From 5227cc7cd2a58e6749d7a0efd6119ca821ccd8fe Mon Sep 17 00:00:00 2001 
From: Douglas Stebila Date: Mon, 1 Jul 2019 21:02:25 -0400 Subject: [PATCH] Add MQDSS from PQClean --- Makefile.am | 5 + VisualStudio/oqs/dll.def | 8 +- VisualStudio/oqs/oqs.vcxproj | 17 + VisualStudio/oqs/oqs.vcxproj.filters | 36 ++ VisualStudio/winconfig.h | 2 + config/features.m4 | 5 + configure.ac | 1 + .../copy_from_pqclean/copy_from_pqclean.yml | 18 + src/sig/mqdss/Makefile.am | 13 + src/sig/mqdss/pqclean_mqdss-48_clean/LICENSE | 116 ++++++ src/sig/mqdss/pqclean_mqdss-48_clean/api.h | 47 +++ src/sig/mqdss/pqclean_mqdss-48_clean/gf31.c | 133 ++++++ src/sig/mqdss/pqclean_mqdss-48_clean/gf31.h | 40 ++ src/sig/mqdss/pqclean_mqdss-48_clean/mq.c | 81 ++++ src/sig/mqdss/pqclean_mqdss-48_clean/mq.h | 18 + src/sig/mqdss/pqclean_mqdss-48_clean/params.h | 25 ++ src/sig/mqdss/pqclean_mqdss-48_clean/sign.c | 384 ++++++++++++++++++ src/sig/mqdss/pqclean_mqdss-64_clean/LICENSE | 116 ++++++ src/sig/mqdss/pqclean_mqdss-64_clean/api.h | 47 +++ src/sig/mqdss/pqclean_mqdss-64_clean/gf31.c | 133 ++++++ src/sig/mqdss/pqclean_mqdss-64_clean/gf31.h | 40 ++ src/sig/mqdss/pqclean_mqdss-64_clean/mq.c | 81 ++++ src/sig/mqdss/pqclean_mqdss-64_clean/mq.h | 18 + src/sig/mqdss/pqclean_mqdss-64_clean/params.h | 25 ++ src/sig/mqdss/pqclean_mqdss-64_clean/sign.c | 384 ++++++++++++++++++ src/sig/mqdss/sig_mqdss.h | 28 ++ src/sig/mqdss/sig_mqdss_31_48.c | 44 ++ src/sig/mqdss/sig_mqdss_31_64.c | 44 ++ src/sig/sig.c | 13 + src/sig/sig.h | 7 +- 30 files changed, 1927 insertions(+), 2 deletions(-) create mode 100644 src/sig/mqdss/Makefile.am create mode 100644 src/sig/mqdss/pqclean_mqdss-48_clean/LICENSE create mode 100644 src/sig/mqdss/pqclean_mqdss-48_clean/api.h create mode 100644 src/sig/mqdss/pqclean_mqdss-48_clean/gf31.c create mode 100644 src/sig/mqdss/pqclean_mqdss-48_clean/gf31.h create mode 100644 src/sig/mqdss/pqclean_mqdss-48_clean/mq.c create mode 100644 src/sig/mqdss/pqclean_mqdss-48_clean/mq.h create mode 100644 src/sig/mqdss/pqclean_mqdss-48_clean/params.h create mode 100644 
src/sig/mqdss/pqclean_mqdss-48_clean/sign.c create mode 100644 src/sig/mqdss/pqclean_mqdss-64_clean/LICENSE create mode 100644 src/sig/mqdss/pqclean_mqdss-64_clean/api.h create mode 100644 src/sig/mqdss/pqclean_mqdss-64_clean/gf31.c create mode 100644 src/sig/mqdss/pqclean_mqdss-64_clean/gf31.h create mode 100644 src/sig/mqdss/pqclean_mqdss-64_clean/mq.c create mode 100644 src/sig/mqdss/pqclean_mqdss-64_clean/mq.h create mode 100644 src/sig/mqdss/pqclean_mqdss-64_clean/params.h create mode 100644 src/sig/mqdss/pqclean_mqdss-64_clean/sign.c create mode 100644 src/sig/mqdss/sig_mqdss.h create mode 100644 src/sig/mqdss/sig_mqdss_31_48.c create mode 100644 src/sig/mqdss/sig_mqdss_31_64.c diff --git a/Makefile.am b/Makefile.am index 671aac5c5..c6b3e39fb 100644 --- a/Makefile.am +++ b/Makefile.am @@ -44,6 +44,9 @@ endif if ENABLE_SIG_DILITHIUM liboqs_la_LIBADD += src/sig/dilithium/libsigdilithium.la endif +if ENABLE_SIG_MQDSS +liboqs_la_LIBADD += src/sig/mqdss/libsigmqdss.la +endif ##### OQS_COPY_FROM_PQCLEAN_FRAGMENT_IF_ENABLE_END if ENABLE_KEM_FRODOKEM liboqs_la_LIBADD += src/kem/frodokem/libkemfrodokem.la @@ -73,6 +76,7 @@ installheader_HEADERS= src/oqs.h \ src/kem/sike/kem_sike.h \ src/sig/sig.h \ src/sig/dilithium/sig_dilithium.h \ + src/sig/mqdss/sig_mqdss.h \ src/sig/picnic/sig_picnic.h \ src/sig/qtesla/sig_qtesla.h ##### OQS_COPY_FROM_PQCLEAN_FRAGMENT_INSTALLHEADER_END @@ -109,6 +113,7 @@ links: cp -f src/kem/newhope/kem_newhope.h include/oqs cp -f src/kem/ntru/kem_ntru.h include/oqs cp -f src/sig/dilithium/sig_dilithium.h include/oqs + cp -f src/sig/mqdss/sig_mqdss.h include/oqs ##### OQS_COPY_FROM_PQCLEAN_FRAGMENT_LINKS_END cp -f src/kem/frodokem/kem_frodokem.h include/oqs cp -f src/kem/sike/kem_sike.h include/oqs diff --git a/VisualStudio/oqs/dll.def b/VisualStudio/oqs/dll.def index 46b39d2a1..ed62a387f 100644 --- a/VisualStudio/oqs/dll.def +++ b/VisualStudio/oqs/dll.def 
@@ -107,4 +107,10 @@ EXPORTS OQS_SIG_dilithium_3_verify OQS_SIG_dilithium_4_keypair OQS_SIG_dilithium_4_sign - OQS_SIG_dilithium_4_verify \ No newline at end of file + OQS_SIG_dilithium_4_verify + OQS_SIG_mqdss_31_48_keypair + OQS_SIG_mqdss_31_48_sign + OQS_SIG_mqdss_31_48_verify + OQS_SIG_mqdss_31_64_keypair + OQS_SIG_mqdss_31_64_sign + OQS_SIG_mqdss_31_64_verify \ No newline at end of file diff --git a/VisualStudio/oqs/oqs.vcxproj b/VisualStudio/oqs/oqs.vcxproj index 30dc9fa78..bf06656d2 100644 --- a/VisualStudio/oqs/oqs.vcxproj +++ b/VisualStudio/oqs/oqs.vcxproj @@ -41,6 +41,7 @@ + @@ -214,6 +215,14 @@ + + + + + + + + @@ -412,6 +421,7 @@ copy "$(SolutionDir)..\src\kem\frodokem\kem_frodokem.h" "$(SolutionDir)include\o copy "$(SolutionDir)..\src\kem\sike\kem_sike.h" "$(SolutionDir)include\oqs\" copy "$(SolutionDir)..\src\sig\sig.h" "$(SolutionDir)include\oqs\" copy "$(SolutionDir)..\src\sig\dilithium\sig_dilithium.h" "$(SolutionDir)include\oqs\" +copy "$(SolutionDir)..\src\sig\mqdss\sig_mqdss.h" "$(SolutionDir)include\oqs\" copy "$(SolutionDir)..\src\sig\picnic\sig_picnic.h" "$(SolutionDir)include\oqs\" copy "$(SolutionDir)..\src\sig\qtesla\sig_qtesla.h" "$(SolutionDir)include\oqs\" @@ -452,6 +462,7 @@ copy "$(SolutionDir)..\src\kem\frodokem\kem_frodokem.h" "$(SolutionDir)include\o copy "$(SolutionDir)..\src\kem\sike\kem_sike.h" "$(SolutionDir)include\oqs\" copy "$(SolutionDir)..\src\sig\sig.h" "$(SolutionDir)include\oqs\" copy "$(SolutionDir)..\src\sig\dilithium\sig_dilithium.h" "$(SolutionDir)include\oqs\" +copy "$(SolutionDir)..\src\sig\mqdss\sig_mqdss.h" "$(SolutionDir)include\oqs\" copy "$(SolutionDir)..\src\sig\picnic\sig_picnic.h" "$(SolutionDir)include\oqs\" copy "$(SolutionDir)..\src\sig\qtesla\sig_qtesla.h" "$(SolutionDir)include\oqs\" 
@@ -492,6 +503,7 @@ copy "$(SolutionDir)..\src\kem\frodokem\kem_frodokem.h" "$(SolutionDir)include\o copy "$(SolutionDir)..\src\kem\sike\kem_sike.h" "$(SolutionDir)include\oqs\" copy "$(SolutionDir)..\src\sig\sig.h" "$(SolutionDir)include\oqs\" copy "$(SolutionDir)..\src\sig\dilithium\sig_dilithium.h" "$(SolutionDir)include\oqs\" +copy "$(SolutionDir)..\src\sig\mqdss\sig_mqdss.h" "$(SolutionDir)include\oqs\" copy "$(SolutionDir)..\src\sig\picnic\sig_picnic.h" "$(SolutionDir)include\oqs\" copy "$(SolutionDir)..\src\sig\qtesla\sig_qtesla.h" "$(SolutionDir)include\oqs\" @@ -540,6 +552,7 @@ copy "$(SolutionDir)..\src\kem\frodokem\kem_frodokem.h" "$(SolutionDir)include\o copy "$(SolutionDir)..\src\kem\sike\kem_sike.h" "$(SolutionDir)include\oqs\" copy "$(SolutionDir)..\src\sig\sig.h" "$(SolutionDir)include\oqs\" copy "$(SolutionDir)..\src\sig\dilithium\sig_dilithium.h" "$(SolutionDir)include\oqs\" +copy "$(SolutionDir)..\src\sig\mqdss\sig_mqdss.h" "$(SolutionDir)include\oqs\" copy "$(SolutionDir)..\src\sig\picnic\sig_picnic.h" "$(SolutionDir)include\oqs\" copy "$(SolutionDir)..\src\sig\qtesla\sig_qtesla.h" "$(SolutionDir)include\oqs\" @@ -587,6 +600,7 @@ copy "$(SolutionDir)..\src\kem\frodokem\kem_frodokem.h" "$(SolutionDir)include\o copy "$(SolutionDir)..\src\kem\sike\kem_sike.h" "$(SolutionDir)include\oqs\" copy "$(SolutionDir)..\src\sig\sig.h" "$(SolutionDir)include\oqs\" copy "$(SolutionDir)..\src\sig\dilithium\sig_dilithium.h" "$(SolutionDir)include\oqs\" +copy "$(SolutionDir)..\src\sig\mqdss\sig_mqdss.h" "$(SolutionDir)include\oqs\" copy "$(SolutionDir)..\src\sig\picnic\sig_picnic.h" "$(SolutionDir)include\oqs\" copy "$(SolutionDir)..\src\sig\qtesla\sig_qtesla.h" "$(SolutionDir)include\oqs\" 
@@ -631,6 +645,7 @@ copy "$(SolutionDir)..\src\kem\frodokem\kem_frodokem.h" "$(SolutionDir)include\o copy "$(SolutionDir)..\src\kem\sike\kem_sike.h" "$(SolutionDir)include\oqs\" copy "$(SolutionDir)..\src\sig\sig.h" "$(SolutionDir)include\oqs\" copy "$(SolutionDir)..\src\sig\dilithium\sig_dilithium.h" "$(SolutionDir)include\oqs\" +copy "$(SolutionDir)..\src\sig\mqdss\sig_mqdss.h" "$(SolutionDir)include\oqs\" copy "$(SolutionDir)..\src\sig\picnic\sig_picnic.h" "$(SolutionDir)include\oqs\" copy "$(SolutionDir)..\src\sig\qtesla\sig_qtesla.h" "$(SolutionDir)include\oqs\" @@ -675,6 +690,7 @@ copy "$(SolutionDir)..\src\kem\frodokem\kem_frodokem.h" "$(SolutionDir)include\o copy "$(SolutionDir)..\src\kem\sike\kem_sike.h" "$(SolutionDir)include\oqs\" copy "$(SolutionDir)..\src\sig\sig.h" "$(SolutionDir)include\oqs\" copy "$(SolutionDir)..\src\sig\dilithium\sig_dilithium.h" "$(SolutionDir)include\oqs\" +copy "$(SolutionDir)..\src\sig\mqdss\sig_mqdss.h" "$(SolutionDir)include\oqs\" copy "$(SolutionDir)..\src\sig\picnic\sig_picnic.h" "$(SolutionDir)include\oqs\" copy "$(SolutionDir)..\src\sig\qtesla\sig_qtesla.h" "$(SolutionDir)include\oqs\" @@ -727,6 +743,7 @@ copy "$(SolutionDir)..\src\kem\frodokem\kem_frodokem.h" "$(SolutionDir)include\o copy "$(SolutionDir)..\src\kem\sike\kem_sike.h" "$(SolutionDir)include\oqs\" copy "$(SolutionDir)..\src\sig\sig.h" "$(SolutionDir)include\oqs\" copy "$(SolutionDir)..\src\sig\dilithium\sig_dilithium.h" "$(SolutionDir)include\oqs\" +copy "$(SolutionDir)..\src\sig\mqdss\sig_mqdss.h" "$(SolutionDir)include\oqs\" copy "$(SolutionDir)..\src\sig\picnic\sig_picnic.h" "$(SolutionDir)include\oqs\" copy "$(SolutionDir)..\src\sig\qtesla\sig_qtesla.h" "$(SolutionDir)include\oqs\" diff --git a/VisualStudio/oqs/oqs.vcxproj.filters b/VisualStudio/oqs/oqs.vcxproj.filters index 3ea367a8e..467c5d969 100644 --- a/VisualStudio/oqs/oqs.vcxproj.filters +++ b/VisualStudio/oqs/oqs.vcxproj.filters 
@@ -350,6 +350,30 @@ dilithium\4 + + mqdss\31_48 + + + mqdss\31_48 + + + mqdss\31_48 + + + mqdss\31_48 + + + mqdss\31_64 + + + mqdss\31_64 + + + mqdss\31_64 + + + mqdss\31_64 + frodokem @@ -512,6 +536,9 @@ dilithium + + mqdss + frodokem @@ -726,6 +753,15 @@ {fb8c21f2-891b-46fb-8a45-17f69dfa31bd} + + {ac98bd77-73db-4889-b91f-75dc49769226} + + + {f640e0c6-bcdd-4964-951b-5af45229036f} + + + {cb56a63a-35d6-4825-92fa-07094d96d063} + diff --git a/VisualStudio/winconfig.h b/VisualStudio/winconfig.h index 95dc1dd96..f170050c4 100644 --- a/VisualStudio/winconfig.h +++ b/VisualStudio/winconfig.h @@ -40,6 +40,8 @@ #define OQS_ENABLE_SIG_dilithium_2 #define OQS_ENABLE_SIG_dilithium_3 #define OQS_ENABLE_SIG_dilithium_4 +#define OQS_ENABLE_SIG_mqdss_31_48 +#define OQS_ENABLE_SIG_mqdss_31_64 ///// OQS_COPY_FROM_PQCLEAN_FRAGMENT_SIGS_END #define OQS_KEM_DEFAULT OQS_KEM_alg_sike_p434 #define OQS_SIG_DEFAULT OQS_SIG_alg_picnic_L1_FS diff --git a/config/features.m4 b/config/features.m4 index 5b1b015ed..47f377ae5 100644 --- a/config/features.m4 +++ b/config/features.m4 @@ -48,6 +48,7 @@ AC_DEFUN([CONFIG_FEATURE_FLAGS], ARG_DISBL_SET_WRAP([kem-newhope], [kem_newhope], [ENABLE_KEM_NEWHOPE], [src/kem/newhope]) ARG_DISBL_SET_WRAP([kem-ntru], [kem_ntru], [ENABLE_KEM_NTRU], [src/kem/ntru]) ARG_DISBL_SET_WRAP([sig-dilithium], [sig_dilithium], [ENABLE_SIG_DILITHIUM], [src/sig/dilithium]) + ARG_DISBL_SET_WRAP([sig-mqdss], [sig_mqdss], [ENABLE_SIG_MQDSS], [src/sig/mqdss]) ##### OQS_COPY_FROM_PQCLEAN_FRAGMENT_ARG_DISBL_SET_WRAP_END ARG_DISBL_SET_WRAP([kem-frodokem], [kem_frodokem], [ENABLE_KEM_FRODOKEM], [src/kem/frodokem]) ARG_DISBL_SET_WRAP([kem-sike], [kem_sike], [ENABLE_KEM_SIKE], [src/kem/sike]) 
@@ -104,6 +105,10 @@ AC_DEFUN([CONFIG_FEATURES], AC_DEFINE(OQS_ENABLE_SIG_dilithium_3, 1, "Define to 1 when DILITHIUM_3 enabled") AC_DEFINE(OQS_ENABLE_SIG_dilithium_4, 1, "Define to 1 when DILITHIUM_4 enabled") ]) + AM_COND_IF([ENABLE_SIG_MQDSS], [ + AC_DEFINE(OQS_ENABLE_SIG_mqdss_31_48, 1, "Define to 1 when MQDSS-31-48 enabled") + AC_DEFINE(OQS_ENABLE_SIG_mqdss_31_64, 1, "Define to 1 when MQDSS-31-64 enabled") + ]) ##### OQS_COPY_FROM_PQCLEAN_FRAGMENT_AM_COND_IF_END AM_COND_IF([ENABLE_KEM_FRODOKEM], [ diff --git a/configure.ac b/configure.ac index b3e614072..b0b8c7f83 100644 --- a/configure.ac +++ b/configure.ac @@ -72,6 +72,7 @@ AC_CONFIG_FILES([Makefile src/sig/picnic/Makefile src/sig/qtesla/Makefile src/sig/dilithium/Makefile + src/sig/mqdss/Makefile src/kem/bike/Makefile src/kem/kyber/Makefile src/kem/newhope/Makefile diff --git a/scripts/copy_from_pqclean/copy_from_pqclean.yml b/scripts/copy_from_pqclean/copy_from_pqclean.yml index 071c42421..3ed0d30f2 100644 --- a/scripts/copy_from_pqclean/copy_from_pqclean.yml +++ b/scripts/copy_from_pqclean/copy_from_pqclean.yml @@ -100,3 +100,21 @@ sigs: implementation: clean sources: ['sign.c', 'polyvec.c', 'poly.c', 'packing.c', 'ntt.c', 'reduce.c', 'rounding.c', 'symmetric.c'] visual_studio_guid: fb8c21f2-891b-46fb-8a45-17f69dfa31bd + - + name: mqdss + visual_studio_guid: ac98bd77-73db-4889-b91f-75dc49769226 + schemes: + - + scheme: "31_48" + pqclean_scheme: mqdss-48 + pretty_name_full: MQDSS-31-48 + implementation: clean + sources: ['gf31.c', 'mq.c', 'sign.c'] + visual_studio_guid: f640e0c6-bcdd-4964-951b-5af45229036f + - + scheme: "31_64" + pqclean_scheme: mqdss-64 + pretty_name_full: MQDSS-31-64 + implementation: clean + sources: ['gf31.c', 'mq.c', 'sign.c'] + visual_studio_guid: cb56a63a-35d6-4825-92fa-07094d96d063 diff --git a/src/sig/mqdss/Makefile.am b/src/sig/mqdss/Makefile.am new file mode 100644 index 000000000..a7d08e6a4 --- /dev/null +++ b/src/sig/mqdss/Makefile.am 
@@ -0,0 +1,13 @@
+AUTOMAKE_OPTIONS = foreign
+noinst_LTLIBRARIES = libsigmqdss.la
+noinst_LTLIBRARIES += libsigmqdss_31_48.la libsigmqdss_31_64.la
+
+libsigmqdss_la_LIBADD = libsigmqdss_31_48.la libsigmqdss_31_64.la
+libsigmqdss_la_SOURCES =
+
+libsigmqdss_31_48_la_SOURCES = sig_mqdss_31_48.c pqclean_mqdss-48_clean/gf31.c pqclean_mqdss-48_clean/mq.c pqclean_mqdss-48_clean/sign.c
+libsigmqdss_31_48_la_CFLAGS = $(AM_CFLAGS) -I../../common/pqclean_shims
+
+libsigmqdss_31_64_la_SOURCES = sig_mqdss_31_64.c pqclean_mqdss-64_clean/gf31.c pqclean_mqdss-64_clean/mq.c pqclean_mqdss-64_clean/sign.c
+libsigmqdss_31_64_la_CFLAGS = $(AM_CFLAGS) -I../../common/pqclean_shims
+
diff --git a/src/sig/mqdss/pqclean_mqdss-48_clean/LICENSE b/src/sig/mqdss/pqclean_mqdss-48_clean/LICENSE
new file mode 100644
index 000000000..670154e35
--- /dev/null
+++ b/src/sig/mqdss/pqclean_mqdss-48_clean/LICENSE
@@ -0,0 +1,116 @@ +CC0 1.0 Universal + +Statement of Purpose + +The laws of most jurisdictions throughout the world automatically confer +exclusive Copyright and Related Rights (defined below) upon the creator and +subsequent owner(s) (each and all, an "owner") of an original work of +authorship and/or a database (each, a "Work"). + +Certain owners wish to permanently relinquish those rights to a Work for the +purpose of contributing to a commons of creative, cultural and scientific +works ("Commons") that the public can reliably and without fear of later +claims of infringement build upon, modify, incorporate in other works, reuse +and redistribute as freely as possible in any form whatsoever and for any +purposes, including without limitation commercial purposes. These owners may +contribute to the Commons to promote the ideal of a free culture and the +further production of creative, cultural and scientific works, or to gain +reputation or greater distribution for their Work in part through the use and +efforts of others. + +For these and/or other purposes and motivations, and without any expectation +of additional consideration or compensation, the person associating CC0 with a +Work (the "Affirmer"), to the extent that he or she is an owner of Copyright +and Related Rights in the Work, voluntarily elects to apply CC0 to the Work +and publicly distribute the Work under its terms, with knowledge of his or her +Copyright and Related Rights in the Work and the meaning and intended legal +effect of CC0 on those rights. + +1. Copyright and Related Rights. A Work made available under CC0 may be +protected by copyright and related or neighboring rights ("Copyright and +Related Rights"). Copyright and Related Rights include, but are not limited +to, the following: + + i. the right to reproduce, adapt, distribute, perform, display, communicate, + and translate a Work; + + ii. moral rights retained by the original author(s) and/or performer(s); + + iii. 
publicity and privacy rights pertaining to a person's image or likeness + depicted in a Work; + + iv. rights protecting against unfair competition in regards to a Work, + subject to the limitations in paragraph 4(a), below; + + v. rights protecting the extraction, dissemination, use and reuse of data in + a Work; + + vi. database rights (such as those arising under Directive 96/9/EC of the + European Parliament and of the Council of 11 March 1996 on the legal + protection of databases, and under any national implementation thereof, + including any amended or successor version of such directive); and + + vii. other similar, equivalent or corresponding rights throughout the world + based on applicable law or treaty, and any national implementations thereof. + +2. Waiver. To the greatest extent permitted by, but not in contravention of, +applicable law, Affirmer hereby overtly, fully, permanently, irrevocably and +unconditionally waives, abandons, and surrenders all of Affirmer's Copyright +and Related Rights and associated claims and causes of action, whether now +known or unknown (including existing as well as future claims and causes of +action), in the Work (i) in all territories worldwide, (ii) for the maximum +duration provided by applicable law or treaty (including future time +extensions), (iii) in any current or future medium and for any number of +copies, and (iv) for any purpose whatsoever, including without limitation +commercial, advertising or promotional purposes (the "Waiver"). Affirmer makes +the Waiver for the benefit of each member of the public at large and to the +detriment of Affirmer's heirs and successors, fully intending that such Waiver +shall not be subject to revocation, rescission, cancellation, termination, or +any other legal or equitable action to disrupt the quiet enjoyment of the Work +by the public as contemplated by Affirmer's express Statement of Purpose. + +3. Public License Fallback. 
Should any part of the Waiver for any reason be +judged legally invalid or ineffective under applicable law, then the Waiver +shall be preserved to the maximum extent permitted taking into account +Affirmer's express Statement of Purpose. In addition, to the extent the Waiver +is so judged Affirmer hereby grants to each affected person a royalty-free, +non transferable, non sublicensable, non exclusive, irrevocable and +unconditional license to exercise Affirmer's Copyright and Related Rights in +the Work (i) in all territories worldwide, (ii) for the maximum duration +provided by applicable law or treaty (including future time extensions), (iii) +in any current or future medium and for any number of copies, and (iv) for any +purpose whatsoever, including without limitation commercial, advertising or +promotional purposes (the "License"). The License shall be deemed effective as +of the date CC0 was applied by Affirmer to the Work. Should any part of the +License for any reason be judged legally invalid or ineffective under +applicable law, such partial invalidity or ineffectiveness shall not +invalidate the remainder of the License, and in such case Affirmer hereby +affirms that he or she will not (i) exercise any of his or her remaining +Copyright and Related Rights in the Work or (ii) assert any associated claims +and causes of action with respect to the Work, in either case contrary to +Affirmer's express Statement of Purpose. + +4. Limitations and Disclaimers. + + a. No trademark or patent rights held by Affirmer are waived, abandoned, + surrendered, licensed or otherwise affected by this document. + + b. 
Affirmer offers the Work as-is and makes no representations or warranties + of any kind concerning the Work, express, implied, statutory or otherwise, + including without limitation warranties of title, merchantability, fitness + for a particular purpose, non infringement, or the absence of latent or + other defects, accuracy, or the present or absence of errors, whether or not + discoverable, all to the greatest extent permissible under applicable law. + + c. Affirmer disclaims responsibility for clearing rights of other persons + that may apply to the Work or any use thereof, including without limitation + any person's Copyright and Related Rights in the Work. Further, Affirmer + disclaims responsibility for obtaining any necessary consents, permissions + or other rights required for any use of the Work. + + d. Affirmer understands and acknowledges that Creative Commons is not a + party to this document and has no duty or obligation with respect to this + CC0 or use of the Work. + +For more information, please see + diff --git a/src/sig/mqdss/pqclean_mqdss-48_clean/api.h b/src/sig/mqdss/pqclean_mqdss-48_clean/api.h new file mode 100644 index 000000000..e8890f52c --- /dev/null +++ b/src/sig/mqdss/pqclean_mqdss-48_clean/api.h 
@@ -0,0 +1,47 @@
+#ifndef PQCLEAN_MQDSS48_CLEAN_API_H
+#define PQCLEAN_MQDSS48_CLEAN_API_H
+
+#include
+#include
+
+#define PQCLEAN_MQDSS48_CLEAN_CRYPTO_ALGNAME "MQDSS-48"
+
+#define PQCLEAN_MQDSS48_CLEAN_CRYPTO_SECRETKEYBYTES 16
+#define PQCLEAN_MQDSS48_CLEAN_CRYPTO_PUBLICKEYBYTES 46
+#define PQCLEAN_MQDSS48_CLEAN_CRYPTO_BYTES 20854
+
+/*
+ * Generates an MQDSS key pair.
+ */
+int PQCLEAN_MQDSS48_CLEAN_crypto_sign_keypair(
+ uint8_t *pk, uint8_t *sk);
+
+/**
+ * Returns an array containing a detached signature.
+ */
+int PQCLEAN_MQDSS48_CLEAN_crypto_sign_signature(
+ uint8_t *sig, size_t *siglen,
+ const uint8_t *m, size_t mlen, const uint8_t *sk);
+
+/**
+ * Verifies a detached signature and message under a given public key.
+ */
+int PQCLEAN_MQDSS48_CLEAN_crypto_sign_verify(
+ const uint8_t *sig, size_t siglen,
+ const uint8_t *m, size_t mlen, const uint8_t *pk);
+
+/**
+ * Returns an array containing the signature followed by the message.
+ */
+int PQCLEAN_MQDSS48_CLEAN_crypto_sign(
+ uint8_t *sm, size_t *smlen,
+ const uint8_t *m, size_t mlen, const uint8_t *sk);
+
+/**
+ * Verifies a given signature-message pair under a given public key.
+ */
+int PQCLEAN_MQDSS48_CLEAN_crypto_sign_open(
+ uint8_t *m, size_t *mlen,
+ const uint8_t *sm, size_t smlen, const uint8_t *pk);
+
+#endif
diff --git a/src/sig/mqdss/pqclean_mqdss-48_clean/gf31.c b/src/sig/mqdss/pqclean_mqdss-48_clean/gf31.c
new file mode 100644
index 000000000..9a5f2df00
--- /dev/null
+++ b/src/sig/mqdss/pqclean_mqdss-48_clean/gf31.c
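Review bot: The prototype comments in api.h do not say how large the caller's buffers must be or what the return value means, which is the information a user of this header needs most; `PQCLEAN_MQDSS48_CLEAN_CRYPTO_BYTES` is defined a few lines above but is never tied to `sig` or `sm`. Suggested wording on `crypto_sign_signature`: `/* Writes a detached signature of at most PQCLEAN_MQDSS48_CLEAN_CRYPTO_BYTES bytes to sig and its length to *siglen. */`, and on `crypto_sign`: `/* sm must have room for mlen + PQCLEAN_MQDSS48_CLEAN_CRYPTO_BYTES bytes. */`. The return convention (presumably 0 on success and non-zero on failure, as in the other PQClean schemes) belongs here too, since the liboqs wrappers added in this commit will branch on it. A point of style: the keypair comment opens with `/*` while the other four use `/**`.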
@@ -0,0 +1,133 @@ +#include +#include +#include +#include + +#include "fips202.h" +#include "gf31.h" +#include "params.h" + +/* This performs a full unique reduction mod 13 on x; x can be any unsigned + 16-bit integer (i.e. in the range [0, 65535]) */ +gf31 PQCLEAN_MQDSS48_CLEAN_mod31(gf31 x) { + gf31 t; + + t = (gf31)(x & 31); + x >>= 5; + t = (gf31)(t + (x & 31)); + x >>= 5; + t = (gf31)(t + (x & 31)); + x >>= 5; + t = (gf31)(t + (x & 31)); + + t = (gf31)((t >> 5) + (t & 31)); + t = (gf31)((t >> 5) + (t & 31)); + return (gf31)((t != 31) * t); +} + +/* Given a vector of N elements in the range [0, 31], this reduces the elements + to the range [0, 30] by mapping 31 to 0 (i.e reduction mod 31) */ +void PQCLEAN_MQDSS48_CLEAN_vgf31_unique(gf31 *out, const gf31 *in) { + int i; + + for (i = 0; i < N; i++) { + out[i] = (gf31)((1 - (in[i] == 31)) * in[i]); + } +} + +/* Given a vector of 16-bit integers (i.e. in [0, 65535], this reduces the + elements to the range [0, 30] by mapping 31 to 0 (i.e reduction mod 31) */ +void PQCLEAN_MQDSS48_CLEAN_vgf31_shorten_unique(gf31 *out, const gf31 *in) { + int i; + + for (i = 0; i < N; i++) { + out[i] = PQCLEAN_MQDSS48_CLEAN_mod31(in[i]); + } +} + +/* Given a seed, samples len gf31 elements (in the range [0, 30]), and places + them in a vector of 16-bit elements */ +void PQCLEAN_MQDSS48_CLEAN_gf31_nrand(gf31 *out, int len, const unsigned char *seed, size_t seedlen) { + int i = 0, j; + shake256ctx shakestate; + unsigned char shakeblock[SHAKE256_RATE]; + + shake256_absorb(&shakestate, seed, seedlen); + + while (i < len) { + shake256_squeezeblocks(shakeblock, 1, &shakestate); + for (j = 0; j < SHAKE256_RATE && i < len; j++) { + if ((shakeblock[j] & 31) != 31) { + out[i] = (shakeblock[j] & 31); + i++; + } + } + } +} + +/* Given a seed, samples len gf31 elements, transposed into unsigned range, + i.e. in the range [-15, 15], and places them in an array of 8-bit integers. + This is used for the expansion of F, which wants packed elements. 
*/ +void PQCLEAN_MQDSS48_CLEAN_gf31_nrand_schar(signed char *out, int len, const unsigned char *seed, size_t seedlen) { + int i = 0, j; + shake256ctx shakestate; + unsigned char shakeblock[SHAKE256_RATE]; + + shake256_absorb(&shakestate, seed, seedlen); + + while (i < len) { + shake256_squeezeblocks(shakeblock, 1, &shakestate); + for (j = 0; j < SHAKE256_RATE && i < len; j++) { + if ((shakeblock[j] & 31) != 31) { + out[i] = (signed char)(((signed char)shakeblock[j] & 31) - 15); + i++; + } + } + } +} + +/* Unpacks an array of packed GF31 elements to one element per gf31. + Assumes that there is sufficient empty space available at the end of the + array to unpack. Can perform in-place. */ +void PQCLEAN_MQDSS48_CLEAN_gf31_nunpack(gf31 *out, const unsigned char *in, unsigned int n) { + size_t i; + unsigned int j = ((n * 5) >> 3) - 1; + unsigned int d = 0; + + for (i = n; i > 0; i--) { + out[i - 1] = (gf31)((in[j] >> d) & 31); + d += 5; + if (d > 8) { + d -= 8; + j--; + out[i - 1] = (gf31)(out[i - 1] ^ ((in[j] << (5 - d)) & 31)); + } + } +} + +/* Packs an array of GF31 elements from gf31's to concatenated 5-bit values. + Assumes that there is sufficient space available to unpack. + Can perform in-place. */ +void PQCLEAN_MQDSS48_CLEAN_gf31_npack(unsigned char *out, const gf31 *in, unsigned int n) { + unsigned int i = 0; + unsigned int j; + int d = 3; + + for (j = 0; j < n; j++) { + assert(in[j] < 31); + } + + /* There will be ceil(5n / 8) output blocks */ + memset(out, 0, ((5 * n + 7) & (unsigned int)~7) >> 3); + + for (j = 0; j < n; j++) { + if (d < 0) { + d += 8; + out[i] = (unsigned char)((out[i] & (255 << (d - 3))) | + ((in[j] >> (8 - d)) & ~(255 << (d - 3)))); + i++; + } + out[i] = (unsigned char)((out[i] & ~(31 << d)) | ((in[j] << d) & (31 << d))); + d -= 5; + } +} diff --git a/src/sig/mqdss/pqclean_mqdss-48_clean/gf31.h b/src/sig/mqdss/pqclean_mqdss-48_clean/gf31.h new file mode 100644 index 000000000..ae85811be --- /dev/null 
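Review bot: The header comment on `PQCLEAN_MQDSS48_CLEAN_mod31` says it performs a reduction "mod 13", but the body reduces modulo 31 (masks with 31, folds the 5-bit limbs, then maps 31 to 0); the same wrong constant is in the gf31.h prototype comment in the next hunk, and presumably in the mqdss-64 copies. Suggested comment: `/* This performs a full unique reduction mod 31 on x; x can be any unsigned 16-bit integer (i.e. in the range [0, 65535]) */`. A point of style in `gf31_nrand_schar`: the byte is converted to `signed char` before masking, which is implementation-defined for values above 127; masking first, `out[i] = (signed char)((shakeblock[j] & 31) - 15);`, gives the same result on two's-complement targets and avoids the question. Note also that the range check in `gf31_npack` is an `assert`, so it disappears under `NDEBUG` and release builds rely entirely on callers passing values below 31; a comment on that loop stating it is a debug-only check would make the contract explicit.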
+++ b/src/sig/mqdss/pqclean_mqdss-48_clean/gf31.h
@@ -0,0 +1,40 @@
+#ifndef MQDSS_GF31_H
+#define MQDSS_GF31_H
+
+#include
+#include
+
+typedef uint16_t gf31;
+
+/* This performs a full unique reduction mod 13 on x; x can be any unsigned
+ 16-bit integer (i.e. in the range [0, 65535]) */
+gf31 PQCLEAN_MQDSS48_CLEAN_mod31(gf31 x);
+
+/* Given a vector of elements in the range [0, 31], this reduces the elements
+ to the range [0, 30] by mapping 31 to 0 (i.e reduction mod 31) */
+void PQCLEAN_MQDSS48_CLEAN_vgf31_unique(gf31 *out, const gf31 *in);
+
+/* Given a vector of 16-bit integers (i.e. in [0, 65535], this reduces the
+ elements to the range [0, 30] by mapping 31 to 0 (i.e reduction mod 31) */
+void PQCLEAN_MQDSS48_CLEAN_vgf31_shorten_unique(gf31 *out, const gf31 *in);
+
+/* Given a seed, samples len gf31 elements (in the range [0, 30]), and places
+ them in a vector of 16-bit elements */
+void PQCLEAN_MQDSS48_CLEAN_gf31_nrand(gf31 *out, int len, const unsigned char *seed, size_t seedlen);
+
+/* Given a seed, samples len gf31 elements, transposed into unsigned range,
+ i.e. in the range [-15, 15], and places them in an array of 8-bit integers.
+ This is used for the expansion of F, which wants packed elements. */
+void PQCLEAN_MQDSS48_CLEAN_gf31_nrand_schar(signed char *out, int len, const unsigned char *seed, size_t seedlen);
+
+/* Unpacks an array of packed GF31 elements to one element per gf31.
+ Assumes that there is sufficient empty space available at the end of the
+ array to unpack. Can perform in-place. */
+void PQCLEAN_MQDSS48_CLEAN_gf31_nunpack(gf31 *out, const unsigned char *in, unsigned int n);
+
+/* Packs an array of GF31 elements from gf31's to concatenated 5-bit values.
+ Assumes that there is sufficient space available to unpack.
+ Can perform in-place. */
+void PQCLEAN_MQDSS48_CLEAN_gf31_npack(unsigned char *out, const gf31 *in, unsigned int n);
+
+#endif
diff --git a/src/sig/mqdss/pqclean_mqdss-48_clean/mq.c b/src/sig/mqdss/pqclean_mqdss-48_clean/mq.c new file mode 100644 index 000000000..fde77d634 --- /dev/null +++ b/src/sig/mqdss/pqclean_mqdss-48_clean/mq.c 
@@ -0,0 +1,81 @@ +#include "mq.h" +#include "params.h" + +/* Computes all products x_i * x_j, returns in reduced form */ +inline static +void generate_quadratic_terms( gf31 *xij, const gf31 *x ) { + int i, j, k; + k = 0; + for (i = 0; i < N; i++) { + for (j = 0; j <= i; j++) { + xij[k] = PQCLEAN_MQDSS48_CLEAN_mod31((gf31)(x[i] * x[j])); + k++; + } + } +} + +/* Computes all terms (x_i * y_j) + (x_j * y_i), returns in reduced form */ +inline static +void generate_xiyj_p_xjyi_terms( gf31 *xij, const gf31 *x, const gf31 *y ) { + int i, j, k; + k = 0; + for (i = 0; i < N; i++) { + for (j = 0; j <= i; j++) { + xij[k] = PQCLEAN_MQDSS48_CLEAN_mod31((gf31)(x[i] * y[j] + x[j] * y[i])); + k++; + } + } +} + +/* Evaluates the MQ function on a vector of N gf31 elements x (expected to be + in reduced 5-bit representation). Expects the coefficients in F to be in + signed representation (i.e. [-15, 15], packed bytewise). + Outputs M gf31 elements in unique 16-bit representation as fx. */ +void PQCLEAN_MQDSS48_CLEAN_MQ(gf31 *fx, const gf31 *x, const signed char *F) { + int i, j; + gf31 _xij[N * (N + 1) >> 1]; + int r[M] = {0}; + + generate_quadratic_terms(_xij, x); + + for (i = 0; i < N; i += 2) { + for (j = 0; j < M; j++) { + r[j] += ((int)x[i]) * ((int)F[i * M + 2 * j]) + + ((int)x[i + 1]) * ((int)F[i * M + 2 * j + 1]); + } + } + + for (i = 0; i < (N * (N + 1)) >> 1; i += 2) { + for (j = 0; j < M; j++) { + r[j] += ((int)_xij[i]) * ((int)F[N * M + i * M + 2 * j]) + + ((int)_xij[i + 1]) * ((int)F[N * M + i * M + 2 * j + 1]); + } + } + + for (i = 0; i < M; i++) { + fx[i] = PQCLEAN_MQDSS48_CLEAN_mod31((gf31)((r[i] >> 15) + (r[i] & 0x7FFF))); + } +} + +/* Evaluates the bilinear polar form of the MQ function (i.e. G) on a vector of + N gf31 elements x (expected to be in reduced 5-bit representation). Expects + the coefficients in F to be in signed representation (i.e. [-15, 15], packed + bytewise). Outputs M gf31 elements in unique 16-bit representation as fx. 
*/ +void PQCLEAN_MQDSS48_CLEAN_G(gf31 *fx, const gf31 *x, const gf31 *y, const signed char *F) { + int i, j; + gf31 _xij[N * (N + 1) >> 1]; + int r[M] = {0}; + + generate_xiyj_p_xjyi_terms(_xij, x, y); + + for (i = 0; i < (N * (N + 1)) >> 1; i += 2) { + for (j = 0; j < M; j++) { + r[j] += ((int)_xij[i]) * ((int)F[N * M + i * M + 2 * j]) + + ((int)_xij[i + 1]) * ((int)F[N * M + i * M + 2 * j + 1]); + } + } + + for (i = 0; i < M; i++) { + fx[i] = PQCLEAN_MQDSS48_CLEAN_mod31((gf31)((r[i] >> 15) + (r[i] & 0x7FFF))); + } +} diff --git a/src/sig/mqdss/pqclean_mqdss-48_clean/mq.h b/src/sig/mqdss/pqclean_mqdss-48_clean/mq.h new file mode 100644 index 000000000..c2ab462c7 --- /dev/null +++ b/src/sig/mqdss/pqclean_mqdss-48_clean/mq.h @@ -0,0 +1,18 @@ +#ifndef MQDSS_MQ_H +#define MQDSS_MQ_H + +#include "gf31.h" + +/* Evaluates the MQ function on a vector of N gf31 elements x (expected to be + in reduced 5-bit representation). Expects the coefficients in F to be in + signed representation (i.e. [-15, 15], packed bytewise). + Outputs M gf31 elements in unique 16-bit representation as fx. */ +void PQCLEAN_MQDSS48_CLEAN_MQ(gf31 *fx, const gf31 *x, const signed char *F); + +/* Evaluates the bilinear polar form of the MQ function (i.e. G) on a vector of + N gf31 elements x (expected to be in reduced 5-bit representation). Expects + the coefficients in F to be in signed representation (i.e. [-15, 15], packed + bytewise). Outputs M gf31 elements in unique 16-bit representation as fx. */ +void PQCLEAN_MQDSS48_CLEAN_G(gf31 *fx, const gf31 *x, const gf31 *y, const signed char *F); + +#endif diff --git a/src/sig/mqdss/pqclean_mqdss-48_clean/params.h b/src/sig/mqdss/pqclean_mqdss-48_clean/params.h new file mode 100644 index 000000000..39db6b72a --- /dev/null +++ b/src/sig/mqdss/pqclean_mqdss-48_clean/params.h 
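Review bot: The final reduction in `PQCLEAN_MQDSS48_CLEAN_MQ`, `(gf31)((r[i] >> 15) + (r[i] & 0x7FFF))`, relies on 2^15 ≡ 1 (mod 31) but then casts a possibly negative `int` to `uint16_t`, and 2^16 ≡ 2 (mod 31), so the residue is not preserved when the folded sum is negative (for example r[i] == -32768 folds to -1, which wraps to 65535 ≡ 1 instead of the correct 30); the identical expression closes `PQCLEAN_MQDSS48_CLEAN_G`. With x in [0, 30] and F in [-15, 15] as the comments state, the accumulator is bounded by about ±(N + N(N+1)/2)·450, so the folded sum is never below roughly -17 and adding one multiple of the modulus before the cast is enough: `fx[i] = PQCLEAN_MQDSS48_CLEAN_mod31((gf31)((r[i] >> 15) + (r[i] & 0x7FFF) + 31));`. For random inputs such sums are many standard deviations from the mean, which is presumably why known-answer tests do not hit them, but a reference implementation should reduce correctly on every input, and the mqdss-64 copies presumably need the same change. Right-shifting a negative `int` is implementation-defined rather than guaranteed arithmetic in C11, which a one-line comment on that expression should acknowledge. A minor point of style: `inline static` on the two helpers reads more conventionally as `static inline`.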
@@ -0,0 +1,25 @@
+#ifndef MQDSS_PARAMS_H
+#define MQDSS_PARAMS_H
+
+#define N 48
+#define M N
+#define F_LEN (M * (((N * (N + 1)) >> 1) + N)) /* Number of elements in F */
+
+#define ROUNDS 135
+
+/* Number of bytes that N, M and F_LEN elements require when packed into a byte
+ array, 5-bit elements packed continuously. */
+/* Assumes N and M to be multiples of 8 */
+#define NPACKED_BYTES ((N * 5) >> 3)
+#define MPACKED_BYTES ((M * 5) >> 3)
+#define FPACKED_BYTES ((F_LEN * 5) >> 3)
+
+#define HASH_BYTES 32
+#define SEED_BYTES 16
+#define PK_BYTES (SEED_BYTES + MPACKED_BYTES)
+#define SK_BYTES SEED_BYTES
+
+// R, sigma_0, ROUNDS * (t1, r{0,1}, e1, c, rho)
+#define SIG_LEN (2 * HASH_BYTES + ROUNDS * (2*NPACKED_BYTES + MPACKED_BYTES + HASH_BYTES + HASH_BYTES))
+
+#endif
diff --git a/src/sig/mqdss/pqclean_mqdss-48_clean/sign.c b/src/sig/mqdss/pqclean_mqdss-48_clean/sign.c
new file mode 100644
index 000000000..01d67ef94
--- /dev/null
+++ b/src/sig/mqdss/pqclean_mqdss-48_clean/sign.c
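Review bot: params.h exports the single-letter macros `N` and `M` (plus generic names like `ROUNDS`, `HASH_BYTES`, `SEED_BYTES`, `SIG_LEN`) into every file that includes it, which is a hazard once these headers are pulled into liboqs wrappers or any other code that already has its own `N`; at minimum the wrapper files should avoid including params.h and go through api.h's prefixed constants. The comment "Assumes N and M to be multiples of 8" above NPACKED_BYTES is a precondition the preprocessor can enforce instead of stating, e.g. `#if (N % 8) != 0 || (M % 8) != 0` / `#error "N and M must be multiples of 8"` / `#endif`, since NPACKED_BYTES silently truncates otherwise. Both points apply equally to the MQDSS-64 params.h later in this patch.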
@@ -0,0 +1,384 @@ +#include +#include +#include +#include + +#include "api.h" +#include "fips202.h" +#include "gf31.h" +#include "mq.h" +#include "params.h" +#include "randombytes.h" + +/* Takes an array of len bytes and computes a hash digest. + This is used as a hash function in the Fiat-Shamir transform. */ +static void H(unsigned char *out, const unsigned char *in, const size_t len) { + shake256(out, HASH_BYTES, in, len); +} + +/* Takes two arrays of N packed elements and an array of M packed elements, + and computes a HASH_BYTES commitment. */ +static void com_0(unsigned char *c, + const unsigned char *rho, + const unsigned char *inn, const unsigned char *inn2, + const unsigned char *inm) { + unsigned char buffer[HASH_BYTES + 2 * NPACKED_BYTES + MPACKED_BYTES]; + memcpy(buffer, rho, HASH_BYTES); + memcpy(buffer + HASH_BYTES, inn, NPACKED_BYTES); + memcpy(buffer + HASH_BYTES + NPACKED_BYTES, inn2, NPACKED_BYTES); + memcpy(buffer + HASH_BYTES + 2 * NPACKED_BYTES, inm, MPACKED_BYTES); + shake256(c, HASH_BYTES, buffer, HASH_BYTES + 2 * NPACKED_BYTES + MPACKED_BYTES); +} + +/* Takes an array of N packed elements and an array of M packed elements, + and computes a HASH_BYTES commitment. */ +static void com_1(unsigned char *c, + const unsigned char *rho, + const unsigned char *inn, const unsigned char *inm) { + unsigned char buffer[HASH_BYTES + NPACKED_BYTES + MPACKED_BYTES]; + memcpy(buffer, rho, HASH_BYTES); + memcpy(buffer + HASH_BYTES, inn, NPACKED_BYTES); + memcpy(buffer + HASH_BYTES + NPACKED_BYTES, inm, MPACKED_BYTES); + shake256(c, HASH_BYTES, buffer, HASH_BYTES + NPACKED_BYTES + MPACKED_BYTES); +} + +/* + * Generates an MQDSS key pair. + */ +int PQCLEAN_MQDSS48_CLEAN_crypto_sign_keypair(uint8_t *pk, uint8_t *sk) { + signed char F[F_LEN]; + unsigned char skbuf[SEED_BYTES * 2]; + gf31 sk_gf31[N]; + gf31 pk_gf31[M]; + + // Expand sk to obtain a seed for F and the secret input s. 
+ // We also expand to obtain a value for sampling r0, t0 and e0 during + // signature generation, but that is not relevant here. + randombytes(sk, SEED_BYTES); + shake256(skbuf, SEED_BYTES * 2, sk, SEED_BYTES); + + memcpy(pk, skbuf, SEED_BYTES); + PQCLEAN_MQDSS48_CLEAN_gf31_nrand_schar(F, F_LEN, pk, SEED_BYTES); + PQCLEAN_MQDSS48_CLEAN_gf31_nrand(sk_gf31, N, skbuf + SEED_BYTES, SEED_BYTES); + PQCLEAN_MQDSS48_CLEAN_MQ(pk_gf31, sk_gf31, F); + PQCLEAN_MQDSS48_CLEAN_vgf31_unique(pk_gf31, pk_gf31); + PQCLEAN_MQDSS48_CLEAN_gf31_npack(pk + SEED_BYTES, pk_gf31, M); + + return 0; +} + +/** + * Returns an array containing a detached signature. + */ +int PQCLEAN_MQDSS48_CLEAN_crypto_sign_signature( + uint8_t *sig, size_t *siglen, + const uint8_t *m, size_t mlen, const uint8_t *sk) { + + signed char F[F_LEN]; + unsigned char skbuf[SEED_BYTES * 4]; + gf31 pk_gf31[M]; + unsigned char pk[SEED_BYTES + MPACKED_BYTES]; + // Concatenated for convenient hashing. + unsigned char D_sigma0_h0_sigma1[HASH_BYTES * 3 + ROUNDS * (NPACKED_BYTES + MPACKED_BYTES)]; + unsigned char *D = D_sigma0_h0_sigma1; + unsigned char *sigma0 = D_sigma0_h0_sigma1 + HASH_BYTES; + unsigned char *h0 = D_sigma0_h0_sigma1 + 2 * HASH_BYTES; + unsigned char *t1packed = D_sigma0_h0_sigma1 + 3 * HASH_BYTES; + unsigned char *e1packed = D_sigma0_h0_sigma1 + 3 * HASH_BYTES + ROUNDS * NPACKED_BYTES; + shake256ctx shakestate; + unsigned char shakeblock[SHAKE256_RATE]; + unsigned char h1[((ROUNDS + 7) & ~7) >> 3]; + unsigned char rnd_seed[HASH_BYTES + SEED_BYTES]; + unsigned char rho[2 * ROUNDS * HASH_BYTES]; + unsigned char *rho0 = rho; + unsigned char *rho1 = rho + ROUNDS * HASH_BYTES; + gf31 sk_gf31[N]; + gf31 rnd[(2 * N + M) * ROUNDS]; // Concatenated for easy RNG. 
+ gf31 *r0 = rnd; + gf31 *t0 = rnd + N * ROUNDS; + gf31 *e0 = rnd + 2 * N * ROUNDS; + gf31 r1[N * ROUNDS]; + gf31 t1[N * ROUNDS]; + gf31 e1[M * ROUNDS]; + gf31 gx[M * ROUNDS]; + unsigned char packbuf0[NPACKED_BYTES]; + unsigned char packbuf1[NPACKED_BYTES]; + unsigned char packbuf2[MPACKED_BYTES]; + unsigned char c[HASH_BYTES * ROUNDS * 2]; + gf31 alpha; + int alpha_count = 0; + int b; + int i, j; + shake256incctx state; + + shake256(skbuf, SEED_BYTES * 4, sk, SEED_BYTES); + + PQCLEAN_MQDSS48_CLEAN_gf31_nrand_schar(F, F_LEN, skbuf, SEED_BYTES); + + shake256_inc_init(&state); + shake256_inc_absorb(&state, sk, SEED_BYTES); + shake256_inc_absorb(&state, m, mlen); + shake256_inc_finalize(&state); + shake256_inc_squeeze(sig, HASH_BYTES, &state); // Compute R. + + memcpy(pk, skbuf, SEED_BYTES); + PQCLEAN_MQDSS48_CLEAN_gf31_nrand(sk_gf31, N, skbuf + SEED_BYTES, SEED_BYTES); + PQCLEAN_MQDSS48_CLEAN_MQ(pk_gf31, sk_gf31, F); + PQCLEAN_MQDSS48_CLEAN_vgf31_unique(pk_gf31, pk_gf31); + PQCLEAN_MQDSS48_CLEAN_gf31_npack(pk + SEED_BYTES, pk_gf31, M); + + shake256_inc_init(&state); + shake256_inc_absorb(&state, pk, PK_BYTES); + shake256_inc_absorb(&state, sig, HASH_BYTES); + shake256_inc_absorb(&state, m, mlen); + shake256_inc_finalize(&state); + shake256_inc_squeeze(D, HASH_BYTES, &state); + + sig += HASH_BYTES; // Compensate for prefixed R. 
+ + memcpy(rnd_seed, skbuf + 2 * SEED_BYTES, SEED_BYTES); + memcpy(rnd_seed + SEED_BYTES, D, HASH_BYTES); + shake256(rho, 2 * ROUNDS * HASH_BYTES, rnd_seed, SEED_BYTES + HASH_BYTES); + + memcpy(rnd_seed, skbuf + 3 * SEED_BYTES, SEED_BYTES); + memcpy(rnd_seed + SEED_BYTES, D, HASH_BYTES); + PQCLEAN_MQDSS48_CLEAN_gf31_nrand(rnd, (2 * N + M) * ROUNDS, rnd_seed, SEED_BYTES + HASH_BYTES); + + for (i = 0; i < ROUNDS; i++) { + for (j = 0; j < N; j++) { + r1[j + i * N] = (gf31)(31 + sk_gf31[j] - r0[j + i * N]); + } + PQCLEAN_MQDSS48_CLEAN_G(gx + i * M, t0 + i * N, r1 + i * N, F); + } + for (i = 0; i < ROUNDS * M; i++) { + gx[i] = (gf31)(gx[i] + e0[i]); + } + for (i = 0; i < ROUNDS; i++) { + PQCLEAN_MQDSS48_CLEAN_gf31_npack(packbuf0, r0 + i * N, N); + PQCLEAN_MQDSS48_CLEAN_gf31_npack(packbuf1, t0 + i * N, N); + PQCLEAN_MQDSS48_CLEAN_gf31_npack(packbuf2, e0 + i * M, M); + com_0(c + HASH_BYTES * (2 * i + 0), rho0 + i * HASH_BYTES, packbuf0, packbuf1, packbuf2); + PQCLEAN_MQDSS48_CLEAN_vgf31_shorten_unique(r1 + i * N, r1 + i * N); + PQCLEAN_MQDSS48_CLEAN_vgf31_shorten_unique(gx + i * M, gx + i * M); + PQCLEAN_MQDSS48_CLEAN_gf31_npack(packbuf0, r1 + i * N, N); + PQCLEAN_MQDSS48_CLEAN_gf31_npack(packbuf1, gx + i * M, M); + com_1(c + HASH_BYTES * (2 * i + 1), rho1 + i * HASH_BYTES, packbuf0, packbuf1); + } + + H(sigma0, c, HASH_BYTES * ROUNDS * 2); // Compute sigma_0. + shake256_absorb(&shakestate, D_sigma0_h0_sigma1, 2 * HASH_BYTES); + shake256_squeezeblocks(shakeblock, 1, &shakestate); + + memcpy(h0, shakeblock, HASH_BYTES); + + memcpy(sig, sigma0, HASH_BYTES); + sig += HASH_BYTES; // Compensate for sigma_0. 
+ + for (i = 0; i < ROUNDS; i++) { + do { + alpha = shakeblock[alpha_count] & 31; + alpha_count++; + if (alpha_count == SHAKE256_RATE) { + alpha_count = 0; + shake256_squeezeblocks(shakeblock, 1, &shakestate); + } + } while (alpha == 31); + for (j = 0; j < N; j++) { + t1[i * N + j] = (gf31)(alpha * r0[j + i * N] - t0[j + i * N] + 31); + } + PQCLEAN_MQDSS48_CLEAN_MQ(e1 + i * M, r0 + i * N, F); + for (j = 0; j < N; j++) { + e1[i * N + j] = (gf31)(alpha * e1[j + i * M] - e0[j + i * M] + 31); + } + PQCLEAN_MQDSS48_CLEAN_vgf31_shorten_unique(t1 + i * N, t1 + i * N); + PQCLEAN_MQDSS48_CLEAN_vgf31_shorten_unique(e1 + i * N, e1 + i * N); + } + PQCLEAN_MQDSS48_CLEAN_gf31_npack(t1packed, t1, N * ROUNDS); + PQCLEAN_MQDSS48_CLEAN_gf31_npack(e1packed, e1, M * ROUNDS); + + memcpy(sig, t1packed, NPACKED_BYTES * ROUNDS); + sig += NPACKED_BYTES * ROUNDS; + memcpy(sig, e1packed, MPACKED_BYTES * ROUNDS); + sig += MPACKED_BYTES * ROUNDS; + + shake256(h1, ((ROUNDS + 7) & ~7) >> 3, D_sigma0_h0_sigma1, 3 * HASH_BYTES + ROUNDS * (NPACKED_BYTES + MPACKED_BYTES)); + + for (i = 0; i < ROUNDS; i++) { + b = (h1[(i >> 3)] >> (i & 7)) & 1; + if (b == 0) { + PQCLEAN_MQDSS48_CLEAN_gf31_npack(sig, r0 + i * N, N); + } else if (b == 1) { + PQCLEAN_MQDSS48_CLEAN_gf31_npack(sig, r1 + i * N, N); + } + memcpy(sig + NPACKED_BYTES, c + HASH_BYTES * (2 * i + (1 - b)), HASH_BYTES); + memcpy(sig + NPACKED_BYTES + HASH_BYTES, rho + (i + b * ROUNDS) * HASH_BYTES, HASH_BYTES); + sig += NPACKED_BYTES + 2 * HASH_BYTES; + } + + *siglen = SIG_LEN; + return 0; +} + +/** + * Verifies a detached signature and message under a given public key. + */ +int PQCLEAN_MQDSS48_CLEAN_crypto_sign_verify( + const uint8_t *sig, size_t siglen, + const uint8_t *m, size_t mlen, const uint8_t *pk) { + + gf31 r[N]; + gf31 t[N]; + gf31 e[M]; + signed char F[F_LEN]; + gf31 pk_gf31[M]; + // Concatenated for convenient hashing. 
+ unsigned char D_sigma0_h0_sigma1[HASH_BYTES * 3 + ROUNDS * (NPACKED_BYTES + MPACKED_BYTES)]; + unsigned char *D = D_sigma0_h0_sigma1; + unsigned char *sigma0 = D_sigma0_h0_sigma1 + HASH_BYTES; + unsigned char *h0 = D_sigma0_h0_sigma1 + 2 * HASH_BYTES; + unsigned char *t1packed = D_sigma0_h0_sigma1 + 3 * HASH_BYTES; + unsigned char *e1packed = D_sigma0_h0_sigma1 + 3 * HASH_BYTES + ROUNDS * NPACKED_BYTES; + unsigned char h1[((ROUNDS + 7) & ~7) >> 3]; + unsigned char c[HASH_BYTES * ROUNDS * 2]; + memset(c, 0, HASH_BYTES * 2); + gf31 x[N]; + gf31 y[M]; + gf31 z[M]; + unsigned char packbuf0[NPACKED_BYTES]; + unsigned char packbuf1[MPACKED_BYTES]; + shake256ctx shakestate; + unsigned char shakeblock[SHAKE256_RATE]; + int i, j; + gf31 alpha; + int alpha_count = 0; + int b; + shake256incctx state; + + if (siglen != SIG_LEN) { + return -1; + } + + shake256_inc_init(&state); + shake256_inc_absorb(&state, pk, PK_BYTES); + shake256_inc_absorb(&state, sig, HASH_BYTES); + shake256_inc_absorb(&state, m, mlen); + shake256_inc_finalize(&state); + shake256_inc_squeeze(D, HASH_BYTES, &state); + + sig += HASH_BYTES; + + PQCLEAN_MQDSS48_CLEAN_gf31_nrand_schar(F, F_LEN, pk, SEED_BYTES); + pk += SEED_BYTES; + PQCLEAN_MQDSS48_CLEAN_gf31_nunpack(pk_gf31, pk, M); + + memcpy(sigma0, sig, HASH_BYTES); + + shake256_absorb(&shakestate, D_sigma0_h0_sigma1, 2 * HASH_BYTES); + shake256_squeezeblocks(shakeblock, 1, &shakestate); + + memcpy(h0, shakeblock, HASH_BYTES); + + sig += HASH_BYTES; + + memcpy(t1packed, sig, ROUNDS * NPACKED_BYTES); + sig += ROUNDS * NPACKED_BYTES; + memcpy(e1packed, sig, ROUNDS * MPACKED_BYTES); + sig += ROUNDS * MPACKED_BYTES; + + shake256(h1, ((ROUNDS + 7) & ~7) >> 3, D_sigma0_h0_sigma1, 3 * HASH_BYTES + ROUNDS * (NPACKED_BYTES + MPACKED_BYTES)); + + for (i = 0; i < ROUNDS; i++) { + do { + alpha = shakeblock[alpha_count] & 31; + alpha_count++; + if (alpha_count == SHAKE256_RATE) { + alpha_count = 0; + shake256_squeezeblocks(shakeblock, 1, &shakestate); + } + } while 
(alpha == 31); + b = (h1[(i >> 3)] >> (i & 7)) & 1; + + PQCLEAN_MQDSS48_CLEAN_gf31_nunpack(r, sig, N); + PQCLEAN_MQDSS48_CLEAN_gf31_nunpack(t, t1packed + NPACKED_BYTES * i, N); + PQCLEAN_MQDSS48_CLEAN_gf31_nunpack(e, e1packed + MPACKED_BYTES * i, M); + + if (b == 0) { + PQCLEAN_MQDSS48_CLEAN_MQ(y, r, F); + for (j = 0; j < N; j++) { + x[j] = (gf31)(alpha * r[j] - t[j] + 31); + } + for (j = 0; j < N; j++) { + y[j] = (gf31)(alpha * y[j] - e[j] + 31); + } + PQCLEAN_MQDSS48_CLEAN_vgf31_shorten_unique(x, x); + PQCLEAN_MQDSS48_CLEAN_vgf31_shorten_unique(y, y); + PQCLEAN_MQDSS48_CLEAN_gf31_npack(packbuf0, x, N); + PQCLEAN_MQDSS48_CLEAN_gf31_npack(packbuf1, y, M); + com_0(c + HASH_BYTES * (2 * i + 0), sig + HASH_BYTES + NPACKED_BYTES, sig, packbuf0, packbuf1); + } else { + PQCLEAN_MQDSS48_CLEAN_MQ(y, r, F); + PQCLEAN_MQDSS48_CLEAN_G(z, t, r, F); + for (j = 0; j < N; j++) { + y[j] = (gf31)(alpha * (31 + pk_gf31[j] - y[j]) - z[j] - e[j] + 62); + } + PQCLEAN_MQDSS48_CLEAN_vgf31_shorten_unique(y, y); + PQCLEAN_MQDSS48_CLEAN_gf31_npack(packbuf0, y, M); + com_1(c + HASH_BYTES * (2 * i + 1), sig + HASH_BYTES + NPACKED_BYTES, sig, packbuf0); + } + memcpy(c + HASH_BYTES * (2 * i + (1 - b)), sig + NPACKED_BYTES, HASH_BYTES); + sig += NPACKED_BYTES + 2 * HASH_BYTES; + } + + H(c, c, HASH_BYTES * ROUNDS * 2); + if (memcmp(c, sigma0, HASH_BYTES) != 0) { + return -1; + } + + return 0; +} + +/** + * Returns an array containing the signature followed by the message. + */ +int PQCLEAN_MQDSS48_CLEAN_crypto_sign( + uint8_t *sm, size_t *smlen, + const uint8_t *m, size_t mlen, const uint8_t *sk) { + size_t siglen; + + PQCLEAN_MQDSS48_CLEAN_crypto_sign_signature( + sm, &siglen, m, mlen, sk); + + memmove(sm + SIG_LEN, m, mlen); + *smlen = siglen + mlen; + + return 0; +} + +/** + * Verifies a given signature-message pair under a given public key. 
+ */ +int PQCLEAN_MQDSS48_CLEAN_crypto_sign_open( + uint8_t *m, size_t *mlen, + const uint8_t *sm, size_t smlen, const uint8_t *pk) { + /* The API caller does not necessarily know what size a signature should be + but MQDSS signatures are always exactly SIG_LEN. */ + if (smlen < SIG_LEN) { + memset(m, 0, smlen); + *mlen = 0; + return -1; + } + + *mlen = smlen - SIG_LEN; + + if (PQCLEAN_MQDSS48_CLEAN_crypto_sign_verify( + sm, SIG_LEN, sm + SIG_LEN, *mlen, pk)) { + memset(m, 0, smlen); + *mlen = 0; + return -1; + } + + /* If verification was successful, move the message to the right place. */ + memmove(m, sm + SIG_LEN, *mlen); + + return 0; +} diff --git a/src/sig/mqdss/pqclean_mqdss-64_clean/LICENSE b/src/sig/mqdss/pqclean_mqdss-64_clean/LICENSE new file mode 100644 index 000000000..670154e35 --- /dev/null +++ b/src/sig/mqdss/pqclean_mqdss-64_clean/LICENSE 
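Review bot: PQCLEAN_MQDSS48_CLEAN_crypto_sign_signature keeps every intermediate of the proof on the stack, and with N = 48 and ROUNDS = 135 that is a large frame: F alone is F_LEN = 58752 bytes, rnd is (2N + M)·ROUNDS gf31 = 38880 bytes, r1/t1/e1/gx add about 52 KB and rho, c and D_sigma0_h0_sigma1 roughly another 25 KB, so by my tally the function needs on the order of 170 KB of stack (verify is smaller but still holds F). That exceeds the default thread stack on some platforms (musl's is 128 KB), which matters for a library that may be called from worker threads, so liboqs should either document the requirement for this algorithm or have the wrapper provide heap storage; the MQDSS-64 variant scales all of this up further. Separately, skbuf, sk_gf31, rnd (r0/t0/e0) and rho hold secret-derived material and are left in the dead frame on return; PQClean's clean implementations generally do not zeroize, but a wrapper-level OQS_MEM_cleanse cannot reach a callee's stack, so if liboqs cares about this it has to be done here. Minor: `crypto_sign` discards the return value of `crypto_sign_signature`; harmless while it only ever returns 0, but `if (PQCLEAN_MQDSS48_CLEAN_crypto_sign_signature(sm, &siglen, m, mlen, sk) != 0) { return -1; }` keeps the API honest.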
@@ -0,0 +1,116 @@ +CC0 1.0 Universal + +Statement of Purpose + +The laws of most jurisdictions throughout the world automatically confer +exclusive Copyright and Related Rights (defined below) upon the creator and +subsequent owner(s) (each and all, an "owner") of an original work of +authorship and/or a database (each, a "Work"). + +Certain owners wish to permanently relinquish those rights to a Work for the +purpose of contributing to a commons of creative, cultural and scientific +works ("Commons") that the public can reliably and without fear of later +claims of infringement build upon, modify, incorporate in other works, reuse +and redistribute as freely as possible in any form whatsoever and for any +purposes, including without limitation commercial purposes. These owners may +contribute to the Commons to promote the ideal of a free culture and the +further production of creative, cultural and scientific works, or to gain +reputation or greater distribution for their Work in part through the use and +efforts of others. + +For these and/or other purposes and motivations, and without any expectation +of additional consideration or compensation, the person associating CC0 with a +Work (the "Affirmer"), to the extent that he or she is an owner of Copyright +and Related Rights in the Work, voluntarily elects to apply CC0 to the Work +and publicly distribute the Work under its terms, with knowledge of his or her +Copyright and Related Rights in the Work and the meaning and intended legal +effect of CC0 on those rights. + +1. Copyright and Related Rights. A Work made available under CC0 may be +protected by copyright and related or neighboring rights ("Copyright and +Related Rights"). Copyright and Related Rights include, but are not limited +to, the following: + + i. the right to reproduce, adapt, distribute, perform, display, communicate, + and translate a Work; + + ii. moral rights retained by the original author(s) and/or performer(s); + + iii. 
publicity and privacy rights pertaining to a person's image or likeness + depicted in a Work; + + iv. rights protecting against unfair competition in regards to a Work, + subject to the limitations in paragraph 4(a), below; + + v. rights protecting the extraction, dissemination, use and reuse of data in + a Work; + + vi. database rights (such as those arising under Directive 96/9/EC of the + European Parliament and of the Council of 11 March 1996 on the legal + protection of databases, and under any national implementation thereof, + including any amended or successor version of such directive); and + + vii. other similar, equivalent or corresponding rights throughout the world + based on applicable law or treaty, and any national implementations thereof. + +2. Waiver. To the greatest extent permitted by, but not in contravention of, +applicable law, Affirmer hereby overtly, fully, permanently, irrevocably and +unconditionally waives, abandons, and surrenders all of Affirmer's Copyright +and Related Rights and associated claims and causes of action, whether now +known or unknown (including existing as well as future claims and causes of +action), in the Work (i) in all territories worldwide, (ii) for the maximum +duration provided by applicable law or treaty (including future time +extensions), (iii) in any current or future medium and for any number of +copies, and (iv) for any purpose whatsoever, including without limitation +commercial, advertising or promotional purposes (the "Waiver"). Affirmer makes +the Waiver for the benefit of each member of the public at large and to the +detriment of Affirmer's heirs and successors, fully intending that such Waiver +shall not be subject to revocation, rescission, cancellation, termination, or +any other legal or equitable action to disrupt the quiet enjoyment of the Work +by the public as contemplated by Affirmer's express Statement of Purpose. + +3. Public License Fallback. 
Should any part of the Waiver for any reason be +judged legally invalid or ineffective under applicable law, then the Waiver +shall be preserved to the maximum extent permitted taking into account +Affirmer's express Statement of Purpose. In addition, to the extent the Waiver +is so judged Affirmer hereby grants to each affected person a royalty-free, +non transferable, non sublicensable, non exclusive, irrevocable and +unconditional license to exercise Affirmer's Copyright and Related Rights in +the Work (i) in all territories worldwide, (ii) for the maximum duration +provided by applicable law or treaty (including future time extensions), (iii) +in any current or future medium and for any number of copies, and (iv) for any +purpose whatsoever, including without limitation commercial, advertising or +promotional purposes (the "License"). The License shall be deemed effective as +of the date CC0 was applied by Affirmer to the Work. Should any part of the +License for any reason be judged legally invalid or ineffective under +applicable law, such partial invalidity or ineffectiveness shall not +invalidate the remainder of the License, and in such case Affirmer hereby +affirms that he or she will not (i) exercise any of his or her remaining +Copyright and Related Rights in the Work or (ii) assert any associated claims +and causes of action with respect to the Work, in either case contrary to +Affirmer's express Statement of Purpose. + +4. Limitations and Disclaimers. + + a. No trademark or patent rights held by Affirmer are waived, abandoned, + surrendered, licensed or otherwise affected by this document. + + b. 
Affirmer offers the Work as-is and makes no representations or warranties + of any kind concerning the Work, express, implied, statutory or otherwise, + including without limitation warranties of title, merchantability, fitness + for a particular purpose, non infringement, or the absence of latent or + other defects, accuracy, or the present or absence of errors, whether or not + discoverable, all to the greatest extent permissible under applicable law. + + c. Affirmer disclaims responsibility for clearing rights of other persons + that may apply to the Work or any use thereof, including without limitation + any person's Copyright and Related Rights in the Work. Further, Affirmer + disclaims responsibility for obtaining any necessary consents, permissions + or other rights required for any use of the Work. + + d. Affirmer understands and acknowledges that Creative Commons is not a + party to this document and has no duty or obligation with respect to this + CC0 or use of the Work. + +For more information, please see + diff --git a/src/sig/mqdss/pqclean_mqdss-64_clean/api.h b/src/sig/mqdss/pqclean_mqdss-64_clean/api.h new file mode 100644 index 000000000..f4c040780 --- /dev/null +++ b/src/sig/mqdss/pqclean_mqdss-64_clean/api.h 
@@ -0,0 +1,47 @@
+#ifndef PQCLEAN_MQDSS64_CLEAN_API_H
+#define PQCLEAN_MQDSS64_CLEAN_API_H
+
+#include
+#include
+
+#define PQCLEAN_MQDSS64_CLEAN_CRYPTO_ALGNAME "MQDSS-64"
+
+#define PQCLEAN_MQDSS64_CLEAN_CRYPTO_SECRETKEYBYTES 24
+#define PQCLEAN_MQDSS64_CLEAN_CRYPTO_PUBLICKEYBYTES 64
+#define PQCLEAN_MQDSS64_CLEAN_CRYPTO_BYTES 43728
+
+/*
+ * Generates an MQDSS key pair.
+ */
+int PQCLEAN_MQDSS64_CLEAN_crypto_sign_keypair(
+ uint8_t *pk, uint8_t *sk);
+
+/**
+ * Returns an array containing a detached signature.
+ */
+int PQCLEAN_MQDSS64_CLEAN_crypto_sign_signature(
+ uint8_t *sig, size_t *siglen,
+ const uint8_t *m, size_t mlen, const uint8_t *sk);
+
+/**
+ * Verifies a detached signature and message under a given public key.
+ */
+int PQCLEAN_MQDSS64_CLEAN_crypto_sign_verify(
+ const uint8_t *sig, size_t siglen,
+ const uint8_t *m, size_t mlen, const uint8_t *pk);
+
+/**
+ * Returns an array containing the signature followed by the message.
+ */
+int PQCLEAN_MQDSS64_CLEAN_crypto_sign(
+ uint8_t *sm, size_t *smlen,
+ const uint8_t *m, size_t mlen, const uint8_t *sk);
+
+/**
+ * Verifies a given signature-message pair under a given public key.
+ */
+int PQCLEAN_MQDSS64_CLEAN_crypto_sign_open(
+ uint8_t *m, size_t *mlen,
+ const uint8_t *sm, size_t smlen, const uint8_t *pk);
+
+#endif
diff --git a/src/sig/mqdss/pqclean_mqdss-64_clean/gf31.c b/src/sig/mqdss/pqclean_mqdss-64_clean/gf31.c
new file mode 100644
index 000000000..54bb7da5c
--- /dev/null
+++ b/src/sig/mqdss/pqclean_mqdss-64_clean/gf31.c
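Review bot: The comment on PQCLEAN_MQDSS64_CLEAN_crypto_sign_keypair opens with `/*` while the four other prototypes use `/**`, so a Doxygen pass documents every API function except key generation; change the opener to `/**`. The same comment block is repeated above the keypair definitions in both sign.c files. The size constants are consistent with params.h as far as I can check: 43728 = 2·48 + 202·(2·40 + 40 + 48 + 48), 64 = 24 + 40, 24 = SEED_BYTES.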
@@ -0,0 +1,133 @@ +#include +#include +#include +#include + +#include "fips202.h" +#include "gf31.h" +#include "params.h" + +/* This performs a full unique reduction mod 13 on x; x can be any unsigned + 16-bit integer (i.e. in the range [0, 65535]) */ +gf31 PQCLEAN_MQDSS64_CLEAN_mod31(gf31 x) { + gf31 t; + + t = (gf31)(x & 31); + x >>= 5; + t = (gf31)(t + (x & 31)); + x >>= 5; + t = (gf31)(t + (x & 31)); + x >>= 5; + t = (gf31)(t + (x & 31)); + + t = (gf31)((t >> 5) + (t & 31)); + t = (gf31)((t >> 5) + (t & 31)); + return (gf31)((t != 31) * t); +} + +/* Given a vector of N elements in the range [0, 31], this reduces the elements + to the range [0, 30] by mapping 31 to 0 (i.e reduction mod 31) */ +void PQCLEAN_MQDSS64_CLEAN_vgf31_unique(gf31 *out, const gf31 *in) { + int i; + + for (i = 0; i < N; i++) { + out[i] = (gf31)((1 - (in[i] == 31)) * in[i]); + } +} + +/* Given a vector of 16-bit integers (i.e. in [0, 65535], this reduces the + elements to the range [0, 30] by mapping 31 to 0 (i.e reduction mod 31) */ +void PQCLEAN_MQDSS64_CLEAN_vgf31_shorten_unique(gf31 *out, const gf31 *in) { + int i; + + for (i = 0; i < N; i++) { + out[i] = PQCLEAN_MQDSS64_CLEAN_mod31(in[i]); + } +} + +/* Given a seed, samples len gf31 elements (in the range [0, 30]), and places + them in a vector of 16-bit elements */ +void PQCLEAN_MQDSS64_CLEAN_gf31_nrand(gf31 *out, int len, const unsigned char *seed, size_t seedlen) { + int i = 0, j; + shake256ctx shakestate; + unsigned char shakeblock[SHAKE256_RATE]; + + shake256_absorb(&shakestate, seed, seedlen); + + while (i < len) { + shake256_squeezeblocks(shakeblock, 1, &shakestate); + for (j = 0; j < SHAKE256_RATE && i < len; j++) { + if ((shakeblock[j] & 31) != 31) { + out[i] = (shakeblock[j] & 31); + i++; + } + } + } +} + +/* Given a seed, samples len gf31 elements, transposed into unsigned range, + i.e. in the range [-15, 15], and places them in an array of 8-bit integers. + This is used for the expansion of F, which wants packed elements. 
*/ +void PQCLEAN_MQDSS64_CLEAN_gf31_nrand_schar(signed char *out, int len, const unsigned char *seed, size_t seedlen) { + int i = 0, j; + shake256ctx shakestate; + unsigned char shakeblock[SHAKE256_RATE]; + + shake256_absorb(&shakestate, seed, seedlen); + + while (i < len) { + shake256_squeezeblocks(shakeblock, 1, &shakestate); + for (j = 0; j < SHAKE256_RATE && i < len; j++) { + if ((shakeblock[j] & 31) != 31) { + out[i] = (signed char)(((signed char)shakeblock[j] & 31) - 15); + i++; + } + } + } +} + +/* Unpacks an array of packed GF31 elements to one element per gf31. + Assumes that there is sufficient empty space available at the end of the + array to unpack. Can perform in-place. */ +void PQCLEAN_MQDSS64_CLEAN_gf31_nunpack(gf31 *out, const unsigned char *in, unsigned int n) { + size_t i; + unsigned int j = ((n * 5) >> 3) - 1; + unsigned int d = 0; + + for (i = n; i > 0; i--) { + out[i - 1] = (gf31)((in[j] >> d) & 31); + d += 5; + if (d > 8) { + d -= 8; + j--; + out[i - 1] = (gf31)(out[i - 1] ^ ((in[j] << (5 - d)) & 31)); + } + } +} + +/* Packs an array of GF31 elements from gf31's to concatenated 5-bit values. + Assumes that there is sufficient space available to unpack. + Can perform in-place. */ +void PQCLEAN_MQDSS64_CLEAN_gf31_npack(unsigned char *out, const gf31 *in, unsigned int n) { + unsigned int i = 0; + unsigned int j; + int d = 3; + + for (j = 0; j < n; j++) { + assert(in[j] < 31); + } + + /* There will be ceil(5n / 8) output blocks */ + memset(out, 0, ((5 * n + 7) & (unsigned int)~7) >> 3); + + for (j = 0; j < n; j++) { + if (d < 0) { + d += 8; + out[i] = (unsigned char)((out[i] & (255 << (d - 3))) | + ((in[j] >> (8 - d)) & ~(255 << (d - 3)))); + i++; + } + out[i] = (unsigned char)((out[i] & ~(31 << d)) | ((in[j] << d) & (31 << d))); + d -= 5; + } +} diff --git a/src/sig/mqdss/pqclean_mqdss-64_clean/gf31.h b/src/sig/mqdss/pqclean_mqdss-64_clean/gf31.h new file mode 100644 index 000000000..a0036b7f6 --- /dev/null 
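Review bot: The header comment on PQCLEAN_MQDSS64_CLEAN_mod31 says "full unique reduction mod 13", while the code reduces modulo 31 (the 5-bit masks and the final `(t != 31) * t`); the same wording is repeated on the prototype in gf31.h in the next hunk, so both should read `/* This performs a full unique reduction mod 31 on x; x can be any unsigned`. Separately, PQCLEAN_MQDSS64_CLEAN_gf31_npack enforces its precondition with `assert(in[j] < 31)`, which disappears under NDEBUG and aborts the whole process otherwise; in library code the precondition belongs in the function comment, and the check, if kept, should not abort. Every caller visible in the MQDSS-48 sign.c earlier in this patch packs vectors that were just produced by gf31_nrand or passed through vgf31_unique/vgf31_shorten_unique, so the assert looks unreachable in current code, which is also a reason not to pay for the loop in release builds.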
+++ b/src/sig/mqdss/pqclean_mqdss-64_clean/gf31.h
@@ -0,0 +1,40 @@
+#ifndef MQDSS_GF31_H
+#define MQDSS_GF31_H
+
+#include
+#include
+
+typedef uint16_t gf31;
+
+/* This performs a full unique reduction mod 13 on x; x can be any unsigned
+ 16-bit integer (i.e. in the range [0, 65535]) */
+gf31 PQCLEAN_MQDSS64_CLEAN_mod31(gf31 x);
+
+/* Given a vector of elements in the range [0, 31], this reduces the elements
+ to the range [0, 30] by mapping 31 to 0 (i.e reduction mod 31) */
+void PQCLEAN_MQDSS64_CLEAN_vgf31_unique(gf31 *out, const gf31 *in);
+
+/* Given a vector of 16-bit integers (i.e. in [0, 65535], this reduces the
+ elements to the range [0, 30] by mapping 31 to 0 (i.e reduction mod 31) */
+void PQCLEAN_MQDSS64_CLEAN_vgf31_shorten_unique(gf31 *out, const gf31 *in);
+
+/* Given a seed, samples len gf31 elements (in the range [0, 30]), and places
+ them in a vector of 16-bit elements */
+void PQCLEAN_MQDSS64_CLEAN_gf31_nrand(gf31 *out, int len, const unsigned char *seed, size_t seedlen);
+
+/* Given a seed, samples len gf31 elements, transposed into unsigned range,
+ i.e. in the range [-15, 15], and places them in an array of 8-bit integers.
+ This is used for the expansion of F, which wants packed elements. */
+void PQCLEAN_MQDSS64_CLEAN_gf31_nrand_schar(signed char *out, int len, const unsigned char *seed, size_t seedlen);
+
+/* Unpacks an array of packed GF31 elements to one element per gf31.
+ Assumes that there is sufficient empty space available at the end of the
+ array to unpack. Can perform in-place. */
+void PQCLEAN_MQDSS64_CLEAN_gf31_nunpack(gf31 *out, const unsigned char *in, unsigned int n);
+
+/* Packs an array of GF31 elements from gf31's to concatenated 5-bit values.
+ Assumes that there is sufficient space available to unpack.
+ Can perform in-place. */
+void PQCLEAN_MQDSS64_CLEAN_gf31_npack(unsigned char *out, const gf31 *in, unsigned int n);
+
+#endif
diff --git a/src/sig/mqdss/pqclean_mqdss-64_clean/mq.c b/src/sig/mqdss/pqclean_mqdss-64_clean/mq.c
new file mode 100644
index 000000000..e67f6ddcd
--- /dev/null
+++ b/src/sig/mqdss/pqclean_mqdss-64_clean/mq.c
@@ -0,0 +1,81 @@ +#include "mq.h" +#include "params.h" + +/* Computes all products x_i * x_j, returns in reduced form */ +inline static +void generate_quadratic_terms( gf31 *xij, const gf31 *x ) { + int i, j, k; + k = 0; + for (i = 0; i < N; i++) { + for (j = 0; j <= i; j++) { + xij[k] = PQCLEAN_MQDSS64_CLEAN_mod31((gf31)(x[i] * x[j])); + k++; + } + } +} + +/* Computes all terms (x_i * y_j) + (x_j * y_i), returns in reduced form */ +inline static +void generate_xiyj_p_xjyi_terms( gf31 *xij, const gf31 *x, const gf31 *y ) { + int i, j, k; + k = 0; + for (i = 0; i < N; i++) { + for (j = 0; j <= i; j++) { + xij[k] = PQCLEAN_MQDSS64_CLEAN_mod31((gf31)(x[i] * y[j] + x[j] * y[i])); + k++; + } + } +} + +/* Evaluates the MQ function on a vector of N gf31 elements x (expected to be + in reduced 5-bit representation). Expects the coefficients in F to be in + signed representation (i.e. [-15, 15], packed bytewise). + Outputs M gf31 elements in unique 16-bit representation as fx. */ +void PQCLEAN_MQDSS64_CLEAN_MQ(gf31 *fx, const gf31 *x, const signed char *F) { + int i, j; + gf31 _xij[N * (N + 1) >> 1]; + int r[M] = {0}; + + generate_quadratic_terms(_xij, x); + + for (i = 0; i < N; i += 2) { + for (j = 0; j < M; j++) { + r[j] += ((int)x[i]) * ((int)F[i * M + 2 * j]) + + ((int)x[i + 1]) * ((int)F[i * M + 2 * j + 1]); + } + } + + for (i = 0; i < (N * (N + 1)) >> 1; i += 2) { + for (j = 0; j < M; j++) { + r[j] += ((int)_xij[i]) * ((int)F[N * M + i * M + 2 * j]) + + ((int)_xij[i + 1]) * ((int)F[N * M + i * M + 2 * j + 1]); + } + } + + for (i = 0; i < M; i++) { + fx[i] = PQCLEAN_MQDSS64_CLEAN_mod31((gf31)((r[i] >> 15) + (r[i] & 0x7FFF))); + } +} + +/* Evaluates the bilinear polar form of the MQ function (i.e. G) on a vector of + N gf31 elements x (expected to be in reduced 5-bit representation). Expects + the coefficients in F to be in signed representation (i.e. [-15, 15], packed + bytewise). Outputs M gf31 elements in unique 16-bit representation as fx. 
*/ +void PQCLEAN_MQDSS64_CLEAN_G(gf31 *fx, const gf31 *x, const gf31 *y, const signed char *F) { + int i, j; + gf31 _xij[N * (N + 1) >> 1]; + int r[M] = {0}; + + generate_xiyj_p_xjyi_terms(_xij, x, y); + + for (i = 0; i < (N * (N + 1)) >> 1; i += 2) { + for (j = 0; j < M; j++) { + r[j] += ((int)_xij[i]) * ((int)F[N * M + i * M + 2 * j]) + + ((int)_xij[i + 1]) * ((int)F[N * M + i * M + 2 * j + 1]); + } + } + + for (i = 0; i < M; i++) { + fx[i] = PQCLEAN_MQDSS64_CLEAN_mod31((gf31)((r[i] >> 15) + (r[i] & 0x7FFF))); + } +} diff --git a/src/sig/mqdss/pqclean_mqdss-64_clean/mq.h b/src/sig/mqdss/pqclean_mqdss-64_clean/mq.h new file mode 100644 index 000000000..2f38c1ef3 --- /dev/null +++ b/src/sig/mqdss/pqclean_mqdss-64_clean/mq.h @@ -0,0 +1,18 @@ +#ifndef MQDSS_MQ_H +#define MQDSS_MQ_H + +#include "gf31.h" + +/* Evaluates the MQ function on a vector of N gf31 elements x (expected to be + in reduced 5-bit representation). Expects the coefficients in F to be in + signed representation (i.e. [-15, 15], packed bytewise). + Outputs M gf31 elements in unique 16-bit representation as fx. */ +void PQCLEAN_MQDSS64_CLEAN_MQ(gf31 *fx, const gf31 *x, const signed char *F); + +/* Evaluates the bilinear polar form of the MQ function (i.e. G) on a vector of + N gf31 elements x (expected to be in reduced 5-bit representation). Expects + the coefficients in F to be in signed representation (i.e. [-15, 15], packed + bytewise). Outputs M gf31 elements in unique 16-bit representation as fx. */ +void PQCLEAN_MQDSS64_CLEAN_G(gf31 *fx, const gf31 *x, const gf31 *y, const signed char *F); + +#endif diff --git a/src/sig/mqdss/pqclean_mqdss-64_clean/params.h b/src/sig/mqdss/pqclean_mqdss-64_clean/params.h new file mode 100644 index 000000000..038e3cb50 --- /dev/null +++ b/src/sig/mqdss/pqclean_mqdss-64_clean/params.h 
@@ -0,0 +1,25 @@
+#ifndef MQDSS_PARAMS_H
+#define MQDSS_PARAMS_H
+
+#define N 64
+#define M N
+#define F_LEN (M * (((N * (N + 1)) >> 1) + N)) /* Number of elements in F */
+
+#define ROUNDS 202
+
+/* Number of bytes that N, M and F_LEN elements require when packed into a byte
+ array, 5-bit elements packed continuously. */
+/* Assumes N and M to be multiples of 8 */
+#define NPACKED_BYTES ((N * 5) >> 3)
+#define MPACKED_BYTES ((M * 5) >> 3)
+#define FPACKED_BYTES ((F_LEN * 5) >> 3)
+
+#define HASH_BYTES 48
+#define SEED_BYTES 24
+#define PK_BYTES (SEED_BYTES + MPACKED_BYTES)
+#define SK_BYTES SEED_BYTES
+
+// R, sigma_0, ROUNDS * (t1, r{0,1}, e1, c, rho)
+#define SIG_LEN (2 * HASH_BYTES + ROUNDS * (2*NPACKED_BYTES + MPACKED_BYTES + HASH_BYTES + HASH_BYTES))
+
+#endif
diff --git a/src/sig/mqdss/pqclean_mqdss-64_clean/sign.c b/src/sig/mqdss/pqclean_mqdss-64_clean/sign.c
new file mode 100644
index 000000000..189b70f87
--- /dev/null
+++ b/src/sig/mqdss/pqclean_mqdss-64_clean/sign.c
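Review bot: `N` and `M` are defined as bare object-like macros, so any identifier spelled `N` or `M` in a translation unit that includes params.h is silently replaced; in this vendored tree every consumer is a PQClean file that relies on exactly that, so it is an upstream style concern rather than a bug, but a one-line comment warning about it would help anyone who includes the header from liboqs code. The packing macros also require F_LEN to be a multiple of 8, not only N and M as the comment states (F_LEN is 137216 here, so the condition holds); `/* Assumes N, M and F_LEN to be multiples of 8 (true for N = M = 64) */` would state the full precondition. The derived sizes are consistent with the wrapper header: PK_BYTES is 64, SK_BYTES 24 and SIG_LEN 43728.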
@@ -0,0 +1,384 @@
+#include
+#include
+#include
+#include
+
+#include "api.h"
+#include "fips202.h"
+#include "gf31.h"
+#include "mq.h"
+#include "params.h"
+#include "randombytes.h"
+
+/* Takes an array of len bytes and computes a hash digest.
+ This is used as a hash function in the Fiat-Shamir transform. */
+static void H(unsigned char *out, const unsigned char *in, const size_t len) {
+ shake256(out, HASH_BYTES, in, len);
+}
+
+/* Takes two arrays of N packed elements and an array of M packed elements,
+ and computes a HASH_BYTES commitment. */
+static void com_0(unsigned char *c,
+ const unsigned char *rho,
+ const unsigned char *inn, const unsigned char *inn2,
+ const unsigned char *inm) {
+ unsigned char buffer[HASH_BYTES + 2 * NPACKED_BYTES + MPACKED_BYTES];
+ memcpy(buffer, rho, HASH_BYTES);
+ memcpy(buffer + HASH_BYTES, inn, NPACKED_BYTES);
+ memcpy(buffer + HASH_BYTES + NPACKED_BYTES, inn2, NPACKED_BYTES);
+ memcpy(buffer + HASH_BYTES + 2 * NPACKED_BYTES, inm, MPACKED_BYTES);
+ shake256(c, HASH_BYTES, buffer, HASH_BYTES + 2 * NPACKED_BYTES + MPACKED_BYTES);
+}
+
+/* Takes an array of N packed elements and an array of M packed elements,
+ and computes a HASH_BYTES commitment. */
+static void com_1(unsigned char *c,
+ const unsigned char *rho,
+ const unsigned char *inn, const unsigned char *inm) {
+ unsigned char buffer[HASH_BYTES + NPACKED_BYTES + MPACKED_BYTES];
+ memcpy(buffer, rho, HASH_BYTES);
+ memcpy(buffer + HASH_BYTES, inn, NPACKED_BYTES);
+ memcpy(buffer + HASH_BYTES + NPACKED_BYTES, inm, MPACKED_BYTES);
+ shake256(c, HASH_BYTES, buffer, HASH_BYTES + NPACKED_BYTES + MPACKED_BYTES);
+}
+
+/*
+ * Generates an MQDSS key pair.
+ */
+int PQCLEAN_MQDSS64_CLEAN_crypto_sign_keypair(uint8_t *pk, uint8_t *sk) {
+ signed char F[F_LEN];
+ unsigned char skbuf[SEED_BYTES * 2];
+ gf31 sk_gf31[N];
+ gf31 pk_gf31[M];
+
+ // Expand sk to obtain a seed for F and the secret input s.
+ // We also expand to obtain a value for sampling r0, t0 and e0 during
+ // signature generation, but that is not relevant here.
+ randombytes(sk, SEED_BYTES);
+ shake256(skbuf, SEED_BYTES * 2, sk, SEED_BYTES);
+
+ memcpy(pk, skbuf, SEED_BYTES);
+ PQCLEAN_MQDSS64_CLEAN_gf31_nrand_schar(F, F_LEN, pk, SEED_BYTES);
+ PQCLEAN_MQDSS64_CLEAN_gf31_nrand(sk_gf31, N, skbuf + SEED_BYTES, SEED_BYTES);
+ PQCLEAN_MQDSS64_CLEAN_MQ(pk_gf31, sk_gf31, F);
+ PQCLEAN_MQDSS64_CLEAN_vgf31_unique(pk_gf31, pk_gf31);
+ PQCLEAN_MQDSS64_CLEAN_gf31_npack(pk + SEED_BYTES, pk_gf31, M);
+
+ return 0;
+}
+
+/**
+ * Returns an array containing a detached signature.
+ */
+int PQCLEAN_MQDSS64_CLEAN_crypto_sign_signature(
+ uint8_t *sig, size_t *siglen,
+ const uint8_t *m, size_t mlen, const uint8_t *sk) {
+
+ signed char F[F_LEN];
+ unsigned char skbuf[SEED_BYTES * 4];
+ gf31 pk_gf31[M];
+ unsigned char pk[SEED_BYTES + MPACKED_BYTES];
+ // Concatenated for convenient hashing.
+ unsigned char D_sigma0_h0_sigma1[HASH_BYTES * 3 + ROUNDS * (NPACKED_BYTES + MPACKED_BYTES)];
+ unsigned char *D = D_sigma0_h0_sigma1;
+ unsigned char *sigma0 = D_sigma0_h0_sigma1 + HASH_BYTES;
+ unsigned char *h0 = D_sigma0_h0_sigma1 + 2 * HASH_BYTES;
+ unsigned char *t1packed = D_sigma0_h0_sigma1 + 3 * HASH_BYTES;
+ unsigned char *e1packed = D_sigma0_h0_sigma1 + 3 * HASH_BYTES + ROUNDS * NPACKED_BYTES;
+ shake256ctx shakestate;
+ unsigned char shakeblock[SHAKE256_RATE];
+ unsigned char h1[((ROUNDS + 7) & ~7) >> 3];
+ unsigned char rnd_seed[HASH_BYTES + SEED_BYTES];
+ unsigned char rho[2 * ROUNDS * HASH_BYTES];
+ unsigned char *rho0 = rho;
+ unsigned char *rho1 = rho + ROUNDS * HASH_BYTES;
+ gf31 sk_gf31[N];
+ gf31 rnd[(2 * N + M) * ROUNDS]; // Concatenated for easy RNG.
+ gf31 *r0 = rnd;
+ gf31 *t0 = rnd + N * ROUNDS;
+ gf31 *e0 = rnd + 2 * N * ROUNDS;
+ gf31 r1[N * ROUNDS];
+ gf31 t1[N * ROUNDS];
+ gf31 e1[M * ROUNDS];
+ gf31 gx[M * ROUNDS];
+ unsigned char packbuf0[NPACKED_BYTES];
+ unsigned char packbuf1[NPACKED_BYTES];
+ unsigned char packbuf2[MPACKED_BYTES];
+ unsigned char c[HASH_BYTES * ROUNDS * 2];
+ gf31 alpha;
+ int alpha_count = 0;
+ int b;
+ int i, j;
+ shake256incctx state;
+
+ shake256(skbuf, SEED_BYTES * 4, sk, SEED_BYTES);
+
+ PQCLEAN_MQDSS64_CLEAN_gf31_nrand_schar(F, F_LEN, skbuf, SEED_BYTES);
+
+ shake256_inc_init(&state);
+ shake256_inc_absorb(&state, sk, SEED_BYTES);
+ shake256_inc_absorb(&state, m, mlen);
+ shake256_inc_finalize(&state);
+ shake256_inc_squeeze(sig, HASH_BYTES, &state); // Compute R.
+
+ memcpy(pk, skbuf, SEED_BYTES);
+ PQCLEAN_MQDSS64_CLEAN_gf31_nrand(sk_gf31, N, skbuf + SEED_BYTES, SEED_BYTES);
+ PQCLEAN_MQDSS64_CLEAN_MQ(pk_gf31, sk_gf31, F);
+ PQCLEAN_MQDSS64_CLEAN_vgf31_unique(pk_gf31, pk_gf31);
+ PQCLEAN_MQDSS64_CLEAN_gf31_npack(pk + SEED_BYTES, pk_gf31, M);
+
+ shake256_inc_init(&state);
+ shake256_inc_absorb(&state, pk, PK_BYTES);
+ shake256_inc_absorb(&state, sig, HASH_BYTES);
+ shake256_inc_absorb(&state, m, mlen);
+ shake256_inc_finalize(&state);
+ shake256_inc_squeeze(D, HASH_BYTES, &state);
+
+ sig += HASH_BYTES; // Compensate for prefixed R.
+
+ memcpy(rnd_seed, skbuf + 2 * SEED_BYTES, SEED_BYTES);
+ memcpy(rnd_seed + SEED_BYTES, D, HASH_BYTES);
+ shake256(rho, 2 * ROUNDS * HASH_BYTES, rnd_seed, SEED_BYTES + HASH_BYTES);
+
+ memcpy(rnd_seed, skbuf + 3 * SEED_BYTES, SEED_BYTES);
+ memcpy(rnd_seed + SEED_BYTES, D, HASH_BYTES);
+ PQCLEAN_MQDSS64_CLEAN_gf31_nrand(rnd, (2 * N + M) * ROUNDS, rnd_seed, SEED_BYTES + HASH_BYTES);
+
+ for (i = 0; i < ROUNDS; i++) {
+ for (j = 0; j < N; j++) {
+ r1[j + i * N] = (gf31)(31 + sk_gf31[j] - r0[j + i * N]);
+ }
+ PQCLEAN_MQDSS64_CLEAN_G(gx + i * M, t0 + i * N, r1 + i * N, F);
+ }
+ for (i = 0; i < ROUNDS * M; i++) {
+ gx[i] = (gf31)(gx[i] + e0[i]);
+ }
+ for (i = 0; i < ROUNDS; i++) {
+ PQCLEAN_MQDSS64_CLEAN_gf31_npack(packbuf0, r0 + i * N, N);
+ PQCLEAN_MQDSS64_CLEAN_gf31_npack(packbuf1, t0 + i * N, N);
+ PQCLEAN_MQDSS64_CLEAN_gf31_npack(packbuf2, e0 + i * M, M);
+ com_0(c + HASH_BYTES * (2 * i + 0), rho0 + i * HASH_BYTES, packbuf0, packbuf1, packbuf2);
+ PQCLEAN_MQDSS64_CLEAN_vgf31_shorten_unique(r1 + i * N, r1 + i * N);
+ PQCLEAN_MQDSS64_CLEAN_vgf31_shorten_unique(gx + i * M, gx + i * M);
+ PQCLEAN_MQDSS64_CLEAN_gf31_npack(packbuf0, r1 + i * N, N);
+ PQCLEAN_MQDSS64_CLEAN_gf31_npack(packbuf1, gx + i * M, M);
+ com_1(c + HASH_BYTES * (2 * i + 1), rho1 + i * HASH_BYTES, packbuf0, packbuf1);
+ }
+
+ H(sigma0, c, HASH_BYTES * ROUNDS * 2); // Compute sigma_0.
+ shake256_absorb(&shakestate, D_sigma0_h0_sigma1, 2 * HASH_BYTES);
+ shake256_squeezeblocks(shakeblock, 1, &shakestate);
+
+ memcpy(h0, shakeblock, HASH_BYTES);
+
+ memcpy(sig, sigma0, HASH_BYTES);
+ sig += HASH_BYTES; // Compensate for sigma_0.
+
+ for (i = 0; i < ROUNDS; i++) {
+ do {
+ alpha = shakeblock[alpha_count] & 31;
+ alpha_count++;
+ if (alpha_count == SHAKE256_RATE) {
+ alpha_count = 0;
+ shake256_squeezeblocks(shakeblock, 1, &shakestate);
+ }
+ } while (alpha == 31);
+ for (j = 0; j < N; j++) {
+ t1[i * N + j] = (gf31)(alpha * r0[j + i * N] - t0[j + i * N] + 31);
+ }
+ PQCLEAN_MQDSS64_CLEAN_MQ(e1 + i * M, r0 + i * N, F);
+ for (j = 0; j < N; j++) {
+ e1[i * N + j] = (gf31)(alpha * e1[j + i * M] - e0[j + i * M] + 31);
+ }
+ PQCLEAN_MQDSS64_CLEAN_vgf31_shorten_unique(t1 + i * N, t1 + i * N);
+ PQCLEAN_MQDSS64_CLEAN_vgf31_shorten_unique(e1 + i * N, e1 + i * N);
+ }
+ PQCLEAN_MQDSS64_CLEAN_gf31_npack(t1packed, t1, N * ROUNDS);
+ PQCLEAN_MQDSS64_CLEAN_gf31_npack(e1packed, e1, M * ROUNDS);
+
+ memcpy(sig, t1packed, NPACKED_BYTES * ROUNDS);
+ sig += NPACKED_BYTES * ROUNDS;
+ memcpy(sig, e1packed, MPACKED_BYTES * ROUNDS);
+ sig += MPACKED_BYTES * ROUNDS;
+
+ shake256(h1, ((ROUNDS + 7) & ~7) >> 3, D_sigma0_h0_sigma1, 3 * HASH_BYTES + ROUNDS * (NPACKED_BYTES + MPACKED_BYTES));
+
+ for (i = 0; i < ROUNDS; i++) {
+ b = (h1[(i >> 3)] >> (i & 7)) & 1;
+ if (b == 0) {
+ PQCLEAN_MQDSS64_CLEAN_gf31_npack(sig, r0 + i * N, N);
+ } else if (b == 1) {
+ PQCLEAN_MQDSS64_CLEAN_gf31_npack(sig, r1 + i * N, N);
+ }
+ memcpy(sig + NPACKED_BYTES, c + HASH_BYTES * (2 * i + (1 - b)), HASH_BYTES);
+ memcpy(sig + NPACKED_BYTES + HASH_BYTES, rho + (i + b * ROUNDS) * HASH_BYTES, HASH_BYTES);
+ sig += NPACKED_BYTES + 2 * HASH_BYTES;
+ }
+
+ *siglen = SIG_LEN;
+ return 0;
+}
+
+/**
+ * Verifies a detached signature and message under a given public key.
+ */
+int PQCLEAN_MQDSS64_CLEAN_crypto_sign_verify(
+ const uint8_t *sig, size_t siglen,
+ const uint8_t *m, size_t mlen, const uint8_t *pk) {
+
+ gf31 r[N];
+ gf31 t[N];
+ gf31 e[M];
+ signed char F[F_LEN];
+ gf31 pk_gf31[M];
+ // Concatenated for convenient hashing.
+ unsigned char D_sigma0_h0_sigma1[HASH_BYTES * 3 + ROUNDS * (NPACKED_BYTES + MPACKED_BYTES)];
+ unsigned char *D = D_sigma0_h0_sigma1;
+ unsigned char *sigma0 = D_sigma0_h0_sigma1 + HASH_BYTES;
+ unsigned char *h0 = D_sigma0_h0_sigma1 + 2 * HASH_BYTES;
+ unsigned char *t1packed = D_sigma0_h0_sigma1 + 3 * HASH_BYTES;
+ unsigned char *e1packed = D_sigma0_h0_sigma1 + 3 * HASH_BYTES + ROUNDS * NPACKED_BYTES;
+ unsigned char h1[((ROUNDS + 7) & ~7) >> 3];
+ unsigned char c[HASH_BYTES * ROUNDS * 2];
+ memset(c, 0, HASH_BYTES * 2);
+ gf31 x[N];
+ gf31 y[M];
+ gf31 z[M];
+ unsigned char packbuf0[NPACKED_BYTES];
+ unsigned char packbuf1[MPACKED_BYTES];
+ shake256ctx shakestate;
+ unsigned char shakeblock[SHAKE256_RATE];
+ int i, j;
+ gf31 alpha;
+ int alpha_count = 0;
+ int b;
+ shake256incctx state;
+
+ if (siglen != SIG_LEN) {
+ return -1;
+ }
+
+ shake256_inc_init(&state);
+ shake256_inc_absorb(&state, pk, PK_BYTES);
+ shake256_inc_absorb(&state, sig, HASH_BYTES);
+ shake256_inc_absorb(&state, m, mlen);
+ shake256_inc_finalize(&state);
+ shake256_inc_squeeze(D, HASH_BYTES, &state);
+
+ sig += HASH_BYTES;
+
+ PQCLEAN_MQDSS64_CLEAN_gf31_nrand_schar(F, F_LEN, pk, SEED_BYTES);
+ pk += SEED_BYTES;
+ PQCLEAN_MQDSS64_CLEAN_gf31_nunpack(pk_gf31, pk, M);
+
+ memcpy(sigma0, sig, HASH_BYTES);
+
+ shake256_absorb(&shakestate, D_sigma0_h0_sigma1, 2 * HASH_BYTES);
+ shake256_squeezeblocks(shakeblock, 1, &shakestate);
+
+ memcpy(h0, shakeblock, HASH_BYTES);
+
+ sig += HASH_BYTES;
+
+ memcpy(t1packed, sig, ROUNDS * NPACKED_BYTES);
+ sig += ROUNDS * NPACKED_BYTES;
+ memcpy(e1packed, sig, ROUNDS * MPACKED_BYTES);
+ sig += ROUNDS * MPACKED_BYTES;
+
+ shake256(h1, ((ROUNDS + 7) & ~7) >> 3, D_sigma0_h0_sigma1, 3 * HASH_BYTES + ROUNDS * (NPACKED_BYTES + MPACKED_BYTES));
+
+ for (i = 0; i < ROUNDS; i++) {
+ do {
+ alpha = shakeblock[alpha_count] & 31;
+ alpha_count++;
+ if (alpha_count == SHAKE256_RATE) {
+ alpha_count = 0;
+ shake256_squeezeblocks(shakeblock, 1, &shakestate);
+ }
+ } while
(alpha == 31);
+ b = (h1[(i >> 3)] >> (i & 7)) & 1;
+
+ PQCLEAN_MQDSS64_CLEAN_gf31_nunpack(r, sig, N);
+ PQCLEAN_MQDSS64_CLEAN_gf31_nunpack(t, t1packed + NPACKED_BYTES * i, N);
+ PQCLEAN_MQDSS64_CLEAN_gf31_nunpack(e, e1packed + MPACKED_BYTES * i, M);
+
+ if (b == 0) {
+ PQCLEAN_MQDSS64_CLEAN_MQ(y, r, F);
+ for (j = 0; j < N; j++) {
+ x[j] = (gf31)(alpha * r[j] - t[j] + 31);
+ }
+ for (j = 0; j < N; j++) {
+ y[j] = (gf31)(alpha * y[j] - e[j] + 31);
+ }
+ PQCLEAN_MQDSS64_CLEAN_vgf31_shorten_unique(x, x);
+ PQCLEAN_MQDSS64_CLEAN_vgf31_shorten_unique(y, y);
+ PQCLEAN_MQDSS64_CLEAN_gf31_npack(packbuf0, x, N);
+ PQCLEAN_MQDSS64_CLEAN_gf31_npack(packbuf1, y, M);
+ com_0(c + HASH_BYTES * (2 * i + 0), sig + HASH_BYTES + NPACKED_BYTES, sig, packbuf0, packbuf1);
+ } else {
+ PQCLEAN_MQDSS64_CLEAN_MQ(y, r, F);
+ PQCLEAN_MQDSS64_CLEAN_G(z, t, r, F);
+ for (j = 0; j < N; j++) {
+ y[j] = (gf31)(alpha * (31 + pk_gf31[j] - y[j]) - z[j] - e[j] + 62);
+ }
+ PQCLEAN_MQDSS64_CLEAN_vgf31_shorten_unique(y, y);
+ PQCLEAN_MQDSS64_CLEAN_gf31_npack(packbuf0, y, M);
+ com_1(c + HASH_BYTES * (2 * i + 1), sig + HASH_BYTES + NPACKED_BYTES, sig, packbuf0);
+ }
+ memcpy(c + HASH_BYTES * (2 * i + (1 - b)), sig + NPACKED_BYTES, HASH_BYTES);
+ sig += NPACKED_BYTES + 2 * HASH_BYTES;
+ }
+
+ H(c, c, HASH_BYTES * ROUNDS * 2);
+ if (memcmp(c, sigma0, HASH_BYTES) != 0) {
+ return -1;
+ }
+
+ return 0;
+}
+
+/**
+ * Returns an array containing the signature followed by the message.
+ */
+int PQCLEAN_MQDSS64_CLEAN_crypto_sign(
+ uint8_t *sm, size_t *smlen,
+ const uint8_t *m, size_t mlen, const uint8_t *sk) {
+ size_t siglen;
+
+ PQCLEAN_MQDSS64_CLEAN_crypto_sign_signature(
+ sm, &siglen, m, mlen, sk);
+
+ memmove(sm + SIG_LEN, m, mlen);
+ *smlen = siglen + mlen;
+
+ return 0;
+}
+
+/**
+ * Verifies a given signature-message pair under a given public key.
+ */
+int PQCLEAN_MQDSS64_CLEAN_crypto_sign_open(
+ uint8_t *m, size_t *mlen,
+ const uint8_t *sm, size_t smlen, const uint8_t *pk) {
+ /* The API caller does not necessarily know what size a signature should be
+ but MQDSS signatures are always exactly SIG_LEN. */
+ if (smlen < SIG_LEN) {
+ memset(m, 0, smlen);
+ *mlen = 0;
+ return -1;
+ }
+
+ *mlen = smlen - SIG_LEN;
+
+ if (PQCLEAN_MQDSS64_CLEAN_crypto_sign_verify(
+ sm, SIG_LEN, sm + SIG_LEN, *mlen, pk)) {
+ memset(m, 0, smlen);
+ *mlen = 0;
+ return -1;
+ }
+
+ /* If verification was successful, move the message to the right place. */
+ memmove(m, sm + SIG_LEN, *mlen);
+
+ return 0;
+}
diff --git a/src/sig/mqdss/sig_mqdss.h b/src/sig/mqdss/sig_mqdss.h
new file mode 100644
index 000000000..8f348a194
--- /dev/null
+++ b/src/sig/mqdss/sig_mqdss.h
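Review bot: PQCLEAN_MQDSS64_CLEAN_crypto_sign_signature keeps every working buffer as an automatic array — `F[F_LEN]` alone is 137216 bytes, and `rnd`, `r1`, `t1`, `e1`, `gx`, `rho`, `c` and `D_sigma0_h0_sigma1` add about 230 KB more if gf31 is a 16-bit type — so the frame is on the order of 370 KB, which exceeds the default thread stack on some platforms (musl and many embedded targets) and deserves either a comment at the top of the function or heap allocation of the large arrays in the liboqs wrapper. None of the secret-dependent buffers (`skbuf`, `sk_gf31` and `rnd` here, `skbuf` and `sk_gf31` in the keypair function) are cleared before return; liboqs has OQS_MEM_cleanse for this, though the vendored PQClean code would have to carry the change upstream. PQCLEAN_MQDSS64_CLEAN_crypto_sign_open executes `memset(m, 0, smlen)` on failure, so the caller's `m` must hold smlen bytes rather than just the message length; a comment such as `/* m must have room for smlen bytes: it is zeroed in full on failure */` records that contract for future call sites. PQCLEAN_MQDSS64_CLEAN_crypto_sign also discards the status of crypto_sign_signature and returns a constant 0; returning the callee's status instead is a one-line change.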
@@ -0,0 +1,28 @@
+#ifndef __OQS_SIG_MQDSS_H
+#define __OQS_SIG_MQDSS_H
+
+#include
+
+#ifdef OQS_ENABLE_SIG_mqdss_31_48
+#define OQS_SIG_mqdss_31_48_length_public_key 46
+#define OQS_SIG_mqdss_31_48_length_secret_key 16
+#define OQS_SIG_mqdss_31_48_length_signature 20854
+
+OQS_SIG *OQS_SIG_mqdss_31_48_new();
+OQS_API OQS_STATUS OQS_SIG_mqdss_31_48_keypair(uint8_t *public_key, uint8_t *secret_key);
+OQS_API OQS_STATUS OQS_SIG_mqdss_31_48_sign(uint8_t *signature, size_t *signature_len, const uint8_t *message, size_t message_len, const uint8_t *secret_key);
+OQS_API OQS_STATUS OQS_SIG_mqdss_31_48_verify(const uint8_t *message, size_t message_len, const uint8_t *signature, size_t signature_len, const uint8_t *public_key);
+#endif
+
+#ifdef OQS_ENABLE_SIG_mqdss_31_64
+#define OQS_SIG_mqdss_31_64_length_public_key 64
+#define OQS_SIG_mqdss_31_64_length_secret_key 24
+#define OQS_SIG_mqdss_31_64_length_signature 43728
+
+OQS_SIG *OQS_SIG_mqdss_31_64_new();
+OQS_API OQS_STATUS OQS_SIG_mqdss_31_64_keypair(uint8_t *public_key, uint8_t *secret_key);
+OQS_API OQS_STATUS OQS_SIG_mqdss_31_64_sign(uint8_t *signature, size_t *signature_len, const uint8_t *message, size_t message_len, const uint8_t *secret_key);
+OQS_API OQS_STATUS OQS_SIG_mqdss_31_64_verify(const uint8_t *message, size_t message_len, const uint8_t *signature, size_t signature_len, const uint8_t *public_key);
+#endif
+
+#endif
\ No newline at end of file
diff --git a/src/sig/mqdss/sig_mqdss_31_48.c b/src/sig/mqdss/sig_mqdss_31_48.c
new file mode 100644
index 000000000..07a97f6f9
--- /dev/null
+++ b/src/sig/mqdss/sig_mqdss_31_48.c
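Review bot: The include guard `__OQS_SIG_MQDSS_H` starts with a double underscore, which C reserves for the implementation (C11 7.1.3), and `OQS_SIG *OQS_SIG_mqdss_31_48_new();` (likewise the `_31_64_new` line) is an unprototyped declaration because its parameter list is empty rather than `(void)`, so a call passing stray arguments would compile silently. Suggested lines: `#ifndef OQS_SIG_MQDSS_H`, `#define OQS_SIG_MQDSS_H` and `OQS_SIG *OQS_SIG_mqdss_31_48_new(void);`; if the sibling sig headers use the same guard pattern, they are best changed together. The two `_new` declarations are also the only ones here without `OQS_API`; if that macro controls symbol export, the omission is presumably covered by the dll.def change in this commit, but it is inconsistent with the neighbouring declarations. The file also lacks a trailing newline.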
@@ -0,0 +1,44 @@
+#include
+
+#include
+
+#ifdef OQS_ENABLE_SIG_mqdss_31_48
+
+OQS_SIG *OQS_SIG_mqdss_31_48_new() {
+
+ OQS_SIG *sig = malloc(sizeof(OQS_SIG));
+ if (sig == NULL) {
+ return NULL;
+ }
+ sig->method_name = OQS_SIG_alg_mqdss_31_48;
+ sig->alg_version = "https://github.com/joostrijneveld/MQDSS/commit/0c64d4d67a37051c1299a3049a5bb8984ca27ecc";
+
+ sig->claimed_nist_level = 1;
+ sig->euf_cma = true;
+
+ sig->length_public_key = OQS_SIG_mqdss_31_48_length_public_key;
+ sig->length_secret_key = OQS_SIG_mqdss_31_48_length_secret_key;
+ sig->length_signature = OQS_SIG_mqdss_31_48_length_signature;
+
+ sig->keypair = OQS_SIG_mqdss_31_48_keypair;
+ sig->sign = OQS_SIG_mqdss_31_48_sign;
+ sig->verify = OQS_SIG_mqdss_31_48_verify;
+
+ return sig;
+}
+
+int PQCLEAN_MQDSS48_CLEAN_crypto_sign_keypair(uint8_t *pk, uint8_t *sk);
+int PQCLEAN_MQDSS48_CLEAN_crypto_sign_signature(uint8_t *sig, size_t *siglen, const uint8_t *m, size_t mlen, const uint8_t *sk);
+int PQCLEAN_MQDSS48_CLEAN_crypto_sign_verify(const uint8_t *sig, size_t siglen, const uint8_t *m, size_t mlen, const uint8_t *pk);
+
+OQS_API OQS_STATUS OQS_SIG_mqdss_31_48_keypair(uint8_t *public_key, uint8_t *secret_key) {
+ return (OQS_STATUS) PQCLEAN_MQDSS48_CLEAN_crypto_sign_keypair(public_key, secret_key);
+}
+OQS_API OQS_STATUS OQS_SIG_mqdss_31_48_sign(uint8_t *signature, size_t *signature_len, const uint8_t *message, size_t message_len, const uint8_t *secret_key) {
+ return (OQS_STATUS) PQCLEAN_MQDSS48_CLEAN_crypto_sign_signature(signature, signature_len, message, message_len, secret_key);
+}
+OQS_API OQS_STATUS OQS_SIG_mqdss_31_48_verify(const uint8_t *message, size_t message_len, const uint8_t *signature, size_t signature_len, const uint8_t *public_key) {
+ return (OQS_STATUS) PQCLEAN_MQDSS48_CLEAN_crypto_sign_verify(signature, signature_len, message, message_len, public_key);
+}
+
+#endif
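Review bot: The three wrappers convert the PQClean `int` status with a bare cast, `return (OQS_STATUS) PQCLEAN_MQDSS48_CLEAN_crypto_sign_keypair(public_key, secret_key);`, which is only correct because PQClean returns exactly 0 on success and -1 on failure and those happen to coincide with OQS_SUCCESS and OQS_ERROR; any other non-zero status would become a value outside the enum. An explicit mapping, `return PQCLEAN_MQDSS48_CLEAN_crypto_sign_keypair(public_key, secret_key) == 0 ? OQS_SUCCESS : OQS_ERROR;`, removes that coupling; the same applies to all three wrappers in sig_mqdss_31_64.c. The PQClean prototypes are re-declared by hand here instead of coming from the vendored api.h, so an upstream signature change would not be caught by the compiler; including that header is safer if the build's include paths allow it. `OQS_SIG_mqdss_31_48_new()` should be declared and defined with `(void)`, and `malloc(sizeof(OQS_SIG))` is conventionally written `malloc(sizeof *sig)`.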
diff --git a/src/sig/mqdss/sig_mqdss_31_64.c b/src/sig/mqdss/sig_mqdss_31_64.c
new file mode 100644
index 000000000..4dfb2b632
--- /dev/null
+++ b/src/sig/mqdss/sig_mqdss_31_64.c
@@ -0,0 +1,44 @@
+#include
+
+#include
+
+#ifdef OQS_ENABLE_SIG_mqdss_31_64
+
+OQS_SIG *OQS_SIG_mqdss_31_64_new() {
+
+ OQS_SIG *sig = malloc(sizeof(OQS_SIG));
+ if (sig == NULL) {
+ return NULL;
+ }
+ sig->method_name = OQS_SIG_alg_mqdss_31_64;
+ sig->alg_version = "https://github.com/joostrijneveld/MQDSS/commit/0c64d4d67a37051c1299a3049a5bb8984ca27ecc";
+
+ sig->claimed_nist_level = 3;
+ sig->euf_cma = true;
+
+ sig->length_public_key = OQS_SIG_mqdss_31_64_length_public_key;
+ sig->length_secret_key = OQS_SIG_mqdss_31_64_length_secret_key;
+ sig->length_signature = OQS_SIG_mqdss_31_64_length_signature;
+
+ sig->keypair = OQS_SIG_mqdss_31_64_keypair;
+ sig->sign = OQS_SIG_mqdss_31_64_sign;
+ sig->verify = OQS_SIG_mqdss_31_64_verify;
+
+ return sig;
+}
+
+int PQCLEAN_MQDSS64_CLEAN_crypto_sign_keypair(uint8_t *pk, uint8_t *sk);
+int PQCLEAN_MQDSS64_CLEAN_crypto_sign_signature(uint8_t *sig, size_t *siglen, const uint8_t *m, size_t mlen, const uint8_t *sk);
+int PQCLEAN_MQDSS64_CLEAN_crypto_sign_verify(const uint8_t *sig, size_t siglen, const uint8_t *m, size_t mlen, const uint8_t *pk);
+
+OQS_API OQS_STATUS OQS_SIG_mqdss_31_64_keypair(uint8_t *public_key, uint8_t *secret_key) {
+ return (OQS_STATUS) PQCLEAN_MQDSS64_CLEAN_crypto_sign_keypair(public_key, secret_key);
+}
+OQS_API OQS_STATUS OQS_SIG_mqdss_31_64_sign(uint8_t *signature, size_t *signature_len, const uint8_t *message, size_t message_len, const uint8_t *secret_key) {
+ return (OQS_STATUS) PQCLEAN_MQDSS64_CLEAN_crypto_sign_signature(signature, signature_len, message, message_len, secret_key);
+}
+OQS_API OQS_STATUS OQS_SIG_mqdss_31_64_verify(const uint8_t *message, size_t message_len, const uint8_t *signature, size_t signature_len, const uint8_t *public_key) {
+ return (OQS_STATUS) PQCLEAN_MQDSS64_CLEAN_crypto_sign_verify(signature, signature_len, message, message_len, public_key);
+}
+
+#endif
diff --git a/src/sig/sig.c b/src/sig/sig.c
index 3bc92959e..eec3576e8 100644
--- a/src/sig/sig.c
+++ b/src/sig/sig.c
@@ -14,6 +14,7 @@ OQS_API const char *OQS_SIG_alg_identifier(size_t i) {
 OQS_SIG_alg_default,
 ///// OQS_COPY_FROM_PQCLEAN_FRAGMENT_ALG_IDENTIFIER_START
 OQS_SIG_alg_dilithium_2, OQS_SIG_alg_dilithium_3, OQS_SIG_alg_dilithium_4,
+ OQS_SIG_alg_mqdss_31_48, OQS_SIG_alg_mqdss_31_64,
 ///// OQS_COPY_FROM_PQCLEAN_FRAGMENT_ALG_IDENTIFIER_END
 OQS_SIG_alg_picnic_L1_FS, OQS_SIG_alg_picnic_L1_UR, OQS_SIG_alg_picnic_L3_FS, OQS_SIG_alg_picnic_L3_UR, OQS_SIG_alg_picnic_L5_FS, OQS_SIG_alg_picnic_L5_UR, OQS_SIG_alg_picnic2_L1_FS, OQS_SIG_alg_picnic2_L3_FS, OQS_SIG_alg_picnic2_L5_FS, OQS_SIG_alg_qTESLA_I, OQS_SIG_alg_qTESLA_III_size, OQS_SIG_alg_qTESLA_III_speed};
@@ -52,6 +53,18 @@ OQS_API OQS_SIG *OQS_SIG_new(const char *method_name) {
 return OQS_SIG_dilithium_4_new();
 #else
 return NULL;
+#endif
+ } else if (0 == strcasecmp(method_name, OQS_SIG_alg_mqdss_31_48)) {
+#ifdef OQS_ENABLE_SIG_mqdss_31_48
+ return OQS_SIG_mqdss_31_48_new();
+#else
+ return NULL;
+#endif
+ } else if (0 == strcasecmp(method_name, OQS_SIG_alg_mqdss_31_64)) {
+#ifdef OQS_ENABLE_SIG_mqdss_31_64
+ return OQS_SIG_mqdss_31_64_new();
+#else
+ return NULL;
 #endif
 ///// OQS_COPY_FROM_PQCLEAN_FRAGMENT_NEW_CASE_END
 } else if (0 == strcasecmp(method_name, OQS_SIG_alg_picnic_L1_FS)) {
diff --git a/src/sig/sig.h b/src/sig/sig.h
index cae1f61ff..5fea3514c 100644
--- a/src/sig/sig.h
+++ b/src/sig/sig.h
@@ -62,11 +62,15 @@ extern "C" {
 #define OQS_SIG_alg_dilithium_3 "DILITHIUM_3"
 /** Algorithm identifier for DILITHIUM_4 */
 #define OQS_SIG_alg_dilithium_4 "DILITHIUM_4"
+/** Algorithm identifier for MQDSS-31-48 */
+#define OQS_SIG_alg_mqdss_31_48 "MQDSS-31-48"
+/** Algorithm identifier for MQDSS-31-64 */
+#define OQS_SIG_alg_mqdss_31_64 "MQDSS-31-64"
 ///// OQS_COPY_FROM_PQCLEAN_FRAGMENT_ALG_IDENTIFIER_END
 // EDIT-WHEN-ADDING-SIG
 ///// OQS_COPY_FROM_PQCLEAN_FRAGMENT_ALGS_LENGTH_START
 /** Number of algorithm identifiers above (including default). */
-#define OQS_SIG_algs_length 16
+#define OQS_SIG_algs_length 18
 ///// OQS_COPY_FROM_PQCLEAN_FRAGMENT_ALGS_LENGTH_END
 /**
@@ -231,6 +235,7 @@ OQS_API void OQS_SIG_free(OQS_SIG *sig);
 #include
 ///// OQS_COPY_FROM_PQCLEAN_FRAGMENT_INCLUDE_START
 #include
+#include
 ///// OQS_COPY_FROM_PQCLEAN_FRAGMENT_INCLUDE_END
 // EDIT-WHEN-ADDING-SIG