-
Notifications
You must be signed in to change notification settings - Fork 26
/
Copy pathpicnic3_simulate.c.i
61 lines (55 loc) · 2.24 KB
/
picnic3_simulate.c.i
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
/*! @file picnic3_impl.c
* @brief This is the main file of the signature scheme for the Picnic3
* parameter sets.
*
* This file is part of the reference implementation of the Picnic signature scheme.
* See the accompanying documentation for complete details.
*
* The code is provided under the MIT license, see LICENSE for
* more details.
* SPDX-License-Identifier: MIT
*/
#if defined(LOWMC_INSTANCE)
#if defined(FN_ATTR)
FN_ATTR
#endif
static int SIM_ONLINE(mzd_local_t* maskedKey, randomTape_t* tapes, msgs_t* msgs,
const mzd_local_t* plaintext, const uint8_t* pubKey,
const picnic_instance_t* params) {
#define mpc_sbox CONCAT(picnic3_mpc_sbox, CONCAT(IMPL, LOWMC_INSTANCE))
mzd_local_t state[(LOWMC_N + 255) / 256];
mzd_local_t temp[(LOWMC_N + 255) / 256];
// MPC_MUL(temp, maskedKey, LOWMC_INSTANCE.k0_matrix,
// mask_shares); // roundKey = maskedKey * KMatrix[0]
MUL(temp, maskedKey, LOWMC_INSTANCE.k0_matrix);
XOR(state, temp, plaintext);
for (uint32_t r = 0; r < LOWMC_R; r++) {
mpc_sbox(state, tapes, msgs);
// MPC_MUL(state, state, LOWMC_INSTANCE.rounds[r].l_matrix,
// mask_shares); // state = state * LMatrix (r-1)
MUL(temp, state, LOWMC_INSTANCE.rounds[r].l_matrix);
XOR(state, temp, LOWMC_INSTANCE.rounds[r].constant);
ADDMUL(state, maskedKey, LOWMC_INSTANCE.rounds[r].k_matrix);
}
/* check that the output is correct */
uint8_t output[MAX_LOWMC_BLOCK_SIZE] = {0};
mzd_to_char_array(output, state, params->input_output_size);
/* timingsafe_bcmp is not strictly necessary here. The comparison does not leak
* any information on the secret key. Also, the result is fine to be leaked as
* it essentially only conveys the information whether the public key stored in
* the secret key is consistent. */
const int ret = picnic_timingsafe_bcmp(output, pubKey, params->input_output_size);
picnic_declassify(&ret, sizeof(ret));
#if !defined(NDEBUG)
if (ret) {
printf("%s: output does not match pubKey\n", __func__);
printf("pubKey: ");
print_hex(stdout, pubKey, params->input_output_size);
printf("\noutput: ");
print_hex(stdout, output, params->input_output_size);
printf("\n");
}
#endif
return ret;
}
#endif