_ctx *ctx, - uint32_t fors_leaf_addr[8]) { - prf_addr(sk, ctx, fors_leaf_addr); -} - -static void fors_gen_skx2(unsigned char *sk0, - unsigned char *sk1, - const spx_ctx *ctx, - uint32_t fors_leaf_addrx2[2 * 8]) { - prf_addrx2(sk0, sk1, - ctx, fors_leaf_addrx2); -} - -static void fors_sk_to_leaf(unsigned char *leaf, const unsigned char *sk, - const spx_ctx *ctx, - uint32_t fors_leaf_addr[8]) { - thash(leaf, sk, 1, ctx, fors_leaf_addr); -} - -static void fors_sk_to_leafx2(unsigned char *leaf0, - unsigned char *leaf1, - const unsigned char *sk0, - const unsigned char *sk1, - const spx_ctx *ctx, - uint32_t fors_leaf_addrx2[2 * 8]) { - thashx2(leaf0, leaf1, - sk0, sk1, - 1, ctx, fors_leaf_addrx2); -} - -struct fors_gen_leaf_info { - uint32_t leaf_addrx[2 * 8]; -}; - -static void fors_gen_leafx2(unsigned char *leaf, - const spx_ctx *ctx, - uint32_t addr_idx, void *info) { - struct fors_gen_leaf_info *fors_info = info; - uint32_t *fors_leaf_addrx2 = fors_info->leaf_addrx; - unsigned int j; - - /* Only set the parts that the caller doesn't set */ - for (j = 0; j < 2; j++) { - set_tree_index(fors_leaf_addrx2 + j * 8, addr_idx + j); - set_type(fors_leaf_addrx2 + j * 8, SPX_ADDR_TYPE_FORSPRF); - } - - fors_gen_skx2(leaf + 0 * SPX_N, - leaf + 1 * SPX_N, - ctx, fors_leaf_addrx2); - - for (j = 0; j < 2; j++) { - set_type(fors_leaf_addrx2 + j * 8, SPX_ADDR_TYPE_FORSTREE); - } - - fors_sk_to_leafx2(leaf + 0 * SPX_N, - leaf + 1 * SPX_N, - leaf + 0 * SPX_N, - leaf + 1 * SPX_N, - ctx, fors_leaf_addrx2); -} - -/** - * Interprets m as SPX_FORS_HEIGHT-bit unsigned integers. - * Assumes m contains at least SPX_FORS_HEIGHT * SPX_FORS_TREES bits. - * Assumes indices has space for SPX_FORS_TREES integers. - */ -static void message_to_indices(uint32_t *indices, const unsigned char *m) { - unsigned int i, j; - unsigned int offset = 0; - - for (i = 0; i < SPX_FORS_TREES; i++) { - indices[i] = 0; - for (j = 0; j < SPX_FORS_HEIGHT; j++) { - indices[i] ^= (uint32_t)(((m[offset >> 3] >> (offset & 0x7)) & 0x1) << j); - offset++; - } - } -} - -/** - * Signs a message m, deriving the secret key from sk_seed and the FTS address. - * Assumes m contains at least SPX_FORS_HEIGHT * SPX_FORS_TREES bits. - */ -void fors_sign(unsigned char *sig, unsigned char *pk, - const unsigned char *m, - const spx_ctx *ctx, - const uint32_t fors_addr[8]) { - uint32_t indices[SPX_FORS_TREES]; - unsigned char roots[SPX_FORS_TREES * SPX_N]; - uint32_t fors_tree_addr[2 * 8] = {0}; - struct fors_gen_leaf_info fors_info = {0}; - uint32_t *fors_leaf_addr = fors_info.leaf_addrx; - uint32_t fors_pk_addr[8] = {0}; - uint32_t idx_offset; - unsigned int i; - - for (i = 0; i < 2; i++) { - copy_keypair_addr(fors_tree_addr + 8 * i, fors_addr); - set_type(fors_tree_addr + 8 * i, SPX_ADDR_TYPE_FORSTREE); - copy_keypair_addr(fors_leaf_addr + 8 * i, fors_addr); - } - copy_keypair_addr(fors_pk_addr, fors_addr); - set_type(fors_pk_addr, SPX_ADDR_TYPE_FORSPK); - - message_to_indices(indices, m); - - for (i = 0; i < SPX_FORS_TREES; i++) { - idx_offset = i * (1 << SPX_FORS_HEIGHT); - - set_tree_height(fors_tree_addr, 0); - set_tree_index(fors_tree_addr, indices[i] + idx_offset); - - /* Include the secret key part that produces the selected leaf node. */ - set_type(fors_tree_addr, SPX_ADDR_TYPE_FORSPRF); - fors_gen_sk(sig, ctx, fors_tree_addr); - set_type(fors_tree_addr, SPX_ADDR_TYPE_FORSTREE); - sig += SPX_N; - - /* Compute the authentication path for this leaf node. */ - treehashx2(roots + i * SPX_N, sig, ctx, - indices[i], idx_offset, SPX_FORS_HEIGHT, fors_gen_leafx2, - fors_tree_addr, &fors_info); - - sig += SPX_N * SPX_FORS_HEIGHT; - } - - /* Hash horizontally across all tree roots to derive the public key. */ - thash(pk, roots, SPX_FORS_TREES, ctx, fors_pk_addr); -} - -/** - * Derives the FORS public key from a signature. - * This can be used for verification by comparing to a known public key, or to - * subsequently verify a signature on the derived public key. The latter is the - * typical use-case when used as an FTS below an OTS in a hypertree. - * Assumes m contains at least SPX_FORS_HEIGHT * SPX_FORS_TREES bits. - */ -void fors_pk_from_sig(unsigned char *pk, - const unsigned char *sig, const unsigned char *m, - const spx_ctx *ctx, - const uint32_t fors_addr[8]) { - uint32_t indices[SPX_FORS_TREES]; - unsigned char roots[SPX_FORS_TREES * SPX_N]; - unsigned char leaf[SPX_N]; - uint32_t fors_tree_addr[8] = {0}; - uint32_t fors_pk_addr[8] = {0}; - uint32_t idx_offset; - unsigned int i; - - copy_keypair_addr(fors_tree_addr, fors_addr); - copy_keypair_addr(fors_pk_addr, fors_addr); - - set_type(fors_tree_addr, SPX_ADDR_TYPE_FORSTREE); - set_type(fors_pk_addr, SPX_ADDR_TYPE_FORSPK); - - message_to_indices(indices, m); - - for (i = 0; i < SPX_FORS_TREES; i++) { - idx_offset = i * (1 << SPX_FORS_HEIGHT); - - set_tree_height(fors_tree_addr, 0); - set_tree_index(fors_tree_addr, indices[i] + idx_offset); - - /* Derive the leaf from the included secret key part. */ - fors_sk_to_leaf(leaf, sig, ctx, fors_tree_addr); - sig += SPX_N; - - /* Derive the corresponding root node of this tree. */ - compute_root(roots + i * SPX_N, leaf, indices[i], idx_offset, - sig, SPX_FORS_HEIGHT, ctx, fors_tree_addr); - sig += SPX_N * SPX_FORS_HEIGHT; - } - - /* Hash horizontally across all tree roots to derive the public key. */ - thash(pk, roots, SPX_FORS_TREES, ctx, fors_pk_addr); -} diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/fors.h b/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/fors.h deleted file mode 100644 index 509140a17..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/fors.h +++ /dev/null @@ -1,32 +0,0 @@ -#ifndef SPX_FORS_H -#define SPX_FORS_H - -#include - -#include "context.h" -#include "params.h" - -/** - * Signs a message m, deriving the secret key from sk_seed and the FTS address. - * Assumes m contains at least SPX_FORS_HEIGHT * SPX_FORS_TREES bits. - */ -#define fors_sign SPX_NAMESPACE(fors_sign) -void fors_sign(unsigned char *sig, unsigned char *pk, - const unsigned char *m, - const spx_ctx *ctx, - const uint32_t fors_addr[8]); - -/** - * Derives the FORS public key from a signature. - * This can be used for verification by comparing to a known public key, or to - * subsequently verify a signature on the derived public key. The latter is the - * typical use-case when used as an FTS below an OTS in a hypertree. - * Assumes m contains at least SPX_FORS_HEIGHT * SPX_FORS_TREES bits. - */ -#define fors_pk_from_sig SPX_NAMESPACE(fors_pk_from_sig) -void fors_pk_from_sig(unsigned char *pk, - const unsigned char *sig, const unsigned char *m, - const spx_ctx *ctx, - const uint32_t fors_addr[8]); - -#endif diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/hash.h b/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/hash.h deleted file mode 100644 index f7c87d4c3..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/hash.h +++ /dev/null @@ -1,28 +0,0 @@ -#ifndef SPX_HASH_H -#define SPX_HASH_H - -#include -#include - -#include "context.h" -#include "params.h" - -#define prf_addr SPX_NAMESPACE(prf_addr) -void prf_addr(unsigned char *out, const spx_ctx *ctx, - const uint32_t addr[8]); - -#define gen_message_random SPX_NAMESPACE(gen_message_random) -void gen_message_random(unsigned char *R, const unsigned char *sk_prf, - const unsigned char *optrand, - const unsigned char *m, size_t mlen, - const spx_ctx *ctx); - -#define hash_message SPX_NAMESPACE(hash_message) -void hash_message(unsigned char *digest, uint64_t *tree, uint32_t *leaf_idx, - const unsigned char *R, const unsigned char *pk, - const unsigned char *m, size_t mlen, - const spx_ctx *ctx); - - - -#endif diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/hash_shake.c b/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/hash_shake.c deleted file mode 100644 index ff5e7ec91..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/hash_shake.c +++ /dev/null @@ -1,83 +0,0 @@ -#include -#include - -#include "hash.h" - -#include "address.h" -#include "fips202.h" -#include "params.h" -#include "utils.h" - -/* - * Computes PRF(pk_seed, sk_seed, addr) - */ -void prf_addr(unsigned char *out, const spx_ctx *ctx, - const uint32_t addr[8]) { - unsigned char buf[2 * SPX_N + SPX_ADDR_BYTES]; - - memcpy(buf, ctx->pub_seed, SPX_N); - memcpy(buf + SPX_N, addr, SPX_ADDR_BYTES); - memcpy(buf + SPX_N + SPX_ADDR_BYTES, ctx->sk_seed, SPX_N); - - shake256(out, SPX_N, buf, 2 * SPX_N + SPX_ADDR_BYTES); -} - -/** - * Computes the message-dependent randomness R, using a secret seed and an - * optional randomization value as well as the message. - */ -void gen_message_random(unsigned char *R, const unsigned char *sk_prf, - const unsigned char *optrand, - const unsigned char *m, size_t mlen, - const spx_ctx *ctx) { - (void)ctx; - shake256incctx s_inc; - - shake256_inc_init(&s_inc); - shake256_inc_absorb(&s_inc, sk_prf, SPX_N); - shake256_inc_absorb(&s_inc, optrand, SPX_N); - shake256_inc_absorb(&s_inc, m, mlen); - shake256_inc_finalize(&s_inc); - shake256_inc_squeeze(R, SPX_N, &s_inc); - shake256_inc_ctx_release(&s_inc); -} - -/** - * Computes the message hash using R, the public key, and the message. - * Outputs the message digest and the index of the leaf. The index is split in - * the tree index and the leaf index, for convenient copying to an address. - */ -void hash_message(unsigned char *digest, uint64_t *tree, uint32_t *leaf_idx, - const unsigned char *R, const unsigned char *pk, - const unsigned char *m, size_t mlen, - const spx_ctx *ctx) { - (void)ctx; -#define SPX_TREE_BITS (SPX_TREE_HEIGHT * (SPX_D - 1)) -#define SPX_TREE_BYTES ((SPX_TREE_BITS + 7) / 8) -#define SPX_LEAF_BITS SPX_TREE_HEIGHT -#define SPX_LEAF_BYTES ((SPX_LEAF_BITS + 7) / 8) -#define SPX_DGST_BYTES (SPX_FORS_MSG_BYTES + SPX_TREE_BYTES + SPX_LEAF_BYTES) - - unsigned char buf[SPX_DGST_BYTES]; - unsigned char *bufp = buf; - shake256incctx s_inc; - - shake256_inc_init(&s_inc); - shake256_inc_absorb(&s_inc, R, SPX_N); - shake256_inc_absorb(&s_inc, pk, SPX_PK_BYTES); - shake256_inc_absorb(&s_inc, m, mlen); - shake256_inc_finalize(&s_inc); - shake256_inc_squeeze(buf, SPX_DGST_BYTES, &s_inc); - shake256_inc_ctx_release(&s_inc); - - memcpy(digest, bufp, SPX_FORS_MSG_BYTES); - bufp += SPX_FORS_MSG_BYTES; - - - *tree = bytes_to_ull(bufp, SPX_TREE_BYTES); - *tree &= (~(uint64_t)0) >> (64 - SPX_TREE_BITS); - bufp += SPX_TREE_BYTES; - - *leaf_idx = (uint32_t)bytes_to_ull(bufp, SPX_LEAF_BYTES); - *leaf_idx &= (~(uint32_t)0) >> (32 - SPX_LEAF_BITS); -} diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/hash_shakex2.c b/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/hash_shakex2.c deleted file mode 100644 index 99571916a..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/hash_shakex2.c +++ /dev/null @@ -1,52 +0,0 @@ -#include -#include - -#include "hashx2.h" - -#include "address.h" -#include "f1600x2.h" -#include "fips202x2.h" -#include "params.h" - -/* - * 2-way parallel version of prf_addr; takes 2x as much input and output - */ -void prf_addrx2(unsigned char *out0, - unsigned char *out1, - const spx_ctx *ctx, - const uint32_t addrx2[2 * 8]) { - /* As we write and read only a few quadwords, it is more efficient to - * build and extract from the fourway SHAKE256 state by hand. */ - uint64_t state[50] = {0}; - - for (int i = 0; i < SPX_N / 8; i++) { - uint64_t x = load64(ctx->pub_seed + 8 * i); - state[2 * i] = x; - state[2 * i + 1] = x; - } - for (int i = 0; i < 4; i++) { - state[2 * (SPX_N / 8 + i)] = (((uint64_t)addrx2[1 + 2 * i]) << 32) - | (uint64_t)addrx2[2 * i]; - state[2 * (SPX_N / 8 + i) + 1] = (((uint64_t)addrx2[8 + 1 + 2 * i]) << 32) - | (uint64_t)addrx2[8 + 2 * i]; - } - for (int i = 0; i < SPX_N / 8; i++) { - uint64_t x = load64(ctx->sk_seed + 8 * i); - state[2 * (SPX_N / 8 + i + 4)] = x; - state[2 * (SPX_N / 8 + i + 4) + 1] = x; - } - - /* SHAKE domain separator and padding. */ - state[2 * (SPX_N / 4 + 4)] = 0x1f; - state[2 * (SPX_N / 4 + 4) + 1] = 0x1f; - - state[2 * 16] = 0x80ULL << 56; - state[2 * 16 + 1] = 0x80ULL << 56; - - f1600x2(state); - - for (int i = 0; i < SPX_N / 8; i++) { - store64(out0 + 8 * i, state[2 * i]); - store64(out1 + 8 * i, state[2 * i + 1]); - } -} diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/hashx2.h b/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/hashx2.h deleted file mode 100644 index 99b8873a9..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/hashx2.h +++ /dev/null @@ -1,14 +0,0 @@ -#ifndef SPX_HASHX2_H -#define SPX_HASHX2_H - -#include "context.h" -#include "params.h" -#include - -#define prf_addrx2 SPX_NAMESPACE(prf_addrx2) -void prf_addrx2(unsigned char *out0, - unsigned char *out1, - const spx_ctx *ctx, - const uint32_t addrx2[2 * 8]); - -#endif diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/merkle.c b/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/merkle.c deleted file mode 100644 index c94ee2393..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/merkle.c +++ /dev/null @@ -1,64 +0,0 @@ -#include -#include - -#include "merkle.h" - -#include "address.h" -#include "params.h" -#include "utils.h" -#include "utilsx2.h" -#include "wots.h" -#include "wotsx2.h" - -/* - * This generates a Merkle signature (WOTS signature followed by the Merkle - * authentication path). - */ -void merkle_sign(uint8_t *sig, unsigned char *root, - const spx_ctx *ctx, - uint32_t wots_addr[8], uint32_t tree_addr[8], - uint32_t idx_leaf) { - unsigned char *auth_path = sig + SPX_WOTS_BYTES; - uint32_t tree_addrx2[2 * 8] = { 0 }; - int j; - struct leaf_info_x2 info = { 0 }; - unsigned steps[ SPX_WOTS_LEN ]; - - info.wots_sig = sig; - chain_lengths(steps, root); - info.wots_steps = steps; - - for (j = 0; j < 2; j++) { - set_type(&tree_addrx2[8 * j], SPX_ADDR_TYPE_HASHTREE); - set_type(&info.leaf_addr[8 * j], SPX_ADDR_TYPE_WOTS); - set_type(&info.pk_addr[8 * j], SPX_ADDR_TYPE_WOTSPK); - copy_subtree_addr(&tree_addrx2[8 * j], tree_addr); - copy_subtree_addr(&info.leaf_addr[8 * j], wots_addr); - copy_subtree_addr(&info.pk_addr[8 * j], wots_addr); - } - - info.wots_sign_leaf = idx_leaf; - - treehashx2(root, auth_path, ctx, - idx_leaf, 0, - SPX_TREE_HEIGHT, - wots_gen_leafx2, - tree_addrx2, &info); -} - -/* Compute root node of the top-most subtree. */ -void merkle_gen_root(unsigned char *root, const spx_ctx *ctx) { - /* We do not need the auth path in key generation, but it simplifies the - code to have just one treehash routine that computes both root and path - in one function. */ - unsigned char auth_path[SPX_TREE_HEIGHT * SPX_N + SPX_WOTS_BYTES]; - uint32_t top_tree_addr[8] = {0}; - uint32_t wots_addr[8] = {0}; - - set_layer_addr(top_tree_addr, SPX_D - 1); - set_layer_addr(wots_addr, SPX_D - 1); - - merkle_sign(auth_path, root, ctx, - wots_addr, top_tree_addr, - ~0 /* ~0 means "don't bother generating an auth path */ ); -} diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/merkle.h b/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/merkle.h deleted file mode 100644 index 769cf2e97..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/merkle.h +++ /dev/null @@ -1,21 +0,0 @@ -#ifndef MERKLE_H_ -#define MERKLE_H_ - -#include - -#include "context.h" -#include "params.h" - -/* Generate a Merkle signature (WOTS signature followed by the Merkle */ -/* authentication path) */ -#define merkle_sign SPX_NAMESPACE(merkle_sign) -void merkle_sign(uint8_t *sig, unsigned char *root, - const spx_ctx *ctx, - uint32_t wots_addr[8], uint32_t tree_addr[8], - uint32_t idx_leaf); - -/* Compute the root node of the top-most subtree. */ -#define merkle_gen_root SPX_NAMESPACE(merkle_gen_root) -void merkle_gen_root(unsigned char *root, const spx_ctx *ctx); - -#endif /* MERKLE_H_ */ diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/nistapi.h b/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/nistapi.h deleted file mode 100644 index 3cb71afad..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/nistapi.h +++ /dev/null @@ -1,87 +0,0 @@ -#ifndef SPX_API_H -#define SPX_API_H - -#include -#include - -#include "params.h" - -#define CRYPTO_ALGNAME "SPHINCS+" - -#define CRYPTO_SECRETKEYBYTES SPX_SK_BYTES -#define CRYPTO_PUBLICKEYBYTES SPX_PK_BYTES -#define CRYPTO_BYTES SPX_BYTES -#define CRYPTO_SEEDBYTES (3*SPX_N) - -/* - * Returns the length of a secret key, in bytes - */ -#define crypto_sign_secretkeybytes SPX_NAMESPACE(crypto_sign_secretkeybytes) -size_t crypto_sign_secretkeybytes(void); - -/* - * Returns the length of a public key, in bytes - */ -#define crypto_sign_publickeybytes SPX_NAMESPACE(crypto_sign_publickeybytes) -size_t crypto_sign_publickeybytes(void); - -/* - * Returns the length of a signature, in bytes - */ -#define crypto_sign_bytes SPX_NAMESPACE(crypto_sign_bytes) -size_t crypto_sign_bytes(void); - -/* - * Returns the length of the seed required to generate a key pair, in bytes - */ -#define crypto_sign_seedbytes SPX_NAMESPACE(crypto_sign_seedbytes) -size_t crypto_sign_seedbytes(void); - -/* - * Generates a SPHINCS+ key pair given a seed. - * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root] - * Format pk: [root || PUB_SEED] - */ -#define crypto_sign_seed_keypair SPX_NAMESPACE(crypto_sign_seed_keypair) -int crypto_sign_seed_keypair(uint8_t *pk, uint8_t *sk, - const uint8_t *seed); - -/* - * Generates a SPHINCS+ key pair. - * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root] - * Format pk: [root || PUB_SEED] - */ -#define crypto_sign_keypair SPX_NAMESPACE(crypto_sign_keypair) -int crypto_sign_keypair(uint8_t *pk, uint8_t *sk); - -/** - * Returns an array containing a detached signature. - */ -#define crypto_sign_signature SPX_NAMESPACE(crypto_sign_signature) -int crypto_sign_signature(uint8_t *sig, size_t *siglen, - const uint8_t *m, size_t mlen, const uint8_t *sk); - -/** - * Verifies a detached signature and message under a given public key. - */ -#define crypto_sign_verify SPX_NAMESPACE(crypto_sign_verify) -int crypto_sign_verify(const uint8_t *sig, size_t siglen, - const uint8_t *m, size_t mlen, const uint8_t *pk); - -/** - * Returns an array containing the signature followed by the message. - */ -#define crypto_sign SPX_NAMESPACE(crypto_sign) -int crypto_sign(uint8_t *sm, size_t *smlen, - const uint8_t *m, size_t mlen, - const uint8_t *sk); - -/** - * Verifies a given signature-message pair under a given public key. - */ -#define crypto_sign_open SPX_NAMESPACE(crypto_sign_open) -int crypto_sign_open(uint8_t *m, size_t *mlen, - const uint8_t *sm, size_t smlen, - const uint8_t *pk); - -#endif diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/params.h b/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/params.h deleted file mode 100644 index 6a93983ca..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/params.h +++ /dev/null @@ -1,56 +0,0 @@ -#ifndef SPX_PARAMS_H -#define SPX_PARAMS_H - -#define SPX_NAMESPACE(s) PQCLEAN_SPHINCSSHAKE192FSIMPLE_AARCH64_##s - -/* Hash output length in bytes. */ -#define SPX_N 24 -/* Height of the hypertree. */ -#define SPX_FULL_HEIGHT 66 -/* Number of subtree layer. */ -#define SPX_D 22 -/* FORS tree dimensions. */ -#define SPX_FORS_HEIGHT 8 -#define SPX_FORS_TREES 33 -/* Winternitz parameter, */ -#define SPX_WOTS_W 16 - -/* The hash function is defined by linking a different hash.c file, as opposed - to setting a #define constant. */ - -/* For clarity */ -#define SPX_ADDR_BYTES 32 - -/* WOTS parameters. */ -#define SPX_WOTS_LOGW 4 - -#define SPX_WOTS_LEN1 (8 * SPX_N / SPX_WOTS_LOGW) - -/* SPX_WOTS_LEN2 is floor(log(len_1 * (w - 1)) / log(w)) + 1; we precompute */ -#define SPX_WOTS_LEN2 3 - -#define SPX_WOTS_LEN (SPX_WOTS_LEN1 + SPX_WOTS_LEN2) -#define SPX_WOTS_BYTES (SPX_WOTS_LEN * SPX_N) -#define SPX_WOTS_PK_BYTES SPX_WOTS_BYTES - -/* Subtree size. */ -#define SPX_TREE_HEIGHT (SPX_FULL_HEIGHT / SPX_D) - -//#if SPX_TREE_HEIGHT * SPX_D != SPX_FULL_HEIGHT -// #error SPX_D should always divide SPX_FULL_HEIGHT -//#endif - -/* FORS parameters. */ -#define SPX_FORS_MSG_BYTES ((SPX_FORS_HEIGHT * SPX_FORS_TREES + 7) / 8) -#define SPX_FORS_BYTES ((SPX_FORS_HEIGHT + 1) * SPX_FORS_TREES * SPX_N) -#define SPX_FORS_PK_BYTES SPX_N - -/* Resulting SPX sizes. */ -#define SPX_BYTES (SPX_N + SPX_FORS_BYTES + SPX_D * SPX_WOTS_BYTES +\ - SPX_FULL_HEIGHT * SPX_N) -#define SPX_PK_BYTES (2 * SPX_N) -#define SPX_SK_BYTES (2 * SPX_N + SPX_PK_BYTES) - -#include "shake_offsets.h" - -#endif diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/shake_offsets.h b/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/shake_offsets.h deleted file mode 100644 index 6b28d95d9..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/shake_offsets.h +++ /dev/null @@ -1,21 +0,0 @@ -#ifndef SHAKE_OFFSETS_H_ -#define SHAKE_OFFSETS_H_ - -/* - * Offsets of various fields in the address structure when we use SHAKE as - * the Sphincs+ hash function - */ - -#define SPX_OFFSET_LAYER 3 /* The byte used to specify the Merkle tree layer */ -#define SPX_OFFSET_TREE 8 /* The start of the 8 byte field used to specify the tree */ -#define SPX_OFFSET_TYPE 19 /* The byte used to specify the hash type (reason) */ -#define SPX_OFFSET_KP_ADDR2 22 /* The high byte used to specify the key pair (which one-time signature) */ -#define SPX_OFFSET_KP_ADDR1 23 /* The low byte used to specify the key pair */ -#define SPX_OFFSET_CHAIN_ADDR 27 /* The byte used to specify the chain address (which Winternitz chain) */ -#define SPX_OFFSET_HASH_ADDR 31 /* The byte used to specify the hash address (where in the Winternitz chain) */ -#define SPX_OFFSET_TREE_HGT 27 /* The byte used to specify the height of this node in the FORS or Merkle tree */ -#define SPX_OFFSET_TREE_INDEX 28 /* The start of the 4 byte field used to specify the node in the FORS or Merkle tree */ - -#define SPX_SHAKE 1 - -#endif /* SHAKE_OFFSETS_H_ */ diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/sign.c b/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/sign.c deleted file mode 100644 index 9d0c7d1b2..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/sign.c +++ /dev/null @@ -1,286 +0,0 @@ -#include -#include -#include - -#include "address.h" -#include "context.h" -#include "fors.h" -#include "hash.h" -#include "merkle.h" -#include "nistapi.h" -#include "params.h" -#include "randombytes.h" -#include "thash.h" -#include "utils.h" -#include "wots.h" - -/* - * Returns the length of a secret key, in bytes - */ -size_t crypto_sign_secretkeybytes(void) { - return CRYPTO_SECRETKEYBYTES; -} - -/* - * Returns the length of a public key, in bytes - */ -size_t crypto_sign_publickeybytes(void) { - return CRYPTO_PUBLICKEYBYTES; -} - -/* - * Returns the length of a signature, in bytes - */ -size_t crypto_sign_bytes(void) { - return CRYPTO_BYTES; -} - -/* - * Returns the length of the seed required to generate a key pair, in bytes - */ -size_t crypto_sign_seedbytes(void) { - return CRYPTO_SEEDBYTES; -} - -/* - * Generates an SPX key pair given a seed of length - * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root] - * Format pk: [PUB_SEED || root] - */ -int crypto_sign_seed_keypair(uint8_t *pk, uint8_t *sk, - const uint8_t *seed) { - spx_ctx ctx; - - /* Initialize SK_SEED, SK_PRF and PUB_SEED from seed. */ - memcpy(sk, seed, CRYPTO_SEEDBYTES); - - memcpy(pk, sk + 2 * SPX_N, SPX_N); - - memcpy(ctx.pub_seed, pk, SPX_N); - memcpy(ctx.sk_seed, sk, SPX_N); - - /* This hook allows the hash function instantiation to do whatever - preparation or computation it needs, based on the public seed. */ - initialize_hash_function(&ctx); - - /* Compute root node of the top-most subtree. */ - merkle_gen_root(sk + 3 * SPX_N, &ctx); - - // cleanup - free_hash_function(&ctx); - - memcpy(pk + SPX_N, sk + 3 * SPX_N, SPX_N); - - return 0; -} - -/* - * Generates an SPX key pair. - * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root] - * Format pk: [PUB_SEED || root] - */ -int crypto_sign_keypair(uint8_t *pk, uint8_t *sk) { - uint8_t seed[CRYPTO_SEEDBYTES]; - randombytes(seed, CRYPTO_SEEDBYTES); - crypto_sign_seed_keypair(pk, sk, seed); - - return 0; -} - -/** - * Returns an array containing a detached signature. - */ -int crypto_sign_signature(uint8_t *sig, size_t *siglen, - const uint8_t *m, size_t mlen, const uint8_t *sk) { - spx_ctx ctx; - - const uint8_t *sk_prf = sk + SPX_N; - const uint8_t *pk = sk + 2 * SPX_N; - - uint8_t optrand[SPX_N]; - uint8_t mhash[SPX_FORS_MSG_BYTES]; - uint8_t root[SPX_N]; - uint32_t i; - uint64_t tree; - uint32_t idx_leaf; - uint32_t wots_addr[8] = {0}; - uint32_t tree_addr[8] = {0}; - - memcpy(ctx.sk_seed, sk, SPX_N); - memcpy(ctx.pub_seed, pk, SPX_N); - - /* This hook allows the hash function instantiation to do whatever - preparation or computation it needs, based on the public seed. */ - initialize_hash_function(&ctx); - - set_type(wots_addr, SPX_ADDR_TYPE_WOTS); - set_type(tree_addr, SPX_ADDR_TYPE_HASHTREE); - - /* Optionally, signing can be made non-deterministic using optrand. - This can help counter side-channel attacks that would benefit from - getting a large number of traces when the signer uses the same nodes. */ - randombytes(optrand, SPX_N); - /* Compute the digest randomization value. */ - gen_message_random(sig, sk_prf, optrand, m, mlen, &ctx); - - /* Derive the message digest and leaf index from R, PK and M. */ - hash_message(mhash, &tree, &idx_leaf, sig, pk, m, mlen, &ctx); - sig += SPX_N; - - set_tree_addr(wots_addr, tree); - set_keypair_addr(wots_addr, idx_leaf); - - /* Sign the message hash using FORS. */ - fors_sign(sig, root, mhash, &ctx, wots_addr); - sig += SPX_FORS_BYTES; - - for (i = 0; i < SPX_D; i++) { - set_layer_addr(tree_addr, i); - set_tree_addr(tree_addr, tree); - - copy_subtree_addr(wots_addr, tree_addr); - set_keypair_addr(wots_addr, idx_leaf); - - merkle_sign(sig, root, &ctx, wots_addr, tree_addr, idx_leaf); - sig += SPX_WOTS_BYTES + SPX_TREE_HEIGHT * SPX_N; - - /* Update the indices for the next layer. */ - idx_leaf = (tree & ((1 << SPX_TREE_HEIGHT) - 1)); - tree = tree >> SPX_TREE_HEIGHT; - } - - free_hash_function(&ctx); - - *siglen = SPX_BYTES; - - return 0; -} - -/** - * Verifies a detached signature and message under a given public key. - */ -int crypto_sign_verify(const uint8_t *sig, size_t siglen, - const uint8_t *m, size_t mlen, const uint8_t *pk) { - spx_ctx ctx; - const uint8_t *pub_root = pk + SPX_N; - uint8_t mhash[SPX_FORS_MSG_BYTES]; - uint8_t wots_pk[SPX_WOTS_BYTES]; - uint8_t root[SPX_N]; - uint8_t leaf[SPX_N]; - unsigned int i; - uint64_t tree; - uint32_t idx_leaf; - uint32_t wots_addr[8] = {0}; - uint32_t tree_addr[8] = {0}; - uint32_t wots_pk_addr[8] = {0}; - - if (siglen != SPX_BYTES) { - return -1; - } - - memcpy(ctx.pub_seed, pk, SPX_N); - - /* This hook allows the hash function instantiation to do whatever - preparation or computation it needs, based on the public seed. */ - initialize_hash_function(&ctx); - - set_type(wots_addr, SPX_ADDR_TYPE_WOTS); - set_type(tree_addr, SPX_ADDR_TYPE_HASHTREE); - set_type(wots_pk_addr, SPX_ADDR_TYPE_WOTSPK); - - /* Derive the message digest and leaf index from R || PK || M. */ - /* The additional SPX_N is a result of the hash domain separator. */ - hash_message(mhash, &tree, &idx_leaf, sig, pk, m, mlen, &ctx); - sig += SPX_N; - - /* Layer correctly defaults to 0, so no need to set_layer_addr */ - set_tree_addr(wots_addr, tree); - set_keypair_addr(wots_addr, idx_leaf); - - fors_pk_from_sig(root, sig, mhash, &ctx, wots_addr); - sig += SPX_FORS_BYTES; - - /* For each subtree.. */ - for (i = 0; i < SPX_D; i++) { - set_layer_addr(tree_addr, i); - set_tree_addr(tree_addr, tree); - - copy_subtree_addr(wots_addr, tree_addr); - set_keypair_addr(wots_addr, idx_leaf); - - copy_keypair_addr(wots_pk_addr, wots_addr); - - /* The WOTS public key is only correct if the signature was correct. */ - /* Initially, root is the FORS pk, but on subsequent iterations it is - the root of the subtree below the currently processed subtree. */ - wots_pk_from_sig(wots_pk, sig, root, &ctx, wots_addr); - sig += SPX_WOTS_BYTES; - - /* Compute the leaf node using the WOTS public key. */ - thash(leaf, wots_pk, SPX_WOTS_LEN, &ctx, wots_pk_addr); - - /* Compute the root node of this subtree. */ - compute_root(root, leaf, idx_leaf, 0, sig, SPX_TREE_HEIGHT, - &ctx, tree_addr); - sig += SPX_TREE_HEIGHT * SPX_N; - - /* Update the indices for the next layer. */ - idx_leaf = (tree & ((1 << SPX_TREE_HEIGHT) - 1)); - tree = tree >> SPX_TREE_HEIGHT; - } - - // cleanup - free_hash_function(&ctx); - - /* Check if the root node equals the root node in the public key. */ - if (memcmp(root, pub_root, SPX_N) != 0) { - return -1; - } - - return 0; -} - - -/** - * Returns an array containing the signature followed by the message. - */ -int crypto_sign(uint8_t *sm, size_t *smlen, - const uint8_t *m, size_t mlen, - const uint8_t *sk) { - size_t siglen; - - crypto_sign_signature(sm, &siglen, m, mlen, sk); - - memmove(sm + SPX_BYTES, m, mlen); - *smlen = siglen + mlen; - - return 0; -} - -/** - * Verifies a given signature-message pair under a given public key. - */ -int crypto_sign_open(uint8_t *m, size_t *mlen, - const uint8_t *sm, size_t smlen, - const uint8_t *pk) { - /* The API caller does not necessarily know what size a signature should be - but SPHINCS+ signatures are always exactly SPX_BYTES. */ - if (smlen < SPX_BYTES) { - memset(m, 0, smlen); - *mlen = 0; - return -1; - } - - *mlen = smlen - SPX_BYTES; - - if (crypto_sign_verify(sm, SPX_BYTES, sm + SPX_BYTES, *mlen, pk)) { - memset(m, 0, smlen); - *mlen = 0; - return -1; - } - - /* If verification was successful, move the message to the right place. */ - memmove(m, sm + SPX_BYTES, *mlen); - - return 0; -} diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/thash.h b/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/thash.h deleted file mode 100644 index 8687ccfb4..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/thash.h +++ /dev/null @@ -1,13 +0,0 @@ -#ifndef SPX_THASH_H -#define SPX_THASH_H - -#include "context.h" -#include "params.h" - -#include - -#define thash SPX_NAMESPACE(thash) -void thash(unsigned char *out, const unsigned char *in, unsigned int inblocks, - const spx_ctx *ctx, uint32_t addr[8]); - -#endif diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/thash_shake_simplex2.c b/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/thash_shake_simplex2.c deleted file mode 100644 index 892e45369..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/thash_shake_simplex2.c +++ /dev/null @@ -1,83 +0,0 @@ -#include -#include - -#include "thash.h" -#include "thashx2.h" - -#include "address.h" -#include "params.h" -#include "utils.h" - -#include "f1600x2.h" -#include "fips202x2.h" - - -void thash(unsigned char *out, - const unsigned char *in, - unsigned int inblocks, - const spx_ctx *ctx, uint32_t addr[8]) { - uint32_t addrx2 [2 * 8] = { - addr[0], addr[1], addr[2], addr[3], addr[4], addr[5], addr[6], addr[7], - addr[0], addr[1], addr[2], addr[3], addr[4], addr[5], addr[6], addr[7] - }; - thashx2(out, out, in, in, inblocks, ctx, addrx2); -} - -/** - * 2-way parallel version of thash; takes 2x as much input and output - */ -void thashx2(unsigned char *out0, - unsigned char *out1, - const unsigned char *in0, - const unsigned char *in1, - unsigned int inblocks, - const spx_ctx *ctx, uint32_t addrx2[2 * 8]) { - if (inblocks == 1 || inblocks == 2) { - /* As we write and read only a few quadwords, it is more efficient to - * build and extract from the twoway SHAKE256 state by hand. */ - uint64_t state[50] = {0}; - for (int i = 0; i < SPX_N / 8; i++) { - uint64_t x = load64(ctx->pub_seed + 8 * i); - state[2 * i] = x; - state[2 * i + 1] = x; - } - for (int i = 0; i < 4; i++) { - state[2 * (SPX_N / 8 + i)] = (((uint64_t)addrx2[1 + 2 * i]) << 32) - | (uint64_t)addrx2[2 * i]; - state[2 * (SPX_N / 8 + i) + 1] = (((uint64_t)addrx2[8 + 1 + 2 * i]) << 32) - | (uint64_t)addrx2[8 + 2 * i]; - } - - for (unsigned int i = 0; i < (SPX_N / 8) * inblocks; i++) { - state[2 * (SPX_N / 8 + 4 + i)] = load64(in0 + 8 * i); - state[2 * (SPX_N / 8 + 4 + i) + 1] = load64(in1 + 8 * i); - } - - /* Domain separator and padding. */ - state[2 * 16] = 0x80ULL << 56; - state[2 * 16 + 1] = 0x80ULL << 56; - - state[2 * ((SPX_N / 8) * (1 + inblocks) + 4)] ^= 0x1f; - state[2 * ((SPX_N / 8) * (1 + inblocks) + 4) + 1] ^= 0x1f; - - f1600x2(state); - - for (int i = 0; i < SPX_N / 8; i++) { - store64(out0 + 8 * i, state[2 * i]); - store64(out1 + 8 * i, state[2 * i + 1]); - } - } else { - PQCLEAN_VLA(unsigned char, buf0, SPX_N + SPX_ADDR_BYTES + inblocks * SPX_N); - PQCLEAN_VLA(unsigned char, buf1, SPX_N + SPX_ADDR_BYTES + inblocks * SPX_N); - - memcpy(buf0, ctx->pub_seed, SPX_N); - memcpy(buf1, ctx->pub_seed, SPX_N); - memcpy(buf0 + SPX_N, addrx2 + 0 * 8, SPX_ADDR_BYTES); - memcpy(buf1 + SPX_N, addrx2 + 1 * 8, SPX_ADDR_BYTES); - memcpy(buf0 + SPX_N + SPX_ADDR_BYTES, in0, inblocks * SPX_N); - memcpy(buf1 + SPX_N + SPX_ADDR_BYTES, in1, inblocks * SPX_N); - - shake256x2(out0, out1, SPX_N, - buf0, buf1, SPX_N + SPX_ADDR_BYTES + inblocks * SPX_N); - } -} diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/thashx2.h b/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/thashx2.h deleted file mode 100644 index 040375e61..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/thashx2.h +++ /dev/null @@ -1,16 +0,0 @@ -#ifndef SPX_THASHX2_H -#define SPX_THASHX2_H - -#include "context.h" -#include "params.h" -#include - -#define thashx2 SPX_NAMESPACE(thashx2) -void thashx2(unsigned char *out0, - unsigned char *out1, - const unsigned char *in0, - const unsigned char *in1, - unsigned int inblocks, - const spx_ctx *ctx, uint32_t addrx2[2 * 8]); - -#endif diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/utils.c b/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/utils.c deleted file mode 100644 index 177b541fb..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/utils.c +++ /dev/null @@ -1,148 +0,0 @@ -#include - -#include "utils.h" - -#include "address.h" -#include "hash.h" -#include "params.h" -#include "thash.h" - -/** - * Converts the value of 'in' to 'outlen' bytes in big-endian byte order. - */ -void ull_to_bytes(unsigned char *out, unsigned int outlen, - unsigned long long in) { - int i; - - /* Iterate over out in decreasing order, for big-endianness. */ - for (i = (signed int)outlen - 1; i >= 0; i--) { - out[i] = in & 0xff; - in = in >> 8; - } -} - -void u32_to_bytes(unsigned char *out, uint32_t in) { - out[0] = (unsigned char)(in >> 24); - out[1] = (unsigned char)(in >> 16); - out[2] = (unsigned char)(in >> 8); - out[3] = (unsigned char)in; -} - -/** - * Converts the inlen bytes in 'in' from big-endian byte order to an integer. - */ -unsigned long long bytes_to_ull(const unsigned char *in, unsigned int inlen) { - unsigned long long retval = 0; - unsigned int i; - - for (i = 0; i < inlen; i++) { - retval |= ((unsigned long long)in[i]) << (8 * (inlen - 1 - i)); - } - return retval; -} - -/** - * Computes a root node given a leaf and an auth path. - * Expects address to be complete other than the tree_height and tree_index. - */ -void compute_root(unsigned char *root, const unsigned char *leaf, - uint32_t leaf_idx, uint32_t idx_offset, - const unsigned char *auth_path, uint32_t tree_height, - const spx_ctx *ctx, uint32_t addr[8]) { - uint32_t i; - unsigned char buffer[2 * SPX_N]; - - /* If leaf_idx is odd (last bit = 1), current path element is a right child - and auth_path has to go left. Otherwise it is the other way around. */ - if (leaf_idx & 1) { - memcpy(buffer + SPX_N, leaf, SPX_N); - memcpy(buffer, auth_path, SPX_N); - } else { - memcpy(buffer, leaf, SPX_N); - memcpy(buffer + SPX_N, auth_path, SPX_N); - } - auth_path += SPX_N; - - for (i = 0; i < tree_height - 1; i++) { - leaf_idx >>= 1; - idx_offset >>= 1; - /* Set the address of the node we're creating. */ - set_tree_height(addr, i + 1); - set_tree_index(addr, leaf_idx + idx_offset); - - /* Pick the right or left neighbor, depending on parity of the node. */ - if (leaf_idx & 1) { - thash(buffer + SPX_N, buffer, 2, ctx, addr); - memcpy(buffer, auth_path, SPX_N); - } else { - thash(buffer, buffer, 2, ctx, addr); - memcpy(buffer + SPX_N, auth_path, SPX_N); - } - auth_path += SPX_N; - } - - /* The last iteration is exceptional; we do not copy an auth_path node. */ - leaf_idx >>= 1; - idx_offset >>= 1; - set_tree_height(addr, tree_height); - set_tree_index(addr, leaf_idx + idx_offset); - thash(root, buffer, 2, ctx, addr); -} - -/** - * For a given leaf index, computes the authentication path and the resulting - * root node using Merkle's TreeHash algorithm. - * Expects the layer and tree parts of the tree_addr to be set, as well as the - * tree type (i.e. SPX_ADDR_TYPE_HASHTREE or SPX_ADDR_TYPE_FORSTREE). - * Applies the offset idx_offset to indices before building addresses, so that - * it is possible to continue counting indices across trees. - */ -void treehash(unsigned char *root, unsigned char *auth_path, const spx_ctx *ctx, - uint32_t leaf_idx, uint32_t idx_offset, uint32_t tree_height, - void (*gen_leaf)( - unsigned char * /* leaf */, - const spx_ctx * /* ctx */, - uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */), - uint32_t tree_addr[8]) { - PQCLEAN_VLA(uint8_t, stack, (tree_height + 1)*SPX_N); - PQCLEAN_VLA(unsigned int, heights, tree_height + 1); - unsigned int offset = 0; - uint32_t idx; - uint32_t tree_idx; - - for (idx = 0; idx < (uint32_t)(1 << tree_height); idx++) { - /* Add the next leaf node to the stack. */ - gen_leaf(stack + offset * SPX_N, ctx, idx + idx_offset, tree_addr); - offset++; - heights[offset - 1] = 0; - - /* If this is a node we need for the auth path.. */ - if ((leaf_idx ^ 0x1) == idx) { - memcpy(auth_path, stack + (offset - 1)*SPX_N, SPX_N); - } - - /* While the top-most nodes are of equal height.. */ - while (offset >= 2 && heights[offset - 1] == heights[offset - 2]) { - /* Compute index of the new node, in the next layer. */ - tree_idx = (idx >> (heights[offset - 1] + 1)); - - /* Set the address of the node we're creating. */ - set_tree_height(tree_addr, heights[offset - 1] + 1); - set_tree_index(tree_addr, - tree_idx + (idx_offset >> (heights[offset - 1] + 1))); - /* Hash the top-most nodes from the stack together. */ - thash(stack + (offset - 2)*SPX_N, - stack + (offset - 2)*SPX_N, 2, ctx, tree_addr); - offset--; - /* Note that the top-most node is now one layer higher. */ - heights[offset - 1]++; - - /* If this is a node we need for the auth path.. */ - if (((leaf_idx >> heights[offset - 1]) ^ 0x1) == tree_idx) { - memcpy(auth_path + heights[offset - 1]*SPX_N, - stack + (offset - 1)*SPX_N, SPX_N); - } - } - } - memcpy(root, stack, SPX_N); -} diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/utils.h b/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/utils.h deleted file mode 100644 index 64f5d5a53..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/utils.h +++ /dev/null @@ -1,58 +0,0 @@ -#ifndef SPX_UTILS_H -#define SPX_UTILS_H - -#include - -#include "compat.h" -#include "context.h" -#include "params.h" - - -/* To support MSVC use alloca() instead of VLAs. See #20. */ - - -/** - * Converts the value of 'in' to 'outlen' bytes in big-endian byte order. - */ -#define ull_to_bytes SPX_NAMESPACE(ull_to_bytes) -void ull_to_bytes(unsigned char *out, unsigned int outlen, - unsigned long long in); -#define u32_to_bytes SPX_NAMESPACE(u32_to_bytes) -void u32_to_bytes(unsigned char *out, uint32_t in); - -/** - * Converts the inlen bytes in 'in' from big-endian byte order to an integer. - */ -#define bytes_to_ull SPX_NAMESPACE(bytes_to_ull) -unsigned long long bytes_to_ull(const unsigned char *in, unsigned int inlen); - -/** - * Computes a root node given a leaf and an auth path. - * Expects address to be complete other than the tree_height and tree_index. - */ -#define compute_root SPX_NAMESPACE(compute_root) -void compute_root(unsigned char *root, const unsigned char *leaf, - uint32_t leaf_idx, uint32_t idx_offset, - const unsigned char *auth_path, uint32_t tree_height, - const spx_ctx *ctx, uint32_t addr[8]); - -/** - * For a given leaf index, computes the authentication path and the resulting - * root node using Merkle's TreeHash algorithm. - * Expects the layer and tree parts of the tree_addr to be set, as well as the - * tree type (i.e. SPX_ADDR_TYPE_HASHTREE or SPX_ADDR_TYPE_FORSTREE). - * Applies the offset idx_offset to indices before building addresses, so that - * it is possible to continue counting indices across trees. - */ -#define treehash SPX_NAMESPACE(treehash) -void treehash(unsigned char *root, unsigned char *auth_path, - const spx_ctx *ctx, - uint32_t leaf_idx, uint32_t idx_offset, uint32_t tree_height, - void (*gen_leaf)( - unsigned char * /* leaf */, - const spx_ctx *ctx /* ctx */, - uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */), - uint32_t tree_addr[8]); - - -#endif diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/utilsx2.c b/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/utilsx2.c deleted file mode 100644 index 8736474e4..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/utilsx2.c +++ /dev/null @@ -1,130 +0,0 @@ -#include - -#include "utilsx2.h" - -#include "address.h" -#include "params.h" -#include "thashx2.h" -#include "utils.h" - -/* - * Generate the entire Merkle tree, computing the authentication path for leaf_idx, - * and the resulting root node using Merkle's TreeHash algorithm. - * Expects the layer and tree parts of the tree_addr to be set, as well as the - * tree type (i.e. SPX_ADDR_TYPE_HASHTREE or SPX_ADDR_TYPE_FORSTREE) - * - * This expects tree_addrx2 to be initialized to 2 parallel addr structures for - * the Merkle tree nodes - * - * Applies the offset idx_offset to indices before building addresses, so that - * it is possible to continue counting indices across trees. - * - * This works by using the standard Merkle tree building algorithm, except - * that each 'node' tracked is actually 2 consecutive nodes in the real tree. - * When we combine two logical nodes AB and WX, we perform the H - * operation on adjacent real nodes, forming the parent logical node - * (AB)(WX) - * - * When we get to the top level of the real tree (where there is only - * one logical node), we continue this operation one more time; the right - * most real node will by the actual root (and the other node will be - * garbage). We follow the same thashx2 logic so that the 'extract - * authentication path components' part of the loop is still executed (and - * to simplify the code somewhat) - */ -void treehashx2(unsigned char *root, unsigned char *auth_path, - const spx_ctx *ctx, - uint32_t leaf_idx, uint32_t idx_offset, - uint32_t tree_height, - void (*gen_leafx2)( - unsigned char * /* Where to write the leaves */, - const spx_ctx *, - uint32_t idx, void *info), - uint32_t tree_addrx2[2 * 8], - void *info) { - /* This is where we keep the intermediate nodes */ - unsigned char stackx2[tree_height * 2 * SPX_N]; - uint32_t left_adj = 0, prev_left_adj = 0; /* When we're doing the top */ - /* level, the left-most part of the tree isn't at the beginning */ - /* of current[]. These give the offset of the actual start */ - - uint32_t idx; - uint32_t max_idx = (1 << (tree_height - 1)) - 1; - for (idx = 0;; idx++) { - unsigned char current[2 * SPX_N]; /* Current logical node */ - gen_leafx2( current, ctx, 2 * idx + idx_offset, - info ); - - /* Now combine the freshly generated right node with previously */ - /* generated left ones */ - uint32_t internal_idx_offset = idx_offset; - uint32_t internal_idx = idx; - uint32_t internal_leaf = leaf_idx; - uint32_t h; /* The height we are in the Merkle tree */ - for (h = 0;; h++, internal_idx >>= 1, internal_leaf >>= 1) { - - /* Special processing if we're at the top of the tree */ - if (h >= tree_height - 1) { - if (h == tree_height) { - /* We hit the root; return it */ - memcpy( root, ¤t[1 * SPX_N], SPX_N ); - return; - } - /* The tree indexing logic is a bit off in this case */ - /* Adjust it so that the left-most node of the part of */ - /* the tree that we're processing has index 0 */ - prev_left_adj = left_adj; - left_adj = 2 - (1 << (tree_height - h - 1)); - } - - /* Check if we hit the top of the tree */ - if (h == tree_height) { - /* We hit the root; return it */ - memcpy( root, ¤t[1 * SPX_N], SPX_N ); - return; - } - - /* - * Check if one of the nodes we have is a part of the - * authentication path; if it is, write it out - */ - if ((((internal_idx << 1) ^ internal_leaf) & ~0x1) == 0) { - memcpy( &auth_path[ h * SPX_N ], - ¤t[(((internal_leaf & 1) ^ 1) + prev_left_adj) * SPX_N], - SPX_N ); - } - - /* - * Check if we're at a left child; if so, stop going up the stack - * Exception: if we've reached the end of the tree, keep on going - * (so we combine the last 2 nodes into the one root node in two - * more iterations) - */ - if ((internal_idx & 1) == 0 && idx < max_idx) { - break; - } - - /* Ok, we're at a right node (or doing the top 3 levels) */ - /* Now combine the left and right logical nodes together */ - - /* Set the address of the node we're creating. */ - int j; - internal_idx_offset >>= 1; - for (j = 0; j < 2; j++) { - set_tree_height(tree_addrx2 + j * 8, h + 1); - set_tree_index(tree_addrx2 + j * 8, - (2 / 2) * (internal_idx & ~1) + j - left_adj + internal_idx_offset ); - } - unsigned char *left = &stackx2[h * 2 * SPX_N]; - thashx2( ¤t[0 * SPX_N], - ¤t[1 * SPX_N], - &left [0 * SPX_N], - ¤t[0 * SPX_N], - 2, ctx, tree_addrx2); - } - - /* We've hit a left child; save the current for when we get the */ - /* corresponding right right */ - memcpy( &stackx2[h * 2 * SPX_N], current, 2 * SPX_N); - } -} diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/utilsx2.h b/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/utilsx2.h deleted file mode 100644 index e09faddc4..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/utilsx2.h +++ /dev/null @@ -1,30 +0,0 @@ -#ifndef SPX_UTILSX2_H -#define SPX_UTILSX2_H - -#include - -#include "context.h" -#include "params.h" - -/** - * For a given leaf index, computes the authentication path and the resulting - * root node using Merkle's TreeHash algorithm. - * Expects the layer and tree parts of the tree_addr to be set, as well as the - * tree type (i.e. SPX_ADDR_TYPE_HASHTREE or SPX_ADDR_TYPE_FORSTREE). - * Applies the offset idx_offset to indices before building addresses, so that - * it is possible to continue counting indices across trees. - * - * This implementation uses SIMD to compute internal nodes 2 at a time (in - * parallel) - */ -#define treehashx2 SPX_NAMESPACE(treehashx2) -void treehashx2(unsigned char *root, unsigned char *auth_path, - const spx_ctx *ctx, - uint32_t leaf_idx, uint32_t idx_offset, uint32_t tree_height, - void (*gen_leafx2)( - unsigned char * /* Where to write the leaves */, - const spx_ctx * /* ctx */, - uint32_t addr_idx, void *info), - uint32_t tree_addrx2[2 * 8], void *info); - -#endif diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/wots.c b/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/wots.c deleted file mode 100644 index 3babe45e9..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/wots.c +++ /dev/null @@ -1,259 +0,0 @@ -#include -#include - -#include "wots.h" -#include "wotsx2.h" - -#include "address.h" -#include "hash.h" -#include "hashx2.h" -#include "params.h" -#include "thashx2.h" -#include "utils.h" -#include "utilsx2.h" - -// TODO clarify address expectations, and make them more uniform. -// TODO i.e. do we expect types to be set already? -// TODO and do we expect modifications or copies? - -/** - * Computes up the chains - */ -static void gen_chains( - unsigned char *out, - const unsigned char *in, - unsigned int start[SPX_WOTS_LEN], - const unsigned int steps[SPX_WOTS_LEN], - const spx_ctx *ctx, - uint32_t addr[8]) { - uint32_t i, j, k, idx, watching; - int done; - unsigned char empty[SPX_N]; - unsigned char *bufs[4]; - uint32_t addrs[8 * 2]; - - int l; - uint16_t counts[SPX_WOTS_W] = { 0 }; - uint16_t idxs[SPX_WOTS_LEN]; - uint16_t total, newTotal; - - /* set addrs = {addr, addr} */ - for (j = 0; j < 2; j++) { - memcpy(addrs + j * 8, addr, sizeof(uint32_t) * 8); - } - - /* Initialize out with the value at position 'start'. */ - memcpy(out, in, SPX_WOTS_LEN * SPX_N); - - /* Sort the chains in reverse order by steps using counting sort. */ - for (i = 0; i < SPX_WOTS_LEN; i++) { - counts[steps[i]]++; - } - total = 0; - for (l = SPX_WOTS_W - 1; l >= 0; l--) { - newTotal = counts[l] + total; - counts[l] = total; - total = newTotal; - } - for (i = 0; i < SPX_WOTS_LEN; i++) { - idxs[counts[steps[i]]] = i; - counts[steps[i]]++; - } - - /* We got our work cut out for us: do it! */ - for (i = 0; i < SPX_WOTS_LEN; i += 2) { - for (j = 0; j < 2 && i + j < SPX_WOTS_LEN; j++) { - idx = idxs[i + j]; - set_chain_addr(addrs + j * 8, idx); - bufs[j] = out + SPX_N * idx; - } - - /* As the chains are sorted in reverse order, we know that the first - * chain is the longest and the last one is the shortest. We keep - * an eye on whether the last chain is done and then on the one before, - * et cetera. */ - watching = 1; - done = 0; - while (i + watching >= SPX_WOTS_LEN) { - bufs[watching] = &empty[0]; - watching--; - } - - for (k = 0;; k++) { - while (k == steps[idxs[i + watching]]) { - bufs[watching] = &empty[0]; - if (watching == 0) { - done = 1; - break; - } - watching--; - } - if (done) { - break; - } - for (j = 0; j < watching + 1; j++) { - set_hash_addr(addrs + j * 8, k + start[idxs[i + j]]); - } - - thashx2(bufs[0], bufs[1], - bufs[0], bufs[1], 1, ctx, addrs); - } - } -} - -/** - * base_w algorithm as described in draft. - * Interprets an array of bytes as integers in base w. - * This only works when log_w is a divisor of 8. - */ -static void base_w(unsigned int *output, const int out_len, - const unsigned char *input) { - int in = 0; - int out = 0; - unsigned char total = 0; - int bits = 0; - int consumed; - - for (consumed = 0; consumed < out_len; consumed++) { - if (bits == 0) { - total = input[in]; - in++; - bits += 8; - } - bits -= SPX_WOTS_LOGW; - output[out] = (total >> bits) & (SPX_WOTS_W - 1); - out++; - } -} - -/* Computes the WOTS+ checksum over a message (in base_w). */ -static void wots_checksum(unsigned int *csum_base_w, - const unsigned int *msg_base_w) { - unsigned int csum = 0; - unsigned char csum_bytes[(SPX_WOTS_LEN2 * SPX_WOTS_LOGW + 7) / 8]; - unsigned int i; - - /* Compute checksum. */ - for (i = 0; i < SPX_WOTS_LEN1; i++) { - csum += SPX_WOTS_W - 1 - msg_base_w[i]; - } - - /* Convert checksum to base_w. */ - /* Make sure expected empty zero bits are the least significant bits. */ - csum = csum << ((8 - ((SPX_WOTS_LEN2 * SPX_WOTS_LOGW) % 8)) % 8); - ull_to_bytes(csum_bytes, sizeof(csum_bytes), csum); - base_w(csum_base_w, SPX_WOTS_LEN2, csum_bytes); -} - -/* Takes a message and derives the matching chain lengths. */ -void chain_lengths(unsigned int *lengths, const unsigned char *msg) { - base_w(lengths, SPX_WOTS_LEN1, msg); - wots_checksum(lengths + SPX_WOTS_LEN1, lengths); -} - -/** - * Takes a WOTS signature and an n-byte message, computes a WOTS public key. - * - * Writes the computed public key to 'pk'. - */ -void wots_pk_from_sig(unsigned char *pk, - const unsigned char *sig, const unsigned char *msg, - const spx_ctx *ctx, uint32_t addr[8]) { - unsigned int steps[SPX_WOTS_LEN]; - unsigned int start[SPX_WOTS_LEN]; - uint32_t i; - - chain_lengths(start, msg); - - for (i = 0; i < SPX_WOTS_LEN; i++) { - steps[i] = SPX_WOTS_W - 1 - start[i]; - } - - gen_chains(pk, sig, start, steps, ctx, addr); -} - -/* - * This generates 2 sequential WOTS public keys - * It also generates the WOTS signature if leaf_info indicates - * that we're signing with one of these WOTS keys - */ -void wots_gen_leafx2(unsigned char *dest, - const spx_ctx *ctx, - uint32_t leaf_idx, void *v_info) { - struct leaf_info_x2 *info = v_info; - uint32_t *leaf_addr = info->leaf_addr; - uint32_t *pk_addr = info->pk_addr; - unsigned int i, j, k; - unsigned char pk_buffer[ 2 * SPX_WOTS_BYTES ]; - unsigned wots_offset = SPX_WOTS_BYTES; - unsigned char *buffer; - uint32_t wots_k_mask; - unsigned wots_sign_index; - - if (((leaf_idx ^ info->wots_sign_leaf) & ~1) == 0) { - /* We're traversing the leaf that's signing; generate the WOTS */ - /* signature */ - wots_k_mask = 0; - wots_sign_index = info->wots_sign_leaf & 1; /* Which of of the 2 */ - /* slots do the signatures come from */ - } else { - /* Nope, we're just generating pk's; turn off the signature logic */ - wots_k_mask = ~0; - wots_sign_index = 0; - } - - for (j = 0; j < 2; j++) { - set_keypair_addr( leaf_addr + j * 8, leaf_idx + j ); - set_keypair_addr( pk_addr + j * 8, leaf_idx + j ); - } - - for (i = 0, buffer = pk_buffer; i < SPX_WOTS_LEN; i++, buffer += SPX_N) { - uint32_t wots_k = info->wots_steps[i] | wots_k_mask; /* Set wots_k to */ - /* the step if we're generating a signature, ~0 if we're not */ - - /* Start with the secret seed */ - for (j = 0; j < 2; j++) { - set_chain_addr(leaf_addr + j * 8, i); - set_hash_addr(leaf_addr + j * 8, 0); - set_type(leaf_addr + j * 8, SPX_ADDR_TYPE_WOTSPRF); - } - prf_addrx2(buffer + 0 * wots_offset, - buffer + 1 * wots_offset, - ctx, leaf_addr); - for (j = 0; j < 2; j++) { - set_type(leaf_addr + j * 8, SPX_ADDR_TYPE_WOTS); - } - - /* Iterate down the WOTS chain */ - for (k = 0;; k++) { - /* Check if one of the values we have needs to be saved as a */ - /* part of the WOTS signature */ - if (k == wots_k) { - memcpy( info->wots_sig + i * SPX_N, - buffer + wots_sign_index * wots_offset, SPX_N ); - } - - /* Check if we hit the top of the chain */ - if (k == SPX_WOTS_W - 1) { - break; - } - - /* Iterate one step on all 4 chains */ - for (j = 0; j < 2; j++) { - set_hash_addr(leaf_addr + j * 8, k); - } - thashx2(buffer + 0 * wots_offset, - buffer + 1 * wots_offset, - buffer + 0 * wots_offset, - buffer + 1 * wots_offset, - 1, ctx, leaf_addr); - } - } - - /* Do the final thash to generate the public keys */ - thashx2(dest + 0 * SPX_N, - dest + 1 * SPX_N, - pk_buffer + 0 * wots_offset, - pk_buffer + 1 * wots_offset, - SPX_WOTS_LEN, ctx, pk_addr); -} diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/wots.h b/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/wots.h deleted file mode 100644 index 4e7692eee..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/wots.h +++ /dev/null @@ -1,25 +0,0 @@ -#ifndef SPX_WOTS_H -#define SPX_WOTS_H - -#include - -#include "context.h" -#include "params.h" - -/** - * Takes a WOTS signature and an n-byte message, computes a WOTS public key. - * - * Writes the computed public key to 'pk'. - */ -#define wots_pk_from_sig SPX_NAMESPACE(wots_pk_from_sig) -void wots_pk_from_sig(unsigned char *pk, - const unsigned char *sig, const unsigned char *msg, - const spx_ctx *ctx, uint32_t addr[8]); - -/* - * Compute the chain lengths needed for a given message hash - */ -#define chain_lengths SPX_NAMESPACE(chain_lengths) -void chain_lengths(unsigned int *lengths, const unsigned char *msg); - -#endif diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/wotsx2.h b/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/wotsx2.h deleted file mode 100644 index b58bb61f8..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-192f-simple_aarch64/wotsx2.h +++ /dev/null @@ -1,40 +0,0 @@ -#ifndef WOTSX2_H_ -#define WOTSX2_H_ - -#include "params.h" -#include - -/* - * This is here to provide an interface to the internal wots_gen_leafx2 - * routine. While this routine is not referenced in the package outside of - * wots.c, it is called from the stand-alone benchmark code to characterize - * the performance - */ -struct leaf_info_x2 { - unsigned char *wots_sig; - uint32_t wots_sign_leaf; /* The index of the WOTS we're using to sign */ - uint32_t *wots_steps; - uint32_t leaf_addr[2 * 8]; - uint32_t pk_addr[2 * 8]; -}; - -/* Macro to set the leaf_info to something 'benign', that is, it would */ -/* run with the same time as it does during the real signing process */ -/* Used only by the benchmark code */ -#define INITIALIZE_LEAF_INFO_X2(info, addr, step_buffer) { \ - (info).wots_sig = 0; \ - (info).wots_sign_leaf = ~0; \ - (info).wots_steps = step_buffer; \ - int i; \ - for (i=0; i<2; i++) { \ - memcpy( &(info).leaf_addr[8*i], addr, 32 ); \ - memcpy( &(info).pk_addr[8*i], addr, 32 ); \ - } \ - } - -#define wots_gen_leafx2 SPX_NAMESPACE(wots_gen_leafx2) -void wots_gen_leafx2(unsigned char *dest, - const spx_ctx *ctx, - uint32_t leaf_idx, void *v_info); - -#endif /* WOTSX2_H_ */ diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/LICENSE b/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/LICENSE deleted file mode 100644 index 670154e35..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/LICENSE +++ /dev/null @@ -1,116 +0,0 @@ -CC0 1.0 Universal - -Statement of Purpose - -The laws of most jurisdictions throughout the world automatically confer -exclusive Copyright and Related Rights (defined below) upon the creator and -subsequent owner(s) (each and all, an "owner") of an original work of -authorship and/or a database (each, a "Work"). - -Certain owners wish to permanently relinquish those rights to a Work for the -purpose of contributing to a commons of creative, cultural and scientific -works ("Commons") that the public can reliably and without fear of later -claims of infringement build upon, modify, incorporate in other works, reuse -and redistribute as freely as possible in any form whatsoever and for any -purposes, including without limitation commercial purposes. These owners may -contribute to the Commons to promote the ideal of a free culture and the -further production of creative, cultural and scientific works, or to gain -reputation or greater distribution for their Work in part through the use and -efforts of others. - -For these and/or other purposes and motivations, and without any expectation -of additional consideration or compensation, the person associating CC0 with a -Work (the "Affirmer"), to the extent that he or she is an owner of Copyright -and Related Rights in the Work, voluntarily elects to apply CC0 to the Work -and publicly distribute the Work under its terms, with knowledge of his or her -Copyright and Related Rights in the Work and the meaning and intended legal -effect of CC0 on those rights. - -1. Copyright and Related Rights. A Work made available under CC0 may be -protected by copyright and related or neighboring rights ("Copyright and -Related Rights"). Copyright and Related Rights include, but are not limited -to, the following: - - i. the right to reproduce, adapt, distribute, perform, display, communicate, - and translate a Work; - - ii. moral rights retained by the original author(s) and/or performer(s); - - iii. publicity and privacy rights pertaining to a person's image or likeness - depicted in a Work; - - iv. rights protecting against unfair competition in regards to a Work, - subject to the limitations in paragraph 4(a), below; - - v. rights protecting the extraction, dissemination, use and reuse of data in - a Work; - - vi. database rights (such as those arising under Directive 96/9/EC of the - European Parliament and of the Council of 11 March 1996 on the legal - protection of databases, and under any national implementation thereof, - including any amended or successor version of such directive); and - - vii. other similar, equivalent or corresponding rights throughout the world - based on applicable law or treaty, and any national implementations thereof. - -2. Waiver. To the greatest extent permitted by, but not in contravention of, -applicable law, Affirmer hereby overtly, fully, permanently, irrevocably and -unconditionally waives, abandons, and surrenders all of Affirmer's Copyright -and Related Rights and associated claims and causes of action, whether now -known or unknown (including existing as well as future claims and causes of -action), in the Work (i) in all territories worldwide, (ii) for the maximum -duration provided by applicable law or treaty (including future time -extensions), (iii) in any current or future medium and for any number of -copies, and (iv) for any purpose whatsoever, including without limitation -commercial, advertising or promotional purposes (the "Waiver"). Affirmer makes -the Waiver for the benefit of each member of the public at large and to the -detriment of Affirmer's heirs and successors, fully intending that such Waiver -shall not be subject to revocation, rescission, cancellation, termination, or -any other legal or equitable action to disrupt the quiet enjoyment of the Work -by the public as contemplated by Affirmer's express Statement of Purpose. - -3. Public License Fallback. Should any part of the Waiver for any reason be -judged legally invalid or ineffective under applicable law, then the Waiver -shall be preserved to the maximum extent permitted taking into account -Affirmer's express Statement of Purpose. In addition, to the extent the Waiver -is so judged Affirmer hereby grants to each affected person a royalty-free, -non transferable, non sublicensable, non exclusive, irrevocable and -unconditional license to exercise Affirmer's Copyright and Related Rights in -the Work (i) in all territories worldwide, (ii) for the maximum duration -provided by applicable law or treaty (including future time extensions), (iii) -in any current or future medium and for any number of copies, and (iv) for any -purpose whatsoever, including without limitation commercial, advertising or -promotional purposes (the "License"). The License shall be deemed effective as -of the date CC0 was applied by Affirmer to the Work. Should any part of the -License for any reason be judged legally invalid or ineffective under -applicable law, such partial invalidity or ineffectiveness shall not -invalidate the remainder of the License, and in such case Affirmer hereby -affirms that he or she will not (i) exercise any of his or her remaining -Copyright and Related Rights in the Work or (ii) assert any associated claims -and causes of action with respect to the Work, in either case contrary to -Affirmer's express Statement of Purpose. - -4. Limitations and Disclaimers. - - a. No trademark or patent rights held by Affirmer are waived, abandoned, - surrendered, licensed or otherwise affected by this document. - - b. Affirmer offers the Work as-is and makes no representations or warranties - of any kind concerning the Work, express, implied, statutory or otherwise, - including without limitation warranties of title, merchantability, fitness - for a particular purpose, non infringement, or the absence of latent or - other defects, accuracy, or the present or absence of errors, whether or not - discoverable, all to the greatest extent permissible under applicable law. - - c. Affirmer disclaims responsibility for clearing rights of other persons - that may apply to the Work or any use thereof, including without limitation - any person's Copyright and Related Rights in the Work. Further, Affirmer - disclaims responsibility for obtaining any necessary consents, permissions - or other rights required for any use of the Work. - - d. Affirmer understands and acknowledges that Creative Commons is not a - party to this document and has no duty or obligation with respect to this - CC0 or use of the Work. - -For more information, please see - diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/address.c b/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/address.c deleted file mode 100644 index d49d9f3b6..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/address.c +++ /dev/null @@ -1,95 +0,0 @@ -#include -#include - -#include "address.h" -#include "params.h" -#include "utils.h" - -/* - * Specify which level of Merkle tree (the "layer") we're working on - */ -void set_layer_addr(uint32_t addr[8], uint32_t layer) { - ((unsigned char *)addr)[SPX_OFFSET_LAYER] = (unsigned char)layer; -} - -/* - * Specify which Merkle tree within the level (the "tree address") we're working on - */ -void set_tree_addr(uint32_t addr[8], uint64_t tree) { - ull_to_bytes(&((unsigned char *)addr)[SPX_OFFSET_TREE], 8, tree ); -} - -/* - * Specify the reason we'll use this address structure for, that is, what - * hash will we compute with it. This is used so that unrelated types of - * hashes don't accidentally get the same address structure. The type will be - * one of the SPX_ADDR_TYPE constants - */ -void set_type(uint32_t addr[8], uint32_t type) { - ((unsigned char *)addr)[SPX_OFFSET_TYPE] = (unsigned char)type; -} - -/* - * Copy the layer and tree fields of the address structure. This is used - * when we're doing multiple types of hashes within the same Merkle tree - */ -void copy_subtree_addr(uint32_t out[8], const uint32_t in[8]) { - memcpy( out, in, SPX_OFFSET_TREE + 8 ); -} - -/* These functions are used for OTS addresses. */ - -/* - * Specify which Merkle leaf we're working on; that is, which OTS keypair - * we're talking about. - */ -void set_keypair_addr(uint32_t addr[8], uint32_t keypair) { - /* We have > 256 OTS at the bottom of the Merkle tree; to specify */ - /* which one, we'd need to express it in two bytes */ - ((unsigned char *)addr)[SPX_OFFSET_KP_ADDR2] = (unsigned char)(keypair >> 8); - ((unsigned char *)addr)[SPX_OFFSET_KP_ADDR1] = (unsigned char)keypair; -} - -/* - * Copy the layer, tree and keypair fields of the address structure. This is - * used when we're doing multiple things within the same OTS keypair - */ -void copy_keypair_addr(uint32_t out[8], const uint32_t in[8]) { - memcpy( out, in, SPX_OFFSET_TREE + 8 ); - ((unsigned char *)out)[SPX_OFFSET_KP_ADDR2] = ((unsigned char *)in)[SPX_OFFSET_KP_ADDR2]; - ((unsigned char *)out)[SPX_OFFSET_KP_ADDR1] = ((unsigned char *)in)[SPX_OFFSET_KP_ADDR1]; -} - -/* - * Specify which Merkle chain within the OTS we're working with - * (the chain address) - */ -void set_chain_addr(uint32_t addr[8], uint32_t chain) { - ((unsigned char *)addr)[SPX_OFFSET_CHAIN_ADDR] = (unsigned char)chain; -} - -/* - * Specify where in the Merkle chain we are -* (the hash address) - */ -void set_hash_addr(uint32_t addr[8], uint32_t hash) { - ((unsigned char *)addr)[SPX_OFFSET_HASH_ADDR] = (unsigned char)hash; -} - -/* These functions are used for all hash tree addresses (including FORS). */ - -/* - * Specify the height of the node in the Merkle/FORS tree we are in - * (the tree height) - */ -void set_tree_height(uint32_t addr[8], uint32_t tree_height) { - ((unsigned char *)addr)[SPX_OFFSET_TREE_HGT] = (unsigned char)tree_height; -} - -/* - * Specify the distance from the left edge of the node in the Merkle/FORS tree - * (the tree index) - */ -void set_tree_index(uint32_t addr[8], uint32_t tree_index) { - u32_to_bytes(&((unsigned char *)addr)[SPX_OFFSET_TREE_INDEX], tree_index ); -} diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/address.h b/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/address.h deleted file mode 100644 index 24a84eb40..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/address.h +++ /dev/null @@ -1,52 +0,0 @@ -#ifndef SPX_ADDRESS_H -#define SPX_ADDRESS_H - -#include - -#include "params.h" - -/* The hash types that are passed to set_type */ -#define SPX_ADDR_TYPE_WOTS 0 -#define SPX_ADDR_TYPE_WOTSPK 1 -#define SPX_ADDR_TYPE_HASHTREE 2 -#define SPX_ADDR_TYPE_FORSTREE 3 -#define SPX_ADDR_TYPE_FORSPK 4 -#define SPX_ADDR_TYPE_WOTSPRF 5 -#define SPX_ADDR_TYPE_FORSPRF 6 - -#define set_layer_addr SPX_NAMESPACE(set_layer_addr) -void set_layer_addr(uint32_t addr[8], uint32_t layer); - -#define set_tree_addr SPX_NAMESPACE(set_tree_addr) -void set_tree_addr(uint32_t addr[8], uint64_t tree); - -#define set_type SPX_NAMESPACE(set_type) -void set_type(uint32_t addr[8], uint32_t type); - -/* Copies the layer and tree part of one address into the other */ -#define copy_subtree_addr SPX_NAMESPACE(copy_subtree_addr) -void copy_subtree_addr(uint32_t out[8], const uint32_t in[8]); - -/* These functions are used for WOTS and FORS addresses. */ - -#define set_keypair_addr SPX_NAMESPACE(set_keypair_addr) -void set_keypair_addr(uint32_t addr[8], uint32_t keypair); - -#define set_chain_addr SPX_NAMESPACE(set_chain_addr) -void set_chain_addr(uint32_t addr[8], uint32_t chain); - -#define set_hash_addr SPX_NAMESPACE(set_hash_addr) -void set_hash_addr(uint32_t addr[8], uint32_t hash); - -#define copy_keypair_addr SPX_NAMESPACE(copy_keypair_addr) -void copy_keypair_addr(uint32_t out[8], const uint32_t in[8]); - -/* These functions are used for all hash tree addresses (including FORS). */ - -#define set_tree_height SPX_NAMESPACE(set_tree_height) -void set_tree_height(uint32_t addr[8], uint32_t tree_height); - -#define set_tree_index SPX_NAMESPACE(set_tree_index) -void set_tree_index(uint32_t addr[8], uint32_t tree_index); - -#endif diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/api.h b/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/api.h deleted file mode 100644 index 59e16cd73..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/api.h +++ /dev/null @@ -1,77 +0,0 @@ -#ifndef PQCLEAN_SPHINCSSHAKE192SSIMPLE_AARCH64_API_H -#define PQCLEAN_SPHINCSSHAKE192SSIMPLE_AARCH64_API_H - -#include -#include - -#define PQCLEAN_SPHINCSSHAKE192SSIMPLE_AARCH64_CRYPTO_ALGNAME "SPHINCS+-shake-192s-simple" - -#define PQCLEAN_SPHINCSSHAKE192SSIMPLE_AARCH64_CRYPTO_SECRETKEYBYTES 96 -#define PQCLEAN_SPHINCSSHAKE192SSIMPLE_AARCH64_CRYPTO_PUBLICKEYBYTES 48 -#define PQCLEAN_SPHINCSSHAKE192SSIMPLE_AARCH64_CRYPTO_BYTES 16224 - -#define PQCLEAN_SPHINCSSHAKE192SSIMPLE_AARCH64_CRYPTO_SEEDBYTES 72 - -/* - * Returns the length of a secret key, in bytes - */ -size_t PQCLEAN_SPHINCSSHAKE192SSIMPLE_AARCH64_crypto_sign_secretkeybytes(void); - -/* - * Returns the length of a public key, in bytes - */ -size_t PQCLEAN_SPHINCSSHAKE192SSIMPLE_AARCH64_crypto_sign_publickeybytes(void); - -/* - * Returns the length of a signature, in bytes - */ -size_t PQCLEAN_SPHINCSSHAKE192SSIMPLE_AARCH64_crypto_sign_bytes(void); - -/* - * Returns the length of the seed required to generate a key pair, in bytes - */ -size_t PQCLEAN_SPHINCSSHAKE192SSIMPLE_AARCH64_crypto_sign_seedbytes(void); - -/* - * Generates a SPHINCS+ key pair given a seed. - * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root] - * Format pk: [root || PUB_SEED] - */ -int PQCLEAN_SPHINCSSHAKE192SSIMPLE_AARCH64_crypto_sign_seed_keypair(uint8_t *pk, uint8_t *sk, - const uint8_t *seed); - -/* - * Generates a SPHINCS+ key pair. - * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root] - * Format pk: [root || PUB_SEED] - */ -int PQCLEAN_SPHINCSSHAKE192SSIMPLE_AARCH64_crypto_sign_keypair(uint8_t *pk, uint8_t *sk); - -/** - * Returns an array containing a detached signature. - */ -int PQCLEAN_SPHINCSSHAKE192SSIMPLE_AARCH64_crypto_sign_signature(uint8_t *sig, size_t *siglen, - const uint8_t *m, size_t mlen, - const uint8_t *sk); - -/** - * Verifies a detached signature and message under a given public key. - */ -int PQCLEAN_SPHINCSSHAKE192SSIMPLE_AARCH64_crypto_sign_verify(const uint8_t *sig, size_t siglen, - const uint8_t *m, size_t mlen, - const uint8_t *pk); - -/** - * Returns an array containing the signature followed by the message. - */ -int PQCLEAN_SPHINCSSHAKE192SSIMPLE_AARCH64_crypto_sign(uint8_t *sm, size_t *smlen, - const uint8_t *m, size_t mlen, - const uint8_t *sk); - -/** - * Verifies a given signature-message pair under a given public key. - */ -int PQCLEAN_SPHINCSSHAKE192SSIMPLE_AARCH64_crypto_sign_open(uint8_t *m, size_t *mlen, - const uint8_t *sm, size_t smlen, - const uint8_t *pk); -#endif diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/context.h b/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/context.h deleted file mode 100644 index 6e0a33f3b..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/context.h +++ /dev/null @@ -1,19 +0,0 @@ -#ifndef SPX_CONTEXT_H -#define SPX_CONTEXT_H - -#include - -#include "params.h" - -typedef struct { - uint8_t pub_seed[SPX_N]; - uint8_t sk_seed[SPX_N]; -} spx_ctx; - -#define initialize_hash_function SPX_NAMESPACE(initialize_hash_function) -void initialize_hash_function(spx_ctx *ctx); - -#define free_hash_function SPX_NAMESPACE(free_hash_function) -void free_hash_function(spx_ctx *ctx); - -#endif diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/context_shake.c b/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/context_shake.c deleted file mode 100644 index 9614a103d..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/context_shake.c +++ /dev/null @@ -1,12 +0,0 @@ -#include "context.h" - -/* For SHAKE256, there is no immediate reason to initialize at the start, - so this function is an empty operation. */ -void initialize_hash_function(spx_ctx *ctx) { - (void)ctx; /* Suppress an 'unused parameter' warning. */ -} - -// in case the hash function api is heap-based. -void free_hash_function(spx_ctx *ctx) { - (void)ctx; -} diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/f1600x2.h b/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/f1600x2.h deleted file mode 100644 index 70d1af9f1..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/f1600x2.h +++ /dev/null @@ -1,11 +0,0 @@ -#ifndef SPX_F1600X2_H -#define SPX_F1600X2_H - -#include - -extern uint64_t f1600_RC[24]; -extern void _f1600x2(uint64_t *a, uint64_t *rc); - -#define f1600x2(s) do {_f1600x2((s), f1600_RC);} while(0) - -#endif diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/f1600x2.s b/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/f1600x2.s deleted file mode 100644 index 640ed791e..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/f1600x2.s +++ /dev/null @@ -1,143 +0,0 @@ -# From https://github.com/bwesterb/armed-keccak - -.macro round - # Execute theta, but without xoring into the state yet. - # Compute parities p[i] = a[i] ^ a[5+i] ^ ... ^ a[20+i]. - eor3.16b v25, v0, v5, v10 - eor3.16b v26, v1, v6, v11 - eor3.16b v27, v2, v7, v12 - eor3.16b v28, v3, v8, v13 - eor3.16b v29, v4, v9, v14 - - eor3.16b v25, v25, v15, v20 - eor3.16b v26, v26, v16, v21 - eor3.16b v27, v27, v17, v22 - eor3.16b v28, v28, v18, v23 - eor3.16b v29, v29, v19, v24 - - # d[0] = rotl(p[1], 1) ^ p[4] - rax1.2d v30, v29, v26 - # d[3] = rotl(p[4], 1) ^ p[2] - rax1.2d v29, v27, v29 - # d[1] = rotl(p[2], 1) ^ p[0] - rax1.2d v27, v25, v27 - # d[4] = rotl(p[0], 1) ^ p[3] - rax1.2d v25, v28, v25 - # d[2] = rotl(p[3], 1) ^ p[1] - rax1.2d v28, v26, v28 - - # Xor parities from step theta into the state at the same time - # as executing rho and pi. - eor.16b v0, v0, v30 - mov.16b v31, v1 - xar.2d v1, v6, v27, 20 - xar.2d v6, v9, v25, 44 - xar.2d v9, v22, v28, 3 - xar.2d v22, v14, v25, 25 - xar.2d v14, v20, v30, 46 - xar.2d v20, v2, v28, 2 - xar.2d v2, v12, v28, 21 - xar.2d v12, v13, v29, 39 - xar.2d v13, v19, v25, 56 - xar.2d v19, v23, v29, 8 - xar.2d v23, v15, v30, 23 - xar.2d v15, v4, v25, 37 - xar.2d v4, v24, v25, 50 - xar.2d v24, v21, v27, 62 - xar.2d v21, v8, v29, 9 - xar.2d v8, v16, v27, 19 - xar.2d v16, v5, v30, 28 - xar.2d v5, v3, v29, 36 - xar.2d v3, v18, v29, 43 - xar.2d v18, v17, v28, 49 - xar.2d v17, v11, v27, 54 - xar.2d v11, v7, v28, 58 - xar.2d v7, v10, v30, 61 - xar.2d v10, v31, v27, 63 - - # Chi - bcax.16b v25, v0, v2, v1 - bcax.16b v26, v1, v3, v2 - bcax.16b v2, v2, v4, v3 - bcax.16b v3, v3, v0, v4 - bcax.16b v4, v4, v1, v0 - mov.16b v0, v25 - mov.16b v1, v26 - - bcax.16b v25, v5, v7, v6 - bcax.16b v26, v6, v8, v7 - bcax.16b v7, v7, v9, v8 - bcax.16b v8, v8, v5, v9 - bcax.16b v9, v9, v6, v5 - mov.16b v5, v25 - mov.16b v6, v26 - - bcax.16b v25, v10, v12, v11 - bcax.16b v26, v11, v13, v12 - bcax.16b v12, v12, v14, v13 - bcax.16b v13, v13, v10, v14 - bcax.16b v14, v14, v11, v10 - mov.16b v10, v25 - mov.16b v11, v26 - - bcax.16b v25, v15, v17, v16 - bcax.16b v26, v16, v18, v17 - bcax.16b v17, v17, v19, v18 - bcax.16b v18, v18, v15, v19 - bcax.16b v19, v19, v16, v15 - mov.16b v15, v25 - mov.16b v16, v26 - - bcax.16b v25, v20, v22, v21 - bcax.16b v26, v21, v23, v22 - bcax.16b v22, v22, v24, v23 - bcax.16b v23, v23, v20, v24 - bcax.16b v24, v24, v21, v20 - mov.16b v20, v25 - mov.16b v21, v26 - - # iota - ld1r {v25.2d}, [x1], #8 - eor.16b v0, v0, v25 -.endm - -.align 4 -.global __f1600x2 -__f1600x2: - stp d8, d9, [sp,#-16]! - stp d10, d11, [sp,#-16]! - stp d12, d13, [sp,#-16]! - stp d14, d15, [sp,#-16]! - - mov x2, x0 - mov x3, #24 - - ld1.2d {v0, v1, v2, v3}, [x0], #64 - ld1.2d {v4, v5, v6, v7}, [x0], #64 - ld1.2d {v8, v9, v10, v11}, [x0], #64 - ld1.2d {v12, v13, v14, v15}, [x0], #64 - ld1.2d {v16, v17, v18, v19}, [x0], #64 - ld1.2d {v20, v21, v22, v23}, [x0], #64 - ld1.2d {v24}, [x0] - -loop: - round - - subs x3, x3, #1 - cbnz x3, loop - - mov x0, x2 - st1.2d {v0, v1, v2, v3}, [x0], #64 - st1.2d {v4, v5, v6, v7}, [x0], #64 - st1.2d {v8, v9, v10, v11}, [x0], #64 - st1.2d {v12, v13, v14, v15}, [x0], #64 - st1.2d {v16, v17, v18, v19}, [x0], #64 - st1.2d {v20, v21, v22, v23}, [x0], #64 - st1.2d {v24}, [x0] - - ldp d14, d15, [sp], #16 - ldp d12, d13, [sp], #16 - ldp d10, d11, [sp], #16 - ldp d8, d9, [sp], #16 - - ret lr diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/f1600x2_const.c b/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/f1600x2_const.c deleted file mode 100644 index e49c0ba14..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/f1600x2_const.c +++ /dev/null @@ -1,30 +0,0 @@ -#include "f1600x2.h" - -uint64_t f1600_RC[24] = { - 0x0000000000000001, - 0x0000000000008082, - 0x800000000000808A, - 0x8000000080008000, - 0x000000000000808B, - 0x0000000080000001, - 0x8000000080008081, - 0x8000000000008009, - 0x000000000000008A, - 0x0000000000000088, - 0x0000000080008009, - 0x000000008000000A, - 0x000000008000808B, - 0x800000000000008B, - 0x8000000000008089, - 0x8000000000008003, - 0x8000000000008002, - 0x8000000000000080, - 0x000000000000800A, - 0x800000008000000A, - 0x8000000080008081, - 0x8000000000008080, - 0x0000000080000001, - 0x8000000080008008, -}; - - diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/fips202x2.c b/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/fips202x2.c deleted file mode 100644 index 4718c343b..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/fips202x2.c +++ /dev/null @@ -1,148 +0,0 @@ -#include -#include - -#include "fips202x2.h" -#include "f1600x2.h" -#include "fips202.h" - -uint64_t load64(const unsigned char *x) { - unsigned long long r = 0, i; - - for (i = 0; i < 8; ++i) { - r |= (unsigned long long)x[i] << 8 * i; - } - return r; -} - -void store64(uint8_t *x, uint64_t u) { - unsigned int i; - - for (i = 0; i < 8; ++i) { - x[i] = (uint8_t)u; - u >>= 8; - } -} - -static void keccak_absorb2x(uint64_t *s, - unsigned int r, - const unsigned char *m0, - const unsigned char *m1, - unsigned long long int mlen, - unsigned char p) { - unsigned long long i; - unsigned char t0[200]; - unsigned char t1[200]; - - while (mlen >= r) { - for (i = 0; i < r / 8; ++i) { - s[2 * i + 0] ^= load64(m0 + 8 * i); - s[2 * i + 1] ^= load64(m1 + 8 * i); - } - - f1600x2(s); - mlen -= r; - m0 += r; - m1 += r; - } - - for (i = 0; i < r; ++i) { - t0[i] = 0; - t1[i] = 0; - } - for (i = 0; i < mlen; ++i) { - t0[i] = m0[i]; - t1[i] = m1[i]; - } - - t0[i] = p; - t1[i] = p; - - t0[r - 1] |= 128; - t1[r - 1] |= 128; - - for (i = 0; i < r / 8; ++i) { - s[2 * i + 0] ^= load64(t0 + 8 * i); - s[2 * i + 1] ^= load64(t1 + 8 * i); - } -} - - -static void keccak_squeezeblocks2x(unsigned char *h0, - unsigned char *h1, - unsigned long long int nblocks, - uint64_t *s, - unsigned int r) { - unsigned int i; - - while (nblocks > 0) { - f1600x2(s); - for (i = 0; i < (r >> 3); i++) { - store64(h0 + 8 * i, s[2 * i + 0]); - store64(h1 + 8 * i, s[2 * i + 1]); - } - h0 += r; - h1 += r; - nblocks--; - } -} - - - -void shake128x2(unsigned char *out0, - unsigned char *out1, - unsigned long long outlen, - unsigned char *in0, - unsigned char *in1, - unsigned long long inlen) { - uint64_t s[50] = {0}; - unsigned char t0[SHAKE128_RATE]; - unsigned char t1[SHAKE128_RATE]; - unsigned int i; - - /* absorb 4 message of identical length in parallel */ - keccak_absorb2x(s, SHAKE128_RATE, in0, in1, inlen, 0x1F); - - /* Squeeze output */ - keccak_squeezeblocks2x(out0, out1, outlen / SHAKE128_RATE, s, SHAKE128_RATE); - - out0 += (outlen / SHAKE128_RATE) * SHAKE128_RATE; - out1 += (outlen / SHAKE128_RATE) * SHAKE128_RATE; - - if (outlen % SHAKE128_RATE) { - keccak_squeezeblocks2x(t0, t1, 1, s, SHAKE128_RATE); - for (i = 0; i < outlen % SHAKE128_RATE; i++) { - out0[i] = t0[i]; - out1[i] = t1[i]; - } - } -} - - -void shake256x2(unsigned char *out0, - unsigned char *out1, - unsigned long long outlen, - unsigned char *in0, - unsigned char *in1, - unsigned long long inlen) { - uint64_t s[50] = {0}; - unsigned char t0[SHAKE256_RATE]; - unsigned char t1[SHAKE256_RATE]; - unsigned int i; - - /* absorb 2 message of identical length in parallel */ - keccak_absorb2x(s, SHAKE256_RATE, in0, in1, inlen, 0x1F); - - /* Squeeze output */ - keccak_squeezeblocks2x(out0, out1, outlen / SHAKE256_RATE, s, SHAKE256_RATE); - - out0 += (outlen / SHAKE256_RATE) * SHAKE256_RATE; - out1 += (outlen / SHAKE256_RATE) * SHAKE256_RATE; - - if (outlen % SHAKE256_RATE) { - keccak_squeezeblocks2x(t0, t1, 1, s, SHAKE256_RATE); - for (i = 0; i < outlen % SHAKE256_RATE; i++) { - out0[i] = t0[i]; - out1[i] = t1[i]; - } - } -} diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/fips202x2.h b/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/fips202x2.h deleted file mode 100644 index 7ba58b35d..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/fips202x2.h +++ /dev/null @@ -1,24 +0,0 @@ -#ifndef SPX_FIPS202X2_H -#define SPX_FIPS202X2_H - -#include - -uint64_t load64(const unsigned char *x); -void store64(uint8_t *x, uint64_t u); - - -void shake128x2(unsigned char *out0, - unsigned char *out1, - unsigned long long outlen, - unsigned char *in0, - unsigned char *in1, - unsigned long long inlen); - -void shake256x2(unsigned char *out0, - unsigned char *out1, - unsigned long long outlen, - unsigned char *in0, - unsigned char *in1, - unsigned long long inlen); - -#endif diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/fors.c b/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/fors.c deleted file mode 100644 index 39193d04e..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/fors.c +++ /dev/null @@ -1,191 +0,0 @@ -#include -#include -#include - -#include "fors.h" - -#include "address.h" -#include "hash.h" -#include "hashx2.h" -#include "thash.h" -#include "thashx2.h" -#include "utils.h" -#include "utilsx2.h" - -static void fors_gen_sk(unsigned char *sk, const spx_ctx *ctx, - uint32_t fors_leaf_addr[8]) { - prf_addr(sk, ctx, fors_leaf_addr); -} - -static void fors_gen_skx2(unsigned char *sk0, - unsigned char *sk1, - const spx_ctx *ctx, - uint32_t fors_leaf_addrx2[2 * 8]) { - prf_addrx2(sk0, sk1, - ctx, fors_leaf_addrx2); -} - -static void fors_sk_to_leaf(unsigned char *leaf, const unsigned char *sk, - const spx_ctx *ctx, - uint32_t fors_leaf_addr[8]) { - thash(leaf, sk, 1, ctx, fors_leaf_addr); -} - -static void fors_sk_to_leafx2(unsigned char *leaf0, - unsigned char *leaf1, - const unsigned char *sk0, - const unsigned char *sk1, - const spx_ctx *ctx, - uint32_t fors_leaf_addrx2[2 * 8]) { - thashx2(leaf0, leaf1, - sk0, sk1, - 1, ctx, fors_leaf_addrx2); -} - -struct fors_gen_leaf_info { - uint32_t leaf_addrx[2 * 8]; -}; - -static void fors_gen_leafx2(unsigned char *leaf, - const spx_ctx *ctx, - uint32_t addr_idx, void *info) { - struct fors_gen_leaf_info *fors_info = info; - uint32_t *fors_leaf_addrx2 = fors_info->leaf_addrx; - unsigned int j; - - /* Only set the parts that the caller doesn't set */ - for (j = 0; j < 2; j++) { - set_tree_index(fors_leaf_addrx2 + j * 8, addr_idx + j); - set_type(fors_leaf_addrx2 + j * 8, SPX_ADDR_TYPE_FORSPRF); - } - - fors_gen_skx2(leaf + 0 * SPX_N, - leaf + 1 * SPX_N, - ctx, fors_leaf_addrx2); - - for (j = 0; j < 2; j++) { - set_type(fors_leaf_addrx2 + j * 8, SPX_ADDR_TYPE_FORSTREE); - } - - fors_sk_to_leafx2(leaf + 0 * SPX_N, - leaf + 1 * SPX_N, - leaf + 0 * SPX_N, - leaf + 1 * SPX_N, - ctx, fors_leaf_addrx2); -} - -/** - * Interprets m as SPX_FORS_HEIGHT-bit unsigned integers. - * Assumes m contains at least SPX_FORS_HEIGHT * SPX_FORS_TREES bits. - * Assumes indices has space for SPX_FORS_TREES integers. - */ -static void message_to_indices(uint32_t *indices, const unsigned char *m) { - unsigned int i, j; - unsigned int offset = 0; - - for (i = 0; i < SPX_FORS_TREES; i++) { - indices[i] = 0; - for (j = 0; j < SPX_FORS_HEIGHT; j++) { - indices[i] ^= (uint32_t)(((m[offset >> 3] >> (offset & 0x7)) & 0x1) << j); - offset++; - } - } -} - -/** - * Signs a message m, deriving the secret key from sk_seed and the FTS address. - * Assumes m contains at least SPX_FORS_HEIGHT * SPX_FORS_TREES bits. - */ -void fors_sign(unsigned char *sig, unsigned char *pk, - const unsigned char *m, - const spx_ctx *ctx, - const uint32_t fors_addr[8]) { - uint32_t indices[SPX_FORS_TREES]; - unsigned char roots[SPX_FORS_TREES * SPX_N]; - uint32_t fors_tree_addr[2 * 8] = {0}; - struct fors_gen_leaf_info fors_info = {0}; - uint32_t *fors_leaf_addr = fors_info.leaf_addrx; - uint32_t fors_pk_addr[8] = {0}; - uint32_t idx_offset; - unsigned int i; - - for (i = 0; i < 2; i++) { - copy_keypair_addr(fors_tree_addr + 8 * i, fors_addr); - set_type(fors_tree_addr + 8 * i, SPX_ADDR_TYPE_FORSTREE); - copy_keypair_addr(fors_leaf_addr + 8 * i, fors_addr); - } - copy_keypair_addr(fors_pk_addr, fors_addr); - set_type(fors_pk_addr, SPX_ADDR_TYPE_FORSPK); - - message_to_indices(indices, m); - - for (i = 0; i < SPX_FORS_TREES; i++) { - idx_offset = i * (1 << SPX_FORS_HEIGHT); - - set_tree_height(fors_tree_addr, 0); - set_tree_index(fors_tree_addr, indices[i] + idx_offset); - - /* Include the secret key part that produces the selected leaf node. */ - set_type(fors_tree_addr, SPX_ADDR_TYPE_FORSPRF); - fors_gen_sk(sig, ctx, fors_tree_addr); - set_type(fors_tree_addr, SPX_ADDR_TYPE_FORSTREE); - sig += SPX_N; - - /* Compute the authentication path for this leaf node. */ - treehashx2(roots + i * SPX_N, sig, ctx, - indices[i], idx_offset, SPX_FORS_HEIGHT, fors_gen_leafx2, - fors_tree_addr, &fors_info); - - sig += SPX_N * SPX_FORS_HEIGHT; - } - - /* Hash horizontally across all tree roots to derive the public key. */ - thash(pk, roots, SPX_FORS_TREES, ctx, fors_pk_addr); -} - -/** - * Derives the FORS public key from a signature. - * This can be used for verification by comparing to a known public key, or to - * subsequently verify a signature on the derived public key. The latter is the - * typical use-case when used as an FTS below an OTS in a hypertree. - * Assumes m contains at least SPX_FORS_HEIGHT * SPX_FORS_TREES bits. - */ -void fors_pk_from_sig(unsigned char *pk, - const unsigned char *sig, const unsigned char *m, - const spx_ctx *ctx, - const uint32_t fors_addr[8]) { - uint32_t indices[SPX_FORS_TREES]; - unsigned char roots[SPX_FORS_TREES * SPX_N]; - unsigned char leaf[SPX_N]; - uint32_t fors_tree_addr[8] = {0}; - uint32_t fors_pk_addr[8] = {0}; - uint32_t idx_offset; - unsigned int i; - - copy_keypair_addr(fors_tree_addr, fors_addr); - copy_keypair_addr(fors_pk_addr, fors_addr); - - set_type(fors_tree_addr, SPX_ADDR_TYPE_FORSTREE); - set_type(fors_pk_addr, SPX_ADDR_TYPE_FORSPK); - - message_to_indices(indices, m); - - for (i = 0; i < SPX_FORS_TREES; i++) { - idx_offset = i * (1 << SPX_FORS_HEIGHT); - - set_tree_height(fors_tree_addr, 0); - set_tree_index(fors_tree_addr, indices[i] + idx_offset); - - /* Derive the leaf from the included secret key part. */ - fors_sk_to_leaf(leaf, sig, ctx, fors_tree_addr); - sig += SPX_N; - - /* Derive the corresponding root node of this tree. */ - compute_root(roots + i * SPX_N, leaf, indices[i], idx_offset, - sig, SPX_FORS_HEIGHT, ctx, fors_tree_addr); - sig += SPX_N * SPX_FORS_HEIGHT; - } - - /* Hash horizontally across all tree roots to derive the public key. */ - thash(pk, roots, SPX_FORS_TREES, ctx, fors_pk_addr); -} diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/fors.h b/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/fors.h deleted file mode 100644 index 509140a17..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/fors.h +++ /dev/null @@ -1,32 +0,0 @@ -#ifndef SPX_FORS_H -#define SPX_FORS_H - -#include - -#include "context.h" -#include "params.h" - -/** - * Signs a message m, deriving the secret key from sk_seed and the FTS address. - * Assumes m contains at least SPX_FORS_HEIGHT * SPX_FORS_TREES bits. - */ -#define fors_sign SPX_NAMESPACE(fors_sign) -void fors_sign(unsigned char *sig, unsigned char *pk, - const unsigned char *m, - const spx_ctx *ctx, - const uint32_t fors_addr[8]); - -/** - * Derives the FORS public key from a signature. - * This can be used for verification by comparing to a known public key, or to - * subsequently verify a signature on the derived public key. The latter is the - * typical use-case when used as an FTS below an OTS in a hypertree. - * Assumes m contains at least SPX_FORS_HEIGHT * SPX_FORS_TREES bits. - */ -#define fors_pk_from_sig SPX_NAMESPACE(fors_pk_from_sig) -void fors_pk_from_sig(unsigned char *pk, - const unsigned char *sig, const unsigned char *m, - const spx_ctx *ctx, - const uint32_t fors_addr[8]); - -#endif diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/hash.h b/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/hash.h deleted file mode 100644 index f7c87d4c3..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/hash.h +++ /dev/null @@ -1,28 +0,0 @@ -#ifndef SPX_HASH_H -#define SPX_HASH_H - -#include -#include - -#include "context.h" -#include "params.h" - -#define prf_addr SPX_NAMESPACE(prf_addr) -void prf_addr(unsigned char *out, const spx_ctx *ctx, - const uint32_t addr[8]); - -#define gen_message_random SPX_NAMESPACE(gen_message_random) -void gen_message_random(unsigned char *R, const unsigned char *sk_prf, - const unsigned char *optrand, - const unsigned char *m, size_t mlen, - const spx_ctx *ctx); - -#define hash_message SPX_NAMESPACE(hash_message) -void hash_message(unsigned char *digest, uint64_t *tree, uint32_t *leaf_idx, - const unsigned char *R, const unsigned char *pk, - const unsigned char *m, size_t mlen, - const spx_ctx *ctx); - - - -#endif diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/hash_shake.c b/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/hash_shake.c deleted file mode 100644 index ff5e7ec91..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/hash_shake.c +++ /dev/null @@ -1,83 +0,0 @@ -#include -#include - -#include "hash.h" - -#include "address.h" -#include "fips202.h" -#include "params.h" -#include "utils.h" - -/* - * Computes PRF(pk_seed, sk_seed, addr) - */ -void prf_addr(unsigned char *out, const spx_ctx *ctx, - const uint32_t addr[8]) { - unsigned char buf[2 * SPX_N + SPX_ADDR_BYTES]; - - memcpy(buf, ctx->pub_seed, SPX_N); - memcpy(buf + SPX_N, addr, SPX_ADDR_BYTES); - memcpy(buf + SPX_N + SPX_ADDR_BYTES, ctx->sk_seed, SPX_N); - - shake256(out, SPX_N, buf, 2 * SPX_N + SPX_ADDR_BYTES); -} - -/** - * Computes the message-dependent randomness R, using a secret seed and an - * optional randomization value as well as the message. - */ -void gen_message_random(unsigned char *R, const unsigned char *sk_prf, - const unsigned char *optrand, - const unsigned char *m, size_t mlen, - const spx_ctx *ctx) { - (void)ctx; - shake256incctx s_inc; - - shake256_inc_init(&s_inc); - shake256_inc_absorb(&s_inc, sk_prf, SPX_N); - shake256_inc_absorb(&s_inc, optrand, SPX_N); - shake256_inc_absorb(&s_inc, m, mlen); - shake256_inc_finalize(&s_inc); - shake256_inc_squeeze(R, SPX_N, &s_inc); - shake256_inc_ctx_release(&s_inc); -} - -/** - * Computes the message hash using R, the public key, and the message. - * Outputs the message digest and the index of the leaf. The index is split in - * the tree index and the leaf index, for convenient copying to an address. - */ -void hash_message(unsigned char *digest, uint64_t *tree, uint32_t *leaf_idx, - const unsigned char *R, const unsigned char *pk, - const unsigned char *m, size_t mlen, - const spx_ctx *ctx) { - (void)ctx; -#define SPX_TREE_BITS (SPX_TREE_HEIGHT * (SPX_D - 1)) -#define SPX_TREE_BYTES ((SPX_TREE_BITS + 7) / 8) -#define SPX_LEAF_BITS SPX_TREE_HEIGHT -#define SPX_LEAF_BYTES ((SPX_LEAF_BITS + 7) / 8) -#define SPX_DGST_BYTES (SPX_FORS_MSG_BYTES + SPX_TREE_BYTES + SPX_LEAF_BYTES) - - unsigned char buf[SPX_DGST_BYTES]; - unsigned char *bufp = buf; - shake256incctx s_inc; - - shake256_inc_init(&s_inc); - shake256_inc_absorb(&s_inc, R, SPX_N); - shake256_inc_absorb(&s_inc, pk, SPX_PK_BYTES); - shake256_inc_absorb(&s_inc, m, mlen); - shake256_inc_finalize(&s_inc); - shake256_inc_squeeze(buf, SPX_DGST_BYTES, &s_inc); - shake256_inc_ctx_release(&s_inc); - - memcpy(digest, bufp, SPX_FORS_MSG_BYTES); - bufp += SPX_FORS_MSG_BYTES; - - - *tree = bytes_to_ull(bufp, SPX_TREE_BYTES); - *tree &= (~(uint64_t)0) >> (64 - SPX_TREE_BITS); - bufp += SPX_TREE_BYTES; - - *leaf_idx = (uint32_t)bytes_to_ull(bufp, SPX_LEAF_BYTES); - *leaf_idx &= (~(uint32_t)0) >> (32 - SPX_LEAF_BITS); -} diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/hash_shakex2.c b/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/hash_shakex2.c deleted file mode 100644 index 99571916a..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/hash_shakex2.c +++ /dev/null @@ -1,52 +0,0 @@ -#include -#include - -#include "hashx2.h" - -#include "address.h" -#include "f1600x2.h" -#include "fips202x2.h" -#include "params.h" - -/* - * 2-way parallel version of prf_addr; takes 2x as much input and output - */ -void prf_addrx2(unsigned char *out0, - unsigned char *out1, - const spx_ctx *ctx, - const uint32_t addrx2[2 * 8]) { - /* As we write and read only a few quadwords, it is more efficient to - * build and extract from the fourway SHAKE256 state by hand. */ - uint64_t state[50] = {0}; - - for (int i = 0; i < SPX_N / 8; i++) { - uint64_t x = load64(ctx->pub_seed + 8 * i); - state[2 * i] = x; - state[2 * i + 1] = x; - } - for (int i = 0; i < 4; i++) { - state[2 * (SPX_N / 8 + i)] = (((uint64_t)addrx2[1 + 2 * i]) << 32) - | (uint64_t)addrx2[2 * i]; - state[2 * (SPX_N / 8 + i) + 1] = (((uint64_t)addrx2[8 + 1 + 2 * i]) << 32) - | (uint64_t)addrx2[8 + 2 * i]; - } - for (int i = 0; i < SPX_N / 8; i++) { - uint64_t x = load64(ctx->sk_seed + 8 * i); - state[2 * (SPX_N / 8 + i + 4)] = x; - state[2 * (SPX_N / 8 + i + 4) + 1] = x; - } - - /* SHAKE domain separator and padding. */ - state[2 * (SPX_N / 4 + 4)] = 0x1f; - state[2 * (SPX_N / 4 + 4) + 1] = 0x1f; - - state[2 * 16] = 0x80ULL << 56; - state[2 * 16 + 1] = 0x80ULL << 56; - - f1600x2(state); - - for (int i = 0; i < SPX_N / 8; i++) { - store64(out0 + 8 * i, state[2 * i]); - store64(out1 + 8 * i, state[2 * i + 1]); - } -} diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/hashx2.h b/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/hashx2.h deleted file mode 100644 index 99b8873a9..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/hashx2.h +++ /dev/null @@ -1,14 +0,0 @@ -#ifndef SPX_HASHX2_H -#define SPX_HASHX2_H - -#include "context.h" -#include "params.h" -#include - -#define prf_addrx2 SPX_NAMESPACE(prf_addrx2) -void prf_addrx2(unsigned char *out0, - unsigned char *out1, - const spx_ctx *ctx, - const uint32_t addrx2[2 * 8]); - -#endif diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/merkle.c b/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/merkle.c deleted file mode 100644 index c94ee2393..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/merkle.c +++ /dev/null @@ -1,64 +0,0 @@ -#include -#include - -#include "merkle.h" - -#include "address.h" -#include "params.h" -#include "utils.h" -#include "utilsx2.h" -#include "wots.h" -#include "wotsx2.h" - -/* - * This generates a Merkle signature (WOTS signature followed by the Merkle - * authentication path). - */ -void merkle_sign(uint8_t *sig, unsigned char *root, - const spx_ctx *ctx, - uint32_t wots_addr[8], uint32_t tree_addr[8], - uint32_t idx_leaf) { - unsigned char *auth_path = sig + SPX_WOTS_BYTES; - uint32_t tree_addrx2[2 * 8] = { 0 }; - int j; - struct leaf_info_x2 info = { 0 }; - unsigned steps[ SPX_WOTS_LEN ]; - - info.wots_sig = sig; - chain_lengths(steps, root); - info.wots_steps = steps; - - for (j = 0; j < 2; j++) { - set_type(&tree_addrx2[8 * j], SPX_ADDR_TYPE_HASHTREE); - set_type(&info.leaf_addr[8 * j], SPX_ADDR_TYPE_WOTS); - set_type(&info.pk_addr[8 * j], SPX_ADDR_TYPE_WOTSPK); - copy_subtree_addr(&tree_addrx2[8 * j], tree_addr); - copy_subtree_addr(&info.leaf_addr[8 * j], wots_addr); - copy_subtree_addr(&info.pk_addr[8 * j], wots_addr); - } - - info.wots_sign_leaf = idx_leaf; - - treehashx2(root, auth_path, ctx, - idx_leaf, 0, - SPX_TREE_HEIGHT, - wots_gen_leafx2, - tree_addrx2, &info); -} - -/* Compute root node of the top-most subtree. */ -void merkle_gen_root(unsigned char *root, const spx_ctx *ctx) { - /* We do not need the auth path in key generation, but it simplifies the - code to have just one treehash routine that computes both root and path - in one function. */ - unsigned char auth_path[SPX_TREE_HEIGHT * SPX_N + SPX_WOTS_BYTES]; - uint32_t top_tree_addr[8] = {0}; - uint32_t wots_addr[8] = {0}; - - set_layer_addr(top_tree_addr, SPX_D - 1); - set_layer_addr(wots_addr, SPX_D - 1); - - merkle_sign(auth_path, root, ctx, - wots_addr, top_tree_addr, - ~0 /* ~0 means "don't bother generating an auth path */ ); -} diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/merkle.h b/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/merkle.h deleted file mode 100644 index 769cf2e97..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/merkle.h +++ /dev/null @@ -1,21 +0,0 @@ -#ifndef MERKLE_H_ -#define MERKLE_H_ - -#include - -#include "context.h" -#include "params.h" - -/* Generate a Merkle signature (WOTS signature followed by the Merkle */ -/* authentication path) */ -#define merkle_sign SPX_NAMESPACE(merkle_sign) -void merkle_sign(uint8_t *sig, unsigned char *root, - const spx_ctx *ctx, - uint32_t wots_addr[8], uint32_t tree_addr[8], - uint32_t idx_leaf); - -/* Compute the root node of the top-most subtree. */ -#define merkle_gen_root SPX_NAMESPACE(merkle_gen_root) -void merkle_gen_root(unsigned char *root, const spx_ctx *ctx); - -#endif /* MERKLE_H_ */ diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/nistapi.h b/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/nistapi.h deleted file mode 100644 index 3cb71afad..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/nistapi.h +++ /dev/null @@ -1,87 +0,0 @@ -#ifndef SPX_API_H -#define SPX_API_H - -#include -#include - -#include "params.h" - -#define CRYPTO_ALGNAME "SPHINCS+" - -#define CRYPTO_SECRETKEYBYTES SPX_SK_BYTES -#define CRYPTO_PUBLICKEYBYTES SPX_PK_BYTES -#define CRYPTO_BYTES SPX_BYTES -#define CRYPTO_SEEDBYTES (3*SPX_N) - -/* - * Returns the length of a secret key, in bytes - */ -#define crypto_sign_secretkeybytes SPX_NAMESPACE(crypto_sign_secretkeybytes) -size_t crypto_sign_secretkeybytes(void); - -/* - * Returns the length of a public key, in bytes - */ -#define crypto_sign_publickeybytes SPX_NAMESPACE(crypto_sign_publickeybytes) -size_t crypto_sign_publickeybytes(void); - -/* - * Returns the length of a signature, in bytes - */ -#define crypto_sign_bytes SPX_NAMESPACE(crypto_sign_bytes) -size_t crypto_sign_bytes(void); - -/* - * Returns the length of the seed required to generate a key pair, in bytes - */ -#define crypto_sign_seedbytes SPX_NAMESPACE(crypto_sign_seedbytes) -size_t crypto_sign_seedbytes(void); - -/* - * Generates a SPHINCS+ key pair given a seed. - * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root] - * Format pk: [root || PUB_SEED] - */ -#define crypto_sign_seed_keypair SPX_NAMESPACE(crypto_sign_seed_keypair) -int crypto_sign_seed_keypair(uint8_t *pk, uint8_t *sk, - const uint8_t *seed); - -/* - * Generates a SPHINCS+ key pair. - * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root] - * Format pk: [root || PUB_SEED] - */ -#define crypto_sign_keypair SPX_NAMESPACE(crypto_sign_keypair) -int crypto_sign_keypair(uint8_t *pk, uint8_t *sk); - -/** - * Returns an array containing a detached signature. - */ -#define crypto_sign_signature SPX_NAMESPACE(crypto_sign_signature) -int crypto_sign_signature(uint8_t *sig, size_t *siglen, - const uint8_t *m, size_t mlen, const uint8_t *sk); - -/** - * Verifies a detached signature and message under a given public key. - */ -#define crypto_sign_verify SPX_NAMESPACE(crypto_sign_verify) -int crypto_sign_verify(const uint8_t *sig, size_t siglen, - const uint8_t *m, size_t mlen, const uint8_t *pk); - -/** - * Returns an array containing the signature followed by the message. - */ -#define crypto_sign SPX_NAMESPACE(crypto_sign) -int crypto_sign(uint8_t *sm, size_t *smlen, - const uint8_t *m, size_t mlen, - const uint8_t *sk); - -/** - * Verifies a given signature-message pair under a given public key. - */ -#define crypto_sign_open SPX_NAMESPACE(crypto_sign_open) -int crypto_sign_open(uint8_t *m, size_t *mlen, - const uint8_t *sm, size_t smlen, - const uint8_t *pk); - -#endif diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/params.h b/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/params.h deleted file mode 100644 index 650f74916..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/params.h +++ /dev/null @@ -1,56 +0,0 @@ -#ifndef SPX_PARAMS_H -#define SPX_PARAMS_H - -#define SPX_NAMESPACE(s) PQCLEAN_SPHINCSSHAKE192SSIMPLE_AARCH64_##s - -/* Hash output length in bytes. */ -#define SPX_N 24 -/* Height of the hypertree. */ -#define SPX_FULL_HEIGHT 63 -/* Number of subtree layer. */ -#define SPX_D 7 -/* FORS tree dimensions. */ -#define SPX_FORS_HEIGHT 14 -#define SPX_FORS_TREES 17 -/* Winternitz parameter, */ -#define SPX_WOTS_W 16 - -/* The hash function is defined by linking a different hash.c file, as opposed - to setting a #define constant. */ - -/* For clarity */ -#define SPX_ADDR_BYTES 32 - -/* WOTS parameters. */ -#define SPX_WOTS_LOGW 4 - -#define SPX_WOTS_LEN1 (8 * SPX_N / SPX_WOTS_LOGW) - -/* SPX_WOTS_LEN2 is floor(log(len_1 * (w - 1)) / log(w)) + 1; we precompute */ -#define SPX_WOTS_LEN2 3 - -#define SPX_WOTS_LEN (SPX_WOTS_LEN1 + SPX_WOTS_LEN2) -#define SPX_WOTS_BYTES (SPX_WOTS_LEN * SPX_N) -#define SPX_WOTS_PK_BYTES SPX_WOTS_BYTES - -/* Subtree size. */ -#define SPX_TREE_HEIGHT (SPX_FULL_HEIGHT / SPX_D) - -//#if SPX_TREE_HEIGHT * SPX_D != SPX_FULL_HEIGHT -// #error SPX_D should always divide SPX_FULL_HEIGHT -//#endif - -/* FORS parameters. */ -#define SPX_FORS_MSG_BYTES ((SPX_FORS_HEIGHT * SPX_FORS_TREES + 7) / 8) -#define SPX_FORS_BYTES ((SPX_FORS_HEIGHT + 1) * SPX_FORS_TREES * SPX_N) -#define SPX_FORS_PK_BYTES SPX_N - -/* Resulting SPX sizes. */ -#define SPX_BYTES (SPX_N + SPX_FORS_BYTES + SPX_D * SPX_WOTS_BYTES +\ - SPX_FULL_HEIGHT * SPX_N) -#define SPX_PK_BYTES (2 * SPX_N) -#define SPX_SK_BYTES (2 * SPX_N + SPX_PK_BYTES) - -#include "shake_offsets.h" - -#endif diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/shake_offsets.h b/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/shake_offsets.h deleted file mode 100644 index 6b28d95d9..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/shake_offsets.h +++ /dev/null @@ -1,21 +0,0 @@ -#ifndef SHAKE_OFFSETS_H_ -#define SHAKE_OFFSETS_H_ - -/* - * Offsets of various fields in the address structure when we use SHAKE as - * the Sphincs+ hash function - */ - -#define SPX_OFFSET_LAYER 3 /* The byte used to specify the Merkle tree layer */ -#define SPX_OFFSET_TREE 8 /* The start of the 8 byte field used to specify the tree */ -#define SPX_OFFSET_TYPE 19 /* The byte used to specify the hash type (reason) */ -#define SPX_OFFSET_KP_ADDR2 22 /* The high byte used to specify the key pair (which one-time signature) */ -#define SPX_OFFSET_KP_ADDR1 23 /* The low byte used to specify the key pair */ -#define SPX_OFFSET_CHAIN_ADDR 27 /* The byte used to specify the chain address (which Winternitz chain) */ -#define SPX_OFFSET_HASH_ADDR 31 /* The byte used to specify the hash address (where in the Winternitz chain) */ -#define SPX_OFFSET_TREE_HGT 27 /* The byte used to specify the height of this node in the FORS or Merkle tree */ -#define SPX_OFFSET_TREE_INDEX 28 /* The start of the 4 byte field used to specify the node in the FORS or Merkle tree */ - -#define SPX_SHAKE 1 - -#endif /* SHAKE_OFFSETS_H_ */ diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/sign.c b/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/sign.c deleted file mode 100644 index 9d0c7d1b2..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/sign.c +++ /dev/null @@ -1,286 +0,0 @@ -#include -#include -#include - -#include "address.h" -#include "context.h" -#include "fors.h" -#include "hash.h" -#include "merkle.h" -#include "nistapi.h" -#include "params.h" -#include "randombytes.h" -#include "thash.h" -#include "utils.h" -#include "wots.h" - -/* - * Returns the length of a secret key, in bytes - */ -size_t crypto_sign_secretkeybytes(void) { - return CRYPTO_SECRETKEYBYTES; -} - -/* - * Returns the length of a public key, in bytes - */ -size_t crypto_sign_publickeybytes(void) { - return CRYPTO_PUBLICKEYBYTES; -} - -/* - * Returns the length of a signature, in bytes - */ -size_t crypto_sign_bytes(void) { - return CRYPTO_BYTES; -} - -/* - * Returns the length of the seed required to generate a key pair, in bytes - */ -size_t crypto_sign_seedbytes(void) { - return CRYPTO_SEEDBYTES; -} - -/* - * Generates an SPX key pair given a seed of length - * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root] - * Format pk: [PUB_SEED || root] - */ -int crypto_sign_seed_keypair(uint8_t *pk, uint8_t *sk, - const uint8_t *seed) { - spx_ctx ctx; - - /* Initialize SK_SEED, SK_PRF and PUB_SEED from seed. */ - memcpy(sk, seed, CRYPTO_SEEDBYTES); - - memcpy(pk, sk + 2 * SPX_N, SPX_N); - - memcpy(ctx.pub_seed, pk, SPX_N); - memcpy(ctx.sk_seed, sk, SPX_N); - - /* This hook allows the hash function instantiation to do whatever - preparation or computation it needs, based on the public seed. */ - initialize_hash_function(&ctx); - - /* Compute root node of the top-most subtree. */ - merkle_gen_root(sk + 3 * SPX_N, &ctx); - - // cleanup - free_hash_function(&ctx); - - memcpy(pk + SPX_N, sk + 3 * SPX_N, SPX_N); - - return 0; -} - -/* - * Generates an SPX key pair. - * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root] - * Format pk: [PUB_SEED || root] - */ -int crypto_sign_keypair(uint8_t *pk, uint8_t *sk) { - uint8_t seed[CRYPTO_SEEDBYTES]; - randombytes(seed, CRYPTO_SEEDBYTES); - crypto_sign_seed_keypair(pk, sk, seed); - - return 0; -} - -/** - * Returns an array containing a detached signature. - */ -int crypto_sign_signature(uint8_t *sig, size_t *siglen, - const uint8_t *m, size_t mlen, const uint8_t *sk) { - spx_ctx ctx; - - const uint8_t *sk_prf = sk + SPX_N; - const uint8_t *pk = sk + 2 * SPX_N; - - uint8_t optrand[SPX_N]; - uint8_t mhash[SPX_FORS_MSG_BYTES]; - uint8_t root[SPX_N]; - uint32_t i; - uint64_t tree; - uint32_t idx_leaf; - uint32_t wots_addr[8] = {0}; - uint32_t tree_addr[8] = {0}; - - memcpy(ctx.sk_seed, sk, SPX_N); - memcpy(ctx.pub_seed, pk, SPX_N); - - /* This hook allows the hash function instantiation to do whatever - preparation or computation it needs, based on the public seed. */ - initialize_hash_function(&ctx); - - set_type(wots_addr, SPX_ADDR_TYPE_WOTS); - set_type(tree_addr, SPX_ADDR_TYPE_HASHTREE); - - /* Optionally, signing can be made non-deterministic using optrand. - This can help counter side-channel attacks that would benefit from - getting a large number of traces when the signer uses the same nodes. */ - randombytes(optrand, SPX_N); - /* Compute the digest randomization value. */ - gen_message_random(sig, sk_prf, optrand, m, mlen, &ctx); - - /* Derive the message digest and leaf index from R, PK and M. */ - hash_message(mhash, &tree, &idx_leaf, sig, pk, m, mlen, &ctx); - sig += SPX_N; - - set_tree_addr(wots_addr, tree); - set_keypair_addr(wots_addr, idx_leaf); - - /* Sign the message hash using FORS. */ - fors_sign(sig, root, mhash, &ctx, wots_addr); - sig += SPX_FORS_BYTES; - - for (i = 0; i < SPX_D; i++) { - set_layer_addr(tree_addr, i); - set_tree_addr(tree_addr, tree); - - copy_subtree_addr(wots_addr, tree_addr); - set_keypair_addr(wots_addr, idx_leaf); - - merkle_sign(sig, root, &ctx, wots_addr, tree_addr, idx_leaf); - sig += SPX_WOTS_BYTES + SPX_TREE_HEIGHT * SPX_N; - - /* Update the indices for the next layer. */ - idx_leaf = (tree & ((1 << SPX_TREE_HEIGHT) - 1)); - tree = tree >> SPX_TREE_HEIGHT; - } - - free_hash_function(&ctx); - - *siglen = SPX_BYTES; - - return 0; -} - -/** - * Verifies a detached signature and message under a given public key. - */ -int crypto_sign_verify(const uint8_t *sig, size_t siglen, - const uint8_t *m, size_t mlen, const uint8_t *pk) { - spx_ctx ctx; - const uint8_t *pub_root = pk + SPX_N; - uint8_t mhash[SPX_FORS_MSG_BYTES]; - uint8_t wots_pk[SPX_WOTS_BYTES]; - uint8_t root[SPX_N]; - uint8_t leaf[SPX_N]; - unsigned int i; - uint64_t tree; - uint32_t idx_leaf; - uint32_t wots_addr[8] = {0}; - uint32_t tree_addr[8] = {0}; - uint32_t wots_pk_addr[8] = {0}; - - if (siglen != SPX_BYTES) { - return -1; - } - - memcpy(ctx.pub_seed, pk, SPX_N); - - /* This hook allows the hash function instantiation to do whatever - preparation or computation it needs, based on the public seed. */ - initialize_hash_function(&ctx); - - set_type(wots_addr, SPX_ADDR_TYPE_WOTS); - set_type(tree_addr, SPX_ADDR_TYPE_HASHTREE); - set_type(wots_pk_addr, SPX_ADDR_TYPE_WOTSPK); - - /* Derive the message digest and leaf index from R || PK || M. */ - /* The additional SPX_N is a result of the hash domain separator. */ - hash_message(mhash, &tree, &idx_leaf, sig, pk, m, mlen, &ctx); - sig += SPX_N; - - /* Layer correctly defaults to 0, so no need to set_layer_addr */ - set_tree_addr(wots_addr, tree); - set_keypair_addr(wots_addr, idx_leaf); - - fors_pk_from_sig(root, sig, mhash, &ctx, wots_addr); - sig += SPX_FORS_BYTES; - - /* For each subtree.. */ - for (i = 0; i < SPX_D; i++) { - set_layer_addr(tree_addr, i); - set_tree_addr(tree_addr, tree); - - copy_subtree_addr(wots_addr, tree_addr); - set_keypair_addr(wots_addr, idx_leaf); - - copy_keypair_addr(wots_pk_addr, wots_addr); - - /* The WOTS public key is only correct if the signature was correct. */ - /* Initially, root is the FORS pk, but on subsequent iterations it is - the root of the subtree below the currently processed subtree. */ - wots_pk_from_sig(wots_pk, sig, root, &ctx, wots_addr); - sig += SPX_WOTS_BYTES; - - /* Compute the leaf node using the WOTS public key. */ - thash(leaf, wots_pk, SPX_WOTS_LEN, &ctx, wots_pk_addr); - - /* Compute the root node of this subtree. */ - compute_root(root, leaf, idx_leaf, 0, sig, SPX_TREE_HEIGHT, - &ctx, tree_addr); - sig += SPX_TREE_HEIGHT * SPX_N; - - /* Update the indices for the next layer. */ - idx_leaf = (tree & ((1 << SPX_TREE_HEIGHT) - 1)); - tree = tree >> SPX_TREE_HEIGHT; - } - - // cleanup - free_hash_function(&ctx); - - /* Check if the root node equals the root node in the public key. */ - if (memcmp(root, pub_root, SPX_N) != 0) { - return -1; - } - - return 0; -} - - -/** - * Returns an array containing the signature followed by the message. - */ -int crypto_sign(uint8_t *sm, size_t *smlen, - const uint8_t *m, size_t mlen, - const uint8_t *sk) { - size_t siglen; - - crypto_sign_signature(sm, &siglen, m, mlen, sk); - - memmove(sm + SPX_BYTES, m, mlen); - *smlen = siglen + mlen; - - return 0; -} - -/** - * Verifies a given signature-message pair under a given public key. - */ -int crypto_sign_open(uint8_t *m, size_t *mlen, - const uint8_t *sm, size_t smlen, - const uint8_t *pk) { - /* The API caller does not necessarily know what size a signature should be - but SPHINCS+ signatures are always exactly SPX_BYTES. */ - if (smlen < SPX_BYTES) { - memset(m, 0, smlen); - *mlen = 0; - return -1; - } - - *mlen = smlen - SPX_BYTES; - - if (crypto_sign_verify(sm, SPX_BYTES, sm + SPX_BYTES, *mlen, pk)) { - memset(m, 0, smlen); - *mlen = 0; - return -1; - } - - /* If verification was successful, move the message to the right place. */ - memmove(m, sm + SPX_BYTES, *mlen); - - return 0; -} diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/thash.h b/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/thash.h deleted file mode 100644 index 8687ccfb4..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/thash.h +++ /dev/null @@ -1,13 +0,0 @@ -#ifndef SPX_THASH_H -#define SPX_THASH_H - -#include "context.h" -#include "params.h" - -#include - -#define thash SPX_NAMESPACE(thash) -void thash(unsigned char *out, const unsigned char *in, unsigned int inblocks, - const spx_ctx *ctx, uint32_t addr[8]); - -#endif diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/thash_shake_simplex2.c b/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/thash_shake_simplex2.c deleted file mode 100644 index 892e45369..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/thash_shake_simplex2.c +++ /dev/null @@ -1,83 +0,0 @@ -#include -#include - -#include "thash.h" -#include "thashx2.h" - -#include "address.h" -#include "params.h" -#include "utils.h" - -#include "f1600x2.h" -#include "fips202x2.h" - - -void thash(unsigned char *out, - const unsigned char *in, - unsigned int inblocks, - const spx_ctx *ctx, uint32_t addr[8]) { - uint32_t addrx2 [2 * 8] = { - addr[0], addr[1], addr[2], addr[3], addr[4], addr[5], addr[6], addr[7], - addr[0], addr[1], addr[2], addr[3], addr[4], addr[5], addr[6], addr[7] - }; - thashx2(out, out, in, in, inblocks, ctx, addrx2); -} - -/** - * 2-way parallel version of thash; takes 2x as much input and output - */ -void thashx2(unsigned char *out0, - unsigned char *out1, - const unsigned char *in0, - const unsigned char *in1, - unsigned int inblocks, - const spx_ctx *ctx, uint32_t addrx2[2 * 8]) { - if (inblocks == 1 || inblocks == 2) { - /* As we write and read only a few quadwords, it is more efficient to - * build and extract from the twoway SHAKE256 state by hand. */ - uint64_t state[50] = {0}; - for (int i = 0; i < SPX_N / 8; i++) { - uint64_t x = load64(ctx->pub_seed + 8 * i); - state[2 * i] = x; - state[2 * i + 1] = x; - } - for (int i = 0; i < 4; i++) { - state[2 * (SPX_N / 8 + i)] = (((uint64_t)addrx2[1 + 2 * i]) << 32) - | (uint64_t)addrx2[2 * i]; - state[2 * (SPX_N / 8 + i) + 1] = (((uint64_t)addrx2[8 + 1 + 2 * i]) << 32) - | (uint64_t)addrx2[8 + 2 * i]; - } - - for (unsigned int i = 0; i < (SPX_N / 8) * inblocks; i++) { - state[2 * (SPX_N / 8 + 4 + i)] = load64(in0 + 8 * i); - state[2 * (SPX_N / 8 + 4 + i) + 1] = load64(in1 + 8 * i); - } - - /* Domain separator and padding. */ - state[2 * 16] = 0x80ULL << 56; - state[2 * 16 + 1] = 0x80ULL << 56; - - state[2 * ((SPX_N / 8) * (1 + inblocks) + 4)] ^= 0x1f; - state[2 * ((SPX_N / 8) * (1 + inblocks) + 4) + 1] ^= 0x1f; - - f1600x2(state); - - for (int i = 0; i < SPX_N / 8; i++) { - store64(out0 + 8 * i, state[2 * i]); - store64(out1 + 8 * i, state[2 * i + 1]); - } - } else { - PQCLEAN_VLA(unsigned char, buf0, SPX_N + SPX_ADDR_BYTES + inblocks * SPX_N); - PQCLEAN_VLA(unsigned char, buf1, SPX_N + SPX_ADDR_BYTES + inblocks * SPX_N); - - memcpy(buf0, ctx->pub_seed, SPX_N); - memcpy(buf1, ctx->pub_seed, SPX_N); - memcpy(buf0 + SPX_N, addrx2 + 0 * 8, SPX_ADDR_BYTES); - memcpy(buf1 + SPX_N, addrx2 + 1 * 8, SPX_ADDR_BYTES); - memcpy(buf0 + SPX_N + SPX_ADDR_BYTES, in0, inblocks * SPX_N); - memcpy(buf1 + SPX_N + SPX_ADDR_BYTES, in1, inblocks * SPX_N); - - shake256x2(out0, out1, SPX_N, - buf0, buf1, SPX_N + SPX_ADDR_BYTES + inblocks * SPX_N); - } -} diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/thashx2.h b/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/thashx2.h deleted file mode 100644 index 040375e61..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/thashx2.h +++ /dev/null @@ -1,16 +0,0 @@ -#ifndef SPX_THASHX2_H -#define SPX_THASHX2_H - -#include "context.h" -#include "params.h" -#include - -#define thashx2 SPX_NAMESPACE(thashx2) -void thashx2(unsigned char *out0, - unsigned char *out1, - const unsigned char *in0, - const unsigned char *in1, - unsigned int inblocks, - const spx_ctx *ctx, uint32_t addrx2[2 * 8]); - -#endif diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/utils.c b/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/utils.c deleted file mode 100644 index 177b541fb..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/utils.c +++ /dev/null @@ -1,148 +0,0 @@ -#include - -#include "utils.h" - -#include "address.h" -#include "hash.h" -#include "params.h" -#include "thash.h" - -/** - * Converts the value of 'in' to 'outlen' bytes in big-endian byte order. - */ -void ull_to_bytes(unsigned char *out, unsigned int outlen, - unsigned long long in) { - int i; - - /* Iterate over out in decreasing order, for big-endianness. */ - for (i = (signed int)outlen - 1; i >= 0; i--) { - out[i] = in & 0xff; - in = in >> 8; - } -} - -void u32_to_bytes(unsigned char *out, uint32_t in) { - out[0] = (unsigned char)(in >> 24); - out[1] = (unsigned char)(in >> 16); - out[2] = (unsigned char)(in >> 8); - out[3] = (unsigned char)in; -} - -/** - * Converts the inlen bytes in 'in' from big-endian byte order to an integer. - */ -unsigned long long bytes_to_ull(const unsigned char *in, unsigned int inlen) { - unsigned long long retval = 0; - unsigned int i; - - for (i = 0; i < inlen; i++) { - retval |= ((unsigned long long)in[i]) << (8 * (inlen - 1 - i)); - } - return retval; -} - -/** - * Computes a root node given a leaf and an auth path. - * Expects address to be complete other than the tree_height and tree_index. - */ -void compute_root(unsigned char *root, const unsigned char *leaf, - uint32_t leaf_idx, uint32_t idx_offset, - const unsigned char *auth_path, uint32_t tree_height, - const spx_ctx *ctx, uint32_t addr[8]) { - uint32_t i; - unsigned char buffer[2 * SPX_N]; - - /* If leaf_idx is odd (last bit = 1), current path element is a right child - and auth_path has to go left. Otherwise it is the other way around. */ - if (leaf_idx & 1) { - memcpy(buffer + SPX_N, leaf, SPX_N); - memcpy(buffer, auth_path, SPX_N); - } else { - memcpy(buffer, leaf, SPX_N); - memcpy(buffer + SPX_N, auth_path, SPX_N); - } - auth_path += SPX_N; - - for (i = 0; i < tree_height - 1; i++) { - leaf_idx >>= 1; - idx_offset >>= 1; - /* Set the address of the node we're creating. */ - set_tree_height(addr, i + 1); - set_tree_index(addr, leaf_idx + idx_offset); - - /* Pick the right or left neighbor, depending on parity of the node. */ - if (leaf_idx & 1) { - thash(buffer + SPX_N, buffer, 2, ctx, addr); - memcpy(buffer, auth_path, SPX_N); - } else { - thash(buffer, buffer, 2, ctx, addr); - memcpy(buffer + SPX_N, auth_path, SPX_N); - } - auth_path += SPX_N; - } - - /* The last iteration is exceptional; we do not copy an auth_path node. */ - leaf_idx >>= 1; - idx_offset >>= 1; - set_tree_height(addr, tree_height); - set_tree_index(addr, leaf_idx + idx_offset); - thash(root, buffer, 2, ctx, addr); -} - -/** - * For a given leaf index, computes the authentication path and the resulting - * root node using Merkle's TreeHash algorithm. - * Expects the layer and tree parts of the tree_addr to be set, as well as the - * tree type (i.e. SPX_ADDR_TYPE_HASHTREE or SPX_ADDR_TYPE_FORSTREE). - * Applies the offset idx_offset to indices before building addresses, so that - * it is possible to continue counting indices across trees. - */ -void treehash(unsigned char *root, unsigned char *auth_path, const spx_ctx *ctx, - uint32_t leaf_idx, uint32_t idx_offset, uint32_t tree_height, - void (*gen_leaf)( - unsigned char * /* leaf */, - const spx_ctx * /* ctx */, - uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */), - uint32_t tree_addr[8]) { - PQCLEAN_VLA(uint8_t, stack, (tree_height + 1)*SPX_N); - PQCLEAN_VLA(unsigned int, heights, tree_height + 1); - unsigned int offset = 0; - uint32_t idx; - uint32_t tree_idx; - - for (idx = 0; idx < (uint32_t)(1 << tree_height); idx++) { - /* Add the next leaf node to the stack. */ - gen_leaf(stack + offset * SPX_N, ctx, idx + idx_offset, tree_addr); - offset++; - heights[offset - 1] = 0; - - /* If this is a node we need for the auth path.. */ - if ((leaf_idx ^ 0x1) == idx) { - memcpy(auth_path, stack + (offset - 1)*SPX_N, SPX_N); - } - - /* While the top-most nodes are of equal height.. */ - while (offset >= 2 && heights[offset - 1] == heights[offset - 2]) { - /* Compute index of the new node, in the next layer. */ - tree_idx = (idx >> (heights[offset - 1] + 1)); - - /* Set the address of the node we're creating. */ - set_tree_height(tree_addr, heights[offset - 1] + 1); - set_tree_index(tree_addr, - tree_idx + (idx_offset >> (heights[offset - 1] + 1))); - /* Hash the top-most nodes from the stack together. */ - thash(stack + (offset - 2)*SPX_N, - stack + (offset - 2)*SPX_N, 2, ctx, tree_addr); - offset--; - /* Note that the top-most node is now one layer higher. */ - heights[offset - 1]++; - - /* If this is a node we need for the auth path.. */ - if (((leaf_idx >> heights[offset - 1]) ^ 0x1) == tree_idx) { - memcpy(auth_path + heights[offset - 1]*SPX_N, - stack + (offset - 1)*SPX_N, SPX_N); - } - } - } - memcpy(root, stack, SPX_N); -} diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/utils.h b/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/utils.h deleted file mode 100644 index 64f5d5a53..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/utils.h +++ /dev/null @@ -1,58 +0,0 @@ -#ifndef SPX_UTILS_H -#define SPX_UTILS_H - -#include - -#include "compat.h" -#include "context.h" -#include "params.h" - - -/* To support MSVC use alloca() instead of VLAs. See #20. */ - - -/** - * Converts the value of 'in' to 'outlen' bytes in big-endian byte order. - */ -#define ull_to_bytes SPX_NAMESPACE(ull_to_bytes) -void ull_to_bytes(unsigned char *out, unsigned int outlen, - unsigned long long in); -#define u32_to_bytes SPX_NAMESPACE(u32_to_bytes) -void u32_to_bytes(unsigned char *out, uint32_t in); - -/** - * Converts the inlen bytes in 'in' from big-endian byte order to an integer. - */ -#define bytes_to_ull SPX_NAMESPACE(bytes_to_ull) -unsigned long long bytes_to_ull(const unsigned char *in, unsigned int inlen); - -/** - * Computes a root node given a leaf and an auth path. - * Expects address to be complete other than the tree_height and tree_index. - */ -#define compute_root SPX_NAMESPACE(compute_root) -void compute_root(unsigned char *root, const unsigned char *leaf, - uint32_t leaf_idx, uint32_t idx_offset, - const unsigned char *auth_path, uint32_t tree_height, - const spx_ctx *ctx, uint32_t addr[8]); - -/** - * For a given leaf index, computes the authentication path and the resulting - * root node using Merkle's TreeHash algorithm. - * Expects the layer and tree parts of the tree_addr to be set, as well as the - * tree type (i.e. SPX_ADDR_TYPE_HASHTREE or SPX_ADDR_TYPE_FORSTREE). - * Applies the offset idx_offset to indices before building addresses, so that - * it is possible to continue counting indices across trees. - */ -#define treehash SPX_NAMESPACE(treehash) -void treehash(unsigned char *root, unsigned char *auth_path, - const spx_ctx *ctx, - uint32_t leaf_idx, uint32_t idx_offset, uint32_t tree_height, - void (*gen_leaf)( - unsigned char * /* leaf */, - const spx_ctx *ctx /* ctx */, - uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */), - uint32_t tree_addr[8]); - - -#endif diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/utilsx2.c b/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/utilsx2.c deleted file mode 100644 index 8736474e4..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/utilsx2.c +++ /dev/null @@ -1,130 +0,0 @@ -#include - -#include "utilsx2.h" - -#include "address.h" -#include "params.h" -#include "thashx2.h" -#include "utils.h" - -/* - * Generate the entire Merkle tree, computing the authentication path for leaf_idx, - * and the resulting root node using Merkle's TreeHash algorithm. - * Expects the layer and tree parts of the tree_addr to be set, as well as the - * tree type (i.e. SPX_ADDR_TYPE_HASHTREE or SPX_ADDR_TYPE_FORSTREE) - * - * This expects tree_addrx2 to be initialized to 2 parallel addr structures for - * the Merkle tree nodes - * - * Applies the offset idx_offset to indices before building addresses, so that - * it is possible to continue counting indices across trees. - * - * This works by using the standard Merkle tree building algorithm, except - * that each 'node' tracked is actually 2 consecutive nodes in the real tree. - * When we combine two logical nodes AB and WX, we perform the H - * operation on adjacent real nodes, forming the parent logical node - * (AB)(WX) - * - * When we get to the top level of the real tree (where there is only - * one logical node), we continue this operation one more time; the right - * most real node will by the actual root (and the other node will be - * garbage). We follow the same thashx2 logic so that the 'extract - * authentication path components' part of the loop is still executed (and - * to simplify the code somewhat) - */ -void treehashx2(unsigned char *root, unsigned char *auth_path, - const spx_ctx *ctx, - uint32_t leaf_idx, uint32_t idx_offset, - uint32_t tree_height, - void (*gen_leafx2)( - unsigned char * /* Where to write the leaves */, - const spx_ctx *, - uint32_t idx, void *info), - uint32_t tree_addrx2[2 * 8], - void *info) { - /* This is where we keep the intermediate nodes */ - unsigned char stackx2[tree_height * 2 * SPX_N]; - uint32_t left_adj = 0, prev_left_adj = 0; /* When we're doing the top */ - /* level, the left-most part of the tree isn't at the beginning */ - /* of current[]. These give the offset of the actual start */ - - uint32_t idx; - uint32_t max_idx = (1 << (tree_height - 1)) - 1; - for (idx = 0;; idx++) { - unsigned char current[2 * SPX_N]; /* Current logical node */ - gen_leafx2( current, ctx, 2 * idx + idx_offset, - info ); - - /* Now combine the freshly generated right node with previously */ - /* generated left ones */ - uint32_t internal_idx_offset = idx_offset; - uint32_t internal_idx = idx; - uint32_t internal_leaf = leaf_idx; - uint32_t h; /* The height we are in the Merkle tree */ - for (h = 0;; h++, internal_idx >>= 1, internal_leaf >>= 1) { - - /* Special processing if we're at the top of the tree */ - if (h >= tree_height - 1) { - if (h == tree_height) { - /* We hit the root; return it */ - memcpy( root, ¤t[1 * SPX_N], SPX_N ); - return; - } - /* The tree indexing logic is a bit off in this case */ - /* Adjust it so that the left-most node of the part of */ - /* the tree that we're processing has index 0 */ - prev_left_adj = left_adj; - left_adj = 2 - (1 << (tree_height - h - 1)); - } - - /* Check if we hit the top of the tree */ - if (h == tree_height) { - /* We hit the root; return it */ - memcpy( root, ¤t[1 * SPX_N], SPX_N ); - return; - } - - /* - * Check if one of the nodes we have is a part of the - * authentication path; if it is, write it out - */ - if ((((internal_idx << 1) ^ internal_leaf) & ~0x1) == 0) { - memcpy( &auth_path[ h * SPX_N ], - ¤t[(((internal_leaf & 1) ^ 1) + prev_left_adj) * SPX_N], - SPX_N ); - } - - /* - * Check if we're at a left child; if so, stop going up the stack - * Exception: if we've reached the end of the tree, keep on going - * (so we combine the last 2 nodes into the one root node in two - * more iterations) - */ - if ((internal_idx & 1) == 0 && idx < max_idx) { - break; - } - - /* Ok, we're at a right node (or doing the top 3 levels) */ - /* Now combine the left and right logical nodes together */ - - /* Set the address of the node we're creating. */ - int j; - internal_idx_offset >>= 1; - for (j = 0; j < 2; j++) { - set_tree_height(tree_addrx2 + j * 8, h + 1); - set_tree_index(tree_addrx2 + j * 8, - (2 / 2) * (internal_idx & ~1) + j - left_adj + internal_idx_offset ); - } - unsigned char *left = &stackx2[h * 2 * SPX_N]; - thashx2( ¤t[0 * SPX_N], - ¤t[1 * SPX_N], - &left [0 * SPX_N], - ¤t[0 * SPX_N], - 2, ctx, tree_addrx2); - } - - /* We've hit a left child; save the current for when we get the */ - /* corresponding right right */ - memcpy( &stackx2[h * 2 * SPX_N], current, 2 * SPX_N); - } -} diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/utilsx2.h b/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/utilsx2.h deleted file mode 100644 index e09faddc4..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/utilsx2.h +++ /dev/null @@ -1,30 +0,0 @@ -#ifndef SPX_UTILSX2_H -#define SPX_UTILSX2_H - -#include - -#include "context.h" -#include "params.h" - -/** - * For a given leaf index, computes the authentication path and the resulting - * root node using Merkle's TreeHash algorithm. - * Expects the layer and tree parts of the tree_addr to be set, as well as the - * tree type (i.e. SPX_ADDR_TYPE_HASHTREE or SPX_ADDR_TYPE_FORSTREE). - * Applies the offset idx_offset to indices before building addresses, so that - * it is possible to continue counting indices across trees. - * - * This implementation uses SIMD to compute internal nodes 2 at a time (in - * parallel) - */ -#define treehashx2 SPX_NAMESPACE(treehashx2) -void treehashx2(unsigned char *root, unsigned char *auth_path, - const spx_ctx *ctx, - uint32_t leaf_idx, uint32_t idx_offset, uint32_t tree_height, - void (*gen_leafx2)( - unsigned char * /* Where to write the leaves */, - const spx_ctx * /* ctx */, - uint32_t addr_idx, void *info), - uint32_t tree_addrx2[2 * 8], void *info); - -#endif diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/wots.c b/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/wots.c deleted file mode 100644 index 3babe45e9..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/wots.c +++ /dev/null @@ -1,259 +0,0 @@ -#include -#include - -#include "wots.h" -#include "wotsx2.h" - -#include "address.h" -#include "hash.h" -#include "hashx2.h" -#include "params.h" -#include "thashx2.h" -#include "utils.h" -#include "utilsx2.h" - -// TODO clarify address expectations, and make them more uniform. -// TODO i.e. do we expect types to be set already? -// TODO and do we expect modifications or copies? - -/** - * Computes up the chains - */ -static void gen_chains( - unsigned char *out, - const unsigned char *in, - unsigned int start[SPX_WOTS_LEN], - const unsigned int steps[SPX_WOTS_LEN], - const spx_ctx *ctx, - uint32_t addr[8]) { - uint32_t i, j, k, idx, watching; - int done; - unsigned char empty[SPX_N]; - unsigned char *bufs[4]; - uint32_t addrs[8 * 2]; - - int l; - uint16_t counts[SPX_WOTS_W] = { 0 }; - uint16_t idxs[SPX_WOTS_LEN]; - uint16_t total, newTotal; - - /* set addrs = {addr, addr} */ - for (j = 0; j < 2; j++) { - memcpy(addrs + j * 8, addr, sizeof(uint32_t) * 8); - } - - /* Initialize out with the value at position 'start'. */ - memcpy(out, in, SPX_WOTS_LEN * SPX_N); - - /* Sort the chains in reverse order by steps using counting sort. */ - for (i = 0; i < SPX_WOTS_LEN; i++) { - counts[steps[i]]++; - } - total = 0; - for (l = SPX_WOTS_W - 1; l >= 0; l--) { - newTotal = counts[l] + total; - counts[l] = total; - total = newTotal; - } - for (i = 0; i < SPX_WOTS_LEN; i++) { - idxs[counts[steps[i]]] = i; - counts[steps[i]]++; - } - - /* We got our work cut out for us: do it! */ - for (i = 0; i < SPX_WOTS_LEN; i += 2) { - for (j = 0; j < 2 && i + j < SPX_WOTS_LEN; j++) { - idx = idxs[i + j]; - set_chain_addr(addrs + j * 8, idx); - bufs[j] = out + SPX_N * idx; - } - - /* As the chains are sorted in reverse order, we know that the first - * chain is the longest and the last one is the shortest. We keep - * an eye on whether the last chain is done and then on the one before, - * et cetera. */ - watching = 1; - done = 0; - while (i + watching >= SPX_WOTS_LEN) { - bufs[watching] = &empty[0]; - watching--; - } - - for (k = 0;; k++) { - while (k == steps[idxs[i + watching]]) { - bufs[watching] = &empty[0]; - if (watching == 0) { - done = 1; - break; - } - watching--; - } - if (done) { - break; - } - for (j = 0; j < watching + 1; j++) { - set_hash_addr(addrs + j * 8, k + start[idxs[i + j]]); - } - - thashx2(bufs[0], bufs[1], - bufs[0], bufs[1], 1, ctx, addrs); - } - } -} - -/** - * base_w algorithm as described in draft. - * Interprets an array of bytes as integers in base w. - * This only works when log_w is a divisor of 8. - */ -static void base_w(unsigned int *output, const int out_len, - const unsigned char *input) { - int in = 0; - int out = 0; - unsigned char total = 0; - int bits = 0; - int consumed; - - for (consumed = 0; consumed < out_len; consumed++) { - if (bits == 0) { - total = input[in]; - in++; - bits += 8; - } - bits -= SPX_WOTS_LOGW; - output[out] = (total >> bits) & (SPX_WOTS_W - 1); - out++; - } -} - -/* Computes the WOTS+ checksum over a message (in base_w). */ -static void wots_checksum(unsigned int *csum_base_w, - const unsigned int *msg_base_w) { - unsigned int csum = 0; - unsigned char csum_bytes[(SPX_WOTS_LEN2 * SPX_WOTS_LOGW + 7) / 8]; - unsigned int i; - - /* Compute checksum. */ - for (i = 0; i < SPX_WOTS_LEN1; i++) { - csum += SPX_WOTS_W - 1 - msg_base_w[i]; - } - - /* Convert checksum to base_w. */ - /* Make sure expected empty zero bits are the least significant bits. */ - csum = csum << ((8 - ((SPX_WOTS_LEN2 * SPX_WOTS_LOGW) % 8)) % 8); - ull_to_bytes(csum_bytes, sizeof(csum_bytes), csum); - base_w(csum_base_w, SPX_WOTS_LEN2, csum_bytes); -} - -/* Takes a message and derives the matching chain lengths. */ -void chain_lengths(unsigned int *lengths, const unsigned char *msg) { - base_w(lengths, SPX_WOTS_LEN1, msg); - wots_checksum(lengths + SPX_WOTS_LEN1, lengths); -} - -/** - * Takes a WOTS signature and an n-byte message, computes a WOTS public key. - * - * Writes the computed public key to 'pk'. - */ -void wots_pk_from_sig(unsigned char *pk, - const unsigned char *sig, const unsigned char *msg, - const spx_ctx *ctx, uint32_t addr[8]) { - unsigned int steps[SPX_WOTS_LEN]; - unsigned int start[SPX_WOTS_LEN]; - uint32_t i; - - chain_lengths(start, msg); - - for (i = 0; i < SPX_WOTS_LEN; i++) { - steps[i] = SPX_WOTS_W - 1 - start[i]; - } - - gen_chains(pk, sig, start, steps, ctx, addr); -} - -/* - * This generates 2 sequential WOTS public keys - * It also generates the WOTS signature if leaf_info indicates - * that we're signing with one of these WOTS keys - */ -void wots_gen_leafx2(unsigned char *dest, - const spx_ctx *ctx, - uint32_t leaf_idx, void *v_info) { - struct leaf_info_x2 *info = v_info; - uint32_t *leaf_addr = info->leaf_addr; - uint32_t *pk_addr = info->pk_addr; - unsigned int i, j, k; - unsigned char pk_buffer[ 2 * SPX_WOTS_BYTES ]; - unsigned wots_offset = SPX_WOTS_BYTES; - unsigned char *buffer; - uint32_t wots_k_mask; - unsigned wots_sign_index; - - if (((leaf_idx ^ info->wots_sign_leaf) & ~1) == 0) { - /* We're traversing the leaf that's signing; generate the WOTS */ - /* signature */ - wots_k_mask = 0; - wots_sign_index = info->wots_sign_leaf & 1; /* Which of of the 2 */ - /* slots do the signatures come from */ - } else { - /* Nope, we're just generating pk's; turn off the signature logic */ - wots_k_mask = ~0; - wots_sign_index = 0; - } - - for (j = 0; j < 2; j++) { - set_keypair_addr( leaf_addr + j * 8, leaf_idx + j ); - set_keypair_addr( pk_addr + j * 8, leaf_idx + j ); - } - - for (i = 0, buffer = pk_buffer; i < SPX_WOTS_LEN; i++, buffer += SPX_N) { - uint32_t wots_k = info->wots_steps[i] | wots_k_mask; /* Set wots_k to */ - /* the step if we're generating a signature, ~0 if we're not */ - - /* Start with the secret seed */ - for (j = 0; j < 2; j++) { - set_chain_addr(leaf_addr + j * 8, i); - set_hash_addr(leaf_addr + j * 8, 0); - set_type(leaf_addr + j * 8, SPX_ADDR_TYPE_WOTSPRF); - } - prf_addrx2(buffer + 0 * wots_offset, - buffer + 1 * wots_offset, - ctx, leaf_addr); - for (j = 0; j < 2; j++) { - set_type(leaf_addr + j * 8, SPX_ADDR_TYPE_WOTS); - } - - /* Iterate down the WOTS chain */ - for (k = 0;; k++) { - /* Check if one of the values we have needs to be saved as a */ - /* part of the WOTS signature */ - if (k == wots_k) { - memcpy( info->wots_sig + i * SPX_N, - buffer + wots_sign_index * wots_offset, SPX_N ); - } - - /* Check if we hit the top of the chain */ - if (k == SPX_WOTS_W - 1) { - break; - } - - /* Iterate one step on all 4 chains */ - for (j = 0; j < 2; j++) { - set_hash_addr(leaf_addr + j * 8, k); - } - thashx2(buffer + 0 * wots_offset, - buffer + 1 * wots_offset, - buffer + 0 * wots_offset, - buffer + 1 * wots_offset, - 1, ctx, leaf_addr); - } - } - - /* Do the final thash to generate the public keys */ - thashx2(dest + 0 * SPX_N, - dest + 1 * SPX_N, - pk_buffer + 0 * wots_offset, - pk_buffer + 1 * wots_offset, - SPX_WOTS_LEN, ctx, pk_addr); -} diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/wots.h b/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/wots.h deleted file mode 100644 index 4e7692eee..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/wots.h +++ /dev/null @@ -1,25 +0,0 @@ -#ifndef SPX_WOTS_H -#define SPX_WOTS_H - -#include - -#include "context.h" -#include "params.h" - -/** - * Takes a WOTS signature and an n-byte message, computes a WOTS public key. - * - * Writes the computed public key to 'pk'. - */ -#define wots_pk_from_sig SPX_NAMESPACE(wots_pk_from_sig) -void wots_pk_from_sig(unsigned char *pk, - const unsigned char *sig, const unsigned char *msg, - const spx_ctx *ctx, uint32_t addr[8]); - -/* - * Compute the chain lengths needed for a given message hash - */ -#define chain_lengths SPX_NAMESPACE(chain_lengths) -void chain_lengths(unsigned int *lengths, const unsigned char *msg); - -#endif diff --git a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/wotsx2.h b/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/wotsx2.h deleted file mode 100644 index b58bb61f8..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-192s-simple_aarch64/wotsx2.h +++ /dev/null @@ -1,40 +0,0 @@ -#ifndef WOTSX2_H_ -#define WOTSX2_H_ - -#include "params.h" -#include - -/* - * This is here to provide an interface to the internal wots_gen_leafx2 - * routine. While this routine is not referenced in the package outside of - * wots.c, it is called from the stand-alone benchmark code to characterize - * the performance - */ -struct leaf_info_x2 { - unsigned char *wots_sig; - uint32_t wots_sign_leaf; /* The index of the WOTS we're using to sign */ - uint32_t *wots_steps; - uint32_t leaf_addr[2 * 8]; - uint32_t pk_addr[2 * 8]; -}; - -/* Macro to set the leaf_info to something 'benign', that is, it would */ -/* run with the same time as it does during the real signing process */ -/* Used only by the benchmark code */ -#define INITIALIZE_LEAF_INFO_X2(info, addr, step_buffer) { \ - (info).wots_sig = 0; \ - (info).wots_sign_leaf = ~0; \ - (info).wots_steps = step_buffer; \ - int i; \ - for (i=0; i<2; i++) { \ - memcpy( &(info).leaf_addr[8*i], addr, 32 ); \ - memcpy( &(info).pk_addr[8*i], addr, 32 ); \ - } \ - } - -#define wots_gen_leafx2 SPX_NAMESPACE(wots_gen_leafx2) -void wots_gen_leafx2(unsigned char *dest, - const spx_ctx *ctx, - uint32_t leaf_idx, void *v_info); - -#endif /* WOTSX2_H_ */ diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/LICENSE b/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/LICENSE deleted file mode 100644 index 670154e35..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/LICENSE +++ /dev/null @@ -1,116 +0,0 @@ -CC0 1.0 Universal - -Statement of Purpose - -The laws of most jurisdictions throughout the world automatically confer -exclusive Copyright and Related Rights (defined below) upon the creator and -subsequent owner(s) (each and all, an "owner") of an original work of -authorship and/or a database (each, a "Work"). - -Certain owners wish to permanently relinquish those rights to a Work for the -purpose of contributing to a commons of creative, cultural and scientific -works ("Commons") that the public can reliably and without fear of later -claims of infringement build upon, modify, incorporate in other works, reuse -and redistribute as freely as possible in any form whatsoever and for any -purposes, including without limitation commercial purposes. These owners may -contribute to the Commons to promote the ideal of a free culture and the -further production of creative, cultural and scientific works, or to gain -reputation or greater distribution for their Work in part through the use and -efforts of others. - -For these and/or other purposes and motivations, and without any expectation -of additional consideration or compensation, the person associating CC0 with a -Work (the "Affirmer"), to the extent that he or she is an owner of Copyright -and Related Rights in the Work, voluntarily elects to apply CC0 to the Work -and publicly distribute the Work under its terms, with knowledge of his or her -Copyright and Related Rights in the Work and the meaning and intended legal -effect of CC0 on those rights. - -1. Copyright and Related Rights. A Work made available under CC0 may be -protected by copyright and related or neighboring rights ("Copyright and -Related Rights"). Copyright and Related Rights include, but are not limited -to, the following: - - i. the right to reproduce, adapt, distribute, perform, display, communicate, - and translate a Work; - - ii. moral rights retained by the original author(s) and/or performer(s); - - iii. publicity and privacy rights pertaining to a person's image or likeness - depicted in a Work; - - iv. rights protecting against unfair competition in regards to a Work, - subject to the limitations in paragraph 4(a), below; - - v. rights protecting the extraction, dissemination, use and reuse of data in - a Work; - - vi. database rights (such as those arising under Directive 96/9/EC of the - European Parliament and of the Council of 11 March 1996 on the legal - protection of databases, and under any national implementation thereof, - including any amended or successor version of such directive); and - - vii. other similar, equivalent or corresponding rights throughout the world - based on applicable law or treaty, and any national implementations thereof. - -2. Waiver. To the greatest extent permitted by, but not in contravention of, -applicable law, Affirmer hereby overtly, fully, permanently, irrevocably and -unconditionally waives, abandons, and surrenders all of Affirmer's Copyright -and Related Rights and associated claims and causes of action, whether now -known or unknown (including existing as well as future claims and causes of -action), in the Work (i) in all territories worldwide, (ii) for the maximum -duration provided by applicable law or treaty (including future time -extensions), (iii) in any current or future medium and for any number of -copies, and (iv) for any purpose whatsoever, including without limitation -commercial, advertising or promotional purposes (the "Waiver"). Affirmer makes -the Waiver for the benefit of each member of the public at large and to the -detriment of Affirmer's heirs and successors, fully intending that such Waiver -shall not be subject to revocation, rescission, cancellation, termination, or -any other legal or equitable action to disrupt the quiet enjoyment of the Work -by the public as contemplated by Affirmer's express Statement of Purpose. - -3. Public License Fallback. Should any part of the Waiver for any reason be -judged legally invalid or ineffective under applicable law, then the Waiver -shall be preserved to the maximum extent permitted taking into account -Affirmer's express Statement of Purpose. In addition, to the extent the Waiver -is so judged Affirmer hereby grants to each affected person a royalty-free, -non transferable, non sublicensable, non exclusive, irrevocable and -unconditional license to exercise Affirmer's Copyright and Related Rights in -the Work (i) in all territories worldwide, (ii) for the maximum duration -provided by applicable law or treaty (including future time extensions), (iii) -in any current or future medium and for any number of copies, and (iv) for any -purpose whatsoever, including without limitation commercial, advertising or -promotional purposes (the "License"). The License shall be deemed effective as -of the date CC0 was applied by Affirmer to the Work. Should any part of the -License for any reason be judged legally invalid or ineffective under -applicable law, such partial invalidity or ineffectiveness shall not -invalidate the remainder of the License, and in such case Affirmer hereby -affirms that he or she will not (i) exercise any of his or her remaining -Copyright and Related Rights in the Work or (ii) assert any associated claims -and causes of action with respect to the Work, in either case contrary to -Affirmer's express Statement of Purpose. - -4. Limitations and Disclaimers. - - a. No trademark or patent rights held by Affirmer are waived, abandoned, - surrendered, licensed or otherwise affected by this document. - - b. Affirmer offers the Work as-is and makes no representations or warranties - of any kind concerning the Work, express, implied, statutory or otherwise, - including without limitation warranties of title, merchantability, fitness - for a particular purpose, non infringement, or the absence of latent or - other defects, accuracy, or the present or absence of errors, whether or not - discoverable, all to the greatest extent permissible under applicable law. - - c. Affirmer disclaims responsibility for clearing rights of other persons - that may apply to the Work or any use thereof, including without limitation - any person's Copyright and Related Rights in the Work. Further, Affirmer - disclaims responsibility for obtaining any necessary consents, permissions - or other rights required for any use of the Work. - - d. Affirmer understands and acknowledges that Creative Commons is not a - party to this document and has no duty or obligation with respect to this - CC0 or use of the Work. - -For more information, please see - diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/address.c b/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/address.c deleted file mode 100644 index b956e9cb2..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/address.c +++ /dev/null @@ -1,91 +0,0 @@ -#include -#include - -#include "address.h" -#include "params.h" -#include "utils.h" - -/* - * Specify which level of Merkle tree (the "layer") we're working on - */ -void set_layer_addr(uint32_t addr[8], uint32_t layer) { - ((unsigned char *)addr)[SPX_OFFSET_LAYER] = (unsigned char)layer; -} - -/* - * Specify which Merkle tree within the level (the "tree address") we're working on - */ -void set_tree_addr(uint32_t addr[8], uint64_t tree) { - ull_to_bytes(&((unsigned char *)addr)[SPX_OFFSET_TREE], 8, tree ); -} - -/* - * Specify the reason we'll use this address structure for, that is, what - * hash will we compute with it. This is used so that unrelated types of - * hashes don't accidentally get the same address structure. The type will be - * one of the SPX_ADDR_TYPE constants - */ -void set_type(uint32_t addr[8], uint32_t type) { - ((unsigned char *)addr)[SPX_OFFSET_TYPE] = (unsigned char)type; -} - -/* - * Copy the layer and tree fields of the address structure. This is used - * when we're doing multiple types of hashes within the same Merkle tree - */ -void copy_subtree_addr(uint32_t out[8], const uint32_t in[8]) { - memcpy( out, in, SPX_OFFSET_TREE + 8 ); -} - -/* These functions are used for OTS addresses. */ - -/* - * Specify which Merkle leaf we're working on; that is, which OTS keypair - * we're talking about. - */ -void set_keypair_addr(uint32_t addr[8], uint32_t keypair) { - ((unsigned char *)addr)[SPX_OFFSET_KP_ADDR1] = (unsigned char)keypair; -} - -/* - * Copy the layer, tree and keypair fields of the address structure. This is - * used when we're doing multiple things within the same OTS keypair - */ -void copy_keypair_addr(uint32_t out[8], const uint32_t in[8]) { - memcpy( out, in, SPX_OFFSET_TREE + 8 ); - ((unsigned char *)out)[SPX_OFFSET_KP_ADDR1] = ((unsigned char *)in)[SPX_OFFSET_KP_ADDR1]; -} - -/* - * Specify which Merkle chain within the OTS we're working with - * (the chain address) - */ -void set_chain_addr(uint32_t addr[8], uint32_t chain) { - ((unsigned char *)addr)[SPX_OFFSET_CHAIN_ADDR] = (unsigned char)chain; -} - -/* - * Specify where in the Merkle chain we are -* (the hash address) - */ -void set_hash_addr(uint32_t addr[8], uint32_t hash) { - ((unsigned char *)addr)[SPX_OFFSET_HASH_ADDR] = (unsigned char)hash; -} - -/* These functions are used for all hash tree addresses (including FORS). */ - -/* - * Specify the height of the node in the Merkle/FORS tree we are in - * (the tree height) - */ -void set_tree_height(uint32_t addr[8], uint32_t tree_height) { - ((unsigned char *)addr)[SPX_OFFSET_TREE_HGT] = (unsigned char)tree_height; -} - -/* - * Specify the distance from the left edge of the node in the Merkle/FORS tree - * (the tree index) - */ -void set_tree_index(uint32_t addr[8], uint32_t tree_index) { - u32_to_bytes(&((unsigned char *)addr)[SPX_OFFSET_TREE_INDEX], tree_index ); -} diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/address.h b/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/address.h deleted file mode 100644 index 24a84eb40..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/address.h +++ /dev/null @@ -1,52 +0,0 @@ -#ifndef SPX_ADDRESS_H -#define SPX_ADDRESS_H - -#include - -#include "params.h" - -/* The hash types that are passed to set_type */ -#define SPX_ADDR_TYPE_WOTS 0 -#define SPX_ADDR_TYPE_WOTSPK 1 -#define SPX_ADDR_TYPE_HASHTREE 2 -#define SPX_ADDR_TYPE_FORSTREE 3 -#define SPX_ADDR_TYPE_FORSPK 4 -#define SPX_ADDR_TYPE_WOTSPRF 5 -#define SPX_ADDR_TYPE_FORSPRF 6 - -#define set_layer_addr SPX_NAMESPACE(set_layer_addr) -void set_layer_addr(uint32_t addr[8], uint32_t layer); - -#define set_tree_addr SPX_NAMESPACE(set_tree_addr) -void set_tree_addr(uint32_t addr[8], uint64_t tree); - -#define set_type SPX_NAMESPACE(set_type) -void set_type(uint32_t addr[8], uint32_t type); - -/* Copies the layer and tree part of one address into the other */ -#define copy_subtree_addr SPX_NAMESPACE(copy_subtree_addr) -void copy_subtree_addr(uint32_t out[8], const uint32_t in[8]); - -/* These functions are used for WOTS and FORS addresses. */ - -#define set_keypair_addr SPX_NAMESPACE(set_keypair_addr) -void set_keypair_addr(uint32_t addr[8], uint32_t keypair); - -#define set_chain_addr SPX_NAMESPACE(set_chain_addr) -void set_chain_addr(uint32_t addr[8], uint32_t chain); - -#define set_hash_addr SPX_NAMESPACE(set_hash_addr) -void set_hash_addr(uint32_t addr[8], uint32_t hash); - -#define copy_keypair_addr SPX_NAMESPACE(copy_keypair_addr) -void copy_keypair_addr(uint32_t out[8], const uint32_t in[8]); - -/* These functions are used for all hash tree addresses (including FORS). */ - -#define set_tree_height SPX_NAMESPACE(set_tree_height) -void set_tree_height(uint32_t addr[8], uint32_t tree_height); - -#define set_tree_index SPX_NAMESPACE(set_tree_index) -void set_tree_index(uint32_t addr[8], uint32_t tree_index); - -#endif diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/api.h b/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/api.h deleted file mode 100644 index 3d21ff3df..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/api.h +++ /dev/null @@ -1,77 +0,0 @@ -#ifndef PQCLEAN_SPHINCSSHAKE256FSIMPLE_AARCH64_API_H -#define PQCLEAN_SPHINCSSHAKE256FSIMPLE_AARCH64_API_H - -#include -#include - -#define PQCLEAN_SPHINCSSHAKE256FSIMPLE_AARCH64_CRYPTO_ALGNAME "SPHINCS+-shake-256f-simple" - -#define PQCLEAN_SPHINCSSHAKE256FSIMPLE_AARCH64_CRYPTO_SECRETKEYBYTES 128 -#define PQCLEAN_SPHINCSSHAKE256FSIMPLE_AARCH64_CRYPTO_PUBLICKEYBYTES 64 -#define PQCLEAN_SPHINCSSHAKE256FSIMPLE_AARCH64_CRYPTO_BYTES 49856 - -#define PQCLEAN_SPHINCSSHAKE256FSIMPLE_AARCH64_CRYPTO_SEEDBYTES 96 - -/* - * Returns the length of a secret key, in bytes - */ -size_t PQCLEAN_SPHINCSSHAKE256FSIMPLE_AARCH64_crypto_sign_secretkeybytes(void); - -/* - * Returns the length of a public key, in bytes - */ -size_t PQCLEAN_SPHINCSSHAKE256FSIMPLE_AARCH64_crypto_sign_publickeybytes(void); - -/* - * Returns the length of a signature, in bytes - */ -size_t PQCLEAN_SPHINCSSHAKE256FSIMPLE_AARCH64_crypto_sign_bytes(void); - -/* - * Returns the length of the seed required to generate a key pair, in bytes - */ -size_t PQCLEAN_SPHINCSSHAKE256FSIMPLE_AARCH64_crypto_sign_seedbytes(void); - -/* - * Generates a SPHINCS+ key pair given a seed. - * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root] - * Format pk: [root || PUB_SEED] - */ -int PQCLEAN_SPHINCSSHAKE256FSIMPLE_AARCH64_crypto_sign_seed_keypair(uint8_t *pk, uint8_t *sk, - const uint8_t *seed); - -/* - * Generates a SPHINCS+ key pair. - * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root] - * Format pk: [root || PUB_SEED] - */ -int PQCLEAN_SPHINCSSHAKE256FSIMPLE_AARCH64_crypto_sign_keypair(uint8_t *pk, uint8_t *sk); - -/** - * Returns an array containing a detached signature. - */ -int PQCLEAN_SPHINCSSHAKE256FSIMPLE_AARCH64_crypto_sign_signature(uint8_t *sig, size_t *siglen, - const uint8_t *m, size_t mlen, - const uint8_t *sk); - -/** - * Verifies a detached signature and message under a given public key. - */ -int PQCLEAN_SPHINCSSHAKE256FSIMPLE_AARCH64_crypto_sign_verify(const uint8_t *sig, size_t siglen, - const uint8_t *m, size_t mlen, - const uint8_t *pk); - -/** - * Returns an array containing the signature followed by the message. - */ -int PQCLEAN_SPHINCSSHAKE256FSIMPLE_AARCH64_crypto_sign(uint8_t *sm, size_t *smlen, - const uint8_t *m, size_t mlen, - const uint8_t *sk); - -/** - * Verifies a given signature-message pair under a given public key. - */ -int PQCLEAN_SPHINCSSHAKE256FSIMPLE_AARCH64_crypto_sign_open(uint8_t *m, size_t *mlen, - const uint8_t *sm, size_t smlen, - const uint8_t *pk); -#endif diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/context.h b/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/context.h deleted file mode 100644 index 6e0a33f3b..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/context.h +++ /dev/null @@ -1,19 +0,0 @@ -#ifndef SPX_CONTEXT_H -#define SPX_CONTEXT_H - -#include - -#include "params.h" - -typedef struct { - uint8_t pub_seed[SPX_N]; - uint8_t sk_seed[SPX_N]; -} spx_ctx; - -#define initialize_hash_function SPX_NAMESPACE(initialize_hash_function) -void initialize_hash_function(spx_ctx *ctx); - -#define free_hash_function SPX_NAMESPACE(free_hash_function) -void free_hash_function(spx_ctx *ctx); - -#endif diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/context_shake.c b/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/context_shake.c deleted file mode 100644 index 9614a103d..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/context_shake.c +++ /dev/null @@ -1,12 +0,0 @@ -#include "context.h" - -/* For SHAKE256, there is no immediate reason to initialize at the start, - so this function is an empty operation. */ -void initialize_hash_function(spx_ctx *ctx) { - (void)ctx; /* Suppress an 'unused parameter' warning. */ -} - -// in case the hash function api is heap-based. -void free_hash_function(spx_ctx *ctx) { - (void)ctx; -} diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/f1600x2.h b/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/f1600x2.h deleted file mode 100644 index 70d1af9f1..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/f1600x2.h +++ /dev/null @@ -1,11 +0,0 @@ -#ifndef SPX_F1600X2_H -#define SPX_F1600X2_H - -#include - -extern uint64_t f1600_RC[24]; -extern void _f1600x2(uint64_t *a, uint64_t *rc); - -#define f1600x2(s) do {_f1600x2((s), f1600_RC);} while(0) - -#endif diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/f1600x2.s b/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/f1600x2.s deleted file mode 100644 index 640ed791e..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/f1600x2.s +++ /dev/null @@ -1,143 +0,0 @@ -# From https://github.com/bwesterb/armed-keccak - -.macro round - # Execute theta, but without xoring into the state yet. - # Compute parities p[i] = a[i] ^ a[5+i] ^ ... ^ a[20+i]. - eor3.16b v25, v0, v5, v10 - eor3.16b v26, v1, v6, v11 - eor3.16b v27, v2, v7, v12 - eor3.16b v28, v3, v8, v13 - eor3.16b v29, v4, v9, v14 - - eor3.16b v25, v25, v15, v20 - eor3.16b v26, v26, v16, v21 - eor3.16b v27, v27, v17, v22 - eor3.16b v28, v28, v18, v23 - eor3.16b v29, v29, v19, v24 - - # d[0] = rotl(p[1], 1) ^ p[4] - rax1.2d v30, v29, v26 - # d[3] = rotl(p[4], 1) ^ p[2] - rax1.2d v29, v27, v29 - # d[1] = rotl(p[2], 1) ^ p[0] - rax1.2d v27, v25, v27 - # d[4] = rotl(p[0], 1) ^ p[3] - rax1.2d v25, v28, v25 - # d[2] = rotl(p[3], 1) ^ p[1] - rax1.2d v28, v26, v28 - - # Xor parities from step theta into the state at the same time - # as executing rho and pi. - eor.16b v0, v0, v30 - mov.16b v31, v1 - xar.2d v1, v6, v27, 20 - xar.2d v6, v9, v25, 44 - xar.2d v9, v22, v28, 3 - xar.2d v22, v14, v25, 25 - xar.2d v14, v20, v30, 46 - xar.2d v20, v2, v28, 2 - xar.2d v2, v12, v28, 21 - xar.2d v12, v13, v29, 39 - xar.2d v13, v19, v25, 56 - xar.2d v19, v23, v29, 8 - xar.2d v23, v15, v30, 23 - xar.2d v15, v4, v25, 37 - xar.2d v4, v24, v25, 50 - xar.2d v24, v21, v27, 62 - xar.2d v21, v8, v29, 9 - xar.2d v8, v16, v27, 19 - xar.2d v16, v5, v30, 28 - xar.2d v5, v3, v29, 36 - xar.2d v3, v18, v29, 43 - xar.2d v18, v17, v28, 49 - xar.2d v17, v11, v27, 54 - xar.2d v11, v7, v28, 58 - xar.2d v7, v10, v30, 61 - xar.2d v10, v31, v27, 63 - - # Chi - bcax.16b v25, v0, v2, v1 - bcax.16b v26, v1, v3, v2 - bcax.16b v2, v2, v4, v3 - bcax.16b v3, v3, v0, v4 - bcax.16b v4, v4, v1, v0 - mov.16b v0, v25 - mov.16b v1, v26 - - bcax.16b v25, v5, v7, v6 - bcax.16b v26, v6, v8, v7 - bcax.16b v7, v7, v9, v8 - bcax.16b v8, v8, v5, v9 - bcax.16b v9, v9, v6, v5 - mov.16b v5, v25 - mov.16b v6, v26 - - bcax.16b v25, v10, v12, v11 - bcax.16b v26, v11, v13, v12 - bcax.16b v12, v12, v14, v13 - bcax.16b v13, v13, v10, v14 - bcax.16b v14, v14, v11, v10 - mov.16b v10, v25 - mov.16b v11, v26 - - bcax.16b v25, v15, v17, v16 - bcax.16b v26, v16, v18, v17 - bcax.16b v17, v17, v19, v18 - bcax.16b v18, v18, v15, v19 - bcax.16b v19, v19, v16, v15 - mov.16b v15, v25 - mov.16b v16, v26 - - bcax.16b v25, v20, v22, v21 - bcax.16b v26, v21, v23, v22 - bcax.16b v22, v22, v24, v23 - bcax.16b v23, v23, v20, v24 - bcax.16b v24, v24, v21, v20 - mov.16b v20, v25 - mov.16b v21, v26 - - # iota - ld1r {v25.2d}, [x1], #8 - eor.16b v0, v0, v25 -.endm - -.align 4 -.global __f1600x2 -__f1600x2: - stp d8, d9, [sp,#-16]! - stp d10, d11, [sp,#-16]! - stp d12, d13, [sp,#-16]! - stp d14, d15, [sp,#-16]! - - mov x2, x0 - mov x3, #24 - - ld1.2d {v0, v1, v2, v3}, [x0], #64 - ld1.2d {v4, v5, v6, v7}, [x0], #64 - ld1.2d {v8, v9, v10, v11}, [x0], #64 - ld1.2d {v12, v13, v14, v15}, [x0], #64 - ld1.2d {v16, v17, v18, v19}, [x0], #64 - ld1.2d {v20, v21, v22, v23}, [x0], #64 - ld1.2d {v24}, [x0] - -loop: - round - - subs x3, x3, #1 - cbnz x3, loop - - mov x0, x2 - st1.2d {v0, v1, v2, v3}, [x0], #64 - st1.2d {v4, v5, v6, v7}, [x0], #64 - st1.2d {v8, v9, v10, v11}, [x0], #64 - st1.2d {v12, v13, v14, v15}, [x0], #64 - st1.2d {v16, v17, v18, v19}, [x0], #64 - st1.2d {v20, v21, v22, v23}, [x0], #64 - st1.2d {v24}, [x0] - - ldp d14, d15, [sp], #16 - ldp d12, d13, [sp], #16 - ldp d10, d11, [sp], #16 - ldp d8, d9, [sp], #16 - - ret lr diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/f1600x2_const.c b/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/f1600x2_const.c deleted file mode 100644 index e49c0ba14..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/f1600x2_const.c +++ /dev/null @@ -1,30 +0,0 @@ -#include "f1600x2.h" - -uint64_t f1600_RC[24] = { - 0x0000000000000001, - 0x0000000000008082, - 0x800000000000808A, - 0x8000000080008000, - 0x000000000000808B, - 0x0000000080000001, - 0x8000000080008081, - 0x8000000000008009, - 0x000000000000008A, - 0x0000000000000088, - 0x0000000080008009, - 0x000000008000000A, - 0x000000008000808B, - 0x800000000000008B, - 0x8000000000008089, - 0x8000000000008003, - 0x8000000000008002, - 0x8000000000000080, - 0x000000000000800A, - 0x800000008000000A, - 0x8000000080008081, - 0x8000000000008080, - 0x0000000080000001, - 0x8000000080008008, -}; - - diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/fips202x2.c b/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/fips202x2.c deleted file mode 100644 index 4718c343b..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/fips202x2.c +++ /dev/null @@ -1,148 +0,0 @@ -#include -#include - -#include "fips202x2.h" -#include "f1600x2.h" -#include "fips202.h" - -uint64_t load64(const unsigned char *x) { - unsigned long long r = 0, i; - - for (i = 0; i < 8; ++i) { - r |= (unsigned long long)x[i] << 8 * i; - } - return r; -} - -void store64(uint8_t *x, uint64_t u) { - unsigned int i; - - for (i = 0; i < 8; ++i) { - x[i] = (uint8_t)u; - u >>= 8; - } -} - -static void keccak_absorb2x(uint64_t *s, - unsigned int r, - const unsigned char *m0, - const unsigned char *m1, - unsigned long long int mlen, - unsigned char p) { - unsigned long long i; - unsigned char t0[200]; - unsigned char t1[200]; - - while (mlen >= r) { - for (i = 0; i < r / 8; ++i) { - s[2 * i + 0] ^= load64(m0 + 8 * i); - s[2 * i + 1] ^= load64(m1 + 8 * i); - } - - f1600x2(s); - mlen -= r; - m0 += r; - m1 += r; - } - - for (i = 0; i < r; ++i) { - t0[i] = 0; - t1[i] = 0; - } - for (i = 0; i < mlen; ++i) { - t0[i] = m0[i]; - t1[i] = m1[i]; - } - - t0[i] = p; - t1[i] = p; - - t0[r - 1] |= 128; - t1[r - 1] |= 128; - - for (i = 0; i < r / 8; ++i) { - s[2 * i + 0] ^= load64(t0 + 8 * i); - s[2 * i + 1] ^= load64(t1 + 8 * i); - } -} - - -static void keccak_squeezeblocks2x(unsigned char *h0, - unsigned char *h1, - unsigned long long int nblocks, - uint64_t *s, - unsigned int r) { - unsigned int i; - - while (nblocks > 0) { - f1600x2(s); - for (i = 0; i < (r >> 3); i++) { - store64(h0 + 8 * i, s[2 * i + 0]); - store64(h1 + 8 * i, s[2 * i + 1]); - } - h0 += r; - h1 += r; - nblocks--; - } -} - - - -void shake128x2(unsigned char *out0, - unsigned char *out1, - unsigned long long outlen, - unsigned char *in0, - unsigned char *in1, - unsigned long long inlen) { - uint64_t s[50] = {0}; - unsigned char t0[SHAKE128_RATE]; - unsigned char t1[SHAKE128_RATE]; - unsigned int i; - - /* absorb 4 message of identical length in parallel */ - keccak_absorb2x(s, SHAKE128_RATE, in0, in1, inlen, 0x1F); - - /* Squeeze output */ - keccak_squeezeblocks2x(out0, out1, outlen / SHAKE128_RATE, s, SHAKE128_RATE); - - out0 += (outlen / SHAKE128_RATE) * SHAKE128_RATE; - out1 += (outlen / SHAKE128_RATE) * SHAKE128_RATE; - - if (outlen % SHAKE128_RATE) { - keccak_squeezeblocks2x(t0, t1, 1, s, SHAKE128_RATE); - for (i = 0; i < outlen % SHAKE128_RATE; i++) { - out0[i] = t0[i]; - out1[i] = t1[i]; - } - } -} - - -void shake256x2(unsigned char *out0, - unsigned char *out1, - unsigned long long outlen, - unsigned char *in0, - unsigned char *in1, - unsigned long long inlen) { - uint64_t s[50] = {0}; - unsigned char t0[SHAKE256_RATE]; - unsigned char t1[SHAKE256_RATE]; - unsigned int i; - - /* absorb 2 message of identical length in parallel */ - keccak_absorb2x(s, SHAKE256_RATE, in0, in1, inlen, 0x1F); - - /* Squeeze output */ - keccak_squeezeblocks2x(out0, out1, outlen / SHAKE256_RATE, s, SHAKE256_RATE); - - out0 += (outlen / SHAKE256_RATE) * SHAKE256_RATE; - out1 += (outlen / SHAKE256_RATE) * SHAKE256_RATE; - - if (outlen % SHAKE256_RATE) { - keccak_squeezeblocks2x(t0, t1, 1, s, SHAKE256_RATE); - for (i = 0; i < outlen % SHAKE256_RATE; i++) { - out0[i] = t0[i]; - out1[i] = t1[i]; - } - } -} diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/fips202x2.h b/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/fips202x2.h deleted file mode 100644 index 7ba58b35d..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/fips202x2.h +++ /dev/null @@ -1,24 +0,0 @@ -#ifndef SPX_FIPS202X2_H -#define SPX_FIPS202X2_H - -#include - -uint64_t load64(const unsigned char *x); -void store64(uint8_t *x, uint64_t u); - - -void shake128x2(unsigned char *out0, - unsigned char *out1, - unsigned long long outlen, - unsigned char *in0, - unsigned char *in1, - unsigned long long inlen); - -void shake256x2(unsigned char *out0, - unsigned char *out1, - unsigned long long outlen, - unsigned char *in0, - unsigned char *in1, - unsigned long long inlen); - -#endif diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/fors.c b/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/fors.c deleted file mode 100644 index 39193d04e..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/fors.c +++ /dev/null @@ -1,191 +0,0 @@ -#include -#include -#include - -#include "fors.h" - -#include "address.h" -#include "hash.h" -#include "hashx2.h" -#include "thash.h" -#include "thashx2.h" -#include "utils.h" -#include "utilsx2.h" - -static void fors_gen_sk(unsigned char *sk, const spx_ctx *ctx, - uint32_t fors_leaf_addr[8]) { - prf_addr(sk, ctx, fors_leaf_addr); -} - -static void fors_gen_skx2(unsigned char *sk0, - unsigned char *sk1, - const spx_ctx *ctx, - uint32_t fors_leaf_addrx2[2 * 8]) { - prf_addrx2(sk0, sk1, - ctx, fors_leaf_addrx2); -} - -static void fors_sk_to_leaf(unsigned char *leaf, const unsigned char *sk, - const spx_ctx *ctx, - uint32_t fors_leaf_addr[8]) { - thash(leaf, sk, 1, ctx, fors_leaf_addr); -} - -static void fors_sk_to_leafx2(unsigned char *leaf0, - unsigned char *leaf1, - const unsigned char *sk0, - const unsigned char *sk1, - const spx_ctx *ctx, - uint32_t fors_leaf_addrx2[2 * 8]) { - thashx2(leaf0, leaf1, - sk0, sk1, - 1, ctx, fors_leaf_addrx2); -} - -struct fors_gen_leaf_info { - uint32_t leaf_addrx[2 * 8]; -}; - -static void fors_gen_leafx2(unsigned char *leaf, - const spx_ctx *ctx, - uint32_t addr_idx, void *info) { - struct fors_gen_leaf_info *fors_info = info; - uint32_t *fors_leaf_addrx2 = fors_info->leaf_addrx; - unsigned int j; - - /* Only set the parts that the caller doesn't set */ - for (j = 0; j < 2; j++) { - set_tree_index(fors_leaf_addrx2 + j * 8, addr_idx + j); - set_type(fors_leaf_addrx2 + j * 8, SPX_ADDR_TYPE_FORSPRF); - } - - fors_gen_skx2(leaf + 0 * SPX_N, - leaf + 1 * SPX_N, - ctx, fors_leaf_addrx2); - - for (j = 0; j < 2; j++) { - set_type(fors_leaf_addrx2 + j * 8, SPX_ADDR_TYPE_FORSTREE); - } - - fors_sk_to_leafx2(leaf + 0 * SPX_N, - leaf + 1 * SPX_N, - leaf + 0 * SPX_N, - leaf + 1 * SPX_N, - ctx, fors_leaf_addrx2); -} - -/** - * Interprets m as SPX_FORS_HEIGHT-bit unsigned integers. - * Assumes m contains at least SPX_FORS_HEIGHT * SPX_FORS_TREES bits. - * Assumes indices has space for SPX_FORS_TREES integers. - */ -static void message_to_indices(uint32_t *indices, const unsigned char *m) { - unsigned int i, j; - unsigned int offset = 0; - - for (i = 0; i < SPX_FORS_TREES; i++) { - indices[i] = 0; - for (j = 0; j < SPX_FORS_HEIGHT; j++) { - indices[i] ^= (uint32_t)(((m[offset >> 3] >> (offset & 0x7)) & 0x1) << j); - offset++; - } - } -} - -/** - * Signs a message m, deriving the secret key from sk_seed and the FTS address. - * Assumes m contains at least SPX_FORS_HEIGHT * SPX_FORS_TREES bits. - */ -void fors_sign(unsigned char *sig, unsigned char *pk, - const unsigned char *m, - const spx_ctx *ctx, - const uint32_t fors_addr[8]) { - uint32_t indices[SPX_FORS_TREES]; - unsigned char roots[SPX_FORS_TREES * SPX_N]; - uint32_t fors_tree_addr[2 * 8] = {0}; - struct fors_gen_leaf_info fors_info = {0}; - uint32_t *fors_leaf_addr = fors_info.leaf_addrx; - uint32_t fors_pk_addr[8] = {0}; - uint32_t idx_offset; - unsigned int i; - - for (i = 0; i < 2; i++) { - copy_keypair_addr(fors_tree_addr + 8 * i, fors_addr); - set_type(fors_tree_addr + 8 * i, SPX_ADDR_TYPE_FORSTREE); - copy_keypair_addr(fors_leaf_addr + 8 * i, fors_addr); - } - copy_keypair_addr(fors_pk_addr, fors_addr); - set_type(fors_pk_addr, SPX_ADDR_TYPE_FORSPK); - - message_to_indices(indices, m); - - for (i = 0; i < SPX_FORS_TREES; i++) { - idx_offset = i * (1 << SPX_FORS_HEIGHT); - - set_tree_height(fors_tree_addr, 0); - set_tree_index(fors_tree_addr, indices[i] + idx_offset); - - /* Include the secret key part that produces the selected leaf node. */ - set_type(fors_tree_addr, SPX_ADDR_TYPE_FORSPRF); - fors_gen_sk(sig, ctx, fors_tree_addr); - set_type(fors_tree_addr, SPX_ADDR_TYPE_FORSTREE); - sig += SPX_N; - - /* Compute the authentication path for this leaf node. */ - treehashx2(roots + i * SPX_N, sig, ctx, - indices[i], idx_offset, SPX_FORS_HEIGHT, fors_gen_leafx2, - fors_tree_addr, &fors_info); - - sig += SPX_N * SPX_FORS_HEIGHT; - } - - /* Hash horizontally across all tree roots to derive the public key. */ - thash(pk, roots, SPX_FORS_TREES, ctx, fors_pk_addr); -} - -/** - * Derives the FORS public key from a signature. - * This can be used for verification by comparing to a known public key, or to - * subsequently verify a signature on the derived public key. The latter is the - * typical use-case when used as an FTS below an OTS in a hypertree. - * Assumes m contains at least SPX_FORS_HEIGHT * SPX_FORS_TREES bits. - */ -void fors_pk_from_sig(unsigned char *pk, - const unsigned char *sig, const unsigned char *m, - const spx_ctx *ctx, - const uint32_t fors_addr[8]) { - uint32_t indices[SPX_FORS_TREES]; - unsigned char roots[SPX_FORS_TREES * SPX_N]; - unsigned char leaf[SPX_N]; - uint32_t fors_tree_addr[8] = {0}; - uint32_t fors_pk_addr[8] = {0}; - uint32_t idx_offset; - unsigned int i; - - copy_keypair_addr(fors_tree_addr, fors_addr); - copy_keypair_addr(fors_pk_addr, fors_addr); - - set_type(fors_tree_addr, SPX_ADDR_TYPE_FORSTREE); - set_type(fors_pk_addr, SPX_ADDR_TYPE_FORSPK); - - message_to_indices(indices, m); - - for (i = 0; i < SPX_FORS_TREES; i++) { - idx_offset = i * (1 << SPX_FORS_HEIGHT); - - set_tree_height(fors_tree_addr, 0); - set_tree_index(fors_tree_addr, indices[i] + idx_offset); - - /* Derive the leaf from the included secret key part. */ - fors_sk_to_leaf(leaf, sig, ctx, fors_tree_addr); - sig += SPX_N; - - /* Derive the corresponding root node of this tree. */ - compute_root(roots + i * SPX_N, leaf, indices[i], idx_offset, - sig, SPX_FORS_HEIGHT, ctx, fors_tree_addr); - sig += SPX_N * SPX_FORS_HEIGHT; - } - - /* Hash horizontally across all tree roots to derive the public key. */ - thash(pk, roots, SPX_FORS_TREES, ctx, fors_pk_addr); -} diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/fors.h b/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/fors.h deleted file mode 100644 index 509140a17..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/fors.h +++ /dev/null @@ -1,32 +0,0 @@ -#ifndef SPX_FORS_H -#define SPX_FORS_H - -#include - -#include "context.h" -#include "params.h" - -/** - * Signs a message m, deriving the secret key from sk_seed and the FTS address. - * Assumes m contains at least SPX_FORS_HEIGHT * SPX_FORS_TREES bits. - */ -#define fors_sign SPX_NAMESPACE(fors_sign) -void fors_sign(unsigned char *sig, unsigned char *pk, - const unsigned char *m, - const spx_ctx *ctx, - const uint32_t fors_addr[8]); - -/** - * Derives the FORS public key from a signature. - * This can be used for verification by comparing to a known public key, or to - * subsequently verify a signature on the derived public key. The latter is the - * typical use-case when used as an FTS below an OTS in a hypertree. - * Assumes m contains at least SPX_FORS_HEIGHT * SPX_FORS_TREES bits. - */ -#define fors_pk_from_sig SPX_NAMESPACE(fors_pk_from_sig) -void fors_pk_from_sig(unsigned char *pk, - const unsigned char *sig, const unsigned char *m, - const spx_ctx *ctx, - const uint32_t fors_addr[8]); - -#endif diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/hash.h b/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/hash.h deleted file mode 100644 index f7c87d4c3..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/hash.h +++ /dev/null @@ -1,28 +0,0 @@ -#ifndef SPX_HASH_H -#define SPX_HASH_H - -#include -#include - -#include "context.h" -#include "params.h" - -#define prf_addr SPX_NAMESPACE(prf_addr) -void prf_addr(unsigned char *out, const spx_ctx *ctx, - const uint32_t addr[8]); - -#define gen_message_random SPX_NAMESPACE(gen_message_random) -void gen_message_random(unsigned char *R, const unsigned char *sk_prf, - const unsigned char *optrand, - const unsigned char *m, size_t mlen, - const spx_ctx *ctx); - -#define hash_message SPX_NAMESPACE(hash_message) -void hash_message(unsigned char *digest, uint64_t *tree, uint32_t *leaf_idx, - const unsigned char *R, const unsigned char *pk, - const unsigned char *m, size_t mlen, - const spx_ctx *ctx); - - - -#endif diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/hash_shake.c b/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/hash_shake.c deleted file mode 100644 index ff5e7ec91..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/hash_shake.c +++ /dev/null @@ -1,83 +0,0 @@ -#include -#include - -#include "hash.h" - -#include "address.h" -#include "fips202.h" -#include "params.h" -#include "utils.h" - -/* - * Computes PRF(pk_seed, sk_seed, addr) - */ -void prf_addr(unsigned char *out, const spx_ctx *ctx, - const uint32_t addr[8]) { - unsigned char buf[2 * SPX_N + SPX_ADDR_BYTES]; - - memcpy(buf, ctx->pub_seed, SPX_N); - memcpy(buf + SPX_N, addr, SPX_ADDR_BYTES); - memcpy(buf + SPX_N + SPX_ADDR_BYTES, ctx->sk_seed, SPX_N); - - shake256(out, SPX_N, buf, 2 * SPX_N + SPX_ADDR_BYTES); -} - -/** - * Computes the message-dependent randomness R, using a secret seed and an - * optional randomization value as well as the message. - */ -void gen_message_random(unsigned char *R, const unsigned char *sk_prf, - const unsigned char *optrand, - const unsigned char *m, size_t mlen, - const spx_ctx *ctx) { - (void)ctx; - shake256incctx s_inc; - - shake256_inc_init(&s_inc); - shake256_inc_absorb(&s_inc, sk_prf, SPX_N); - shake256_inc_absorb(&s_inc, optrand, SPX_N); - shake256_inc_absorb(&s_inc, m, mlen); - shake256_inc_finalize(&s_inc); - shake256_inc_squeeze(R, SPX_N, &s_inc); - shake256_inc_ctx_release(&s_inc); -} - -/** - * Computes the message hash using R, the public key, and the message. - * Outputs the message digest and the index of the leaf. The index is split in - * the tree index and the leaf index, for convenient copying to an address. - */ -void hash_message(unsigned char *digest, uint64_t *tree, uint32_t *leaf_idx, - const unsigned char *R, const unsigned char *pk, - const unsigned char *m, size_t mlen, - const spx_ctx *ctx) { - (void)ctx; -#define SPX_TREE_BITS (SPX_TREE_HEIGHT * (SPX_D - 1)) -#define SPX_TREE_BYTES ((SPX_TREE_BITS + 7) / 8) -#define SPX_LEAF_BITS SPX_TREE_HEIGHT -#define SPX_LEAF_BYTES ((SPX_LEAF_BITS + 7) / 8) -#define SPX_DGST_BYTES (SPX_FORS_MSG_BYTES + SPX_TREE_BYTES + SPX_LEAF_BYTES) - - unsigned char buf[SPX_DGST_BYTES]; - unsigned char *bufp = buf; - shake256incctx s_inc; - - shake256_inc_init(&s_inc); - shake256_inc_absorb(&s_inc, R, SPX_N); - shake256_inc_absorb(&s_inc, pk, SPX_PK_BYTES); - shake256_inc_absorb(&s_inc, m, mlen); - shake256_inc_finalize(&s_inc); - shake256_inc_squeeze(buf, SPX_DGST_BYTES, &s_inc); - shake256_inc_ctx_release(&s_inc); - - memcpy(digest, bufp, SPX_FORS_MSG_BYTES); - bufp += SPX_FORS_MSG_BYTES; - - - *tree = bytes_to_ull(bufp, SPX_TREE_BYTES); - *tree &= (~(uint64_t)0) >> (64 - SPX_TREE_BITS); - bufp += SPX_TREE_BYTES; - - *leaf_idx = (uint32_t)bytes_to_ull(bufp, SPX_LEAF_BYTES); - *leaf_idx &= (~(uint32_t)0) >> (32 - SPX_LEAF_BITS); -} diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/hash_shakex2.c b/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/hash_shakex2.c deleted file mode 100644 index 99571916a..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/hash_shakex2.c +++ /dev/null @@ -1,52 +0,0 @@ -#include -#include - -#include "hashx2.h" - -#include "address.h" -#include "f1600x2.h" -#include "fips202x2.h" -#include "params.h" - -/* - * 2-way parallel version of prf_addr; takes 2x as much input and output - */ -void prf_addrx2(unsigned char *out0, - unsigned char *out1, - const spx_ctx *ctx, - const uint32_t addrx2[2 * 8]) { - /* As we write and read only a few quadwords, it is more efficient to - * build and extract from the fourway SHAKE256 state by hand. */ - uint64_t state[50] = {0}; - - for (int i = 0; i < SPX_N / 8; i++) { - uint64_t x = load64(ctx->pub_seed + 8 * i); - state[2 * i] = x; - state[2 * i + 1] = x; - } - for (int i = 0; i < 4; i++) { - state[2 * (SPX_N / 8 + i)] = (((uint64_t)addrx2[1 + 2 * i]) << 32) - | (uint64_t)addrx2[2 * i]; - state[2 * (SPX_N / 8 + i) + 1] = (((uint64_t)addrx2[8 + 1 + 2 * i]) << 32) - | (uint64_t)addrx2[8 + 2 * i]; - } - for (int i = 0; i < SPX_N / 8; i++) { - uint64_t x = load64(ctx->sk_seed + 8 * i); - state[2 * (SPX_N / 8 + i + 4)] = x; - state[2 * (SPX_N / 8 + i + 4) + 1] = x; - } - - /* SHAKE domain separator and padding. */ - state[2 * (SPX_N / 4 + 4)] = 0x1f; - state[2 * (SPX_N / 4 + 4) + 1] = 0x1f; - - state[2 * 16] = 0x80ULL << 56; - state[2 * 16 + 1] = 0x80ULL << 56; - - f1600x2(state); - - for (int i = 0; i < SPX_N / 8; i++) { - store64(out0 + 8 * i, state[2 * i]); - store64(out1 + 8 * i, state[2 * i + 1]); - } -} diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/hashx2.h b/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/hashx2.h deleted file mode 100644 index 99b8873a9..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/hashx2.h +++ /dev/null @@ -1,14 +0,0 @@ -#ifndef SPX_HASHX2_H -#define SPX_HASHX2_H - -#include "context.h" -#include "params.h" -#include - -#define prf_addrx2 SPX_NAMESPACE(prf_addrx2) -void prf_addrx2(unsigned char *out0, - unsigned char *out1, - const spx_ctx *ctx, - const uint32_t addrx2[2 * 8]); - -#endif diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/merkle.c b/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/merkle.c deleted file mode 100644 index c94ee2393..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/merkle.c +++ /dev/null @@ -1,64 +0,0 @@ -#include -#include - -#include "merkle.h" - -#include "address.h" -#include "params.h" -#include "utils.h" -#include "utilsx2.h" -#include "wots.h" -#include "wotsx2.h" - -/* - * This generates a Merkle signature (WOTS signature followed by the Merkle - * authentication path). - */ -void merkle_sign(uint8_t *sig, unsigned char *root, - const spx_ctx *ctx, - uint32_t wots_addr[8], uint32_t tree_addr[8], - uint32_t idx_leaf) { - unsigned char *auth_path = sig + SPX_WOTS_BYTES; - uint32_t tree_addrx2[2 * 8] = { 0 }; - int j; - struct leaf_info_x2 info = { 0 }; - unsigned steps[ SPX_WOTS_LEN ]; - - info.wots_sig = sig; - chain_lengths(steps, root); - info.wots_steps = steps; - - for (j = 0; j < 2; j++) { - set_type(&tree_addrx2[8 * j], SPX_ADDR_TYPE_HASHTREE); - set_type(&info.leaf_addr[8 * j], SPX_ADDR_TYPE_WOTS); - set_type(&info.pk_addr[8 * j], SPX_ADDR_TYPE_WOTSPK); - copy_subtree_addr(&tree_addrx2[8 * j], tree_addr); - copy_subtree_addr(&info.leaf_addr[8 * j], wots_addr); - copy_subtree_addr(&info.pk_addr[8 * j], wots_addr); - } - - info.wots_sign_leaf = idx_leaf; - - treehashx2(root, auth_path, ctx, - idx_leaf, 0, - SPX_TREE_HEIGHT, - wots_gen_leafx2, - tree_addrx2, &info); -} - -/* Compute root node of the top-most subtree. */ -void merkle_gen_root(unsigned char *root, const spx_ctx *ctx) { - /* We do not need the auth path in key generation, but it simplifies the - code to have just one treehash routine that computes both root and path - in one function. */ - unsigned char auth_path[SPX_TREE_HEIGHT * SPX_N + SPX_WOTS_BYTES]; - uint32_t top_tree_addr[8] = {0}; - uint32_t wots_addr[8] = {0}; - - set_layer_addr(top_tree_addr, SPX_D - 1); - set_layer_addr(wots_addr, SPX_D - 1); - - merkle_sign(auth_path, root, ctx, - wots_addr, top_tree_addr, - ~0 /* ~0 means "don't bother generating an auth path */ ); -} diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/merkle.h b/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/merkle.h deleted file mode 100644 index 769cf2e97..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/merkle.h +++ /dev/null @@ -1,21 +0,0 @@ -#ifndef MERKLE_H_ -#define MERKLE_H_ - -#include - -#include "context.h" -#include "params.h" - -/* Generate a Merkle signature (WOTS signature followed by the Merkle */ -/* authentication path) */ -#define merkle_sign SPX_NAMESPACE(merkle_sign) -void merkle_sign(uint8_t *sig, unsigned char *root, - const spx_ctx *ctx, - uint32_t wots_addr[8], uint32_t tree_addr[8], - uint32_t idx_leaf); - -/* Compute the root node of the top-most subtree. */ -#define merkle_gen_root SPX_NAMESPACE(merkle_gen_root) -void merkle_gen_root(unsigned char *root, const spx_ctx *ctx); - -#endif /* MERKLE_H_ */ diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/nistapi.h b/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/nistapi.h deleted file mode 100644 index 3cb71afad..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/nistapi.h +++ /dev/null @@ -1,87 +0,0 @@ -#ifndef SPX_API_H -#define SPX_API_H - -#include -#include - -#include "params.h" - -#define CRYPTO_ALGNAME "SPHINCS+" - -#define CRYPTO_SECRETKEYBYTES SPX_SK_BYTES -#define CRYPTO_PUBLICKEYBYTES SPX_PK_BYTES -#define CRYPTO_BYTES SPX_BYTES -#define CRYPTO_SEEDBYTES (3*SPX_N) - -/* - * Returns the length of a secret key, in bytes - */ -#define crypto_sign_secretkeybytes SPX_NAMESPACE(crypto_sign_secretkeybytes) -size_t crypto_sign_secretkeybytes(void); - -/* - * Returns the length of a public key, in bytes - */ -#define crypto_sign_publickeybytes SPX_NAMESPACE(crypto_sign_publickeybytes) -size_t crypto_sign_publickeybytes(void); - -/* - * Returns the length of a signature, in bytes - */ -#define crypto_sign_bytes SPX_NAMESPACE(crypto_sign_bytes) -size_t crypto_sign_bytes(void); - -/* - * Returns the length of the seed required to generate a key pair, in bytes - */ -#define crypto_sign_seedbytes SPX_NAMESPACE(crypto_sign_seedbytes) -size_t crypto_sign_seedbytes(void); - -/* - * Generates a SPHINCS+ key pair given a seed. - * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root] - * Format pk: [root || PUB_SEED] - */ -#define crypto_sign_seed_keypair SPX_NAMESPACE(crypto_sign_seed_keypair) -int crypto_sign_seed_keypair(uint8_t *pk, uint8_t *sk, - const uint8_t *seed); - -/* - * Generates a SPHINCS+ key pair. - * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root] - * Format pk: [root || PUB_SEED] - */ -#define crypto_sign_keypair SPX_NAMESPACE(crypto_sign_keypair) -int crypto_sign_keypair(uint8_t *pk, uint8_t *sk); - -/** - * Returns an array containing a detached signature. - */ -#define crypto_sign_signature SPX_NAMESPACE(crypto_sign_signature) -int crypto_sign_signature(uint8_t *sig, size_t *siglen, - const uint8_t *m, size_t mlen, const uint8_t *sk); - -/** - * Verifies a detached signature and message under a given public key. - */ -#define crypto_sign_verify SPX_NAMESPACE(crypto_sign_verify) -int crypto_sign_verify(const uint8_t *sig, size_t siglen, - const uint8_t *m, size_t mlen, const uint8_t *pk); - -/** - * Returns an array containing the signature followed by the message. - */ -#define crypto_sign SPX_NAMESPACE(crypto_sign) -int crypto_sign(uint8_t *sm, size_t *smlen, - const uint8_t *m, size_t mlen, - const uint8_t *sk); - -/** - * Verifies a given signature-message pair under a given public key. - */ -#define crypto_sign_open SPX_NAMESPACE(crypto_sign_open) -int crypto_sign_open(uint8_t *m, size_t *mlen, - const uint8_t *sm, size_t smlen, - const uint8_t *pk); - -#endif diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/params.h b/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/params.h deleted file mode 100644 index 218f392da..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/params.h +++ /dev/null @@ -1,56 +0,0 @@ -#ifndef SPX_PARAMS_H -#define SPX_PARAMS_H - -#define SPX_NAMESPACE(s) PQCLEAN_SPHINCSSHAKE256FSIMPLE_AARCH64_##s - -/* Hash output length in bytes. */ -#define SPX_N 32 -/* Height of the hypertree. */ -#define SPX_FULL_HEIGHT 68 -/* Number of subtree layer. */ -#define SPX_D 17 -/* FORS tree dimensions. */ -#define SPX_FORS_HEIGHT 9 -#define SPX_FORS_TREES 35 -/* Winternitz parameter, */ -#define SPX_WOTS_W 16 - -/* The hash function is defined by linking a different hash.c file, as opposed - to setting a #define constant. */ - -/* For clarity */ -#define SPX_ADDR_BYTES 32 - -/* WOTS parameters. */ -#define SPX_WOTS_LOGW 4 - -#define SPX_WOTS_LEN1 (8 * SPX_N / SPX_WOTS_LOGW) - -/* SPX_WOTS_LEN2 is floor(log(len_1 * (w - 1)) / log(w)) + 1; we precompute */ -#define SPX_WOTS_LEN2 3 - -#define SPX_WOTS_LEN (SPX_WOTS_LEN1 + SPX_WOTS_LEN2) -#define SPX_WOTS_BYTES (SPX_WOTS_LEN * SPX_N) -#define SPX_WOTS_PK_BYTES SPX_WOTS_BYTES - -/* Subtree size. */ -#define SPX_TREE_HEIGHT (SPX_FULL_HEIGHT / SPX_D) - -//#if SPX_TREE_HEIGHT * SPX_D != SPX_FULL_HEIGHT -// #error SPX_D should always divide SPX_FULL_HEIGHT -//#endif - -/* FORS parameters. */ -#define SPX_FORS_MSG_BYTES ((SPX_FORS_HEIGHT * SPX_FORS_TREES + 7) / 8) -#define SPX_FORS_BYTES ((SPX_FORS_HEIGHT + 1) * SPX_FORS_TREES * SPX_N) -#define SPX_FORS_PK_BYTES SPX_N - -/* Resulting SPX sizes. */ -#define SPX_BYTES (SPX_N + SPX_FORS_BYTES + SPX_D * SPX_WOTS_BYTES +\ - SPX_FULL_HEIGHT * SPX_N) -#define SPX_PK_BYTES (2 * SPX_N) -#define SPX_SK_BYTES (2 * SPX_N + SPX_PK_BYTES) - -#include "shake_offsets.h" - -#endif diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/shake_offsets.h b/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/shake_offsets.h deleted file mode 100644 index 6b28d95d9..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/shake_offsets.h +++ /dev/null @@ -1,21 +0,0 @@ -#ifndef SHAKE_OFFSETS_H_ -#define SHAKE_OFFSETS_H_ - -/* - * Offsets of various fields in the address structure when we use SHAKE as - * the Sphincs+ hash function - */ - -#define SPX_OFFSET_LAYER 3 /* The byte used to specify the Merkle tree layer */ -#define SPX_OFFSET_TREE 8 /* The start of the 8 byte field used to specify the tree */ -#define SPX_OFFSET_TYPE 19 /* The byte used to specify the hash type (reason) */ -#define SPX_OFFSET_KP_ADDR2 22 /* The high byte used to specify the key pair (which one-time signature) */ -#define SPX_OFFSET_KP_ADDR1 23 /* The low byte used to specify the key pair */ -#define SPX_OFFSET_CHAIN_ADDR 27 /* The byte used to specify the chain address (which Winternitz chain) */ -#define SPX_OFFSET_HASH_ADDR 31 /* The byte used to specify the hash address (where in the Winternitz chain) */ -#define SPX_OFFSET_TREE_HGT 27 /* The byte used to specify the height of this node in the FORS or Merkle tree */ -#define SPX_OFFSET_TREE_INDEX 28 /* The start of the 4 byte field used to specify the node in the FORS or Merkle tree */ - -#define SPX_SHAKE 1 - -#endif /* SHAKE_OFFSETS_H_ */ diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/sign.c b/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/sign.c deleted file mode 100644 index 9d0c7d1b2..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/sign.c +++ /dev/null @@ -1,286 +0,0 @@ -#include -#include -#include - -#include "address.h" -#include "context.h" -#include "fors.h" -#include "hash.h" -#include "merkle.h" -#include "nistapi.h" -#include "params.h" -#include "randombytes.h" -#include "thash.h" -#include "utils.h" -#include "wots.h" - -/* - * Returns the length of a secret key, in bytes - */ -size_t crypto_sign_secretkeybytes(void) { - return CRYPTO_SECRETKEYBYTES; -} - -/* - * Returns the length of a public key, in bytes - */ -size_t crypto_sign_publickeybytes(void) { - return CRYPTO_PUBLICKEYBYTES; -} - -/* - * Returns the length of a signature, in bytes - */ -size_t crypto_sign_bytes(void) { - return CRYPTO_BYTES; -} - -/* - * Returns the length of the seed required to generate a key pair, in bytes - */ -size_t crypto_sign_seedbytes(void) { - return CRYPTO_SEEDBYTES; -} - -/* - * Generates an SPX key pair given a seed of length - * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root] - * Format pk: [PUB_SEED || root] - */ -int crypto_sign_seed_keypair(uint8_t *pk, uint8_t *sk, - const uint8_t *seed) { - spx_ctx ctx; - - /* Initialize SK_SEED, SK_PRF and PUB_SEED from seed. */ - memcpy(sk, seed, CRYPTO_SEEDBYTES); - - memcpy(pk, sk + 2 * SPX_N, SPX_N); - - memcpy(ctx.pub_seed, pk, SPX_N); - memcpy(ctx.sk_seed, sk, SPX_N); - - /* This hook allows the hash function instantiation to do whatever - preparation or computation it needs, based on the public seed. */ - initialize_hash_function(&ctx); - - /* Compute root node of the top-most subtree. */ - merkle_gen_root(sk + 3 * SPX_N, &ctx); - - // cleanup - free_hash_function(&ctx); - - memcpy(pk + SPX_N, sk + 3 * SPX_N, SPX_N); - - return 0; -} - -/* - * Generates an SPX key pair. - * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root] - * Format pk: [PUB_SEED || root] - */ -int crypto_sign_keypair(uint8_t *pk, uint8_t *sk) { - uint8_t seed[CRYPTO_SEEDBYTES]; - randombytes(seed, CRYPTO_SEEDBYTES); - crypto_sign_seed_keypair(pk, sk, seed); - - return 0; -} - -/** - * Returns an array containing a detached signature. - */ -int crypto_sign_signature(uint8_t *sig, size_t *siglen, - const uint8_t *m, size_t mlen, const uint8_t *sk) { - spx_ctx ctx; - - const uint8_t *sk_prf = sk + SPX_N; - const uint8_t *pk = sk + 2 * SPX_N; - - uint8_t optrand[SPX_N]; - uint8_t mhash[SPX_FORS_MSG_BYTES]; - uint8_t root[SPX_N]; - uint32_t i; - uint64_t tree; - uint32_t idx_leaf; - uint32_t wots_addr[8] = {0}; - uint32_t tree_addr[8] = {0}; - - memcpy(ctx.sk_seed, sk, SPX_N); - memcpy(ctx.pub_seed, pk, SPX_N); - - /* This hook allows the hash function instantiation to do whatever - preparation or computation it needs, based on the public seed. */ - initialize_hash_function(&ctx); - - set_type(wots_addr, SPX_ADDR_TYPE_WOTS); - set_type(tree_addr, SPX_ADDR_TYPE_HASHTREE); - - /* Optionally, signing can be made non-deterministic using optrand. - This can help counter side-channel attacks that would benefit from - getting a large number of traces when the signer uses the same nodes. */ - randombytes(optrand, SPX_N); - /* Compute the digest randomization value. */ - gen_message_random(sig, sk_prf, optrand, m, mlen, &ctx); - - /* Derive the message digest and leaf index from R, PK and M. */ - hash_message(mhash, &tree, &idx_leaf, sig, pk, m, mlen, &ctx); - sig += SPX_N; - - set_tree_addr(wots_addr, tree); - set_keypair_addr(wots_addr, idx_leaf); - - /* Sign the message hash using FORS. */ - fors_sign(sig, root, mhash, &ctx, wots_addr); - sig += SPX_FORS_BYTES; - - for (i = 0; i < SPX_D; i++) { - set_layer_addr(tree_addr, i); - set_tree_addr(tree_addr, tree); - - copy_subtree_addr(wots_addr, tree_addr); - set_keypair_addr(wots_addr, idx_leaf); - - merkle_sign(sig, root, &ctx, wots_addr, tree_addr, idx_leaf); - sig += SPX_WOTS_BYTES + SPX_TREE_HEIGHT * SPX_N; - - /* Update the indices for the next layer. */ - idx_leaf = (tree & ((1 << SPX_TREE_HEIGHT) - 1)); - tree = tree >> SPX_TREE_HEIGHT; - } - - free_hash_function(&ctx); - - *siglen = SPX_BYTES; - - return 0; -} - -/** - * Verifies a detached signature and message under a given public key. - */ -int crypto_sign_verify(const uint8_t *sig, size_t siglen, - const uint8_t *m, size_t mlen, const uint8_t *pk) { - spx_ctx ctx; - const uint8_t *pub_root = pk + SPX_N; - uint8_t mhash[SPX_FORS_MSG_BYTES]; - uint8_t wots_pk[SPX_WOTS_BYTES]; - uint8_t root[SPX_N]; - uint8_t leaf[SPX_N]; - unsigned int i; - uint64_t tree; - uint32_t idx_leaf; - uint32_t wots_addr[8] = {0}; - uint32_t tree_addr[8] = {0}; - uint32_t wots_pk_addr[8] = {0}; - - if (siglen != SPX_BYTES) { - return -1; - } - - memcpy(ctx.pub_seed, pk, SPX_N); - - /* This hook allows the hash function instantiation to do whatever - preparation or computation it needs, based on the public seed. */ - initialize_hash_function(&ctx); - - set_type(wots_addr, SPX_ADDR_TYPE_WOTS); - set_type(tree_addr, SPX_ADDR_TYPE_HASHTREE); - set_type(wots_pk_addr, SPX_ADDR_TYPE_WOTSPK); - - /* Derive the message digest and leaf index from R || PK || M. */ - /* The additional SPX_N is a result of the hash domain separator. */ - hash_message(mhash, &tree, &idx_leaf, sig, pk, m, mlen, &ctx); - sig += SPX_N; - - /* Layer correctly defaults to 0, so no need to set_layer_addr */ - set_tree_addr(wots_addr, tree); - set_keypair_addr(wots_addr, idx_leaf); - - fors_pk_from_sig(root, sig, mhash, &ctx, wots_addr); - sig += SPX_FORS_BYTES; - - /* For each subtree.. */ - for (i = 0; i < SPX_D; i++) { - set_layer_addr(tree_addr, i); - set_tree_addr(tree_addr, tree); - - copy_subtree_addr(wots_addr, tree_addr); - set_keypair_addr(wots_addr, idx_leaf); - - copy_keypair_addr(wots_pk_addr, wots_addr); - - /* The WOTS public key is only correct if the signature was correct. */ - /* Initially, root is the FORS pk, but on subsequent iterations it is - the root of the subtree below the currently processed subtree. */ - wots_pk_from_sig(wots_pk, sig, root, &ctx, wots_addr); - sig += SPX_WOTS_BYTES; - - /* Compute the leaf node using the WOTS public key. */ - thash(leaf, wots_pk, SPX_WOTS_LEN, &ctx, wots_pk_addr); - - /* Compute the root node of this subtree. */ - compute_root(root, leaf, idx_leaf, 0, sig, SPX_TREE_HEIGHT, - &ctx, tree_addr); - sig += SPX_TREE_HEIGHT * SPX_N; - - /* Update the indices for the next layer. */ - idx_leaf = (tree & ((1 << SPX_TREE_HEIGHT) - 1)); - tree = tree >> SPX_TREE_HEIGHT; - } - - // cleanup - free_hash_function(&ctx); - - /* Check if the root node equals the root node in the public key. */ - if (memcmp(root, pub_root, SPX_N) != 0) { - return -1; - } - - return 0; -} - - -/** - * Returns an array containing the signature followed by the message. - */ -int crypto_sign(uint8_t *sm, size_t *smlen, - const uint8_t *m, size_t mlen, - const uint8_t *sk) { - size_t siglen; - - crypto_sign_signature(sm, &siglen, m, mlen, sk); - - memmove(sm + SPX_BYTES, m, mlen); - *smlen = siglen + mlen; - - return 0; -} - -/** - * Verifies a given signature-message pair under a given public key. - */ -int crypto_sign_open(uint8_t *m, size_t *mlen, - const uint8_t *sm, size_t smlen, - const uint8_t *pk) { - /* The API caller does not necessarily know what size a signature should be - but SPHINCS+ signatures are always exactly SPX_BYTES. */ - if (smlen < SPX_BYTES) { - memset(m, 0, smlen); - *mlen = 0; - return -1; - } - - *mlen = smlen - SPX_BYTES; - - if (crypto_sign_verify(sm, SPX_BYTES, sm + SPX_BYTES, *mlen, pk)) { - memset(m, 0, smlen); - *mlen = 0; - return -1; - } - - /* If verification was successful, move the message to the right place. */ - memmove(m, sm + SPX_BYTES, *mlen); - - return 0; -} diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/thash.h b/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/thash.h deleted file mode 100644 index 8687ccfb4..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/thash.h +++ /dev/null @@ -1,13 +0,0 @@ -#ifndef SPX_THASH_H -#define SPX_THASH_H - -#include "context.h" -#include "params.h" - -#include - -#define thash SPX_NAMESPACE(thash) -void thash(unsigned char *out, const unsigned char *in, unsigned int inblocks, - const spx_ctx *ctx, uint32_t addr[8]); - -#endif diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/thash_shake_simplex2.c b/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/thash_shake_simplex2.c deleted file mode 100644 index 892e45369..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/thash_shake_simplex2.c +++ /dev/null @@ -1,83 +0,0 @@ -#include -#include - -#include "thash.h" -#include "thashx2.h" - -#include "address.h" -#include "params.h" -#include "utils.h" - -#include "f1600x2.h" -#include "fips202x2.h" - - -void thash(unsigned char *out, - const unsigned char *in, - unsigned int inblocks, - const spx_ctx *ctx, uint32_t addr[8]) { - uint32_t addrx2 [2 * 8] = { - addr[0], addr[1], addr[2], addr[3], addr[4], addr[5], addr[6], addr[7], - addr[0], addr[1], addr[2], addr[3], addr[4], addr[5], addr[6], addr[7] - }; - thashx2(out, out, in, in, inblocks, ctx, addrx2); -} - -/** - * 2-way parallel version of thash; takes 2x as much input and output - */ -void thashx2(unsigned char *out0, - unsigned char *out1, - const unsigned char *in0, - const unsigned char *in1, - unsigned int inblocks, - const spx_ctx *ctx, uint32_t addrx2[2 * 8]) { - if (inblocks == 1 || inblocks == 2) { - /* As we write and read only a few quadwords, it is more efficient to - * build and extract from the twoway SHAKE256 state by hand. */ - uint64_t state[50] = {0}; - for (int i = 0; i < SPX_N / 8; i++) { - uint64_t x = load64(ctx->pub_seed + 8 * i); - state[2 * i] = x; - state[2 * i + 1] = x; - } - for (int i = 0; i < 4; i++) { - state[2 * (SPX_N / 8 + i)] = (((uint64_t)addrx2[1 + 2 * i]) << 32) - | (uint64_t)addrx2[2 * i]; - state[2 * (SPX_N / 8 + i) + 1] = (((uint64_t)addrx2[8 + 1 + 2 * i]) << 32) - | (uint64_t)addrx2[8 + 2 * i]; - } - - for (unsigned int i = 0; i < (SPX_N / 8) * inblocks; i++) { - state[2 * (SPX_N / 8 + 4 + i)] = load64(in0 + 8 * i); - state[2 * (SPX_N / 8 + 4 + i) + 1] = load64(in1 + 8 * i); - } - - /* Domain separator and padding. */ - state[2 * 16] = 0x80ULL << 56; - state[2 * 16 + 1] = 0x80ULL << 56; - - state[2 * ((SPX_N / 8) * (1 + inblocks) + 4)] ^= 0x1f; - state[2 * ((SPX_N / 8) * (1 + inblocks) + 4) + 1] ^= 0x1f; - - f1600x2(state); - - for (int i = 0; i < SPX_N / 8; i++) { - store64(out0 + 8 * i, state[2 * i]); - store64(out1 + 8 * i, state[2 * i + 1]); - } - } else { - PQCLEAN_VLA(unsigned char, buf0, SPX_N + SPX_ADDR_BYTES + inblocks * SPX_N); - PQCLEAN_VLA(unsigned char, buf1, SPX_N + SPX_ADDR_BYTES + inblocks * SPX_N); - - memcpy(buf0, ctx->pub_seed, SPX_N); - memcpy(buf1, ctx->pub_seed, SPX_N); - memcpy(buf0 + SPX_N, addrx2 + 0 * 8, SPX_ADDR_BYTES); - memcpy(buf1 + SPX_N, addrx2 + 1 * 8, SPX_ADDR_BYTES); - memcpy(buf0 + SPX_N + SPX_ADDR_BYTES, in0, inblocks * SPX_N); - memcpy(buf1 + SPX_N + SPX_ADDR_BYTES, in1, inblocks * SPX_N); - - shake256x2(out0, out1, SPX_N, - buf0, buf1, SPX_N + SPX_ADDR_BYTES + inblocks * SPX_N); - } -} diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/thashx2.h b/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/thashx2.h deleted file mode 100644 index 040375e61..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/thashx2.h +++ /dev/null @@ -1,16 +0,0 @@ -#ifndef SPX_THASHX2_H -#define SPX_THASHX2_H - -#include "context.h" -#include "params.h" -#include - -#define thashx2 SPX_NAMESPACE(thashx2) -void thashx2(unsigned char *out0, - unsigned char *out1, - const unsigned char *in0, - const unsigned char *in1, - unsigned int inblocks, - const spx_ctx *ctx, uint32_t addrx2[2 * 8]); - -#endif diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/utils.c b/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/utils.c deleted file mode 100644 index 177b541fb..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/utils.c +++ /dev/null @@ -1,148 +0,0 @@ -#include - -#include "utils.h" - -#include "address.h" -#include "hash.h" -#include "params.h" -#include "thash.h" - -/** - * Converts the value of 'in' to 'outlen' bytes in big-endian byte order. - */ -void ull_to_bytes(unsigned char *out, unsigned int outlen, - unsigned long long in) { - int i; - - /* Iterate over out in decreasing order, for big-endianness. */ - for (i = (signed int)outlen - 1; i >= 0; i--) { - out[i] = in & 0xff; - in = in >> 8; - } -} - -void u32_to_bytes(unsigned char *out, uint32_t in) { - out[0] = (unsigned char)(in >> 24); - out[1] = (unsigned char)(in >> 16); - out[2] = (unsigned char)(in >> 8); - out[3] = (unsigned char)in; -} - -/** - * Converts the inlen bytes in 'in' from big-endian byte order to an integer. - */ -unsigned long long bytes_to_ull(const unsigned char *in, unsigned int inlen) { - unsigned long long retval = 0; - unsigned int i; - - for (i = 0; i < inlen; i++) { - retval |= ((unsigned long long)in[i]) << (8 * (inlen - 1 - i)); - } - return retval; -} - -/** - * Computes a root node given a leaf and an auth path. - * Expects address to be complete other than the tree_height and tree_index. - */ -void compute_root(unsigned char *root, const unsigned char *leaf, - uint32_t leaf_idx, uint32_t idx_offset, - const unsigned char *auth_path, uint32_t tree_height, - const spx_ctx *ctx, uint32_t addr[8]) { - uint32_t i; - unsigned char buffer[2 * SPX_N]; - - /* If leaf_idx is odd (last bit = 1), current path element is a right child - and auth_path has to go left. Otherwise it is the other way around. */ - if (leaf_idx & 1) { - memcpy(buffer + SPX_N, leaf, SPX_N); - memcpy(buffer, auth_path, SPX_N); - } else { - memcpy(buffer, leaf, SPX_N); - memcpy(buffer + SPX_N, auth_path, SPX_N); - } - auth_path += SPX_N; - - for (i = 0; i < tree_height - 1; i++) { - leaf_idx >>= 1; - idx_offset >>= 1; - /* Set the address of the node we're creating. */ - set_tree_height(addr, i + 1); - set_tree_index(addr, leaf_idx + idx_offset); - - /* Pick the right or left neighbor, depending on parity of the node. */ - if (leaf_idx & 1) { - thash(buffer + SPX_N, buffer, 2, ctx, addr); - memcpy(buffer, auth_path, SPX_N); - } else { - thash(buffer, buffer, 2, ctx, addr); - memcpy(buffer + SPX_N, auth_path, SPX_N); - } - auth_path += SPX_N; - } - - /* The last iteration is exceptional; we do not copy an auth_path node. */ - leaf_idx >>= 1; - idx_offset >>= 1; - set_tree_height(addr, tree_height); - set_tree_index(addr, leaf_idx + idx_offset); - thash(root, buffer, 2, ctx, addr); -} - -/** - * For a given leaf index, computes the authentication path and the resulting - * root node using Merkle's TreeHash algorithm. - * Expects the layer and tree parts of the tree_addr to be set, as well as the - * tree type (i.e. SPX_ADDR_TYPE_HASHTREE or SPX_ADDR_TYPE_FORSTREE). - * Applies the offset idx_offset to indices before building addresses, so that - * it is possible to continue counting indices across trees. - */ -void treehash(unsigned char *root, unsigned char *auth_path, const spx_ctx *ctx, - uint32_t leaf_idx, uint32_t idx_offset, uint32_t tree_height, - void (*gen_leaf)( - unsigned char * /* leaf */, - const spx_ctx * /* ctx */, - uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */), - uint32_t tree_addr[8]) { - PQCLEAN_VLA(uint8_t, stack, (tree_height + 1)*SPX_N); - PQCLEAN_VLA(unsigned int, heights, tree_height + 1); - unsigned int offset = 0; - uint32_t idx; - uint32_t tree_idx; - - for (idx = 0; idx < (uint32_t)(1 << tree_height); idx++) { - /* Add the next leaf node to the stack. */ - gen_leaf(stack + offset * SPX_N, ctx, idx + idx_offset, tree_addr); - offset++; - heights[offset - 1] = 0; - - /* If this is a node we need for the auth path.. */ - if ((leaf_idx ^ 0x1) == idx) { - memcpy(auth_path, stack + (offset - 1)*SPX_N, SPX_N); - } - - /* While the top-most nodes are of equal height.. */ - while (offset >= 2 && heights[offset - 1] == heights[offset - 2]) { - /* Compute index of the new node, in the next layer. */ - tree_idx = (idx >> (heights[offset - 1] + 1)); - - /* Set the address of the node we're creating. */ - set_tree_height(tree_addr, heights[offset - 1] + 1); - set_tree_index(tree_addr, - tree_idx + (idx_offset >> (heights[offset - 1] + 1))); - /* Hash the top-most nodes from the stack together. */ - thash(stack + (offset - 2)*SPX_N, - stack + (offset - 2)*SPX_N, 2, ctx, tree_addr); - offset--; - /* Note that the top-most node is now one layer higher. */ - heights[offset - 1]++; - - /* If this is a node we need for the auth path.. */ - if (((leaf_idx >> heights[offset - 1]) ^ 0x1) == tree_idx) { - memcpy(auth_path + heights[offset - 1]*SPX_N, - stack + (offset - 1)*SPX_N, SPX_N); - } - } - } - memcpy(root, stack, SPX_N); -} diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/utils.h b/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/utils.h deleted file mode 100644 index 64f5d5a53..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/utils.h +++ /dev/null @@ -1,58 +0,0 @@ -#ifndef SPX_UTILS_H -#define SPX_UTILS_H - -#include - -#include "compat.h" -#include "context.h" -#include "params.h" - - -/* To support MSVC use alloca() instead of VLAs. See #20. */ - - -/** - * Converts the value of 'in' to 'outlen' bytes in big-endian byte order. - */ -#define ull_to_bytes SPX_NAMESPACE(ull_to_bytes) -void ull_to_bytes(unsigned char *out, unsigned int outlen, - unsigned long long in); -#define u32_to_bytes SPX_NAMESPACE(u32_to_bytes) -void u32_to_bytes(unsigned char *out, uint32_t in); - -/** - * Converts the inlen bytes in 'in' from big-endian byte order to an integer. - */ -#define bytes_to_ull SPX_NAMESPACE(bytes_to_ull) -unsigned long long bytes_to_ull(const unsigned char *in, unsigned int inlen); - -/** - * Computes a root node given a leaf and an auth path. - * Expects address to be complete other than the tree_height and tree_index. - */ -#define compute_root SPX_NAMESPACE(compute_root) -void compute_root(unsigned char *root, const unsigned char *leaf, - uint32_t leaf_idx, uint32_t idx_offset, - const unsigned char *auth_path, uint32_t tree_height, - const spx_ctx *ctx, uint32_t addr[8]); - -/** - * For a given leaf index, computes the authentication path and the resulting - * root node using Merkle's TreeHash algorithm. - * Expects the layer and tree parts of the tree_addr to be set, as well as the - * tree type (i.e. SPX_ADDR_TYPE_HASHTREE or SPX_ADDR_TYPE_FORSTREE). - * Applies the offset idx_offset to indices before building addresses, so that - * it is possible to continue counting indices across trees. - */ -#define treehash SPX_NAMESPACE(treehash) -void treehash(unsigned char *root, unsigned char *auth_path, - const spx_ctx *ctx, - uint32_t leaf_idx, uint32_t idx_offset, uint32_t tree_height, - void (*gen_leaf)( - unsigned char * /* leaf */, - const spx_ctx *ctx /* ctx */, - uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */), - uint32_t tree_addr[8]); - - -#endif diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/utilsx2.c b/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/utilsx2.c deleted file mode 100644 index 8736474e4..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/utilsx2.c +++ /dev/null @@ -1,130 +0,0 @@ -#include - -#include "utilsx2.h" - -#include "address.h" -#include "params.h" -#include "thashx2.h" -#include "utils.h" - -/* - * Generate the entire Merkle tree, computing the authentication path for leaf_idx, - * and the resulting root node using Merkle's TreeHash algorithm. - * Expects the layer and tree parts of the tree_addr to be set, as well as the - * tree type (i.e. SPX_ADDR_TYPE_HASHTREE or SPX_ADDR_TYPE_FORSTREE) - * - * This expects tree_addrx2 to be initialized to 2 parallel addr structures for - * the Merkle tree nodes - * - * Applies the offset idx_offset to indices before building addresses, so that - * it is possible to continue counting indices across trees. - * - * This works by using the standard Merkle tree building algorithm, except - * that each 'node' tracked is actually 2 consecutive nodes in the real tree. - * When we combine two logical nodes AB and WX, we perform the H - * operation on adjacent real nodes, forming the parent logical node - * (AB)(WX) - * - * When we get to the top level of the real tree (where there is only - * one logical node), we continue this operation one more time; the right - * most real node will by the actual root (and the other node will be - * garbage). We follow the same thashx2 logic so that the 'extract - * authentication path components' part of the loop is still executed (and - * to simplify the code somewhat) - */ -void treehashx2(unsigned char *root, unsigned char *auth_path, - const spx_ctx *ctx, - uint32_t leaf_idx, uint32_t idx_offset, - uint32_t tree_height, - void (*gen_leafx2)( - unsigned char * /* Where to write the leaves */, - const spx_ctx *, - uint32_t idx, void *info), - uint32_t tree_addrx2[2 * 8], - void *info) { - /* This is where we keep the intermediate nodes */ - unsigned char stackx2[tree_height * 2 * SPX_N]; - uint32_t left_adj = 0, prev_left_adj = 0; /* When we're doing the top */ - /* level, the left-most part of the tree isn't at the beginning */ - /* of current[]. These give the offset of the actual start */ - - uint32_t idx; - uint32_t max_idx = (1 << (tree_height - 1)) - 1; - for (idx = 0;; idx++) { - unsigned char current[2 * SPX_N]; /* Current logical node */ - gen_leafx2( current, ctx, 2 * idx + idx_offset, - info ); - - /* Now combine the freshly generated right node with previously */ - /* generated left ones */ - uint32_t internal_idx_offset = idx_offset; - uint32_t internal_idx = idx; - uint32_t internal_leaf = leaf_idx; - uint32_t h; /* The height we are in the Merkle tree */ - for (h = 0;; h++, internal_idx >>= 1, internal_leaf >>= 1) { - - /* Special processing if we're at the top of the tree */ - if (h >= tree_height - 1) { - if (h == tree_height) { - /* We hit the root; return it */ - memcpy( root, ¤t[1 * SPX_N], SPX_N ); - return; - } - /* The tree indexing logic is a bit off in this case */ - /* Adjust it so that the left-most node of the part of */ - /* the tree that we're processing has index 0 */ - prev_left_adj = left_adj; - left_adj = 2 - (1 << (tree_height - h - 1)); - } - - /* Check if we hit the top of the tree */ - if (h == tree_height) { - /* We hit the root; return it */ - memcpy( root, ¤t[1 * SPX_N], SPX_N ); - return; - } - - /* - * Check if one of the nodes we have is a part of the - * authentication path; if it is, write it out - */ - if ((((internal_idx << 1) ^ internal_leaf) & ~0x1) == 0) { - memcpy( &auth_path[ h * SPX_N ], - ¤t[(((internal_leaf & 1) ^ 1) + prev_left_adj) * SPX_N], - SPX_N ); - } - - /* - * Check if we're at a left child; if so, stop going up the stack - * Exception: if we've reached the end of the tree, keep on going - * (so we combine the last 2 nodes into the one root node in two - * more iterations) - */ - if ((internal_idx & 1) == 0 && idx < max_idx) { - break; - } - - /* Ok, we're at a right node (or doing the top 3 levels) */ - /* Now combine the left and right logical nodes together */ - - /* Set the address of the node we're creating. */ - int j; - internal_idx_offset >>= 1; - for (j = 0; j < 2; j++) { - set_tree_height(tree_addrx2 + j * 8, h + 1); - set_tree_index(tree_addrx2 + j * 8, - (2 / 2) * (internal_idx & ~1) + j - left_adj + internal_idx_offset ); - } - unsigned char *left = &stackx2[h * 2 * SPX_N]; - thashx2( ¤t[0 * SPX_N], - ¤t[1 * SPX_N], - &left [0 * SPX_N], - ¤t[0 * SPX_N], - 2, ctx, tree_addrx2); - } - - /* We've hit a left child; save the current for when we get the */ - /* corresponding right right */ - memcpy( &stackx2[h * 2 * SPX_N], current, 2 * SPX_N); - } -} diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/utilsx2.h b/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/utilsx2.h deleted file mode 100644 index e09faddc4..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/utilsx2.h +++ /dev/null @@ -1,30 +0,0 @@ -#ifndef SPX_UTILSX2_H -#define SPX_UTILSX2_H - -#include - -#include "context.h" -#include "params.h" - -/** - * For a given leaf index, computes the authentication path and the resulting - * root node using Merkle's TreeHash algorithm. - * Expects the layer and tree parts of the tree_addr to be set, as well as the - * tree type (i.e. SPX_ADDR_TYPE_HASHTREE or SPX_ADDR_TYPE_FORSTREE). - * Applies the offset idx_offset to indices before building addresses, so that - * it is possible to continue counting indices across trees. - * - * This implementation uses SIMD to compute internal nodes 2 at a time (in - * parallel) - */ -#define treehashx2 SPX_NAMESPACE(treehashx2) -void treehashx2(unsigned char *root, unsigned char *auth_path, - const spx_ctx *ctx, - uint32_t leaf_idx, uint32_t idx_offset, uint32_t tree_height, - void (*gen_leafx2)( - unsigned char * /* Where to write the leaves */, - const spx_ctx * /* ctx */, - uint32_t addr_idx, void *info), - uint32_t tree_addrx2[2 * 8], void *info); - -#endif diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/wots.c b/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/wots.c deleted file mode 100644 index 3babe45e9..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/wots.c +++ /dev/null @@ -1,259 +0,0 @@ -#include -#include - -#include "wots.h" -#include "wotsx2.h" - -#include "address.h" -#include "hash.h" -#include "hashx2.h" -#include "params.h" -#include "thashx2.h" -#include "utils.h" -#include "utilsx2.h" - -// TODO clarify address expectations, and make them more uniform. -// TODO i.e. do we expect types to be set already? -// TODO and do we expect modifications or copies? - -/** - * Computes up the chains - */ -static void gen_chains( - unsigned char *out, - const unsigned char *in, - unsigned int start[SPX_WOTS_LEN], - const unsigned int steps[SPX_WOTS_LEN], - const spx_ctx *ctx, - uint32_t addr[8]) { - uint32_t i, j, k, idx, watching; - int done; - unsigned char empty[SPX_N]; - unsigned char *bufs[4]; - uint32_t addrs[8 * 2]; - - int l; - uint16_t counts[SPX_WOTS_W] = { 0 }; - uint16_t idxs[SPX_WOTS_LEN]; - uint16_t total, newTotal; - - /* set addrs = {addr, addr} */ - for (j = 0; j < 2; j++) { - memcpy(addrs + j * 8, addr, sizeof(uint32_t) * 8); - } - - /* Initialize out with the value at position 'start'. */ - memcpy(out, in, SPX_WOTS_LEN * SPX_N); - - /* Sort the chains in reverse order by steps using counting sort. */ - for (i = 0; i < SPX_WOTS_LEN; i++) { - counts[steps[i]]++; - } - total = 0; - for (l = SPX_WOTS_W - 1; l >= 0; l--) { - newTotal = counts[l] + total; - counts[l] = total; - total = newTotal; - } - for (i = 0; i < SPX_WOTS_LEN; i++) { - idxs[counts[steps[i]]] = i; - counts[steps[i]]++; - } - - /* We got our work cut out for us: do it! */ - for (i = 0; i < SPX_WOTS_LEN; i += 2) { - for (j = 0; j < 2 && i + j < SPX_WOTS_LEN; j++) { - idx = idxs[i + j]; - set_chain_addr(addrs + j * 8, idx); - bufs[j] = out + SPX_N * idx; - } - - /* As the chains are sorted in reverse order, we know that the first - * chain is the longest and the last one is the shortest. We keep - * an eye on whether the last chain is done and then on the one before, - * et cetera. */ - watching = 1; - done = 0; - while (i + watching >= SPX_WOTS_LEN) { - bufs[watching] = &empty[0]; - watching--; - } - - for (k = 0;; k++) { - while (k == steps[idxs[i + watching]]) { - bufs[watching] = &empty[0]; - if (watching == 0) { - done = 1; - break; - } - watching--; - } - if (done) { - break; - } - for (j = 0; j < watching + 1; j++) { - set_hash_addr(addrs + j * 8, k + start[idxs[i + j]]); - } - - thashx2(bufs[0], bufs[1], - bufs[0], bufs[1], 1, ctx, addrs); - } - } -} - -/** - * base_w algorithm as described in draft. - * Interprets an array of bytes as integers in base w. - * This only works when log_w is a divisor of 8. - */ -static void base_w(unsigned int *output, const int out_len, - const unsigned char *input) { - int in = 0; - int out = 0; - unsigned char total = 0; - int bits = 0; - int consumed; - - for (consumed = 0; consumed < out_len; consumed++) { - if (bits == 0) { - total = input[in]; - in++; - bits += 8; - } - bits -= SPX_WOTS_LOGW; - output[out] = (total >> bits) & (SPX_WOTS_W - 1); - out++; - } -} - -/* Computes the WOTS+ checksum over a message (in base_w). */ -static void wots_checksum(unsigned int *csum_base_w, - const unsigned int *msg_base_w) { - unsigned int csum = 0; - unsigned char csum_bytes[(SPX_WOTS_LEN2 * SPX_WOTS_LOGW + 7) / 8]; - unsigned int i; - - /* Compute checksum. */ - for (i = 0; i < SPX_WOTS_LEN1; i++) { - csum += SPX_WOTS_W - 1 - msg_base_w[i]; - } - - /* Convert checksum to base_w. */ - /* Make sure expected empty zero bits are the least significant bits. */ - csum = csum << ((8 - ((SPX_WOTS_LEN2 * SPX_WOTS_LOGW) % 8)) % 8); - ull_to_bytes(csum_bytes, sizeof(csum_bytes), csum); - base_w(csum_base_w, SPX_WOTS_LEN2, csum_bytes); -} - -/* Takes a message and derives the matching chain lengths. */ -void chain_lengths(unsigned int *lengths, const unsigned char *msg) { - base_w(lengths, SPX_WOTS_LEN1, msg); - wots_checksum(lengths + SPX_WOTS_LEN1, lengths); -} - -/** - * Takes a WOTS signature and an n-byte message, computes a WOTS public key. - * - * Writes the computed public key to 'pk'. - */ -void wots_pk_from_sig(unsigned char *pk, - const unsigned char *sig, const unsigned char *msg, - const spx_ctx *ctx, uint32_t addr[8]) { - unsigned int steps[SPX_WOTS_LEN]; - unsigned int start[SPX_WOTS_LEN]; - uint32_t i; - - chain_lengths(start, msg); - - for (i = 0; i < SPX_WOTS_LEN; i++) { - steps[i] = SPX_WOTS_W - 1 - start[i]; - } - - gen_chains(pk, sig, start, steps, ctx, addr); -} - -/* - * This generates 2 sequential WOTS public keys - * It also generates the WOTS signature if leaf_info indicates - * that we're signing with one of these WOTS keys - */ -void wots_gen_leafx2(unsigned char *dest, - const spx_ctx *ctx, - uint32_t leaf_idx, void *v_info) { - struct leaf_info_x2 *info = v_info; - uint32_t *leaf_addr = info->leaf_addr; - uint32_t *pk_addr = info->pk_addr; - unsigned int i, j, k; - unsigned char pk_buffer[ 2 * SPX_WOTS_BYTES ]; - unsigned wots_offset = SPX_WOTS_BYTES; - unsigned char *buffer; - uint32_t wots_k_mask; - unsigned wots_sign_index; - - if (((leaf_idx ^ info->wots_sign_leaf) & ~1) == 0) { - /* We're traversing the leaf that's signing; generate the WOTS */ - /* signature */ - wots_k_mask = 0; - wots_sign_index = info->wots_sign_leaf & 1; /* Which of of the 2 */ - /* slots do the signatures come from */ - } else { - /* Nope, we're just generating pk's; turn off the signature logic */ - wots_k_mask = ~0; - wots_sign_index = 0; - } - - for (j = 0; j < 2; j++) { - set_keypair_addr( leaf_addr + j * 8, leaf_idx + j ); - set_keypair_addr( pk_addr + j * 8, leaf_idx + j ); - } - - for (i = 0, buffer = pk_buffer; i < SPX_WOTS_LEN; i++, buffer += SPX_N) { - uint32_t wots_k = info->wots_steps[i] | wots_k_mask; /* Set wots_k to */ - /* the step if we're generating a signature, ~0 if we're not */ - - /* Start with the secret seed */ - for (j = 0; j < 2; j++) { - set_chain_addr(leaf_addr + j * 8, i); - set_hash_addr(leaf_addr + j * 8, 0); - set_type(leaf_addr + j * 8, SPX_ADDR_TYPE_WOTSPRF); - } - prf_addrx2(buffer + 0 * wots_offset, - buffer + 1 * wots_offset, - ctx, leaf_addr); - for (j = 0; j < 2; j++) { - set_type(leaf_addr + j * 8, SPX_ADDR_TYPE_WOTS); - } - - /* Iterate down the WOTS chain */ - for (k = 0;; k++) { - /* Check if one of the values we have needs to be saved as a */ - /* part of the WOTS signature */ - if (k == wots_k) { - memcpy( info->wots_sig + i * SPX_N, - buffer + wots_sign_index * wots_offset, SPX_N ); - } - - /* Check if we hit the top of the chain */ - if (k == SPX_WOTS_W - 1) { - break; - } - - /* Iterate one step on all 4 chains */ - for (j = 0; j < 2; j++) { - set_hash_addr(leaf_addr + j * 8, k); - } - thashx2(buffer + 0 * wots_offset, - buffer + 1 * wots_offset, - buffer + 0 * wots_offset, - buffer + 1 * wots_offset, - 1, ctx, leaf_addr); - } - } - - /* Do the final thash to generate the public keys */ - thashx2(dest + 0 * SPX_N, - dest + 1 * SPX_N, - pk_buffer + 0 * wots_offset, - pk_buffer + 1 * wots_offset, - SPX_WOTS_LEN, ctx, pk_addr); -} diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/wots.h b/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/wots.h deleted file mode 100644 index 4e7692eee..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/wots.h +++ /dev/null @@ -1,25 +0,0 @@ -#ifndef SPX_WOTS_H -#define SPX_WOTS_H - -#include - -#include "context.h" -#include "params.h" - -/** - * Takes a WOTS signature and an n-byte message, computes a WOTS public key. - * - * Writes the computed public key to 'pk'. - */ -#define wots_pk_from_sig SPX_NAMESPACE(wots_pk_from_sig) -void wots_pk_from_sig(unsigned char *pk, - const unsigned char *sig, const unsigned char *msg, - const spx_ctx *ctx, uint32_t addr[8]); - -/* - * Compute the chain lengths needed for a given message hash - */ -#define chain_lengths SPX_NAMESPACE(chain_lengths) -void chain_lengths(unsigned int *lengths, const unsigned char *msg); - -#endif diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/wotsx2.h b/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/wotsx2.h deleted file mode 100644 index b58bb61f8..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-256f-simple_aarch64/wotsx2.h +++ /dev/null @@ -1,40 +0,0 @@ -#ifndef WOTSX2_H_ -#define WOTSX2_H_ - -#include "params.h" -#include - -/* - * This is here to provide an interface to the internal wots_gen_leafx2 - * routine. While this routine is not referenced in the package outside of - * wots.c, it is called from the stand-alone benchmark code to characterize - * the performance - */ -struct leaf_info_x2 { - unsigned char *wots_sig; - uint32_t wots_sign_leaf; /* The index of the WOTS we're using to sign */ - uint32_t *wots_steps; - uint32_t leaf_addr[2 * 8]; - uint32_t pk_addr[2 * 8]; -}; - -/* Macro to set the leaf_info to something 'benign', that is, it would */ -/* run with the same time as it does during the real signing process */ -/* Used only by the benchmark code */ -#define INITIALIZE_LEAF_INFO_X2(info, addr, step_buffer) { \ - (info).wots_sig = 0; \ - (info).wots_sign_leaf = ~0; \ - (info).wots_steps = step_buffer; \ - int i; \ - for (i=0; i<2; i++) { \ - memcpy( &(info).leaf_addr[8*i], addr, 32 ); \ - memcpy( &(info).pk_addr[8*i], addr, 32 ); \ - } \ - } - -#define wots_gen_leafx2 SPX_NAMESPACE(wots_gen_leafx2) -void wots_gen_leafx2(unsigned char *dest, - const spx_ctx *ctx, - uint32_t leaf_idx, void *v_info); - -#endif /* WOTSX2_H_ */ diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/LICENSE b/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/LICENSE deleted file mode 100644 index 670154e35..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/LICENSE +++ /dev/null @@ -1,116 +0,0 @@ -CC0 1.0 Universal - -Statement of Purpose - -The laws of most jurisdictions throughout the world automatically confer -exclusive Copyright and Related Rights (defined below) upon the creator and -subsequent owner(s) (each and all, an "owner") of an original work of -authorship and/or a database (each, a "Work"). - -Certain owners wish to permanently relinquish those rights to a Work for the -purpose of contributing to a commons of creative, cultural and scientific -works ("Commons") that the public can reliably and without fear of later -claims of infringement build upon, modify, incorporate in other works, reuse -and redistribute as freely as possible in any form whatsoever and for any -purposes, including without limitation commercial purposes. These owners may -contribute to the Commons to promote the ideal of a free culture and the -further production of creative, cultural and scientific works, or to gain -reputation or greater distribution for their Work in part through the use and -efforts of others. - -For these and/or other purposes and motivations, and without any expectation -of additional consideration or compensation, the person associating CC0 with a -Work (the "Affirmer"), to the extent that he or she is an owner of Copyright -and Related Rights in the Work, voluntarily elects to apply CC0 to the Work -and publicly distribute the Work under its terms, with knowledge of his or her -Copyright and Related Rights in the Work and the meaning and intended legal -effect of CC0 on those rights. - -1. Copyright and Related Rights. A Work made available under CC0 may be -protected by copyright and related or neighboring rights ("Copyright and -Related Rights"). Copyright and Related Rights include, but are not limited -to, the following: - - i. the right to reproduce, adapt, distribute, perform, display, communicate, - and translate a Work; - - ii. moral rights retained by the original author(s) and/or performer(s); - - iii. publicity and privacy rights pertaining to a person's image or likeness - depicted in a Work; - - iv. rights protecting against unfair competition in regards to a Work, - subject to the limitations in paragraph 4(a), below; - - v. rights protecting the extraction, dissemination, use and reuse of data in - a Work; - - vi. database rights (such as those arising under Directive 96/9/EC of the - European Parliament and of the Council of 11 March 1996 on the legal - protection of databases, and under any national implementation thereof, - including any amended or successor version of such directive); and - - vii. other similar, equivalent or corresponding rights throughout the world - based on applicable law or treaty, and any national implementations thereof. - -2. Waiver. To the greatest extent permitted by, but not in contravention of, -applicable law, Affirmer hereby overtly, fully, permanently, irrevocably and -unconditionally waives, abandons, and surrenders all of Affirmer's Copyright -and Related Rights and associated claims and causes of action, whether now -known or unknown (including existing as well as future claims and causes of -action), in the Work (i) in all territories worldwide, (ii) for the maximum -duration provided by applicable law or treaty (including future time -extensions), (iii) in any current or future medium and for any number of -copies, and (iv) for any purpose whatsoever, including without limitation -commercial, advertising or promotional purposes (the "Waiver"). Affirmer makes -the Waiver for the benefit of each member of the public at large and to the -detriment of Affirmer's heirs and successors, fully intending that such Waiver -shall not be subject to revocation, rescission, cancellation, termination, or -any other legal or equitable action to disrupt the quiet enjoyment of the Work -by the public as contemplated by Affirmer's express Statement of Purpose. - -3. Public License Fallback. Should any part of the Waiver for any reason be -judged legally invalid or ineffective under applicable law, then the Waiver -shall be preserved to the maximum extent permitted taking into account -Affirmer's express Statement of Purpose. In addition, to the extent the Waiver -is so judged Affirmer hereby grants to each affected person a royalty-free, -non transferable, non sublicensable, non exclusive, irrevocable and -unconditional license to exercise Affirmer's Copyright and Related Rights in -the Work (i) in all territories worldwide, (ii) for the maximum duration -provided by applicable law or treaty (including future time extensions), (iii) -in any current or future medium and for any number of copies, and (iv) for any -purpose whatsoever, including without limitation commercial, advertising or -promotional purposes (the "License"). The License shall be deemed effective as -of the date CC0 was applied by Affirmer to the Work. Should any part of the -License for any reason be judged legally invalid or ineffective under -applicable law, such partial invalidity or ineffectiveness shall not -invalidate the remainder of the License, and in such case Affirmer hereby -affirms that he or she will not (i) exercise any of his or her remaining -Copyright and Related Rights in the Work or (ii) assert any associated claims -and causes of action with respect to the Work, in either case contrary to -Affirmer's express Statement of Purpose. - -4. Limitations and Disclaimers. - - a. No trademark or patent rights held by Affirmer are waived, abandoned, - surrendered, licensed or otherwise affected by this document. - - b. Affirmer offers the Work as-is and makes no representations or warranties - of any kind concerning the Work, express, implied, statutory or otherwise, - including without limitation warranties of title, merchantability, fitness - for a particular purpose, non infringement, or the absence of latent or - other defects, accuracy, or the present or absence of errors, whether or not - discoverable, all to the greatest extent permissible under applicable law. - - c. Affirmer disclaims responsibility for clearing rights of other persons - that may apply to the Work or any use thereof, including without limitation - any person's Copyright and Related Rights in the Work. Further, Affirmer - disclaims responsibility for obtaining any necessary consents, permissions - or other rights required for any use of the Work. - - d. Affirmer understands and acknowledges that Creative Commons is not a - party to this document and has no duty or obligation with respect to this - CC0 or use of the Work. - -For more information, please see - diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/address.c b/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/address.c deleted file mode 100644 index b956e9cb2..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/address.c +++ /dev/null @@ -1,91 +0,0 @@ -#include -#include - -#include "address.h" -#include "params.h" -#include "utils.h" - -/* - * Specify which level of Merkle tree (the "layer") we're working on - */ -void set_layer_addr(uint32_t addr[8], uint32_t layer) { - ((unsigned char *)addr)[SPX_OFFSET_LAYER] = (unsigned char)layer; -} - -/* - * Specify which Merkle tree within the level (the "tree address") we're working on - */ -void set_tree_addr(uint32_t addr[8], uint64_t tree) { - ull_to_bytes(&((unsigned char *)addr)[SPX_OFFSET_TREE], 8, tree ); -} - -/* - * Specify the reason we'll use this address structure for, that is, what - * hash will we compute with it. This is used so that unrelated types of - * hashes don't accidentally get the same address structure. The type will be - * one of the SPX_ADDR_TYPE constants - */ -void set_type(uint32_t addr[8], uint32_t type) { - ((unsigned char *)addr)[SPX_OFFSET_TYPE] = (unsigned char)type; -} - -/* - * Copy the layer and tree fields of the address structure. This is used - * when we're doing multiple types of hashes within the same Merkle tree - */ -void copy_subtree_addr(uint32_t out[8], const uint32_t in[8]) { - memcpy( out, in, SPX_OFFSET_TREE + 8 ); -} - -/* These functions are used for OTS addresses. */ - -/* - * Specify which Merkle leaf we're working on; that is, which OTS keypair - * we're talking about. - */ -void set_keypair_addr(uint32_t addr[8], uint32_t keypair) { - ((unsigned char *)addr)[SPX_OFFSET_KP_ADDR1] = (unsigned char)keypair; -} - -/* - * Copy the layer, tree and keypair fields of the address structure. This is - * used when we're doing multiple things within the same OTS keypair - */ -void copy_keypair_addr(uint32_t out[8], const uint32_t in[8]) { - memcpy( out, in, SPX_OFFSET_TREE + 8 ); - ((unsigned char *)out)[SPX_OFFSET_KP_ADDR1] = ((unsigned char *)in)[SPX_OFFSET_KP_ADDR1]; -} - -/* - * Specify which Merkle chain within the OTS we're working with - * (the chain address) - */ -void set_chain_addr(uint32_t addr[8], uint32_t chain) { - ((unsigned char *)addr)[SPX_OFFSET_CHAIN_ADDR] = (unsigned char)chain; -} - -/* - * Specify where in the Merkle chain we are -* (the hash address) - */ -void set_hash_addr(uint32_t addr[8], uint32_t hash) { - ((unsigned char *)addr)[SPX_OFFSET_HASH_ADDR] = (unsigned char)hash; -} - -/* These functions are used for all hash tree addresses (including FORS). */ - -/* - * Specify the height of the node in the Merkle/FORS tree we are in - * (the tree height) - */ -void set_tree_height(uint32_t addr[8], uint32_t tree_height) { - ((unsigned char *)addr)[SPX_OFFSET_TREE_HGT] = (unsigned char)tree_height; -} - -/* - * Specify the distance from the left edge of the node in the Merkle/FORS tree - * (the tree index) - */ -void set_tree_index(uint32_t addr[8], uint32_t tree_index) { - u32_to_bytes(&((unsigned char *)addr)[SPX_OFFSET_TREE_INDEX], tree_index ); -} diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/address.h b/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/address.h deleted file mode 100644 index 24a84eb40..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/address.h +++ /dev/null @@ -1,52 +0,0 @@ -#ifndef SPX_ADDRESS_H -#define SPX_ADDRESS_H - -#include - -#include "params.h" - -/* The hash types that are passed to set_type */ -#define SPX_ADDR_TYPE_WOTS 0 -#define SPX_ADDR_TYPE_WOTSPK 1 -#define SPX_ADDR_TYPE_HASHTREE 2 -#define SPX_ADDR_TYPE_FORSTREE 3 -#define SPX_ADDR_TYPE_FORSPK 4 -#define SPX_ADDR_TYPE_WOTSPRF 5 -#define SPX_ADDR_TYPE_FORSPRF 6 - -#define set_layer_addr SPX_NAMESPACE(set_layer_addr) -void set_layer_addr(uint32_t addr[8], uint32_t layer); - -#define set_tree_addr SPX_NAMESPACE(set_tree_addr) -void set_tree_addr(uint32_t addr[8], uint64_t tree); - -#define set_type SPX_NAMESPACE(set_type) -void set_type(uint32_t addr[8], uint32_t type); - -/* Copies the layer and tree part of one address into the other */ -#define copy_subtree_addr SPX_NAMESPACE(copy_subtree_addr) -void copy_subtree_addr(uint32_t out[8], const uint32_t in[8]); - -/* These functions are used for WOTS and FORS addresses. */ - -#define set_keypair_addr SPX_NAMESPACE(set_keypair_addr) -void set_keypair_addr(uint32_t addr[8], uint32_t keypair); - -#define set_chain_addr SPX_NAMESPACE(set_chain_addr) -void set_chain_addr(uint32_t addr[8], uint32_t chain); - -#define set_hash_addr SPX_NAMESPACE(set_hash_addr) -void set_hash_addr(uint32_t addr[8], uint32_t hash); - -#define copy_keypair_addr SPX_NAMESPACE(copy_keypair_addr) -void copy_keypair_addr(uint32_t out[8], const uint32_t in[8]); - -/* These functions are used for all hash tree addresses (including FORS). */ - -#define set_tree_height SPX_NAMESPACE(set_tree_height) -void set_tree_height(uint32_t addr[8], uint32_t tree_height); - -#define set_tree_index SPX_NAMESPACE(set_tree_index) -void set_tree_index(uint32_t addr[8], uint32_t tree_index); - -#endif diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/api.h b/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/api.h deleted file mode 100644 index 00b9ae165..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/api.h +++ /dev/null @@ -1,77 +0,0 @@ -#ifndef PQCLEAN_SPHINCSSHAKE256SSIMPLE_AARCH64_API_H -#define PQCLEAN_SPHINCSSHAKE256SSIMPLE_AARCH64_API_H - -#include -#include - -#define PQCLEAN_SPHINCSSHAKE256SSIMPLE_AARCH64_CRYPTO_ALGNAME "SPHINCS+-shake-256s-simple" - -#define PQCLEAN_SPHINCSSHAKE256SSIMPLE_AARCH64_CRYPTO_SECRETKEYBYTES 128 -#define PQCLEAN_SPHINCSSHAKE256SSIMPLE_AARCH64_CRYPTO_PUBLICKEYBYTES 64 -#define PQCLEAN_SPHINCSSHAKE256SSIMPLE_AARCH64_CRYPTO_BYTES 29792 - -#define PQCLEAN_SPHINCSSHAKE256SSIMPLE_AARCH64_CRYPTO_SEEDBYTES 96 - -/* - * Returns the length of a secret key, in bytes - */ -size_t PQCLEAN_SPHINCSSHAKE256SSIMPLE_AARCH64_crypto_sign_secretkeybytes(void); - -/* - * Returns the length of a public key, in bytes - */ -size_t PQCLEAN_SPHINCSSHAKE256SSIMPLE_AARCH64_crypto_sign_publickeybytes(void); - -/* - * Returns the length of a signature, in bytes - */ -size_t PQCLEAN_SPHINCSSHAKE256SSIMPLE_AARCH64_crypto_sign_bytes(void); - -/* - * Returns the length of the seed required to generate a key pair, in bytes - */ -size_t PQCLEAN_SPHINCSSHAKE256SSIMPLE_AARCH64_crypto_sign_seedbytes(void); - -/* - * Generates a SPHINCS+ key pair given a seed. - * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root] - * Format pk: [root || PUB_SEED] - */ -int PQCLEAN_SPHINCSSHAKE256SSIMPLE_AARCH64_crypto_sign_seed_keypair(uint8_t *pk, uint8_t *sk, - const uint8_t *seed); - -/* - * Generates a SPHINCS+ key pair. - * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root] - * Format pk: [root || PUB_SEED] - */ -int PQCLEAN_SPHINCSSHAKE256SSIMPLE_AARCH64_crypto_sign_keypair(uint8_t *pk, uint8_t *sk); - -/** - * Returns an array containing a detached signature. - */ -int PQCLEAN_SPHINCSSHAKE256SSIMPLE_AARCH64_crypto_sign_signature(uint8_t *sig, size_t *siglen, - const uint8_t *m, size_t mlen, - const uint8_t *sk); - -/** - * Verifies a detached signature and message under a given public key. - */ -int PQCLEAN_SPHINCSSHAKE256SSIMPLE_AARCH64_crypto_sign_verify(const uint8_t *sig, size_t siglen, - const uint8_t *m, size_t mlen, - const uint8_t *pk); - -/** - * Returns an array containing the signature followed by the message. - */ -int PQCLEAN_SPHINCSSHAKE256SSIMPLE_AARCH64_crypto_sign(uint8_t *sm, size_t *smlen, - const uint8_t *m, size_t mlen, - const uint8_t *sk); - -/** - * Verifies a given signature-message pair under a given public key. - */ -int PQCLEAN_SPHINCSSHAKE256SSIMPLE_AARCH64_crypto_sign_open(uint8_t *m, size_t *mlen, - const uint8_t *sm, size_t smlen, - const uint8_t *pk); -#endif diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/context.h b/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/context.h deleted file mode 100644 index 6e0a33f3b..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/context.h +++ /dev/null @@ -1,19 +0,0 @@ -#ifndef SPX_CONTEXT_H -#define SPX_CONTEXT_H - -#include - -#include "params.h" - -typedef struct { - uint8_t pub_seed[SPX_N]; - uint8_t sk_seed[SPX_N]; -} spx_ctx; - -#define initialize_hash_function SPX_NAMESPACE(initialize_hash_function) -void initialize_hash_function(spx_ctx *ctx); - -#define free_hash_function SPX_NAMESPACE(free_hash_function) -void free_hash_function(spx_ctx *ctx); - -#endif diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/context_shake.c b/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/context_shake.c deleted file mode 100644 index 9614a103d..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/context_shake.c +++ /dev/null @@ -1,12 +0,0 @@ -#include "context.h" - -/* For SHAKE256, there is no immediate reason to initialize at the start, - so this function is an empty operation. */ -void initialize_hash_function(spx_ctx *ctx) { - (void)ctx; /* Suppress an 'unused parameter' warning. */ -} - -// in case the hash function api is heap-based. -void free_hash_function(spx_ctx *ctx) { - (void)ctx; -} diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/f1600x2.h b/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/f1600x2.h deleted file mode 100644 index 70d1af9f1..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/f1600x2.h +++ /dev/null @@ -1,11 +0,0 @@ -#ifndef SPX_F1600X2_H -#define SPX_F1600X2_H - -#include - -extern uint64_t f1600_RC[24]; -extern void _f1600x2(uint64_t *a, uint64_t *rc); - -#define f1600x2(s) do {_f1600x2((s), f1600_RC);} while(0) - -#endif diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/f1600x2.s b/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/f1600x2.s deleted file mode 100644 index 640ed791e..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/f1600x2.s +++ /dev/null @@ -1,143 +0,0 @@ -# From https://github.com/bwesterb/armed-keccak - -.macro round - # Execute theta, but without xoring into the state yet. - # Compute parities p[i] = a[i] ^ a[5+i] ^ ... ^ a[20+i]. - eor3.16b v25, v0, v5, v10 - eor3.16b v26, v1, v6, v11 - eor3.16b v27, v2, v7, v12 - eor3.16b v28, v3, v8, v13 - eor3.16b v29, v4, v9, v14 - - eor3.16b v25, v25, v15, v20 - eor3.16b v26, v26, v16, v21 - eor3.16b v27, v27, v17, v22 - eor3.16b v28, v28, v18, v23 - eor3.16b v29, v29, v19, v24 - - # d[0] = rotl(p[1], 1) ^ p[4] - rax1.2d v30, v29, v26 - # d[3] = rotl(p[4], 1) ^ p[2] - rax1.2d v29, v27, v29 - # d[1] = rotl(p[2], 1) ^ p[0] - rax1.2d v27, v25, v27 - # d[4] = rotl(p[0], 1) ^ p[3] - rax1.2d v25, v28, v25 - # d[2] = rotl(p[3], 1) ^ p[1] - rax1.2d v28, v26, v28 - - # Xor parities from step theta into the state at the same time - # as executing rho and pi. - eor.16b v0, v0, v30 - mov.16b v31, v1 - xar.2d v1, v6, v27, 20 - xar.2d v6, v9, v25, 44 - xar.2d v9, v22, v28, 3 - xar.2d v22, v14, v25, 25 - xar.2d v14, v20, v30, 46 - xar.2d v20, v2, v28, 2 - xar.2d v2, v12, v28, 21 - xar.2d v12, v13, v29, 39 - xar.2d v13, v19, v25, 56 - xar.2d v19, v23, v29, 8 - xar.2d v23, v15, v30, 23 - xar.2d v15, v4, v25, 37 - xar.2d v4, v24, v25, 50 - xar.2d v24, v21, v27, 62 - xar.2d v21, v8, v29, 9 - xar.2d v8, v16, v27, 19 - xar.2d v16, v5, v30, 28 - xar.2d v5, v3, v29, 36 - xar.2d v3, v18, v29, 43 - xar.2d v18, v17, v28, 49 - xar.2d v17, v11, v27, 54 - xar.2d v11, v7, v28, 58 - xar.2d v7, v10, v30, 61 - xar.2d v10, v31, v27, 63 - - # Chi - bcax.16b v25, v0, v2, v1 - bcax.16b v26, v1, v3, v2 - bcax.16b v2, v2, v4, v3 - bcax.16b v3, v3, v0, v4 - bcax.16b v4, v4, v1, v0 - mov.16b v0, v25 - mov.16b v1, v26 - - bcax.16b v25, v5, v7, v6 - bcax.16b v26, v6, v8, v7 - bcax.16b v7, v7, v9, v8 - bcax.16b v8, v8, v5, v9 - bcax.16b v9, v9, v6, v5 - mov.16b v5, v25 - mov.16b v6, v26 - - bcax.16b v25, v10, v12, v11 - bcax.16b v26, v11, v13, v12 - bcax.16b v12, v12, v14, v13 - bcax.16b v13, v13, v10, v14 - bcax.16b v14, v14, v11, v10 - mov.16b v10, v25 - mov.16b v11, v26 - - bcax.16b v25, v15, v17, v16 - bcax.16b v26, v16, v18, v17 - bcax.16b v17, v17, v19, v18 - bcax.16b v18, v18, v15, v19 - bcax.16b v19, v19, v16, v15 - mov.16b v15, v25 - mov.16b v16, v26 - - bcax.16b v25, v20, v22, v21 - bcax.16b v26, v21, v23, v22 - bcax.16b v22, v22, v24, v23 - bcax.16b v23, v23, v20, v24 - bcax.16b v24, v24, v21, v20 - mov.16b v20, v25 - mov.16b v21, v26 - - # iota - ld1r {v25.2d}, [x1], #8 - eor.16b v0, v0, v25 -.endm - -.align 4 -.global __f1600x2 -__f1600x2: - stp d8, d9, [sp,#-16]! - stp d10, d11, [sp,#-16]! - stp d12, d13, [sp,#-16]! - stp d14, d15, [sp,#-16]! - - mov x2, x0 - mov x3, #24 - - ld1.2d {v0, v1, v2, v3}, [x0], #64 - ld1.2d {v4, v5, v6, v7}, [x0], #64 - ld1.2d {v8, v9, v10, v11}, [x0], #64 - ld1.2d {v12, v13, v14, v15}, [x0], #64 - ld1.2d {v16, v17, v18, v19}, [x0], #64 - ld1.2d {v20, v21, v22, v23}, [x0], #64 - ld1.2d {v24}, [x0] - -loop: - round - - subs x3, x3, #1 - cbnz x3, loop - - mov x0, x2 - st1.2d {v0, v1, v2, v3}, [x0], #64 - st1.2d {v4, v5, v6, v7}, [x0], #64 - st1.2d {v8, v9, v10, v11}, [x0], #64 - st1.2d {v12, v13, v14, v15}, [x0], #64 - st1.2d {v16, v17, v18, v19}, [x0], #64 - st1.2d {v20, v21, v22, v23}, [x0], #64 - st1.2d {v24}, [x0] - - ldp d14, d15, [sp], #16 - ldp d12, d13, [sp], #16 - ldp d10, d11, [sp], #16 - ldp d8, d9, [sp], #16 - - ret lr diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/f1600x2_const.c b/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/f1600x2_const.c deleted file mode 100644 index e49c0ba14..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/f1600x2_const.c +++ /dev/null @@ -1,30 +0,0 @@ -#include "f1600x2.h" - -uint64_t f1600_RC[24] = { - 0x0000000000000001, - 0x0000000000008082, - 0x800000000000808A, - 0x8000000080008000, - 0x000000000000808B, - 0x0000000080000001, - 0x8000000080008081, - 0x8000000000008009, - 0x000000000000008A, - 0x0000000000000088, - 0x0000000080008009, - 0x000000008000000A, - 0x000000008000808B, - 0x800000000000008B, - 0x8000000000008089, - 0x8000000000008003, - 0x8000000000008002, - 0x8000000000000080, - 0x000000000000800A, - 0x800000008000000A, - 0x8000000080008081, - 0x8000000000008080, - 0x0000000080000001, - 0x8000000080008008, -}; - - diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/fips202x2.c b/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/fips202x2.c deleted file mode 100644 index 4718c343b..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/fips202x2.c +++ /dev/null @@ -1,148 +0,0 @@ -#include -#include - -#include "fips202x2.h" -#include "f1600x2.h" -#include "fips202.h" - -uint64_t load64(const unsigned char *x) { - unsigned long long r = 0, i; - - for (i = 0; i < 8; ++i) { - r |= (unsigned long long)x[i] << 8 * i; - } - return r; -} - -void store64(uint8_t *x, uint64_t u) { - unsigned int i; - - for (i = 0; i < 8; ++i) { - x[i] = (uint8_t)u; - u >>= 8; - } -} - -static void keccak_absorb2x(uint64_t *s, - unsigned int r, - const unsigned char *m0, - const unsigned char *m1, - unsigned long long int mlen, - unsigned char p) { - unsigned long long i; - unsigned char t0[200]; - unsigned char t1[200]; - - while (mlen >= r) { - for (i = 0; i < r / 8; ++i) { - s[2 * i + 0] ^= load64(m0 + 8 * i); - s[2 * i + 1] ^= load64(m1 + 8 * i); - } - - f1600x2(s); - mlen -= r; - m0 += r; - m1 += r; - } - - for (i = 0; i < r; ++i) { - t0[i] = 0; - t1[i] = 0; - } - for (i = 0; i < mlen; ++i) { - t0[i] = m0[i]; - t1[i] = m1[i]; - } - - t0[i] = p; - t1[i] = p; - - t0[r - 1] |= 128; - t1[r - 1] |= 128; - - for (i = 0; i < r / 8; ++i) { - s[2 * i + 0] ^= load64(t0 + 8 * i); - s[2 * i + 1] ^= load64(t1 + 8 * i); - } -} - - -static void keccak_squeezeblocks2x(unsigned char *h0, - unsigned char *h1, - unsigned long long int nblocks, - uint64_t *s, - unsigned int r) { - unsigned int i; - - while (nblocks > 0) { - f1600x2(s); - for (i = 0; i < (r >> 3); i++) { - store64(h0 + 8 * i, s[2 * i + 0]); - store64(h1 + 8 * i, s[2 * i + 1]); - } - h0 += r; - h1 += r; - nblocks--; - } -} - - - -void shake128x2(unsigned char *out0, - unsigned char *out1, - unsigned long long outlen, - unsigned char *in0, - unsigned char *in1, - unsigned long long inlen) { - uint64_t s[50] = {0}; - unsigned char t0[SHAKE128_RATE]; - unsigned char t1[SHAKE128_RATE]; - unsigned int i; - - /* absorb 4 message of identical length in parallel */ - keccak_absorb2x(s, SHAKE128_RATE, in0, in1, inlen, 0x1F); - - /* Squeeze output */ - keccak_squeezeblocks2x(out0, out1, outlen / SHAKE128_RATE, s, SHAKE128_RATE); - - out0 += (outlen / SHAKE128_RATE) * SHAKE128_RATE; - out1 += (outlen / SHAKE128_RATE) * SHAKE128_RATE; - - if (outlen % SHAKE128_RATE) { - keccak_squeezeblocks2x(t0, t1, 1, s, SHAKE128_RATE); - for (i = 0; i < outlen % SHAKE128_RATE; i++) { - out0[i] = t0[i]; - out1[i] = t1[i]; - } - } -} - - -void shake256x2(unsigned char *out0, - unsigned char *out1, - unsigned long long outlen, - unsigned char *in0, - unsigned char *in1, - unsigned long long inlen) { - uint64_t s[50] = {0}; - unsigned char t0[SHAKE256_RATE]; - unsigned char t1[SHAKE256_RATE]; - unsigned int i; - - /* absorb 2 message of identical length in parallel */ - keccak_absorb2x(s, SHAKE256_RATE, in0, in1, inlen, 0x1F); - - /* Squeeze output */ - keccak_squeezeblocks2x(out0, out1, outlen / SHAKE256_RATE, s, SHAKE256_RATE); - - out0 += (outlen / SHAKE256_RATE) * SHAKE256_RATE; - out1 += (outlen / SHAKE256_RATE) * SHAKE256_RATE; - - if (outlen % SHAKE256_RATE) { - keccak_squeezeblocks2x(t0, t1, 1, s, SHAKE256_RATE); - for (i = 0; i < outlen % SHAKE256_RATE; i++) { - out0[i] = t0[i]; - out1[i] = t1[i]; - } - } -} diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/fips202x2.h b/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/fips202x2.h deleted file mode 100644 index 7ba58b35d..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/fips202x2.h +++ /dev/null @@ -1,24 +0,0 @@ -#ifndef SPX_FIPS202X2_H -#define SPX_FIPS202X2_H - -#include - -uint64_t load64(const unsigned char *x); -void store64(uint8_t *x, uint64_t u); - - -void shake128x2(unsigned char *out0, - unsigned char *out1, - unsigned long long outlen, - unsigned char *in0, - unsigned char *in1, - unsigned long long inlen); - -void shake256x2(unsigned char *out0, - unsigned char *out1, - unsigned long long outlen, - unsigned char *in0, - unsigned char *in1, - unsigned long long inlen); - -#endif diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/fors.c b/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/fors.c deleted file mode 100644 index 39193d04e..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/fors.c +++ /dev/null @@ -1,191 +0,0 @@ -#include -#include -#include - -#include "fors.h" - -#include "address.h" -#include "hash.h" -#include "hashx2.h" -#include "thash.h" -#include "thashx2.h" -#include "utils.h" -#include "utilsx2.h" - -static void fors_gen_sk(unsigned char *sk, const spx_ctx *ctx, - uint32_t fors_leaf_addr[8]) { - prf_addr(sk, ctx, fors_leaf_addr); -} - -static void fors_gen_skx2(unsigned char *sk0, - unsigned char *sk1, - const spx_ctx *ctx, - uint32_t fors_leaf_addrx2[2 * 8]) { - prf_addrx2(sk0, sk1, - ctx, fors_leaf_addrx2); -} - -static void fors_sk_to_leaf(unsigned char *leaf, const unsigned char *sk, - const spx_ctx *ctx, - uint32_t fors_leaf_addr[8]) { - thash(leaf, sk, 1, ctx, fors_leaf_addr); -} - -static void fors_sk_to_leafx2(unsigned char *leaf0, - unsigned char *leaf1, - const unsigned char *sk0, - const unsigned char *sk1, - const spx_ctx *ctx, - uint32_t fors_leaf_addrx2[2 * 8]) { - thashx2(leaf0, leaf1, - sk0, sk1, - 1, ctx, fors_leaf_addrx2); -} - -struct fors_gen_leaf_info { - uint32_t leaf_addrx[2 * 8]; -}; - -static void fors_gen_leafx2(unsigned char *leaf, - const spx_ctx *ctx, - uint32_t addr_idx, void *info) { - struct fors_gen_leaf_info *fors_info = info; - uint32_t *fors_leaf_addrx2 = fors_info->leaf_addrx; - unsigned int j; - - /* Only set the parts that the caller doesn't set */ - for (j = 0; j < 2; j++) { - set_tree_index(fors_leaf_addrx2 + j * 8, addr_idx + j); - set_type(fors_leaf_addrx2 + j * 8, SPX_ADDR_TYPE_FORSPRF); - } - - fors_gen_skx2(leaf + 0 * SPX_N, - leaf + 1 * SPX_N, - ctx, fors_leaf_addrx2); - - for (j = 0; j < 2; j++) { - set_type(fors_leaf_addrx2 + j * 8, SPX_ADDR_TYPE_FORSTREE); - } - - fors_sk_to_leafx2(leaf + 0 * SPX_N, - leaf + 1 * SPX_N, - leaf + 0 * SPX_N, - leaf + 1 * SPX_N, - ctx, fors_leaf_addrx2); -} - -/** - * Interprets m as SPX_FORS_HEIGHT-bit unsigned integers. - * Assumes m contains at least SPX_FORS_HEIGHT * SPX_FORS_TREES bits. - * Assumes indices has space for SPX_FORS_TREES integers. - */ -static void message_to_indices(uint32_t *indices, const unsigned char *m) { - unsigned int i, j; - unsigned int offset = 0; - - for (i = 0; i < SPX_FORS_TREES; i++) { - indices[i] = 0; - for (j = 0; j < SPX_FORS_HEIGHT; j++) { - indices[i] ^= (uint32_t)(((m[offset >> 3] >> (offset & 0x7)) & 0x1) << j); - offset++; - } - } -} - -/** - * Signs a message m, deriving the secret key from sk_seed and the FTS address. - * Assumes m contains at least SPX_FORS_HEIGHT * SPX_FORS_TREES bits. - */ -void fors_sign(unsigned char *sig, unsigned char *pk, - const unsigned char *m, - const spx_ctx *ctx, - const uint32_t fors_addr[8]) { - uint32_t indices[SPX_FORS_TREES]; - unsigned char roots[SPX_FORS_TREES * SPX_N]; - uint32_t fors_tree_addr[2 * 8] = {0}; - struct fors_gen_leaf_info fors_info = {0}; - uint32_t *fors_leaf_addr = fors_info.leaf_addrx; - uint32_t fors_pk_addr[8] = {0}; - uint32_t idx_offset; - unsigned int i; - - for (i = 0; i < 2; i++) { - copy_keypair_addr(fors_tree_addr + 8 * i, fors_addr); - set_type(fors_tree_addr + 8 * i, SPX_ADDR_TYPE_FORSTREE); - copy_keypair_addr(fors_leaf_addr + 8 * i, fors_addr); - } - copy_keypair_addr(fors_pk_addr, fors_addr); - set_type(fors_pk_addr, SPX_ADDR_TYPE_FORSPK); - - message_to_indices(indices, m); - - for (i = 0; i < SPX_FORS_TREES; i++) { - idx_offset = i * (1 << SPX_FORS_HEIGHT); - - set_tree_height(fors_tree_addr, 0); - set_tree_index(fors_tree_addr, indices[i] + idx_offset); - - /* Include the secret key part that produces the selected leaf node. */ - set_type(fors_tree_addr, SPX_ADDR_TYPE_FORSPRF); - fors_gen_sk(sig, ctx, fors_tree_addr); - set_type(fors_tree_addr, SPX_ADDR_TYPE_FORSTREE); - sig += SPX_N; - - /* Compute the authentication path for this leaf node. */ - treehashx2(roots + i * SPX_N, sig, ctx, - indices[i], idx_offset, SPX_FORS_HEIGHT, fors_gen_leafx2, - fors_tree_addr, &fors_info); - - sig += SPX_N * SPX_FORS_HEIGHT; - } - - /* Hash horizontally across all tree roots to derive the public key. */ - thash(pk, roots, SPX_FORS_TREES, ctx, fors_pk_addr); -} - -/** - * Derives the FORS public key from a signature. - * This can be used for verification by comparing to a known public key, or to - * subsequently verify a signature on the derived public key. The latter is the - * typical use-case when used as an FTS below an OTS in a hypertree. - * Assumes m contains at least SPX_FORS_HEIGHT * SPX_FORS_TREES bits. - */ -void fors_pk_from_sig(unsigned char *pk, - const unsigned char *sig, const unsigned char *m, - const spx_ctx *ctx, - const uint32_t fors_addr[8]) { - uint32_t indices[SPX_FORS_TREES]; - unsigned char roots[SPX_FORS_TREES * SPX_N]; - unsigned char leaf[SPX_N]; - uint32_t fors_tree_addr[8] = {0}; - uint32_t fors_pk_addr[8] = {0}; - uint32_t idx_offset; - unsigned int i; - - copy_keypair_addr(fors_tree_addr, fors_addr); - copy_keypair_addr(fors_pk_addr, fors_addr); - - set_type(fors_tree_addr, SPX_ADDR_TYPE_FORSTREE); - set_type(fors_pk_addr, SPX_ADDR_TYPE_FORSPK); - - message_to_indices(indices, m); - - for (i = 0; i < SPX_FORS_TREES; i++) { - idx_offset = i * (1 << SPX_FORS_HEIGHT); - - set_tree_height(fors_tree_addr, 0); - set_tree_index(fors_tree_addr, indices[i] + idx_offset); - - /* Derive the leaf from the included secret key part. */ - fors_sk_to_leaf(leaf, sig, ctx, fors_tree_addr); - sig += SPX_N; - - /* Derive the corresponding root node of this tree. */ - compute_root(roots + i * SPX_N, leaf, indices[i], idx_offset, - sig, SPX_FORS_HEIGHT, ctx, fors_tree_addr); - sig += SPX_N * SPX_FORS_HEIGHT; - } - - /* Hash horizontally across all tree roots to derive the public key. */ - thash(pk, roots, SPX_FORS_TREES, ctx, fors_pk_addr); -} diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/fors.h b/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/fors.h deleted file mode 100644 index 509140a17..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/fors.h +++ /dev/null @@ -1,32 +0,0 @@ -#ifndef SPX_FORS_H -#define SPX_FORS_H - -#include - -#include "context.h" -#include "params.h" - -/** - * Signs a message m, deriving the secret key from sk_seed and the FTS address. - * Assumes m contains at least SPX_FORS_HEIGHT * SPX_FORS_TREES bits. - */ -#define fors_sign SPX_NAMESPACE(fors_sign) -void fors_sign(unsigned char *sig, unsigned char *pk, - const unsigned char *m, - const spx_ctx *ctx, - const uint32_t fors_addr[8]); - -/** - * Derives the FORS public key from a signature. - * This can be used for verification by comparing to a known public key, or to - * subsequently verify a signature on the derived public key. The latter is the - * typical use-case when used as an FTS below an OTS in a hypertree. - * Assumes m contains at least SPX_FORS_HEIGHT * SPX_FORS_TREES bits. - */ -#define fors_pk_from_sig SPX_NAMESPACE(fors_pk_from_sig) -void fors_pk_from_sig(unsigned char *pk, - const unsigned char *sig, const unsigned char *m, - const spx_ctx *ctx, - const uint32_t fors_addr[8]); - -#endif diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/hash.h b/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/hash.h deleted file mode 100644 index f7c87d4c3..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/hash.h +++ /dev/null @@ -1,28 +0,0 @@ -#ifndef SPX_HASH_H -#define SPX_HASH_H - -#include -#include - -#include "context.h" -#include "params.h" - -#define prf_addr SPX_NAMESPACE(prf_addr) -void prf_addr(unsigned char *out, const spx_ctx *ctx, - const uint32_t addr[8]); - -#define gen_message_random SPX_NAMESPACE(gen_message_random) -void gen_message_random(unsigned char *R, const unsigned char *sk_prf, - const unsigned char *optrand, - const unsigned char *m, size_t mlen, - const spx_ctx *ctx); - -#define hash_message SPX_NAMESPACE(hash_message) -void hash_message(unsigned char *digest, uint64_t *tree, uint32_t *leaf_idx, - const unsigned char *R, const unsigned char *pk, - const unsigned char *m, size_t mlen, - const spx_ctx *ctx); - - - -#endif diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/hash_shake.c b/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/hash_shake.c deleted file mode 100644 index ff5e7ec91..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/hash_shake.c +++ /dev/null @@ -1,83 +0,0 @@ -#include -#include - -#include "hash.h" - -#include "address.h" -#include "fips202.h" -#include "params.h" -#include "utils.h" - -/* - * Computes PRF(pk_seed, sk_seed, addr) - */ -void prf_addr(unsigned char *out, const spx_ctx *ctx, - const uint32_t addr[8]) { - unsigned char buf[2 * SPX_N + SPX_ADDR_BYTES]; - - memcpy(buf, ctx->pub_seed, SPX_N); - memcpy(buf + SPX_N, addr, SPX_ADDR_BYTES); - memcpy(buf + SPX_N + SPX_ADDR_BYTES, ctx->sk_seed, SPX_N); - - shake256(out, SPX_N, buf, 2 * SPX_N + SPX_ADDR_BYTES); -} - -/** - * Computes the message-dependent randomness R, using a secret seed and an - * optional randomization value as well as the message. - */ -void gen_message_random(unsigned char *R, const unsigned char *sk_prf, - const unsigned char *optrand, - const unsigned char *m, size_t mlen, - const spx_ctx *ctx) { - (void)ctx; - shake256incctx s_inc; - - shake256_inc_init(&s_inc); - shake256_inc_absorb(&s_inc, sk_prf, SPX_N); - shake256_inc_absorb(&s_inc, optrand, SPX_N); - shake256_inc_absorb(&s_inc, m, mlen); - shake256_inc_finalize(&s_inc); - shake256_inc_squeeze(R, SPX_N, &s_inc); - shake256_inc_ctx_release(&s_inc); -} - -/** - * Computes the message hash using R, the public key, and the message. - * Outputs the message digest and the index of the leaf. The index is split in - * the tree index and the leaf index, for convenient copying to an address. - */ -void hash_message(unsigned char *digest, uint64_t *tree, uint32_t *leaf_idx, - const unsigned char *R, const unsigned char *pk, - const unsigned char *m, size_t mlen, - const spx_ctx *ctx) { - (void)ctx; -#define SPX_TREE_BITS (SPX_TREE_HEIGHT * (SPX_D - 1)) -#define SPX_TREE_BYTES ((SPX_TREE_BITS + 7) / 8) -#define SPX_LEAF_BITS SPX_TREE_HEIGHT -#define SPX_LEAF_BYTES ((SPX_LEAF_BITS + 7) / 8) -#define SPX_DGST_BYTES (SPX_FORS_MSG_BYTES + SPX_TREE_BYTES + SPX_LEAF_BYTES) - - unsigned char buf[SPX_DGST_BYTES]; - unsigned char *bufp = buf; - shake256incctx s_inc; - - shake256_inc_init(&s_inc); - shake256_inc_absorb(&s_inc, R, SPX_N); - shake256_inc_absorb(&s_inc, pk, SPX_PK_BYTES); - shake256_inc_absorb(&s_inc, m, mlen); - shake256_inc_finalize(&s_inc); - shake256_inc_squeeze(buf, SPX_DGST_BYTES, &s_inc); - shake256_inc_ctx_release(&s_inc); - - memcpy(digest, bufp, SPX_FORS_MSG_BYTES); - bufp += SPX_FORS_MSG_BYTES; - - - *tree = bytes_to_ull(bufp, SPX_TREE_BYTES); - *tree &= (~(uint64_t)0) >> (64 - SPX_TREE_BITS); - bufp += SPX_TREE_BYTES; - - *leaf_idx = (uint32_t)bytes_to_ull(bufp, SPX_LEAF_BYTES); - *leaf_idx &= (~(uint32_t)0) >> (32 - SPX_LEAF_BITS); -} diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/hash_shakex2.c b/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/hash_shakex2.c deleted file mode 100644 index 99571916a..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/hash_shakex2.c +++ /dev/null @@ -1,52 +0,0 @@ -#include -#include - -#include "hashx2.h" - -#include "address.h" -#include "f1600x2.h" -#include "fips202x2.h" -#include "params.h" - -/* - * 2-way parallel version of prf_addr; takes 2x as much input and output - */ -void prf_addrx2(unsigned char *out0, - unsigned char *out1, - const spx_ctx *ctx, - const uint32_t addrx2[2 * 8]) { - /* As we write and read only a few quadwords, it is more efficient to - * build and extract from the fourway SHAKE256 state by hand. */ - uint64_t state[50] = {0}; - - for (int i = 0; i < SPX_N / 8; i++) { - uint64_t x = load64(ctx->pub_seed + 8 * i); - state[2 * i] = x; - state[2 * i + 1] = x; - } - for (int i = 0; i < 4; i++) { - state[2 * (SPX_N / 8 + i)] = (((uint64_t)addrx2[1 + 2 * i]) << 32) - | (uint64_t)addrx2[2 * i]; - state[2 * (SPX_N / 8 + i) + 1] = (((uint64_t)addrx2[8 + 1 + 2 * i]) << 32) - | (uint64_t)addrx2[8 + 2 * i]; - } - for (int i = 0; i < SPX_N / 8; i++) { - uint64_t x = load64(ctx->sk_seed + 8 * i); - state[2 * (SPX_N / 8 + i + 4)] = x; - state[2 * (SPX_N / 8 + i + 4) + 1] = x; - } - - /* SHAKE domain separator and padding. */ - state[2 * (SPX_N / 4 + 4)] = 0x1f; - state[2 * (SPX_N / 4 + 4) + 1] = 0x1f; - - state[2 * 16] = 0x80ULL << 56; - state[2 * 16 + 1] = 0x80ULL << 56; - - f1600x2(state); - - for (int i = 0; i < SPX_N / 8; i++) { - store64(out0 + 8 * i, state[2 * i]); - store64(out1 + 8 * i, state[2 * i + 1]); - } -} diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/hashx2.h b/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/hashx2.h deleted file mode 100644 index 99b8873a9..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/hashx2.h +++ /dev/null @@ -1,14 +0,0 @@ -#ifndef SPX_HASHX2_H -#define SPX_HASHX2_H - -#include "context.h" -#include "params.h" -#include - -#define prf_addrx2 SPX_NAMESPACE(prf_addrx2) -void prf_addrx2(unsigned char *out0, - unsigned char *out1, - const spx_ctx *ctx, - const uint32_t addrx2[2 * 8]); - -#endif diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/merkle.c b/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/merkle.c deleted file mode 100644 index c94ee2393..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/merkle.c +++ /dev/null @@ -1,64 +0,0 @@ -#include -#include - -#include "merkle.h" - -#include "address.h" -#include "params.h" -#include "utils.h" -#include "utilsx2.h" -#include "wots.h" -#include "wotsx2.h" - -/* - * This generates a Merkle signature (WOTS signature followed by the Merkle - * authentication path). - */ -void merkle_sign(uint8_t *sig, unsigned char *root, - const spx_ctx *ctx, - uint32_t wots_addr[8], uint32_t tree_addr[8], - uint32_t idx_leaf) { - unsigned char *auth_path = sig + SPX_WOTS_BYTES; - uint32_t tree_addrx2[2 * 8] = { 0 }; - int j; - struct leaf_info_x2 info = { 0 }; - unsigned steps[ SPX_WOTS_LEN ]; - - info.wots_sig = sig; - chain_lengths(steps, root); - info.wots_steps = steps; - - for (j = 0; j < 2; j++) { - set_type(&tree_addrx2[8 * j], SPX_ADDR_TYPE_HASHTREE); - set_type(&info.leaf_addr[8 * j], SPX_ADDR_TYPE_WOTS); - set_type(&info.pk_addr[8 * j], SPX_ADDR_TYPE_WOTSPK); - copy_subtree_addr(&tree_addrx2[8 * j], tree_addr); - copy_subtree_addr(&info.leaf_addr[8 * j], wots_addr); - copy_subtree_addr(&info.pk_addr[8 * j], wots_addr); - } - - info.wots_sign_leaf = idx_leaf; - - treehashx2(root, auth_path, ctx, - idx_leaf, 0, - SPX_TREE_HEIGHT, - wots_gen_leafx2, - tree_addrx2, &info); -} - -/* Compute root node of the top-most subtree. */ -void merkle_gen_root(unsigned char *root, const spx_ctx *ctx) { - /* We do not need the auth path in key generation, but it simplifies the - code to have just one treehash routine that computes both root and path - in one function. */ - unsigned char auth_path[SPX_TREE_HEIGHT * SPX_N + SPX_WOTS_BYTES]; - uint32_t top_tree_addr[8] = {0}; - uint32_t wots_addr[8] = {0}; - - set_layer_addr(top_tree_addr, SPX_D - 1); - set_layer_addr(wots_addr, SPX_D - 1); - - merkle_sign(auth_path, root, ctx, - wots_addr, top_tree_addr, - ~0 /* ~0 means "don't bother generating an auth path */ ); -} diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/merkle.h b/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/merkle.h deleted file mode 100644 index 769cf2e97..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/merkle.h +++ /dev/null @@ -1,21 +0,0 @@ -#ifndef MERKLE_H_ -#define MERKLE_H_ - -#include - -#include "context.h" -#include "params.h" - -/* Generate a Merkle signature (WOTS signature followed by the Merkle */ -/* authentication path) */ -#define merkle_sign SPX_NAMESPACE(merkle_sign) -void merkle_sign(uint8_t *sig, unsigned char *root, - const spx_ctx *ctx, - uint32_t wots_addr[8], uint32_t tree_addr[8], - uint32_t idx_leaf); - -/* Compute the root node of the top-most subtree. */ -#define merkle_gen_root SPX_NAMESPACE(merkle_gen_root) -void merkle_gen_root(unsigned char *root, const spx_ctx *ctx); - -#endif /* MERKLE_H_ */ diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/nistapi.h b/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/nistapi.h deleted file mode 100644 index 3cb71afad..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/nistapi.h +++ /dev/null @@ -1,87 +0,0 @@ -#ifndef SPX_API_H -#define SPX_API_H - -#include -#include - -#include "params.h" - -#define CRYPTO_ALGNAME "SPHINCS+" - -#define CRYPTO_SECRETKEYBYTES SPX_SK_BYTES -#define CRYPTO_PUBLICKEYBYTES SPX_PK_BYTES -#define CRYPTO_BYTES SPX_BYTES -#define CRYPTO_SEEDBYTES (3*SPX_N) - -/* - * Returns the length of a secret key, in bytes - */ -#define crypto_sign_secretkeybytes SPX_NAMESPACE(crypto_sign_secretkeybytes) -size_t crypto_sign_secretkeybytes(void); - -/* - * Returns the length of a public key, in bytes - */ -#define crypto_sign_publickeybytes SPX_NAMESPACE(crypto_sign_publickeybytes) -size_t crypto_sign_publickeybytes(void); - -/* - * Returns the length of a signature, in bytes - */ -#define crypto_sign_bytes SPX_NAMESPACE(crypto_sign_bytes) -size_t crypto_sign_bytes(void); - -/* - * Returns the length of the seed required to generate a key pair, in bytes - */ -#define crypto_sign_seedbytes SPX_NAMESPACE(crypto_sign_seedbytes) -size_t crypto_sign_seedbytes(void); - -/* - * Generates a SPHINCS+ key pair given a seed. - * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root] - * Format pk: [root || PUB_SEED] - */ -#define crypto_sign_seed_keypair SPX_NAMESPACE(crypto_sign_seed_keypair) -int crypto_sign_seed_keypair(uint8_t *pk, uint8_t *sk, - const uint8_t *seed); - -/* - * Generates a SPHINCS+ key pair. - * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root] - * Format pk: [root || PUB_SEED] - */ -#define crypto_sign_keypair SPX_NAMESPACE(crypto_sign_keypair) -int crypto_sign_keypair(uint8_t *pk, uint8_t *sk); - -/** - * Returns an array containing a detached signature. - */ -#define crypto_sign_signature SPX_NAMESPACE(crypto_sign_signature) -int crypto_sign_signature(uint8_t *sig, size_t *siglen, - const uint8_t *m, size_t mlen, const uint8_t *sk); - -/** - * Verifies a detached signature and message under a given public key. - */ -#define crypto_sign_verify SPX_NAMESPACE(crypto_sign_verify) -int crypto_sign_verify(const uint8_t *sig, size_t siglen, - const uint8_t *m, size_t mlen, const uint8_t *pk); - -/** - * Returns an array containing the signature followed by the message. - */ -#define crypto_sign SPX_NAMESPACE(crypto_sign) -int crypto_sign(uint8_t *sm, size_t *smlen, - const uint8_t *m, size_t mlen, - const uint8_t *sk); - -/** - * Verifies a given signature-message pair under a given public key. - */ -#define crypto_sign_open SPX_NAMESPACE(crypto_sign_open) -int crypto_sign_open(uint8_t *m, size_t *mlen, - const uint8_t *sm, size_t smlen, - const uint8_t *pk); - -#endif diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/params.h b/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/params.h deleted file mode 100644 index 354180338..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/params.h +++ /dev/null @@ -1,56 +0,0 @@ -#ifndef SPX_PARAMS_H -#define SPX_PARAMS_H - -#define SPX_NAMESPACE(s) PQCLEAN_SPHINCSSHAKE256SSIMPLE_AARCH64_##s - -/* Hash output length in bytes. */ -#define SPX_N 32 -/* Height of the hypertree. */ -#define SPX_FULL_HEIGHT 64 -/* Number of subtree layer. */ -#define SPX_D 8 -/* FORS tree dimensions. */ -#define SPX_FORS_HEIGHT 14 -#define SPX_FORS_TREES 22 -/* Winternitz parameter, */ -#define SPX_WOTS_W 16 - -/* The hash function is defined by linking a different hash.c file, as opposed - to setting a #define constant. */ - -/* For clarity */ -#define SPX_ADDR_BYTES 32 - -/* WOTS parameters. */ -#define SPX_WOTS_LOGW 4 - -#define SPX_WOTS_LEN1 (8 * SPX_N / SPX_WOTS_LOGW) - -/* SPX_WOTS_LEN2 is floor(log(len_1 * (w - 1)) / log(w)) + 1; we precompute */ -#define SPX_WOTS_LEN2 3 - -#define SPX_WOTS_LEN (SPX_WOTS_LEN1 + SPX_WOTS_LEN2) -#define SPX_WOTS_BYTES (SPX_WOTS_LEN * SPX_N) -#define SPX_WOTS_PK_BYTES SPX_WOTS_BYTES - -/* Subtree size. */ -#define SPX_TREE_HEIGHT (SPX_FULL_HEIGHT / SPX_D) - -//#if SPX_TREE_HEIGHT * SPX_D != SPX_FULL_HEIGHT -// #error SPX_D should always divide SPX_FULL_HEIGHT -//#endif - -/* FORS parameters. */ -#define SPX_FORS_MSG_BYTES ((SPX_FORS_HEIGHT * SPX_FORS_TREES + 7) / 8) -#define SPX_FORS_BYTES ((SPX_FORS_HEIGHT + 1) * SPX_FORS_TREES * SPX_N) -#define SPX_FORS_PK_BYTES SPX_N - -/* Resulting SPX sizes. */ -#define SPX_BYTES (SPX_N + SPX_FORS_BYTES + SPX_D * SPX_WOTS_BYTES +\ - SPX_FULL_HEIGHT * SPX_N) -#define SPX_PK_BYTES (2 * SPX_N) -#define SPX_SK_BYTES (2 * SPX_N + SPX_PK_BYTES) - -#include "shake_offsets.h" - -#endif diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/shake_offsets.h b/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/shake_offsets.h deleted file mode 100644 index 6b28d95d9..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/shake_offsets.h +++ /dev/null @@ -1,21 +0,0 @@ -#ifndef SHAKE_OFFSETS_H_ -#define SHAKE_OFFSETS_H_ - -/* - * Offsets of various fields in the address structure when we use SHAKE as - * the Sphincs+ hash function - */ - -#define SPX_OFFSET_LAYER 3 /* The byte used to specify the Merkle tree layer */ -#define SPX_OFFSET_TREE 8 /* The start of the 8 byte field used to specify the tree */ -#define SPX_OFFSET_TYPE 19 /* The byte used to specify the hash type (reason) */ -#define SPX_OFFSET_KP_ADDR2 22 /* The high byte used to specify the key pair (which one-time signature) */ -#define SPX_OFFSET_KP_ADDR1 23 /* The low byte used to specify the key pair */ -#define SPX_OFFSET_CHAIN_ADDR 27 /* The byte used to specify the chain address (which Winternitz chain) */ -#define SPX_OFFSET_HASH_ADDR 31 /* The byte used to specify the hash address (where in the Winternitz chain) */ -#define SPX_OFFSET_TREE_HGT 27 /* The byte used to specify the height of this node in the FORS or Merkle tree */ -#define SPX_OFFSET_TREE_INDEX 28 /* The start of the 4 byte field used to specify the node in the FORS or Merkle tree */ - -#define SPX_SHAKE 1 - -#endif /* SHAKE_OFFSETS_H_ */ diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/sign.c b/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/sign.c deleted file mode 100644 index 9d0c7d1b2..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/sign.c +++ /dev/null @@ -1,286 +0,0 @@ -#include -#include -#include - -#include "address.h" -#include "context.h" -#include "fors.h" -#include "hash.h" -#include "merkle.h" -#include "nistapi.h" -#include "params.h" -#include "randombytes.h" -#include "thash.h" -#include "utils.h" -#include "wots.h" - -/* - * Returns the length of a secret key, in bytes - */ -size_t crypto_sign_secretkeybytes(void) { - return CRYPTO_SECRETKEYBYTES; -} - -/* - * Returns the length of a public key, in bytes - */ -size_t crypto_sign_publickeybytes(void) { - return CRYPTO_PUBLICKEYBYTES; -} - -/* - * Returns the length of a signature, in bytes - */ -size_t crypto_sign_bytes(void) { - return CRYPTO_BYTES; -} - -/* - * Returns the length of the seed required to generate a key pair, in bytes - */ -size_t crypto_sign_seedbytes(void) { - return CRYPTO_SEEDBYTES; -} - -/* - * Generates an SPX key pair given a seed of length - * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root] - * Format pk: [PUB_SEED || root] - */ -int crypto_sign_seed_keypair(uint8_t *pk, uint8_t *sk, - const uint8_t *seed) { - spx_ctx ctx; - - /* Initialize SK_SEED, SK_PRF and PUB_SEED from seed. */ - memcpy(sk, seed, CRYPTO_SEEDBYTES); - - memcpy(pk, sk + 2 * SPX_N, SPX_N); - - memcpy(ctx.pub_seed, pk, SPX_N); - memcpy(ctx.sk_seed, sk, SPX_N); - - /* This hook allows the hash function instantiation to do whatever - preparation or computation it needs, based on the public seed. */ - initialize_hash_function(&ctx); - - /* Compute root node of the top-most subtree. */ - merkle_gen_root(sk + 3 * SPX_N, &ctx); - - // cleanup - free_hash_function(&ctx); - - memcpy(pk + SPX_N, sk + 3 * SPX_N, SPX_N); - - return 0; -} - -/* - * Generates an SPX key pair. - * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root] - * Format pk: [PUB_SEED || root] - */ -int crypto_sign_keypair(uint8_t *pk, uint8_t *sk) { - uint8_t seed[CRYPTO_SEEDBYTES]; - randombytes(seed, CRYPTO_SEEDBYTES); - crypto_sign_seed_keypair(pk, sk, seed); - - return 0; -} - -/** - * Returns an array containing a detached signature. - */ -int crypto_sign_signature(uint8_t *sig, size_t *siglen, - const uint8_t *m, size_t mlen, const uint8_t *sk) { - spx_ctx ctx; - - const uint8_t *sk_prf = sk + SPX_N; - const uint8_t *pk = sk + 2 * SPX_N; - - uint8_t optrand[SPX_N]; - uint8_t mhash[SPX_FORS_MSG_BYTES]; - uint8_t root[SPX_N]; - uint32_t i; - uint64_t tree; - uint32_t idx_leaf; - uint32_t wots_addr[8] = {0}; - uint32_t tree_addr[8] = {0}; - - memcpy(ctx.sk_seed, sk, SPX_N); - memcpy(ctx.pub_seed, pk, SPX_N); - - /* This hook allows the hash function instantiation to do whatever - preparation or computation it needs, based on the public seed. */ - initialize_hash_function(&ctx); - - set_type(wots_addr, SPX_ADDR_TYPE_WOTS); - set_type(tree_addr, SPX_ADDR_TYPE_HASHTREE); - - /* Optionally, signing can be made non-deterministic using optrand. - This can help counter side-channel attacks that would benefit from - getting a large number of traces when the signer uses the same nodes. */ - randombytes(optrand, SPX_N); - /* Compute the digest randomization value. */ - gen_message_random(sig, sk_prf, optrand, m, mlen, &ctx); - - /* Derive the message digest and leaf index from R, PK and M. */ - hash_message(mhash, &tree, &idx_leaf, sig, pk, m, mlen, &ctx); - sig += SPX_N; - - set_tree_addr(wots_addr, tree); - set_keypair_addr(wots_addr, idx_leaf); - - /* Sign the message hash using FORS. */ - fors_sign(sig, root, mhash, &ctx, wots_addr); - sig += SPX_FORS_BYTES; - - for (i = 0; i < SPX_D; i++) { - set_layer_addr(tree_addr, i); - set_tree_addr(tree_addr, tree); - - copy_subtree_addr(wots_addr, tree_addr); - set_keypair_addr(wots_addr, idx_leaf); - - merkle_sign(sig, root, &ctx, wots_addr, tree_addr, idx_leaf); - sig += SPX_WOTS_BYTES + SPX_TREE_HEIGHT * SPX_N; - - /* Update the indices for the next layer. */ - idx_leaf = (tree & ((1 << SPX_TREE_HEIGHT) - 1)); - tree = tree >> SPX_TREE_HEIGHT; - } - - free_hash_function(&ctx); - - *siglen = SPX_BYTES; - - return 0; -} - -/** - * Verifies a detached signature and message under a given public key. - */ -int crypto_sign_verify(const uint8_t *sig, size_t siglen, - const uint8_t *m, size_t mlen, const uint8_t *pk) { - spx_ctx ctx; - const uint8_t *pub_root = pk + SPX_N; - uint8_t mhash[SPX_FORS_MSG_BYTES]; - uint8_t wots_pk[SPX_WOTS_BYTES]; - uint8_t root[SPX_N]; - uint8_t leaf[SPX_N]; - unsigned int i; - uint64_t tree; - uint32_t idx_leaf; - uint32_t wots_addr[8] = {0}; - uint32_t tree_addr[8] = {0}; - uint32_t wots_pk_addr[8] = {0}; - - if (siglen != SPX_BYTES) { - return -1; - } - - memcpy(ctx.pub_seed, pk, SPX_N); - - /* This hook allows the hash function instantiation to do whatever - preparation or computation it needs, based on the public seed. */ - initialize_hash_function(&ctx); - - set_type(wots_addr, SPX_ADDR_TYPE_WOTS); - set_type(tree_addr, SPX_ADDR_TYPE_HASHTREE); - set_type(wots_pk_addr, SPX_ADDR_TYPE_WOTSPK); - - /* Derive the message digest and leaf index from R || PK || M. */ - /* The additional SPX_N is a result of the hash domain separator. */ - hash_message(mhash, &tree, &idx_leaf, sig, pk, m, mlen, &ctx); - sig += SPX_N; - - /* Layer correctly defaults to 0, so no need to set_layer_addr */ - set_tree_addr(wots_addr, tree); - set_keypair_addr(wots_addr, idx_leaf); - - fors_pk_from_sig(root, sig, mhash, &ctx, wots_addr); - sig += SPX_FORS_BYTES; - - /* For each subtree.. */ - for (i = 0; i < SPX_D; i++) { - set_layer_addr(tree_addr, i); - set_tree_addr(tree_addr, tree); - - copy_subtree_addr(wots_addr, tree_addr); - set_keypair_addr(wots_addr, idx_leaf); - - copy_keypair_addr(wots_pk_addr, wots_addr); - - /* The WOTS public key is only correct if the signature was correct. */ - /* Initially, root is the FORS pk, but on subsequent iterations it is - the root of the subtree below the currently processed subtree. */ - wots_pk_from_sig(wots_pk, sig, root, &ctx, wots_addr); - sig += SPX_WOTS_BYTES; - - /* Compute the leaf node using the WOTS public key. */ - thash(leaf, wots_pk, SPX_WOTS_LEN, &ctx, wots_pk_addr); - - /* Compute the root node of this subtree. */ - compute_root(root, leaf, idx_leaf, 0, sig, SPX_TREE_HEIGHT, - &ctx, tree_addr); - sig += SPX_TREE_HEIGHT * SPX_N; - - /* Update the indices for the next layer. */ - idx_leaf = (tree & ((1 << SPX_TREE_HEIGHT) - 1)); - tree = tree >> SPX_TREE_HEIGHT; - } - - // cleanup - free_hash_function(&ctx); - - /* Check if the root node equals the root node in the public key. */ - if (memcmp(root, pub_root, SPX_N) != 0) { - return -1; - } - - return 0; -} - - -/** - * Returns an array containing the signature followed by the message. - */ -int crypto_sign(uint8_t *sm, size_t *smlen, - const uint8_t *m, size_t mlen, - const uint8_t *sk) { - size_t siglen; - - crypto_sign_signature(sm, &siglen, m, mlen, sk); - - memmove(sm + SPX_BYTES, m, mlen); - *smlen = siglen + mlen; - - return 0; -} - -/** - * Verifies a given signature-message pair under a given public key. - */ -int crypto_sign_open(uint8_t *m, size_t *mlen, - const uint8_t *sm, size_t smlen, - const uint8_t *pk) { - /* The API caller does not necessarily know what size a signature should be - but SPHINCS+ signatures are always exactly SPX_BYTES. */ - if (smlen < SPX_BYTES) { - memset(m, 0, smlen); - *mlen = 0; - return -1; - } - - *mlen = smlen - SPX_BYTES; - - if (crypto_sign_verify(sm, SPX_BYTES, sm + SPX_BYTES, *mlen, pk)) { - memset(m, 0, smlen); - *mlen = 0; - return -1; - } - - /* If verification was successful, move the message to the right place. */ - memmove(m, sm + SPX_BYTES, *mlen); - - return 0; -} diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/thash.h b/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/thash.h deleted file mode 100644 index 8687ccfb4..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/thash.h +++ /dev/null @@ -1,13 +0,0 @@ -#ifndef SPX_THASH_H -#define SPX_THASH_H - -#include "context.h" -#include "params.h" - -#include - -#define thash SPX_NAMESPACE(thash) -void thash(unsigned char *out, const unsigned char *in, unsigned int inblocks, - const spx_ctx *ctx, uint32_t addr[8]); - -#endif diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/thash_shake_simplex2.c b/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/thash_shake_simplex2.c deleted file mode 100644 index 892e45369..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/thash_shake_simplex2.c +++ /dev/null @@ -1,83 +0,0 @@ -#include -#include - -#include "thash.h" -#include "thashx2.h" - -#include "address.h" -#include "params.h" -#include "utils.h" - -#include "f1600x2.h" -#include "fips202x2.h" - - -void thash(unsigned char *out, - const unsigned char *in, - unsigned int inblocks, - const spx_ctx *ctx, uint32_t addr[8]) { - uint32_t addrx2 [2 * 8] = { - addr[0], addr[1], addr[2], addr[3], addr[4], addr[5], addr[6], addr[7], - addr[0], addr[1], addr[2], addr[3], addr[4], addr[5], addr[6], addr[7] - }; - thashx2(out, out, in, in, inblocks, ctx, addrx2); -} - -/** - * 2-way parallel version of thash; takes 2x as much input and output - */ -void thashx2(unsigned char *out0, - unsigned char *out1, - const unsigned char *in0, - const unsigned char *in1, - unsigned int inblocks, - const spx_ctx *ctx, uint32_t addrx2[2 * 8]) { - if (inblocks == 1 || inblocks == 2) { - /* As we write and read only a few quadwords, it is more efficient to - * build and extract from the twoway SHAKE256 state by hand. */ - uint64_t state[50] = {0}; - for (int i = 0; i < SPX_N / 8; i++) { - uint64_t x = load64(ctx->pub_seed + 8 * i); - state[2 * i] = x; - state[2 * i + 1] = x; - } - for (int i = 0; i < 4; i++) { - state[2 * (SPX_N / 8 + i)] = (((uint64_t)addrx2[1 + 2 * i]) << 32) - | (uint64_t)addrx2[2 * i]; - state[2 * (SPX_N / 8 + i) + 1] = (((uint64_t)addrx2[8 + 1 + 2 * i]) << 32) - | (uint64_t)addrx2[8 + 2 * i]; - } - - for (unsigned int i = 0; i < (SPX_N / 8) * inblocks; i++) { - state[2 * (SPX_N / 8 + 4 + i)] = load64(in0 + 8 * i); - state[2 * (SPX_N / 8 + 4 + i) + 1] = load64(in1 + 8 * i); - } - - /* Domain separator and padding. */ - state[2 * 16] = 0x80ULL << 56; - state[2 * 16 + 1] = 0x80ULL << 56; - - state[2 * ((SPX_N / 8) * (1 + inblocks) + 4)] ^= 0x1f; - state[2 * ((SPX_N / 8) * (1 + inblocks) + 4) + 1] ^= 0x1f; - - f1600x2(state); - - for (int i = 0; i < SPX_N / 8; i++) { - store64(out0 + 8 * i, state[2 * i]); - store64(out1 + 8 * i, state[2 * i + 1]); - } - } else { - PQCLEAN_VLA(unsigned char, buf0, SPX_N + SPX_ADDR_BYTES + inblocks * SPX_N); - PQCLEAN_VLA(unsigned char, buf1, SPX_N + SPX_ADDR_BYTES + inblocks * SPX_N); - - memcpy(buf0, ctx->pub_seed, SPX_N); - memcpy(buf1, ctx->pub_seed, SPX_N); - memcpy(buf0 + SPX_N, addrx2 + 0 * 8, SPX_ADDR_BYTES); - memcpy(buf1 + SPX_N, addrx2 + 1 * 8, SPX_ADDR_BYTES); - memcpy(buf0 + SPX_N + SPX_ADDR_BYTES, in0, inblocks * SPX_N); - memcpy(buf1 + SPX_N + SPX_ADDR_BYTES, in1, inblocks * SPX_N); - - shake256x2(out0, out1, SPX_N, - buf0, buf1, SPX_N + SPX_ADDR_BYTES + inblocks * SPX_N); - } -} diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/thashx2.h b/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/thashx2.h deleted file mode 100644 index 040375e61..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/thashx2.h +++ /dev/null @@ -1,16 +0,0 @@ -#ifndef SPX_THASHX2_H -#define SPX_THASHX2_H - -#include "context.h" -#include "params.h" -#include - -#define thashx2 SPX_NAMESPACE(thashx2) -void thashx2(unsigned char *out0, - unsigned char *out1, - const unsigned char *in0, - const unsigned char *in1, - unsigned int inblocks, - const spx_ctx *ctx, uint32_t addrx2[2 * 8]); - -#endif diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/utils.c b/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/utils.c deleted file mode 100644 index 177b541fb..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/utils.c +++ /dev/null @@ -1,148 +0,0 @@ -#include - -#include "utils.h" - -#include "address.h" -#include "hash.h" -#include "params.h" -#include "thash.h" - -/** - * Converts the value of 'in' to 'outlen' bytes in big-endian byte order. - */ -void ull_to_bytes(unsigned char *out, unsigned int outlen, - unsigned long long in) { - int i; - - /* Iterate over out in decreasing order, for big-endianness. */ - for (i = (signed int)outlen - 1; i >= 0; i--) { - out[i] = in & 0xff; - in = in >> 8; - } -} - -void u32_to_bytes(unsigned char *out, uint32_t in) { - out[0] = (unsigned char)(in >> 24); - out[1] = (unsigned char)(in >> 16); - out[2] = (unsigned char)(in >> 8); - out[3] = (unsigned char)in; -} - -/** - * Converts the inlen bytes in 'in' from big-endian byte order to an integer. - */ -unsigned long long bytes_to_ull(const unsigned char *in, unsigned int inlen) { - unsigned long long retval = 0; - unsigned int i; - - for (i = 0; i < inlen; i++) { - retval |= ((unsigned long long)in[i]) << (8 * (inlen - 1 - i)); - } - return retval; -} - -/** - * Computes a root node given a leaf and an auth path. - * Expects address to be complete other than the tree_height and tree_index. - */ -void compute_root(unsigned char *root, const unsigned char *leaf, - uint32_t leaf_idx, uint32_t idx_offset, - const unsigned char *auth_path, uint32_t tree_height, - const spx_ctx *ctx, uint32_t addr[8]) { - uint32_t i; - unsigned char buffer[2 * SPX_N]; - - /* If leaf_idx is odd (last bit = 1), current path element is a right child - and auth_path has to go left. Otherwise it is the other way around. */ - if (leaf_idx & 1) { - memcpy(buffer + SPX_N, leaf, SPX_N); - memcpy(buffer, auth_path, SPX_N); - } else { - memcpy(buffer, leaf, SPX_N); - memcpy(buffer + SPX_N, auth_path, SPX_N); - } - auth_path += SPX_N; - - for (i = 0; i < tree_height - 1; i++) { - leaf_idx >>= 1; - idx_offset >>= 1; - /* Set the address of the node we're creating. */ - set_tree_height(addr, i + 1); - set_tree_index(addr, leaf_idx + idx_offset); - - /* Pick the right or left neighbor, depending on parity of the node. */ - if (leaf_idx & 1) { - thash(buffer + SPX_N, buffer, 2, ctx, addr); - memcpy(buffer, auth_path, SPX_N); - } else { - thash(buffer, buffer, 2, ctx, addr); - memcpy(buffer + SPX_N, auth_path, SPX_N); - } - auth_path += SPX_N; - } - - /* The last iteration is exceptional; we do not copy an auth_path node. */ - leaf_idx >>= 1; - idx_offset >>= 1; - set_tree_height(addr, tree_height); - set_tree_index(addr, leaf_idx + idx_offset); - thash(root, buffer, 2, ctx, addr); -} - -/** - * For a given leaf index, computes the authentication path and the resulting - * root node using Merkle's TreeHash algorithm. - * Expects the layer and tree parts of the tree_addr to be set, as well as the - * tree type (i.e. SPX_ADDR_TYPE_HASHTREE or SPX_ADDR_TYPE_FORSTREE). - * Applies the offset idx_offset to indices before building addresses, so that - * it is possible to continue counting indices across trees. - */ -void treehash(unsigned char *root, unsigned char *auth_path, const spx_ctx *ctx, - uint32_t leaf_idx, uint32_t idx_offset, uint32_t tree_height, - void (*gen_leaf)( - unsigned char * /* leaf */, - const spx_ctx * /* ctx */, - uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */), - uint32_t tree_addr[8]) { - PQCLEAN_VLA(uint8_t, stack, (tree_height + 1)*SPX_N); - PQCLEAN_VLA(unsigned int, heights, tree_height + 1); - unsigned int offset = 0; - uint32_t idx; - uint32_t tree_idx; - - for (idx = 0; idx < (uint32_t)(1 << tree_height); idx++) { - /* Add the next leaf node to the stack. */ - gen_leaf(stack + offset * SPX_N, ctx, idx + idx_offset, tree_addr); - offset++; - heights[offset - 1] = 0; - - /* If this is a node we need for the auth path.. */ - if ((leaf_idx ^ 0x1) == idx) { - memcpy(auth_path, stack + (offset - 1)*SPX_N, SPX_N); - } - - /* While the top-most nodes are of equal height.. */ - while (offset >= 2 && heights[offset - 1] == heights[offset - 2]) { - /* Compute index of the new node, in the next layer. */ - tree_idx = (idx >> (heights[offset - 1] + 1)); - - /* Set the address of the node we're creating. */ - set_tree_height(tree_addr, heights[offset - 1] + 1); - set_tree_index(tree_addr, - tree_idx + (idx_offset >> (heights[offset - 1] + 1))); - /* Hash the top-most nodes from the stack together. */ - thash(stack + (offset - 2)*SPX_N, - stack + (offset - 2)*SPX_N, 2, ctx, tree_addr); - offset--; - /* Note that the top-most node is now one layer higher. */ - heights[offset - 1]++; - - /* If this is a node we need for the auth path.. */ - if (((leaf_idx >> heights[offset - 1]) ^ 0x1) == tree_idx) { - memcpy(auth_path + heights[offset - 1]*SPX_N, - stack + (offset - 1)*SPX_N, SPX_N); - } - } - } - memcpy(root, stack, SPX_N); -} diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/utils.h b/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/utils.h deleted file mode 100644 index 64f5d5a53..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/utils.h +++ /dev/null @@ -1,58 +0,0 @@ -#ifndef SPX_UTILS_H -#define SPX_UTILS_H - -#include - -#include "compat.h" -#include "context.h" -#include "params.h" - - -/* To support MSVC use alloca() instead of VLAs. See #20. */ - - -/** - * Converts the value of 'in' to 'outlen' bytes in big-endian byte order. - */ -#define ull_to_bytes SPX_NAMESPACE(ull_to_bytes) -void ull_to_bytes(unsigned char *out, unsigned int outlen, - unsigned long long in); -#define u32_to_bytes SPX_NAMESPACE(u32_to_bytes) -void u32_to_bytes(unsigned char *out, uint32_t in); - -/** - * Converts the inlen bytes in 'in' from big-endian byte order to an integer. - */ -#define bytes_to_ull SPX_NAMESPACE(bytes_to_ull) -unsigned long long bytes_to_ull(const unsigned char *in, unsigned int inlen); - -/** - * Computes a root node given a leaf and an auth path. - * Expects address to be complete other than the tree_height and tree_index. - */ -#define compute_root SPX_NAMESPACE(compute_root) -void compute_root(unsigned char *root, const unsigned char *leaf, - uint32_t leaf_idx, uint32_t idx_offset, - const unsigned char *auth_path, uint32_t tree_height, - const spx_ctx *ctx, uint32_t addr[8]); - -/** - * For a given leaf index, computes the authentication path and the resulting - * root node using Merkle's TreeHash algorithm. - * Expects the layer and tree parts of the tree_addr to be set, as well as the - * tree type (i.e. SPX_ADDR_TYPE_HASHTREE or SPX_ADDR_TYPE_FORSTREE). - * Applies the offset idx_offset to indices before building addresses, so that - * it is possible to continue counting indices across trees. - */ -#define treehash SPX_NAMESPACE(treehash) -void treehash(unsigned char *root, unsigned char *auth_path, - const spx_ctx *ctx, - uint32_t leaf_idx, uint32_t idx_offset, uint32_t tree_height, - void (*gen_leaf)( - unsigned char * /* leaf */, - const spx_ctx *ctx /* ctx */, - uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */), - uint32_t tree_addr[8]); - - -#endif diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/utilsx2.c b/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/utilsx2.c deleted file mode 100644 index 8736474e4..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/utilsx2.c +++ /dev/null @@ -1,130 +0,0 @@ -#include - -#include "utilsx2.h" - -#include "address.h" -#include "params.h" -#include "thashx2.h" -#include "utils.h" - -/* - * Generate the entire Merkle tree, computing the authentication path for leaf_idx, - * and the resulting root node using Merkle's TreeHash algorithm. - * Expects the layer and tree parts of the tree_addr to be set, as well as the - * tree type (i.e. SPX_ADDR_TYPE_HASHTREE or SPX_ADDR_TYPE_FORSTREE) - * - * This expects tree_addrx2 to be initialized to 2 parallel addr structures for - * the Merkle tree nodes - * - * Applies the offset idx_offset to indices before building addresses, so that - * it is possible to continue counting indices across trees. - * - * This works by using the standard Merkle tree building algorithm, except - * that each 'node' tracked is actually 2 consecutive nodes in the real tree. - * When we combine two logical nodes AB and WX, we perform the H - * operation on adjacent real nodes, forming the parent logical node - * (AB)(WX) - * - * When we get to the top level of the real tree (where there is only - * one logical node), we continue this operation one more time; the right - * most real node will by the actual root (and the other node will be - * garbage). We follow the same thashx2 logic so that the 'extract - * authentication path components' part of the loop is still executed (and - * to simplify the code somewhat) - */ -void treehashx2(unsigned char *root, unsigned char *auth_path, - const spx_ctx *ctx, - uint32_t leaf_idx, uint32_t idx_offset, - uint32_t tree_height, - void (*gen_leafx2)( - unsigned char * /* Where to write the leaves */, - const spx_ctx *, - uint32_t idx, void *info), - uint32_t tree_addrx2[2 * 8], - void *info) { - /* This is where we keep the intermediate nodes */ - unsigned char stackx2[tree_height * 2 * SPX_N]; - uint32_t left_adj = 0, prev_left_adj = 0; /* When we're doing the top */ - /* level, the left-most part of the tree isn't at the beginning */ - /* of current[]. These give the offset of the actual start */ - - uint32_t idx; - uint32_t max_idx = (1 << (tree_height - 1)) - 1; - for (idx = 0;; idx++) { - unsigned char current[2 * SPX_N]; /* Current logical node */ - gen_leafx2( current, ctx, 2 * idx + idx_offset, - info ); - - /* Now combine the freshly generated right node with previously */ - /* generated left ones */ - uint32_t internal_idx_offset = idx_offset; - uint32_t internal_idx = idx; - uint32_t internal_leaf = leaf_idx; - uint32_t h; /* The height we are in the Merkle tree */ - for (h = 0;; h++, internal_idx >>= 1, internal_leaf >>= 1) { - - /* Special processing if we're at the top of the tree */ - if (h >= tree_height - 1) { - if (h == tree_height) { - /* We hit the root; return it */ - memcpy( root, ¤t[1 * SPX_N], SPX_N ); - return; - } - /* The tree indexing logic is a bit off in this case */ - /* Adjust it so that the left-most node of the part of */ - /* the tree that we're processing has index 0 */ - prev_left_adj = left_adj; - left_adj = 2 - (1 << (tree_height - h - 1)); - } - - /* Check if we hit the top of the tree */ - if (h == tree_height) { - /* We hit the root; return it */ - memcpy( root, ¤t[1 * SPX_N], SPX_N ); - return; - } - - /* - * Check if one of the nodes we have is a part of the - * authentication path; if it is, write it out - */ - if ((((internal_idx << 1) ^ internal_leaf) & ~0x1) == 0) { - memcpy( &auth_path[ h * SPX_N ], - ¤t[(((internal_leaf & 1) ^ 1) + prev_left_adj) * SPX_N], - SPX_N ); - } - - /* - * Check if we're at a left child; if so, stop going up the stack - * Exception: if we've reached the end of the tree, keep on going - * (so we combine the last 2 nodes into the one root node in two - * more iterations) - */ - if ((internal_idx & 1) == 0 && idx < max_idx) { - break; - } - - /* Ok, we're at a right node (or doing the top 3 levels) */ - /* Now combine the left and right logical nodes together */ - - /* Set the address of the node we're creating. */ - int j; - internal_idx_offset >>= 1; - for (j = 0; j < 2; j++) { - set_tree_height(tree_addrx2 + j * 8, h + 1); - set_tree_index(tree_addrx2 + j * 8, - (2 / 2) * (internal_idx & ~1) + j - left_adj + internal_idx_offset ); - } - unsigned char *left = &stackx2[h * 2 * SPX_N]; - thashx2( ¤t[0 * SPX_N], - ¤t[1 * SPX_N], - &left [0 * SPX_N], - ¤t[0 * SPX_N], - 2, ctx, tree_addrx2); - } - - /* We've hit a left child; save the current for when we get the */ - /* corresponding right right */ - memcpy( &stackx2[h * 2 * SPX_N], current, 2 * SPX_N); - } -} diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/utilsx2.h b/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/utilsx2.h deleted file mode 100644 index e09faddc4..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/utilsx2.h +++ /dev/null @@ -1,30 +0,0 @@ -#ifndef SPX_UTILSX2_H -#define SPX_UTILSX2_H - -#include - -#include "context.h" -#include "params.h" - -/** - * For a given leaf index, computes the authentication path and the resulting - * root node using Merkle's TreeHash algorithm. - * Expects the layer and tree parts of the tree_addr to be set, as well as the - * tree type (i.e. SPX_ADDR_TYPE_HASHTREE or SPX_ADDR_TYPE_FORSTREE). - * Applies the offset idx_offset to indices before building addresses, so that - * it is possible to continue counting indices across trees. - * - * This implementation uses SIMD to compute internal nodes 2 at a time (in - * parallel) - */ -#define treehashx2 SPX_NAMESPACE(treehashx2) -void treehashx2(unsigned char *root, unsigned char *auth_path, - const spx_ctx *ctx, - uint32_t leaf_idx, uint32_t idx_offset, uint32_t tree_height, - void (*gen_leafx2)( - unsigned char * /* Where to write the leaves */, - const spx_ctx * /* ctx */, - uint32_t addr_idx, void *info), - uint32_t tree_addrx2[2 * 8], void *info); - -#endif diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/wots.c b/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/wots.c deleted file mode 100644 index 3babe45e9..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/wots.c +++ /dev/null @@ -1,259 +0,0 @@ -#include -#include - -#include "wots.h" -#include "wotsx2.h" - -#include "address.h" -#include "hash.h" -#include "hashx2.h" -#include "params.h" -#include "thashx2.h" -#include "utils.h" -#include "utilsx2.h" - -// TODO clarify address expectations, and make them more uniform. -// TODO i.e. do we expect types to be set already? -// TODO and do we expect modifications or copies? - -/** - * Computes up the chains - */ -static void gen_chains( - unsigned char *out, - const unsigned char *in, - unsigned int start[SPX_WOTS_LEN], - const unsigned int steps[SPX_WOTS_LEN], - const spx_ctx *ctx, - uint32_t addr[8]) { - uint32_t i, j, k, idx, watching; - int done; - unsigned char empty[SPX_N]; - unsigned char *bufs[4]; - uint32_t addrs[8 * 2]; - - int l; - uint16_t counts[SPX_WOTS_W] = { 0 }; - uint16_t idxs[SPX_WOTS_LEN]; - uint16_t total, newTotal; - - /* set addrs = {addr, addr} */ - for (j = 0; j < 2; j++) { - memcpy(addrs + j * 8, addr, sizeof(uint32_t) * 8); - } - - /* Initialize out with the value at position 'start'. */ - memcpy(out, in, SPX_WOTS_LEN * SPX_N); - - /* Sort the chains in reverse order by steps using counting sort. */ - for (i = 0; i < SPX_WOTS_LEN; i++) { - counts[steps[i]]++; - } - total = 0; - for (l = SPX_WOTS_W - 1; l >= 0; l--) { - newTotal = counts[l] + total; - counts[l] = total; - total = newTotal; - } - for (i = 0; i < SPX_WOTS_LEN; i++) { - idxs[counts[steps[i]]] = i; - counts[steps[i]]++; - } - - /* We got our work cut out for us: do it! */ - for (i = 0; i < SPX_WOTS_LEN; i += 2) { - for (j = 0; j < 2 && i + j < SPX_WOTS_LEN; j++) { - idx = idxs[i + j]; - set_chain_addr(addrs + j * 8, idx); - bufs[j] = out + SPX_N * idx; - } - - /* As the chains are sorted in reverse order, we know that the first - * chain is the longest and the last one is the shortest. We keep - * an eye on whether the last chain is done and then on the one before, - * et cetera. */ - watching = 1; - done = 0; - while (i + watching >= SPX_WOTS_LEN) { - bufs[watching] = &empty[0]; - watching--; - } - - for (k = 0;; k++) { - while (k == steps[idxs[i + watching]]) { - bufs[watching] = &empty[0]; - if (watching == 0) { - done = 1; - break; - } - watching--; - } - if (done) { - break; - } - for (j = 0; j < watching + 1; j++) { - set_hash_addr(addrs + j * 8, k + start[idxs[i + j]]); - } - - thashx2(bufs[0], bufs[1], - bufs[0], bufs[1], 1, ctx, addrs); - } - } -} - -/** - * base_w algorithm as described in draft. - * Interprets an array of bytes as integers in base w. - * This only works when log_w is a divisor of 8. - */ -static void base_w(unsigned int *output, const int out_len, - const unsigned char *input) { - int in = 0; - int out = 0; - unsigned char total = 0; - int bits = 0; - int consumed; - - for (consumed = 0; consumed < out_len; consumed++) { - if (bits == 0) { - total = input[in]; - in++; - bits += 8; - } - bits -= SPX_WOTS_LOGW; - output[out] = (total >> bits) & (SPX_WOTS_W - 1); - out++; - } -} - -/* Computes the WOTS+ checksum over a message (in base_w). */ -static void wots_checksum(unsigned int *csum_base_w, - const unsigned int *msg_base_w) { - unsigned int csum = 0; - unsigned char csum_bytes[(SPX_WOTS_LEN2 * SPX_WOTS_LOGW + 7) / 8]; - unsigned int i; - - /* Compute checksum. */ - for (i = 0; i < SPX_WOTS_LEN1; i++) { - csum += SPX_WOTS_W - 1 - msg_base_w[i]; - } - - /* Convert checksum to base_w. */ - /* Make sure expected empty zero bits are the least significant bits. */ - csum = csum << ((8 - ((SPX_WOTS_LEN2 * SPX_WOTS_LOGW) % 8)) % 8); - ull_to_bytes(csum_bytes, sizeof(csum_bytes), csum); - base_w(csum_base_w, SPX_WOTS_LEN2, csum_bytes); -} - -/* Takes a message and derives the matching chain lengths. */ -void chain_lengths(unsigned int *lengths, const unsigned char *msg) { - base_w(lengths, SPX_WOTS_LEN1, msg); - wots_checksum(lengths + SPX_WOTS_LEN1, lengths); -} - -/** - * Takes a WOTS signature and an n-byte message, computes a WOTS public key. - * - * Writes the computed public key to 'pk'. - */ -void wots_pk_from_sig(unsigned char *pk, - const unsigned char *sig, const unsigned char *msg, - const spx_ctx *ctx, uint32_t addr[8]) { - unsigned int steps[SPX_WOTS_LEN]; - unsigned int start[SPX_WOTS_LEN]; - uint32_t i; - - chain_lengths(start, msg); - - for (i = 0; i < SPX_WOTS_LEN; i++) { - steps[i] = SPX_WOTS_W - 1 - start[i]; - } - - gen_chains(pk, sig, start, steps, ctx, addr); -} - -/* - * This generates 2 sequential WOTS public keys - * It also generates the WOTS signature if leaf_info indicates - * that we're signing with one of these WOTS keys - */ -void wots_gen_leafx2(unsigned char *dest, - const spx_ctx *ctx, - uint32_t leaf_idx, void *v_info) { - struct leaf_info_x2 *info = v_info; - uint32_t *leaf_addr = info->leaf_addr; - uint32_t *pk_addr = info->pk_addr; - unsigned int i, j, k; - unsigned char pk_buffer[ 2 * SPX_WOTS_BYTES ]; - unsigned wots_offset = SPX_WOTS_BYTES; - unsigned char *buffer; - uint32_t wots_k_mask; - unsigned wots_sign_index; - - if (((leaf_idx ^ info->wots_sign_leaf) & ~1) == 0) { - /* We're traversing the leaf that's signing; generate the WOTS */ - /* signature */ - wots_k_mask = 0; - wots_sign_index = info->wots_sign_leaf & 1; /* Which of of the 2 */ - /* slots do the signatures come from */ - } else { - /* Nope, we're just generating pk's; turn off the signature logic */ - wots_k_mask = ~0; - wots_sign_index = 0; - } - - for (j = 0; j < 2; j++) { - set_keypair_addr( leaf_addr + j * 8, leaf_idx + j ); - set_keypair_addr( pk_addr + j * 8, leaf_idx + j ); - } - - for (i = 0, buffer = pk_buffer; i < SPX_WOTS_LEN; i++, buffer += SPX_N) { - uint32_t wots_k = info->wots_steps[i] | wots_k_mask; /* Set wots_k to */ - /* the step if we're generating a signature, ~0 if we're not */ - - /* Start with the secret seed */ - for (j = 0; j < 2; j++) { - set_chain_addr(leaf_addr + j * 8, i); - set_hash_addr(leaf_addr + j * 8, 0); - set_type(leaf_addr + j * 8, SPX_ADDR_TYPE_WOTSPRF); - } - prf_addrx2(buffer + 0 * wots_offset, - buffer + 1 * wots_offset, - ctx, leaf_addr); - for (j = 0; j < 2; j++) { - set_type(leaf_addr + j * 8, SPX_ADDR_TYPE_WOTS); - } - - /* Iterate down the WOTS chain */ - for (k = 0;; k++) { - /* Check if one of the values we have needs to be saved as a */ - /* part of the WOTS signature */ - if (k == wots_k) { - memcpy( info->wots_sig + i * SPX_N, - buffer + wots_sign_index * wots_offset, SPX_N ); - } - - /* Check if we hit the top of the chain */ - if (k == SPX_WOTS_W - 1) { - break; - } - - /* Iterate one step on all 4 chains */ - for (j = 0; j < 2; j++) { - set_hash_addr(leaf_addr + j * 8, k); - } - thashx2(buffer + 0 * wots_offset, - buffer + 1 * wots_offset, - buffer + 0 * wots_offset, - buffer + 1 * wots_offset, - 1, ctx, leaf_addr); - } - } - - /* Do the final thash to generate the public keys */ - thashx2(dest + 0 * SPX_N, - dest + 1 * SPX_N, - pk_buffer + 0 * wots_offset, - pk_buffer + 1 * wots_offset, - SPX_WOTS_LEN, ctx, pk_addr); -} diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/wots.h b/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/wots.h deleted file mode 100644 index 4e7692eee..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/wots.h +++ /dev/null @@ -1,25 +0,0 @@ -#ifndef SPX_WOTS_H -#define SPX_WOTS_H - -#include - -#include "context.h" -#include "params.h" - -/** - * Takes a WOTS signature and an n-byte message, computes a WOTS public key. - * - * Writes the computed public key to 'pk'. - */ -#define wots_pk_from_sig SPX_NAMESPACE(wots_pk_from_sig) -void wots_pk_from_sig(unsigned char *pk, - const unsigned char *sig, const unsigned char *msg, - const spx_ctx *ctx, uint32_t addr[8]); - -/* - * Compute the chain lengths needed for a given message hash - */ -#define chain_lengths SPX_NAMESPACE(chain_lengths) -void chain_lengths(unsigned int *lengths, const unsigned char *msg); - -#endif diff --git a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/wotsx2.h b/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/wotsx2.h deleted file mode 100644 index b58bb61f8..000000000 --- a/src/sig/sphincs/pqclean_sphincs-shake-256s-simple_aarch64/wotsx2.h +++ /dev/null @@ -1,40 +0,0 @@ -#ifndef WOTSX2_H_ -#define WOTSX2_H_ - -#include "params.h" -#include - -/* - * This is here to provide an interface to the internal wots_gen_leafx2 - * routine. While this routine is not referenced in the package outside of - * wots.c, it is called from the stand-alone benchmark code to characterize - * the performance - */ -struct leaf_info_x2 { - unsigned char *wots_sig; - uint32_t wots_sign_leaf; /* The index of the WOTS we're using to sign */ - uint32_t *wots_steps; - uint32_t leaf_addr[2 * 8]; - uint32_t pk_addr[2 * 8]; -}; - -/* Macro to set the leaf_info to something 'benign', that is, it would */ -/* run with the same time as it does during the real signing process */ -/* Used only by the benchmark code */ -#define INITIALIZE_LEAF_INFO_X2(info, addr, step_buffer) { \ - (info).wots_sig = 0; \ - (info).wots_sign_leaf = ~0; \ - (info).wots_steps = step_buffer; \ - int i; \ - for (i=0; i<2; i++) { \ - memcpy( &(info).leaf_addr[8*i], addr, 32 ); \ - memcpy( &(info).pk_addr[8*i], addr, 32 ); \ - } \ - } - -#define wots_gen_leafx2 SPX_NAMESPACE(wots_gen_leafx2) -void wots_gen_leafx2(unsigned char *dest, - const spx_ctx *ctx, - uint32_t leaf_idx, void *v_info); - -#endif /* WOTSX2_H_ */