From b7c979dfa4339644af016c016052fa574997b164 Mon Sep 17 00:00:00 2001 From: Stephan Schmiedmayer <56692976+StephanSchmiedmayer@users.noreply.github.com> Date: Fri, 19 Apr 2024 10:28:15 +0200 Subject: [PATCH] Add bls12 381 shake 256 ciphersuite (#4) --- .uncrustify.cfg | 3 +- CMakeLists.txt | 15 +- README.md | 3 +- include/bbs.h | 320 ++++-- include/bbs_util.h | 359 ++++--- src/CMakeLists.txt | 18 +- src/bbs.c | 908 ++++++++++++++---- src/bbs_util.c | 532 +++++++--- test/CMakeLists.txt | 2 + test/bbs_e2e_sign_n_proof.c | 221 +++-- test/bbs_fix_expand_message.c | 124 +++ test/bbs_fix_generators.c | 226 ++--- test/bbs_fix_hash_to_scalar.c | 73 ++ test/bbs_fix_keygen.c | 100 +- test/bbs_fix_msg_scalars.c | 195 ++-- test/bbs_fix_proof_gen.c | 680 ++++++++----- test/bbs_fix_proof_verify.c | 458 +++++++-- test/bbs_fix_sign.c | 251 +++-- test/bbs_fix_verify.c | 237 ++++- .../bls12-381-shake-256/expandMessage.json | 76 ++ test/fixtures.c | 224 +++++ test/fixtures.h | 69 ++ test/genfixtures.rb | 53 +- test/test_util.h | 32 +- 24 files changed, 3862 insertions(+), 1317 deletions(-) create mode 100644 test/bbs_fix_expand_message.c create mode 100644 test/bbs_fix_hash_to_scalar.c create mode 100644 test/fixture_data/bls12-381-shake-256/expandMessage.json diff --git a/.uncrustify.cfg b/.uncrustify.cfg index 233ff78..eb63827 100644 --- a/.uncrustify.cfg +++ b/.uncrustify.cfg @@ -21,11 +21,12 @@ sp_after_cast=add ls_for_split_full=true ls_func_split_full=true -ls_code_width=true +ls_code_width=false # Arithmetic operations in wrapped expressions should be at the start # of the line. pos_arith=lead +pos_comma = trail # Fully parenthesize boolean exprs mod_full_paren_if_bool=false diff --git a/CMakeLists.txt b/CMakeLists.txt index 90aae2f..a6089c9 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -62,6 +62,19 @@ ExternalProject_Get_Property(relic BINARY_DIR) ExternalProject_Get_Property(relic SOURCE_DIR) include_directories(${SOURCE_DIR}/include) +find_program(MAKE_EXECUTABLE NAMES gmake make mingw32-make REQUIRED) + +ExternalProject_Add( + KeccakCodePackage + PREFIX ${CMAKE_BINARY_DIR}/KeccakCodePackage + GIT_REPOSITORY https://github.com/XKCP/XKCP.git + GIT_TAG 07ed6e44dc9032708b438ad19740970a40b3b285 + GIT_SUBMODULES "support/XKCBuild" + UPDATE_DISCONNECTED 1 + CONFIGURE_COMMAND "" + BUILD_IN_SOURCE 1 + BUILD_COMMAND ${MAKE_EXECUTABLE} -j generic64/libXKCP.a + INSTALL_COMMAND "") file(MAKE_DIRECTORY ${BINARY_DIR}/${CMAKE_INSTALL_INCLUDEDIR}) # avoid race # condition @@ -70,7 +83,5 @@ if(DEFINED LIBBBS_DEBUG) add_compile_definitions(LIBBBS_DEBUG) endif() - - add_subdirectory(src) add_subdirectory(test) diff --git a/README.md b/README.md index d62c31d..fe53417 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,7 @@ Specification-compliant and performant implementation of the [bbs signature scheme](https://www.ietf.org/archive/id/draft-irtf-cfrg-bbs-signatures-05.html). -Provides a library `libbbs` implementing the `BLS12381-SHA-256` cipher suite. +Provides a library `libbbs` implementing the `BLS12381-SHA-256` and `BLS12-381-SHAKE-256` cipher suite. ## Setup @@ -31,4 +31,3 @@ cmake .. make -j make test ``` - diff --git a/include/bbs.h b/include/bbs.h index e2625b4..ec122da 100644 --- a/include/bbs.h +++ b/include/bbs.h @@ -4,93 +4,291 @@ #include #include +/// @brief BBS cipher suite interface +/// @note Strategy pattern to dispatch to the correct hash function for the +/// cipher suite, keeping the same overall control flow for the caller. +typedef struct +{ + // Execution needs multiple hash contexts simultaneously + void *hash_ctx; + void *dom_ctx; + void *ch_ctx; + uint8_t *p1; + + // Incremental expand_message API with fixed 48B output (needed at multiple points in protocol) + int (*expand_message_init) ( + void *ctx + ); + int (*expand_message_update) ( + void *ctx, + const uint8_t *msg, + uint32_t msg_len + ); + int (*expand_message_finalize_48B) ( + void *ctx, + uint8_t out[48], + const uint8_t *dst, + uint8_t dst_len + ); + + // One-shot expand_message API with variable output length (only needed in create_generator_next) + int (*expand_message_dyn)( + void *ctx, + uint8_t *out, + uint32_t out_len, + const uint8_t *msg, + uint32_t msg_lg, + const uint8_t *dst, + uint8_t dst_len + ); + + /// DST + char *cipher_suite_id; + uint8_t cipher_suite_id_len; + char *default_key_dst; + uint8_t default_key_dst_len; + char *api_id; + uint8_t api_id_len; + char *signature_dst; + uint8_t signature_dst_len; + char *challenge_dst; + uint8_t challenge_dst_len; + char *map_dst; + uint8_t map_dst_len; +} bbs_cipher_suite_t; + +extern bbs_cipher_suite_t bbs_sha256_cipher_suite; +extern bbs_cipher_suite_t bbs_shake256_cipher_suite; + // Octet string lengths -#define BBS_SK_LEN 32 -#define BBS_PK_LEN 96 -#define BBS_SIG_LEN 80 -#define BBS_PROOF_BASE_LEN 272 -#define BBS_PROOF_UD_ELEM_LEN 32 -#define BBS_PROOF_LEN(num_undisclosed) (BBS_PROOF_BASE_LEN + num_undisclosed * BBS_PROOF_UD_ELEM_LEN) +#define BBS_SK_LEN 32 +#define BBS_PK_LEN 96 +#define BBS_SIG_LEN 80 +#define BBS_PROOF_BASE_LEN 272 +#define BBS_PROOF_UD_ELEM_LEN 32 +#define BBS_PROOF_LEN(num_undisclosed) (BBS_PROOF_BASE_LEN + num_undisclosed * BBS_PROOF_UD_ELEM_LEN \ + ) // Return values -#define BBS_OK 0 +#define BBS_OK 0 #define BBS_ERROR 1 // Typedefs -typedef uint8_t bbs_secret_key[BBS_SK_LEN]; -typedef uint8_t bbs_public_key[BBS_PK_LEN]; -typedef uint8_t bbs_signature[BBS_SIG_LEN]; +typedef uint8_t bbs_secret_key[BBS_SK_LEN]; +typedef uint8_t bbs_public_key[BBS_PK_LEN]; +typedef uint8_t bbs_signature[BBS_SIG_LEN]; // Key Generation -int bbs_keygen_full( - bbs_secret_key sk, - bbs_public_key pk + +int bbs_sha256_keygen_full ( + bbs_secret_key sk, + bbs_public_key pk + ); + +int bbs_shake256_keygen_full ( + bbs_secret_key sk, + bbs_public_key pk + ); + +int bbs_keygen_full ( + bbs_cipher_suite_t *cipher_suite, + bbs_secret_key sk, + bbs_public_key pk ); -int bbs_keygen( - bbs_secret_key sk, - const uint8_t *key_material, - uint16_t key_material_len, - const uint8_t *key_info, - uint16_t key_info_len, - const uint8_t *key_dst, - uint8_t key_dst_len +int bbs_sha256_keygen ( + bbs_secret_key sk, + const uint8_t *key_material, + uint16_t key_material_len, + const uint8_t *key_info, + uint16_t key_info_len, + const uint8_t *key_dst, + uint8_t key_dst_len ); -int bbs_sk_to_pk( - const bbs_secret_key sk, - bbs_public_key pk +int bbs_shake256_keygen ( + bbs_secret_key sk, + const uint8_t *key_material, + uint16_t key_material_len, + const uint8_t *key_info, + uint16_t key_info_len, + const uint8_t *key_dst, + uint8_t key_dst_len + ); + +int bbs_keygen ( + bbs_cipher_suite_t *cipher_suite, + bbs_secret_key sk, + const uint8_t *key_material, + uint16_t key_material_len, + const uint8_t *key_info, + uint16_t key_info_len, + const uint8_t *key_dst, + uint8_t key_dst_len + ); + +#define bbs_sha256_sk_to_pk bbs_sk_to_pk + +#define bbs_shake256_sk_to_pk bbs_sk_to_pk + +int bbs_sk_to_pk ( + const bbs_secret_key sk, + bbs_public_key pk ); // Signing -int bbs_sign( - const bbs_secret_key sk, - const bbs_public_key pk, - bbs_signature signature, - const uint8_t *header, - uint64_t header_len, - uint64_t num_messages, - ... + +int bbs_sha256_sign ( + const bbs_secret_key sk, + const bbs_public_key pk, + bbs_signature signature, + const uint8_t *header, + uint64_t header_len, + uint64_t num_messages, + ... + ); + +int bbs_shake256_sign ( + const bbs_secret_key sk, + const bbs_public_key pk, + bbs_signature signature, + const uint8_t *header, + uint64_t header_len, + uint64_t num_messages, + ... + ); + + +int bbs_sign ( + bbs_cipher_suite_t *cipher_suite, + const bbs_secret_key sk, + const bbs_public_key pk, + bbs_signature signature, + const uint8_t *header, + uint64_t header_len, + uint64_t num_messages, + va_list ap ); // Verification -int bbs_verify( - const bbs_public_key pk, - const bbs_signature signature, - const uint8_t *header, - uint64_t header_len, - uint64_t num_messages, - ... + +int bbs_sha256_verify ( + const bbs_public_key pk, + const bbs_signature signature, + const uint8_t *header, + uint64_t header_len, + uint64_t num_messages, + ... + ); + +int bbs_shake256_verify ( + const bbs_public_key pk, + const bbs_signature signature, + const uint8_t *header, + uint64_t header_len, + uint64_t num_messages, + ... + ); + +int bbs_verify ( + bbs_cipher_suite_t *cipher_suite, + const bbs_public_key pk, + const bbs_signature signature, + const uint8_t *header, + uint64_t header_len, + uint64_t num_messages, + va_list ap ); // Proof Generation + +int bbs_sha256_proof_gen ( + const bbs_public_key pk, + const bbs_signature signature, + uint8_t *proof, + const uint8_t *header, + uint64_t header_len, + const uint8_t *presentation_header, + uint64_t presentation_header_len, + const uint64_t *disclosed_indexes, + uint64_t disclosed_indexes_len, + uint64_t num_messages, + ... + ); + +int bbs_shake256_proof_gen ( + const bbs_public_key pk, + const bbs_signature signature, + uint8_t *proof, + const uint8_t *header, + uint64_t header_len, + const uint8_t *presentation_header, + uint64_t presentation_header_len, + const uint64_t *disclosed_indexes, + uint64_t disclosed_indexes_len, + uint64_t num_messages, + ... + ); + + int bbs_proof_gen ( - const bbs_public_key pk, - const bbs_signature signature, - uint8_t *proof, - const uint8_t *header, - uint64_t header_len, - const uint8_t *presentation_header, - uint64_t presentation_header_len, - const uint64_t *disclosed_indexes, - uint64_t disclosed_indexes_len, - uint64_t num_messages, - ... + bbs_cipher_suite_t *cipher_suite, + const bbs_public_key pk, + const bbs_signature signature, + uint8_t *proof, + const uint8_t *header, + uint64_t header_len, + const uint8_t *presentation_header, + uint64_t presentation_header_len, + const uint64_t *disclosed_indexes, + uint64_t disclosed_indexes_len, + uint64_t num_messages, + va_list ap ); // Proof Verification + +int bbs_sha256_proof_verify ( + const bbs_public_key pk, + const uint8_t *proof, + uint64_t proof_len, + const uint8_t *header, + uint64_t header_len, + const uint8_t *presentation_header, + uint64_t presentation_header_len, + const uint64_t *disclosed_indexes, + uint64_t disclosed_indexes_len, + uint64_t num_messages, + ... + ); + +int bbs_shake256_proof_verify ( + const bbs_public_key pk, + const uint8_t *proof, + uint64_t proof_len, + const uint8_t *header, + uint64_t header_len, + const uint8_t *presentation_header, + uint64_t presentation_header_len, + const uint64_t *disclosed_indexes, + uint64_t disclosed_indexes_len, + uint64_t num_messages, + ... + ); + int bbs_proof_verify ( - const bbs_public_key pk, - const uint8_t *proof, - uint64_t proof_len, - const uint8_t *header, - uint64_t header_len, - const uint8_t *presentation_header, - uint64_t presentation_header_len, - const uint64_t *disclosed_indexes, - uint64_t disclosed_indexes_len, - uint64_t num_messages, - ... + bbs_cipher_suite_t *cipher_suite, + const bbs_public_key pk, + const uint8_t *proof, + uint64_t proof_len, + const uint8_t *header, + uint64_t header_len, + const uint8_t *presentation_header, + uint64_t presentation_header_len, + const uint64_t *disclosed_indexes, + uint64_t disclosed_indexes_len, + uint64_t num_messages, + va_list ap ); #endif diff --git a/include/bbs_util.h b/include/bbs_util.h index 45b0df9..a3628a1 100644 --- a/include/bbs_util.h +++ b/include/bbs_util.h @@ -2,15 +2,20 @@ #define BBS_UTIL_H #include "bbs.h" -#include + #include +#include "KeccakHash.h" + +#undef ALIGN +#include // This header specifies useful functions for several utility algorithms. // Use these if you want to hack on BBS signatures and want to stay close to the // RFC draft. -#define LEN(m) (sizeof(m) / sizeof(m[0])) -#define DEBUG(p, a, l) do { puts(p); for(int xx=0;xx> 56) | \ - ((x & 0x00ff000000000000LL) >> 40) | \ - ((x & 0x0000ff0000000000LL) >> 24) | \ - ((x & 0x000000ff00000000LL) >> 8) | \ - ((x & 0x00000000ff000000LL) << 8) | \ - ((x & 0x0000000000ff0000LL) << 24) | \ - ((x & 0x000000000000ff00LL) << 40) | \ - ((x & 0x00000000000000ffLL) << 56)) + ((x & 0x00ff000000000000LL) >> 40) | \ + ((x & 0x0000ff0000000000LL) >> 24) | \ + ((x & 0x000000ff00000000LL) >> 8) | \ + ((x & 0x00000000ff000000LL) << 8) | \ + ((x & 0x0000000000ff0000LL) << 24) | \ + ((x & 0x000000000000ff00LL) << 40) | \ + ((x & 0x00000000000000ffLL) << 56)) #endif /*BBS_UTIL_H*/ diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index af47b0b..a99c5a8 100644 --- a/src/CMakeLists.txt +++ b/src/CMakeLists.txt @@ -6,15 +6,31 @@ add_library(bbs SHARED bbs.c bbs_util.c) - # set_property(TARGET bbs PROPERTY POSITION_INDEPENDENT_CODE ON) target_include_directories(bbs PUBLIC ../include) +ExternalProject_Get_Property(relic SOURCE_DIR) target_include_directories(bbs PUBLIC ${SOURCE_DIR}/include) target_include_directories(bbs PUBLIC ${SOURCE_DIR}/src/md) target_include_directories(bbs PUBLIC ${SOURCE_DIR}/src/tmpl) target_include_directories(bbs PUBLIC ${BINARY_DIR}/include) target_include_directories(bbs PUBLIC ${GMP_PATH}) +ExternalProject_Get_Property(KeccakCodePackage SOURCE_DIR) +message(STATUS "KeccakCodePackage: ${SOURCE_DIR}") +target_include_directories(bbs PUBLIC ${SOURCE_DIR}/bin/generic64/libXKCP.a.headers) +target_link_libraries(bbs PUBLIC ${SOURCE_DIR}/bin/generic64/libXKCP.a) +target_include_directories( + bbs + PRIVATE + ${CMAKE_BINARY_DIR}/KeccakCodePackage/src/KeccakCodePackage/bin/generic64/libXKCP.a.headers +) +target_link_libraries( + bbs + PRIVATE + ${CMAKE_BINARY_DIR}/KeccakCodePackage/src/KeccakCodePackage/bin/generic64/libXKCP.a +) +add_dependencies(bbs KeccakCodePackage) + add_dependencies(bbs relic) target_link_libraries(bbs PUBLIC ${GMP_LIB}) target_link_libraries(bbs PRIVATE diff --git a/src/bbs.c b/src/bbs.c index fd88a4a..ff33595 100644 --- a/src/bbs.c +++ b/src/bbs.c @@ -3,28 +3,132 @@ #include // Magic constants to be used as Domain Separation Tags -#define BBS_SHA_256_CIPHER_ID "BBS_BLS12381G1_XMD:SHA-256_SSWU_RO_" -#define BBS_SHA_256_DEFAULT_KEY_DST BBS_SHA_256_CIPHER_ID "KEYGEN_DST_" -#define BBS_SHA_256_API_ID BBS_SHA_256_CIPHER_ID "H2G_HM2S_" -#define BBS_SHA_256_SIGNATURE_DST BBS_SHA_256_API_ID "H2S_" -#define BBS_SHA_256_CHALLENGE_DST BBS_SHA_256_API_ID "H2S_" -#define BBS_SHA_256_MAP_DST BBS_SHA_256_API_ID "MAP_MSG_TO_SCALAR_AS_HASH_" + +#define BBS_SHA256_CIPHER_SUITE_ID "BBS_BLS12381G1_XMD:SHA-256_SSWU_RO_" +#define BBS_SHA256_CIPHER_SUITE_LENGTH 35 +#define BBS_SHA256_DEFAULT_KEY_DST BBS_SHA256_CIPHER_SUITE_ID "KEYGEN_DST_" +#define BBS_SHA256_DEFAULT_KEY_DST_LENGTH BBS_SHA256_CIPHER_SUITE_LENGTH + 11 +#define BBS_SHA256_API_ID BBS_SHA256_CIPHER_SUITE_ID "H2G_HM2S_" +#define BBS_SHA256_API_ID_LENGTH BBS_SHA256_CIPHER_SUITE_LENGTH + 9 +#define BBS_SHA256_SIGNATURE_DST BBS_SHA256_API_ID "H2S_" +#define BBS_SHA256_SIGNATURE_DST_LENGTH BBS_SHA256_API_ID_LENGTH + 4 +#define BBS_SHA256_CHALLENGE_DST BBS_SHA256_API_ID "H2S_" +#define BBS_SHA256_CHALLENGE_DST_LENGTH BBS_SHA256_API_ID_LENGTH + 4 +#define BBS_SHA256_MAP_DST BBS_SHA256_API_ID "MAP_MSG_TO_SCALAR_AS_HASH_" +#define BBS_SHA256_MAP_DST_LENGTH BBS_SHA256_API_ID_LENGTH + 26 + // The above collision stems from the ID. Possible oversight? Should not compromise // security too much... -// Point for the SHA suite -static uint8_t P1[] = { +SHA256Context bbs_sha256_hash_ctx_t; +SHA256Context bbs_sha256_dom_ctx_t; +SHA256Context bbs_sha256_ch_ctx_t; + +#define BBS_SHAKE256_CIPHER_SUITE_ID "BBS_BLS12381G1_XOF:SHAKE-256_SSWU_RO_" +#define BBS_SHAKE256_CIPHER_SUITE_LENGTH 37 +#define BBS_SHAKE256_DEFAULT_KEY_DST BBS_SHAKE256_CIPHER_SUITE_ID "KEYGEN_DST_" +#define BBS_SHAKE256_DEFAULT_KEY_DST_LENGTH BBS_SHAKE256_CIPHER_SUITE_LENGTH + 11 +#define BBS_SHAKE256_API_ID BBS_SHAKE256_CIPHER_SUITE_ID "H2G_HM2S_" +#define BBS_SHAKE256_API_ID_LENGTH BBS_SHAKE256_CIPHER_SUITE_LENGTH + 9 +#define BBS_SHAKE256_SIGNATURE_DST BBS_SHAKE256_API_ID "H2S_" +#define BBS_SHAKE256_SIGNATURE_DST_LENGTH BBS_SHAKE256_API_ID_LENGTH + 4 +#define BBS_SHAKE256_CHALLENGE_DST BBS_SHAKE256_API_ID "H2S_" +#define BBS_SHAKE256_CHALLENGE_DST_LENGTH BBS_SHAKE256_API_ID_LENGTH + 4 +#define BBS_SHAKE256_MAP_DST BBS_SHAKE256_API_ID "MAP_MSG_TO_SCALAR_AS_HASH_" +#define BBS_SHAKE256_MAP_DST_LENGTH BBS_SHAKE256_API_ID_LENGTH + 26 + + +Keccak_HashInstance bbs_shake256_hash_ctx_t; +Keccak_HashInstance bbs_shake256_dom_ctx_t; +Keccak_HashInstance bbs_shake256_ch_ctx_t; + +static uint8_t BBS_SHA256_P1[] = { 0xa8, 0xce, 0x25, 0x61, 0x02, 0x84, 0x08, 0x21, 0xa3, 0xe9, 0x4e, 0xa9, 0x02, 0x5e, 0x46, 0x62, 0xb2, 0x05, 0x76, 0x2f, 0x97, 0x76, 0xb3, 0xa7, 0x66, 0xc8, 0x72, 0xb9, 0x48, 0xf1, 0xfd, 0x22, 0x5e, 0x7c, 0x59, 0x69, 0x85, 0x88, 0xe7, 0x0d, 0x11, 0x40, 0x6d, 0x16, 0x1b, 0x4e, 0x28, 0xc9 }; +static uint8_t BBS_SHAKE256_P1[] = { + 0x89, 0x29, 0xdf, 0xbc, 0x7e, 0x66, 0x42, 0xc4, 0xed, 0x9c, 0xba, 0x08, 0x56, 0xe4, 0x93, + 0xf8, 0xb9, 0xd7, 0xd5, 0xfc, 0xb0, 0xc3, 0x1e, 0xf8, 0xfd, 0xcd, 0x34, 0xd5, 0x06, 0x48, + 0xa5, 0x6c, 0x79, 0x5e, 0x10, 0x6e, 0x9e, 0xad, 0xa6, 0xe0, 0xbd, 0xa3, 0x86, 0xb4, 0x14, + 0x15, 0x07, 0x55 +}; + +// *INDENT-OFF* - Preserve formatting +bbs_cipher_suite_t bbs_sha256_cipher_suite = { + .hash_ctx = &bbs_sha256_hash_ctx_t, + .dom_ctx = &bbs_sha256_dom_ctx_t, + .ch_ctx = &bbs_sha256_ch_ctx_t, + .p1 = BBS_SHA256_P1, + .expand_message_init = bbs_sha256_expand_message_init, + .expand_message_update = bbs_sha256_expand_message_update, + .expand_message_finalize_48B = bbs_sha256_expand_message_finalize_48B, + .expand_message_dyn = bbs_sha256_expand_message_dyn, + .cipher_suite_id = (char*) BBS_SHA256_CIPHER_SUITE_ID, + .cipher_suite_id_len = BBS_SHA256_CIPHER_SUITE_LENGTH, + .default_key_dst = BBS_SHA256_DEFAULT_KEY_DST, + .default_key_dst_len = BBS_SHA256_DEFAULT_KEY_DST_LENGTH, + .api_id = BBS_SHA256_API_ID, + .api_id_len = BBS_SHA256_API_ID_LENGTH, + .signature_dst = BBS_SHA256_SIGNATURE_DST, + .signature_dst_len = BBS_SHA256_SIGNATURE_DST_LENGTH, + .challenge_dst = BBS_SHA256_CHALLENGE_DST, + .challenge_dst_len = BBS_SHA256_CHALLENGE_DST_LENGTH, + .map_dst = BBS_SHA256_MAP_DST, + .map_dst_len = BBS_SHA256_MAP_DST_LENGTH, +}; + +bbs_cipher_suite_t bbs_shake256_cipher_suite = { + .hash_ctx = &bbs_shake256_hash_ctx_t, + .dom_ctx = &bbs_shake256_dom_ctx_t, + .ch_ctx = &bbs_shake256_ch_ctx_t, + .p1 = BBS_SHAKE256_P1, + .expand_message_init = bbs_shake256_expand_message_init, + .expand_message_update = bbs_shake256_expand_message_update, + .expand_message_finalize_48B = bbs_shake256_expand_message_finalize_48B, + .expand_message_dyn = bbs_shake256_expand_message_dyn, + .cipher_suite_id = (char*) BBS_SHAKE256_CIPHER_SUITE_ID, + .cipher_suite_id_len = BBS_SHAKE256_CIPHER_SUITE_LENGTH, + .default_key_dst = BBS_SHAKE256_DEFAULT_KEY_DST, + .default_key_dst_len = BBS_SHAKE256_DEFAULT_KEY_DST_LENGTH, + .api_id = BBS_SHAKE256_API_ID, + .api_id_len = BBS_SHAKE256_API_ID_LENGTH, + .signature_dst = BBS_SHAKE256_SIGNATURE_DST, + .signature_dst_len = BBS_SHAKE256_SIGNATURE_DST_LENGTH, + .challenge_dst = BBS_SHAKE256_CHALLENGE_DST, + .challenge_dst_len = BBS_SHAKE256_CHALLENGE_DST_LENGTH, + .map_dst = BBS_SHAKE256_MAP_DST, + .map_dst_len = BBS_SHAKE256_MAP_DST_LENGTH, +}; +// *INDENT-ON* - Restore formatting int -bbs_keygen_full ( +bbs_sha256_keygen_full ( bbs_secret_key sk, bbs_public_key pk ) +{ + return bbs_keygen_full (&bbs_sha256_cipher_suite, sk, pk); +} + + +int +bbs_shake256_keygen_full ( + bbs_secret_key sk, + bbs_public_key pk + ) +{ + return bbs_keygen_full (&bbs_shake256_cipher_suite, sk, pk); +} + + +int +bbs_keygen_full ( + bbs_cipher_suite_t *cipher_suite, + bbs_secret_key sk, + bbs_public_key pk + ) { int res = BBS_ERROR; static uint8_t seed[32]; @@ -38,7 +142,7 @@ bbs_keygen_full ( } // Generate the secret key - if (BBS_OK != bbs_keygen (sk, seed, 32, 0, 0, 0, 0)) + if (BBS_OK != bbs_keygen (cipher_suite, sk, seed, 32, 0, 0, 0, 0)) { goto cleanup; } @@ -56,7 +160,7 @@ bbs_keygen_full ( int -bbs_keygen ( +bbs_sha256_keygen ( bbs_secret_key sk, const uint8_t *key_material, uint16_t key_material_len, @@ -65,6 +169,51 @@ bbs_keygen ( const uint8_t *key_dst, uint8_t key_dst_len ) +{ + return bbs_keygen (&bbs_sha256_cipher_suite, + sk, + key_material, + key_material_len, + key_info, + key_info_len, + key_dst, + key_dst_len); +} + + +int +bbs_shake256_keygen ( + bbs_secret_key sk, + const uint8_t *key_material, + uint16_t key_material_len, + const uint8_t *key_info, + uint16_t key_info_len, + const uint8_t *key_dst, + uint8_t key_dst_len + ) +{ + return bbs_keygen (&bbs_shake256_cipher_suite, + sk, + key_material, + key_material_len, + key_info, + key_info_len, + key_dst, + key_dst_len); +} + + +int +bbs_keygen ( + bbs_cipher_suite_t *cipher_suite, + bbs_secret_key sk, + const uint8_t *key_material, + uint16_t key_material_len, + const uint8_t *key_info, + uint16_t key_info_len, + const uint8_t *key_dst, + uint8_t key_dst_len + ) { bn_t sk_n; uint16_t key_info_len_be = ((key_info_len & 0x00FFu) << 8) | (key_info_len >> 8); @@ -80,8 +229,8 @@ bbs_keygen ( if (! key_dst) { - key_dst = (uint8_t*) BBS_SHA_256_DEFAULT_KEY_DST; - key_dst_len = LEN (BBS_SHA_256_DEFAULT_KEY_DST) - 1; + key_dst = (uint8_t*) cipher_suite->default_key_dst; + key_dst_len = cipher_suite->default_key_dst_len; } RLC_TRY { @@ -91,8 +240,17 @@ bbs_keygen ( goto cleanup; } - if (BBS_OK != hash_to_scalar (sk_n, key_dst, key_dst_len, key_material, key_material_len, - &key_info_len_be, 2, key_info, key_info_len, 0)) + if (BBS_OK != hash_to_scalar (cipher_suite, + sk_n, + key_dst, + key_dst_len, + key_material, + key_material_len, + &key_info_len_be, + 2, + key_info, + key_info_len, + 0)) { goto cleanup; } @@ -145,7 +303,7 @@ bbs_sk_to_pk ( int -bbs_sign ( +bbs_sha256_sign ( const bbs_secret_key sk, const bbs_public_key pk, bbs_signature signature, @@ -155,15 +313,66 @@ bbs_sign ( ... ) { - va_list ap; - uint8_t generator_ctx[48 + 8]; - SHA256Context h2s_ctx, dom_ctx; - uint8_t buffer[BBS_SCALAR_LEN]; - bn_t e, domain, msg_scalar, sk_n; - ep_t A, B, Q_1, H_i; - uint8_t *msg; - uint32_t msg_len; - int res = BBS_ERROR; + va_list args; + va_start (args, num_messages); + int result = bbs_sign (&bbs_sha256_cipher_suite, + sk, + pk, + signature, + header, + header_len, + num_messages, + args); + va_end (args); + return result; +} + + +int +bbs_shake256_sign ( + const bbs_secret_key sk, + const bbs_public_key pk, + bbs_signature signature, + const uint8_t *header, + uint64_t header_len, + uint64_t num_messages, + ... + ) +{ + va_list args; + va_start (args, num_messages); + int result = bbs_sign (&bbs_shake256_cipher_suite, + sk, + pk, + signature, + header, + header_len, + num_messages, + args); + va_end (args); + return result; +} + + +int +bbs_sign ( + bbs_cipher_suite_t *cipher_suite, + const bbs_secret_key sk, + const bbs_public_key pk, + bbs_signature signature, + const uint8_t *header, + uint64_t header_len, + uint64_t num_messages, + va_list ap + ) +{ + uint8_t generator_ctx[48 + 8]; + uint8_t buffer[BBS_SCALAR_LEN]; + bn_t e, domain, msg_scalar, sk_n; + ep_t A, B, Q_1, H_i; + uint8_t *msg; + uint32_t msg_len; + int res = BBS_ERROR; bn_null (e); bn_null (sk_n); @@ -180,22 +389,23 @@ bbs_sign ( header_len = 0; } - if (BBS_OK != create_generator_init (generator_ctx, (uint8_t*) BBS_SHA_256_API_ID, LEN ( - BBS_SHA_256_API_ID) - - 1)) + if (BBS_OK != create_generator_init (cipher_suite, + generator_ctx, + (uint8_t*) cipher_suite->api_id, + cipher_suite->api_id_len)) { goto cleanup; } - if (BBS_OK != calculate_domain_init (&dom_ctx, pk, num_messages)) + if (BBS_OK != calculate_domain_init (cipher_suite, cipher_suite->dom_ctx, pk, num_messages)) { goto cleanup; } - if (BBS_OK != hash_to_scalar_init (&h2s_ctx)) + if (BBS_OK != hash_to_scalar_init (cipher_suite, cipher_suite->ch_ctx)) { goto cleanup; } - if (BBS_OK != hash_to_scalar_update (&h2s_ctx, sk, BBS_SK_LEN)) + if (BBS_OK != hash_to_scalar_update (cipher_suite, cipher_suite->ch_ctx, sk, BBS_SK_LEN)) { goto cleanup; } @@ -210,7 +420,7 @@ bbs_sign ( ep_new (H_i); // Initialize B to P1 - ep_read_bbs (B, P1); + ep_read_bbs (B, cipher_suite->p1); } RLC_CATCH_ANY { goto cleanup; @@ -224,28 +434,32 @@ bbs_sign ( for (int i = 0; iapi_id, + cipher_suite->api_id_len) + ) { goto cleanup; } - if (BBS_OK != calculate_domain_update (&dom_ctx, H_i)) + if (BBS_OK != calculate_domain_update (cipher_suite, cipher_suite->dom_ctx, H_i)) { goto cleanup; } } - if (BBS_OK != calculate_domain_finalize (&dom_ctx, domain, header, header_len, - (uint8_t*) BBS_SHA_256_API_ID, LEN ( - BBS_SHA_256_API_ID) - - 1)) + if (BBS_OK != calculate_domain_finalize (cipher_suite, + cipher_suite->dom_ctx, + domain, + header, + header_len, + (uint8_t*) cipher_suite->api_id, + cipher_suite->api_id_len)) { goto cleanup; } - if (BBS_OK != create_generator_init (generator_ctx, (uint8_t*) BBS_SHA_256_API_ID, LEN ( - BBS_SHA_256_API_ID) - - 1)) + if (BBS_OK != create_generator_init (cipher_suite, + generator_ctx, + (uint8_t*) cipher_suite->api_id, + cipher_suite->api_id_len)) { goto cleanup; } @@ -255,28 +469,32 @@ bbs_sign ( RLC_CATCH_ANY { goto cleanup; } - if (BBS_OK != hash_to_scalar_update (&h2s_ctx, buffer, BBS_SCALAR_LEN)) + if (BBS_OK != hash_to_scalar_update (cipher_suite, + cipher_suite->ch_ctx, + buffer, + BBS_SCALAR_LEN)) { goto cleanup; } // END UGLY CODE // Calculate Q_1 - if (BBS_OK != create_generator_next (generator_ctx, Q_1, (uint8_t*) BBS_SHA_256_API_ID, - LEN (BBS_SHA_256_API_ID) - - 1)) + if (BBS_OK != create_generator_next (cipher_suite, + generator_ctx, + Q_1, + (uint8_t*) cipher_suite->api_id, + cipher_suite->api_id_len)) { goto cleanup; } - va_start (ap, num_messages); for (int i = 0; iapi_id, + cipher_suite->api_id_len) + ) { goto cleanup; } @@ -287,8 +505,9 @@ bbs_sign ( // Calculate msg_scalar (oneshot) msg = va_arg (ap, uint8_t*); msg_len = va_arg (ap, uint32_t); - if (BBS_OK != hash_to_scalar (msg_scalar, (uint8_t*) BBS_SHA_256_MAP_DST, LEN ( - BBS_SHA_256_MAP_DST) - 1, msg, msg_len, 0)) + if (BBS_OK != hash_to_scalar (cipher_suite, msg_scalar, + (uint8_t*) cipher_suite->map_dst, + cipher_suite->map_dst_len, msg, msg_len, 0)) { goto cleanup; } @@ -303,17 +522,19 @@ bbs_sign ( RLC_CATCH_ANY { goto cleanup; } - if (BBS_OK != hash_to_scalar_update (&h2s_ctx, buffer, BBS_SCALAR_LEN)) + if (BBS_OK != hash_to_scalar_update (cipher_suite, cipher_suite->ch_ctx, buffer, + BBS_SCALAR_LEN)) { goto cleanup; } } - va_end (ap); // Derive e - if (BBS_OK != hash_to_scalar_finalize (&h2s_ctx, e, (uint8_t*) BBS_SHA_256_SIGNATURE_DST, - LEN (BBS_SHA_256_SIGNATURE_DST) - - 1)) + if (BBS_OK != hash_to_scalar_finalize (cipher_suite, + cipher_suite->ch_ctx, + e, + (uint8_t*) cipher_suite->signature_dst, + cipher_suite->signature_dst_len)) { goto cleanup; } @@ -353,7 +574,31 @@ bbs_sign ( int -bbs_verify ( +bbs_sha256_verify ( + const bbs_public_key pk, + const bbs_signature signature, + const uint8_t *header, + uint64_t header_len, + uint64_t num_messages, + ... + ) +{ + va_list args; + va_start (args, num_messages); + int result = bbs_verify (&bbs_sha256_cipher_suite, + pk, + signature, + header, + header_len, + num_messages, + args); + va_end (args); + return result; +} + + +int +bbs_shake256_verify ( const bbs_public_key pk, const bbs_signature signature, const uint8_t *header, @@ -362,16 +607,39 @@ bbs_verify ( ... ) { - va_list ap; - uint8_t generator_ctx[48 + 8]; - SHA256Context dom_ctx; - bn_t e, domain, msg_scalar; - ep_t A, B, Q_1, H_i; - ep2_t W, tmp_p; - fp12_t paired1, paired2; - uint8_t *msg; - uint32_t msg_len; - int res = BBS_ERROR; + va_list args; + va_start (args, num_messages); + int result = bbs_verify (&bbs_shake256_cipher_suite, + pk, + signature, + header, + header_len, + num_messages, + args); + va_end (args); + return result; +} + + +int +bbs_verify ( + bbs_cipher_suite_t *cipher_suite, + const bbs_public_key pk, + const bbs_signature signature, + const uint8_t *header, + uint64_t header_len, + uint64_t num_messages, + va_list ap + ) +{ + uint8_t generator_ctx[48 + 8]; + bn_t e, domain, msg_scalar; + ep_t A, B, Q_1, H_i; + ep2_t W, tmp_p; + fp12_t paired1, paired2; + uint8_t *msg; + uint32_t msg_len; + int res = BBS_ERROR; bn_null (e); bn_null (domain); @@ -391,13 +659,14 @@ bbs_verify ( header_len = 0; } - if (BBS_OK != create_generator_init (generator_ctx, (uint8_t*) BBS_SHA_256_API_ID, LEN ( - BBS_SHA_256_API_ID) - - 1)) + if (BBS_OK != create_generator_init (cipher_suite, + generator_ctx, + (uint8_t*) cipher_suite->api_id, + cipher_suite->api_id_len)) { goto cleanup; } - if (BBS_OK != calculate_domain_init (&dom_ctx, pk, num_messages)) + if (BBS_OK != calculate_domain_init (cipher_suite, cipher_suite->dom_ctx, pk, num_messages)) { goto cleanup; } @@ -416,7 +685,7 @@ bbs_verify ( fp12_new (paired2); // Initialize B to P1, and parse signature - ep_read_bbs (B, P1); + ep_read_bbs (B, cipher_suite->p1); ep_read_bbs (A, signature); bn_read_bbs (e, signature + BBS_G1_ELEM_LEN); ep2_read_bbs (W, pk); @@ -426,29 +695,30 @@ bbs_verify ( } // Calculate Q_1 - if (BBS_OK != create_generator_next (generator_ctx, Q_1, (uint8_t*) BBS_SHA_256_API_ID, - LEN (BBS_SHA_256_API_ID) - - 1)) + if (BBS_OK != create_generator_next (cipher_suite, + generator_ctx, + Q_1, + (uint8_t*) cipher_suite->api_id, + cipher_suite->api_id_len)) { goto cleanup; } - if (BBS_OK != calculate_domain_update (&dom_ctx, Q_1)) + if (BBS_OK != calculate_domain_update (cipher_suite, cipher_suite->dom_ctx, Q_1)) { goto cleanup; } - va_start (ap, num_messages); for (int i = 0; iapi_id, + cipher_suite->api_id_len) + ) { goto cleanup; } - if (BBS_OK != calculate_domain_update (&dom_ctx, H_i)) + if (BBS_OK != calculate_domain_update (cipher_suite, cipher_suite->dom_ctx, H_i)) { goto cleanup; } @@ -456,8 +726,9 @@ bbs_verify ( // Calculate msg_scalar (oneshot) msg = va_arg (ap, uint8_t*); msg_len = va_arg (ap, uint32_t); - if (BBS_OK != hash_to_scalar (msg_scalar, (uint8_t*) BBS_SHA_256_MAP_DST, LEN ( - BBS_SHA_256_MAP_DST) - 1, msg, msg_len, 0)) + if (BBS_OK != hash_to_scalar (cipher_suite, msg_scalar, + (uint8_t*) cipher_suite->map_dst, + cipher_suite->map_dst_len, msg, msg_len, 0)) { goto cleanup; } @@ -470,13 +741,15 @@ bbs_verify ( goto cleanup; } } - va_end (ap); // Finalize domain calculation - if (BBS_OK != calculate_domain_finalize (&dom_ctx, domain, header, header_len, - (uint8_t*) BBS_SHA_256_API_ID, LEN ( - BBS_SHA_256_API_ID) - - 1)) + if (BBS_OK != calculate_domain_finalize (cipher_suite, + cipher_suite->dom_ctx, + domain, + header, + header_len, + (uint8_t*) cipher_suite->api_id, + cipher_suite->api_id_len)) { goto cleanup; } @@ -524,12 +797,12 @@ bbs_verify ( return res; } - // bbs_proof_gen, but makes callbacks to prf for random scalars // We need to control the random scalars for the fixture tests. This way we do // not need to compile a dedicated library for the tests. int bbs_proof_gen_det ( + bbs_cipher_suite_t *cipher_suite, const bbs_public_key pk, const bbs_signature signature, uint8_t *proof, @@ -545,20 +818,19 @@ bbs_proof_gen_det ( va_list ap ) { - va_list ap2; - uint8_t generator_ctx[48 + 8]; - uint8_t T_buffer[2 * BBS_G1_ELEM_LEN]; - uint8_t scalar_buffer[BBS_SCALAR_LEN]; - uint8_t *proof_ptr, *msg; - uint64_t msg_len, be_buffer; - SHA256Context dom_ctx, ch_ctx; - bn_t e, domain, msg_scalar, msg_scalar_tilde, r1, r2, e_tilde, r1_tilde, r3_tilde, - challenge; - ep_t A, B, Q_1, H_i, T1, T2, D, Abar, Bbar; - uint64_t disclosed_indexes_idx = 0; - uint64_t undisclosed_indexes_idx = 0; - uint64_t undisclosed_indexes_len = num_messages - disclosed_indexes_len; - int res = BBS_ERROR; + va_list ap2; + uint8_t generator_ctx[48 + 8]; + uint8_t T_buffer[2 * BBS_G1_ELEM_LEN]; + uint8_t scalar_buffer[BBS_SCALAR_LEN]; + uint8_t *proof_ptr, *msg; + uint64_t msg_len, be_buffer; + bn_t e, domain, msg_scalar, msg_scalar_tilde, r1, r2, e_tilde, r1_tilde, r3_tilde, + challenge; + ep_t A, B, Q_1, H_i, T1, T2, D, Abar, Bbar; + uint64_t disclosed_indexes_idx = 0; + uint64_t undisclosed_indexes_idx = 0; + uint64_t undisclosed_indexes_len = num_messages - disclosed_indexes_len; + int res = BBS_ERROR; // We iterate over the messages twice because the spec is **** va_copy (ap2, ap); @@ -595,13 +867,14 @@ bbs_proof_gen_det ( ep_null (Abar); ep_null (Bbar); - if (BBS_OK != create_generator_init (generator_ctx, (uint8_t*) BBS_SHA_256_API_ID, LEN ( - BBS_SHA_256_API_ID) - - 1)) + if (BBS_OK != create_generator_init (cipher_suite, + generator_ctx, + (uint8_t*) cipher_suite->api_id, + cipher_suite->api_id_len)) { goto cleanup; } - if (BBS_OK != calculate_domain_init (&dom_ctx, pk, num_messages)) + if (BBS_OK != calculate_domain_init (cipher_suite, cipher_suite->dom_ctx, pk, num_messages)) { goto cleanup; } @@ -628,7 +901,7 @@ bbs_proof_gen_det ( ep_new (Bbar); // Initialize B to P1 and T2 to the identity - ep_read_bbs (B, P1); + ep_read_bbs (B, cipher_suite->p1); ep_set_infty (T2); // Parse the signature @@ -640,25 +913,27 @@ bbs_proof_gen_det ( } // Derive random scalars. The msg_scalar_tilde scalars are derived later - if (BBS_OK != prf (r1, 1, 0, prf_cookie)) + if (BBS_OK != prf (cipher_suite, r1, 1, 0, prf_cookie)) goto cleanup; - if (BBS_OK != prf (r2, 2, 0, prf_cookie)) + if (BBS_OK != prf (cipher_suite, r2, 2, 0, prf_cookie)) goto cleanup; - if (BBS_OK != prf (e_tilde, 3, 0, prf_cookie)) + if (BBS_OK != prf (cipher_suite, e_tilde, 3, 0, prf_cookie)) goto cleanup; - if (BBS_OK != prf (r1_tilde, 4, 0, prf_cookie)) + if (BBS_OK != prf (cipher_suite, r1_tilde, 4, 0, prf_cookie)) goto cleanup; - if (BBS_OK != prf (r3_tilde, 5, 0, prf_cookie)) + if (BBS_OK != prf (cipher_suite, r3_tilde, 5, 0, prf_cookie)) goto cleanup; // Calculate Q_1 - if (BBS_OK != create_generator_next (generator_ctx, Q_1, (uint8_t*) BBS_SHA_256_API_ID, - LEN (BBS_SHA_256_API_ID) - - 1)) + if (BBS_OK != create_generator_next (cipher_suite, + generator_ctx, + Q_1, + (uint8_t*) cipher_suite->api_id, + cipher_suite->api_id_len)) { goto cleanup; } - if (BBS_OK != calculate_domain_update (&dom_ctx, Q_1)) + if (BBS_OK != calculate_domain_update (cipher_suite, cipher_suite->dom_ctx, Q_1)) { goto cleanup; } @@ -667,14 +942,14 @@ bbs_proof_gen_det ( for (uint64_t i = 0; iapi_id, + cipher_suite->api_id_len) + ) { goto cleanup; } - if (BBS_OK != calculate_domain_update (&dom_ctx, H_i)) + if (BBS_OK != calculate_domain_update (cipher_suite, cipher_suite->dom_ctx, H_i)) { goto cleanup; } @@ -682,8 +957,9 @@ bbs_proof_gen_det ( // Calculate msg_scalar (oneshot) msg = va_arg (ap, uint8_t*); msg_len = va_arg (ap, uint32_t); - if (BBS_OK != hash_to_scalar (msg_scalar, (uint8_t*) BBS_SHA_256_MAP_DST, LEN ( - BBS_SHA_256_MAP_DST) - 1, msg, msg_len, 0)) + if (BBS_OK != hash_to_scalar (cipher_suite, msg_scalar, + (uint8_t*) cipher_suite->map_dst, + cipher_suite->map_dst_len, msg, msg_len, 0)) { goto cleanup; } @@ -697,8 +973,8 @@ bbs_proof_gen_det ( goto cleanup; } - if (disclosed_indexes_idx < disclosed_indexes_len && - disclosed_indexes[disclosed_indexes_idx] == i) + if (disclosed_indexes_idx < disclosed_indexes_len && disclosed_indexes[ + disclosed_indexes_idx] == i) { // This message is disclosed. // Here I would like to hash the disclosed messages into the @@ -713,8 +989,8 @@ bbs_proof_gen_det ( { // This message is undisclosed. Derive new random scalar // and accumulate it onto T2 - if (BBS_OK != prf (msg_scalar_tilde, 0, undisclosed_indexes_idx, - prf_cookie)) + if (BBS_OK != prf (cipher_suite, msg_scalar_tilde, 0, undisclosed_indexes_idx, prf_cookie) + ) { goto cleanup; } @@ -744,10 +1020,13 @@ bbs_proof_gen_det ( } // Finalize domain calculation - if (BBS_OK != calculate_domain_finalize (&dom_ctx, domain, header, header_len, - (uint8_t*) BBS_SHA_256_API_ID, LEN ( - BBS_SHA_256_API_ID) - - 1)) + if (BBS_OK != calculate_domain_finalize (cipher_suite, + cipher_suite->dom_ctx, + domain, + header, + header_len, + (uint8_t*) cipher_suite->api_id, + cipher_suite->api_id_len)) { goto cleanup; } @@ -789,20 +1068,29 @@ bbs_proof_gen_det ( } // Calculate the challenge - if (BBS_OK != hash_to_scalar_init (&ch_ctx)) + if (BBS_OK != hash_to_scalar_init (cipher_suite, cipher_suite->ch_ctx)) { goto cleanup; } - if (BBS_OK != hash_to_scalar_update (&ch_ctx, proof, 3 * BBS_G1_ELEM_LEN)) + if (BBS_OK != hash_to_scalar_update (cipher_suite, + cipher_suite->ch_ctx, + proof, + 3 * BBS_G1_ELEM_LEN)) { goto cleanup; } - if (BBS_OK != hash_to_scalar_update (&ch_ctx, T_buffer, 2 * BBS_G1_ELEM_LEN)) + if (BBS_OK != hash_to_scalar_update (cipher_suite, + cipher_suite->ch_ctx, + T_buffer, + 2 * BBS_G1_ELEM_LEN)) { goto cleanup; } be_buffer = UINT64_H2BE (disclosed_indexes_len); - if (BBS_OK != hash_to_scalar_update (&ch_ctx, (uint8_t*) &be_buffer, 8)) + if (BBS_OK != hash_to_scalar_update (cipher_suite, + cipher_suite->ch_ctx, + (uint8_t*) &be_buffer, + 8)) { goto cleanup; } @@ -810,7 +1098,10 @@ bbs_proof_gen_det ( for (uint64_t i = 0; ich_ctx, + (uint8_t*) &be_buffer, + 8)) { goto cleanup; } @@ -823,13 +1114,13 @@ bbs_proof_gen_det ( // Calculate msg_scalar (oneshot) msg = va_arg (ap2, uint8_t*); msg_len = va_arg (ap2, uint32_t); - if (disclosed_indexes_idx < disclosed_indexes_len && - disclosed_indexes[disclosed_indexes_idx] == i) + if (disclosed_indexes_idx < disclosed_indexes_len && disclosed_indexes[ + disclosed_indexes_idx] == i) { disclosed_indexes_idx++; - if (BBS_OK != hash_to_scalar (msg_scalar, (uint8_t*) BBS_SHA_256_MAP_DST, - LEN (BBS_SHA_256_MAP_DST) - - 1, msg, msg_len, 0)) + if (BBS_OK != hash_to_scalar (cipher_suite, msg_scalar, + (uint8_t*) cipher_suite->map_dst, + cipher_suite->map_dst_len, msg, msg_len, 0)) { goto cleanup; } @@ -839,8 +1130,9 @@ bbs_proof_gen_det ( RLC_CATCH_ANY { goto cleanup; } - if (BBS_OK != hash_to_scalar_update (&ch_ctx, scalar_buffer, - BBS_SCALAR_LEN)) + if (BBS_OK != hash_to_scalar_update (cipher_suite, cipher_suite->ch_ctx, + scalar_buffer, BBS_SCALAR_LEN) + ) { goto cleanup; } @@ -853,23 +1145,33 @@ bbs_proof_gen_det ( RLC_CATCH_ANY { goto cleanup; } - if (BBS_OK != hash_to_scalar_update (&ch_ctx, scalar_buffer, BBS_SCALAR_LEN)) + if (BBS_OK != hash_to_scalar_update (cipher_suite, + cipher_suite->ch_ctx, + scalar_buffer, + BBS_SCALAR_LEN)) { goto cleanup; } be_buffer = UINT64_H2BE (presentation_header_len); - if (BBS_OK != hash_to_scalar_update (&ch_ctx, (uint8_t*) &be_buffer, 8)) + if (BBS_OK != hash_to_scalar_update (cipher_suite, + cipher_suite->ch_ctx, + (uint8_t*) &be_buffer, + 8)) { goto cleanup; } - if (BBS_OK != hash_to_scalar_update (&ch_ctx, presentation_header, presentation_header_len)) + if (BBS_OK != hash_to_scalar_update (cipher_suite, + cipher_suite->ch_ctx, + presentation_header, + presentation_header_len)) { goto cleanup; } - if (BBS_OK != hash_to_scalar_finalize (&ch_ctx, challenge, - (uint8_t*) BBS_SHA_256_CHALLENGE_DST, LEN ( - BBS_SHA_256_CHALLENGE_DST) - - 1)) + if (BBS_OK != hash_to_scalar_finalize (cipher_suite, + cipher_suite->ch_ctx, + challenge, + (uint8_t*) cipher_suite->challenge_dst, + cipher_suite->challenge_dst_len)) { goto cleanup; } @@ -914,7 +1216,7 @@ bbs_proof_gen_det ( undisclosed_indexes_idx < undisclosed_indexes_len; undisclosed_indexes_idx++) { - if (BBS_OK != prf (msg_scalar_tilde, 0, undisclosed_indexes_idx, prf_cookie)) + if (BBS_OK != prf (cipher_suite, msg_scalar_tilde, 0, undisclosed_indexes_idx, prf_cookie)) { goto cleanup; } @@ -960,6 +1262,7 @@ bbs_proof_gen_det ( int bbs_proof_prf ( + bbs_cipher_suite_t *cipher_suite, bn_t out, uint8_t input_type, uint64_t input, @@ -975,12 +1278,53 @@ bbs_proof_prf ( if (input_type >= LEN (dsts)) return BBS_ERROR; - return hash_to_scalar (out, dsts[input_type], 17, seed, 32, input, 8, 0); + return hash_to_scalar (cipher_suite, + out, + dsts[input_type], + 17, + seed, + 32, + input, + 8, + 0); +} + +int +bbs_sha256_proof_gen ( + const bbs_public_key pk, + const bbs_signature signature, + uint8_t *proof, + const uint8_t *header, + uint64_t header_len, + const uint8_t *presentation_header, + uint64_t presentation_header_len, + const uint64_t *disclosed_indexes, + uint64_t disclosed_indexes_len, + uint64_t num_messages, + ... + ) +{ + va_list ap; + va_start (ap, num_messages); + int result = bbs_proof_gen (&bbs_sha256_cipher_suite, + pk, + signature, + proof, + header, + header_len, + presentation_header, + presentation_header_len, + disclosed_indexes, + disclosed_indexes_len, + num_messages, + ap); + va_end (ap); + return result; } int -bbs_proof_gen ( +bbs_shake256_proof_gen ( const bbs_public_key pk, const bbs_signature signature, uint8_t *proof, @@ -995,10 +1339,43 @@ bbs_proof_gen ( ) { va_list ap; + va_start (ap, num_messages); + int result = bbs_proof_gen (&bbs_shake256_cipher_suite, + pk, + signature, + proof, + header, + header_len, + presentation_header, + presentation_header_len, + disclosed_indexes, + disclosed_indexes_len, + num_messages, + ap); + va_end (ap); + return result; +} + + +int +bbs_proof_gen ( + bbs_cipher_suite_t *cipher_suite, + const bbs_public_key pk, + const bbs_signature signature, + uint8_t *proof, + const uint8_t *header, + uint64_t header_len, + const uint8_t *presentation_header, + uint64_t presentation_header_len, + const uint64_t *disclosed_indexes, + uint64_t disclosed_indexes_len, + uint64_t num_messages, + va_list ap + ) +{ uint8_t seed[32]; int ret = BBS_ERROR; - va_start (ap, num_messages); RLC_TRY { // Gather randomness. The seed is used for any randomness within this // function. In particular, this implies that we do not need to store @@ -1011,23 +1388,32 @@ bbs_proof_gen ( goto cleanup; } - if (BBS_OK != bbs_proof_gen_det (pk, signature, proof, header, header_len, - presentation_header, presentation_header_len, - disclosed_indexes, disclosed_indexes_len, - num_messages, bbs_proof_prf, seed, ap)) + if (BBS_OK != bbs_proof_gen_det (cipher_suite, + pk, + signature, + proof, + header, + header_len, + presentation_header, + presentation_header_len, + disclosed_indexes, + disclosed_indexes_len, + num_messages, + bbs_proof_prf, + seed, + ap)) { goto cleanup; } ret = BBS_OK; cleanup: - va_end (ap); return ret; } int -bbs_proof_verify ( +bbs_sha256_proof_verify ( const bbs_public_key pk, const uint8_t *proof, uint64_t proof_len, @@ -1041,13 +1427,82 @@ bbs_proof_verify ( ... ) { - va_list ap; + va_list args; + va_start (args, num_messages); + int result = bbs_proof_verify (&bbs_sha256_cipher_suite, + pk, + proof, + proof_len, + header, + header_len, + presentation_header, + presentation_header_len, + disclosed_indexes, + disclosed_indexes_len, + num_messages, + args); + va_end (args); + return result; + +} + + +int +bbs_shake256_proof_verify ( + const bbs_public_key pk, + const uint8_t *proof, + uint64_t proof_len, + const uint8_t *header, + uint64_t header_len, + const uint8_t *presentation_header, + uint64_t presentation_header_len, + const uint64_t *disclosed_indexes, + uint64_t disclosed_indexes_len, + uint64_t num_messages, + ... + ) +{ + va_list args; + va_start (args, num_messages); + int result = bbs_proof_verify (&bbs_shake256_cipher_suite, + pk, + proof, + proof_len, + header, + header_len, + presentation_header, + presentation_header_len, + disclosed_indexes, + disclosed_indexes_len, + num_messages, + args); + va_end (args); + return result; + +} + + +int +bbs_proof_verify ( + bbs_cipher_suite_t *cipher_suite, + const bbs_public_key pk, + const uint8_t *proof, + uint64_t proof_len, + const uint8_t *header, + uint64_t header_len, + const uint8_t *presentation_header, + uint64_t presentation_header_len, + const uint64_t *disclosed_indexes, + uint64_t disclosed_indexes_len, + uint64_t num_messages, + va_list ap + ) +{ uint8_t generator_ctx[48 + 8]; uint8_t T_buffer[2 * BBS_G1_ELEM_LEN]; uint8_t scalar_buffer[BBS_SCALAR_LEN]; const uint8_t *proof_ptr, *msg; uint64_t msg_len, be_buffer; - SHA256Context dom_ctx, ch_ctx; bn_t domain, msg_scalar, e_hat, r1_hat, r3_hat, challenge, challenge_prime; ep_t Bv, Q_1, H_i, T1, T2, D, Abar, Bbar; ep2_t W; @@ -1056,6 +1511,10 @@ bbs_proof_verify ( uint64_t undisclosed_indexes_idx = 0; uint64_t undisclosed_indexes_len = num_messages - disclosed_indexes_len; int res = BBS_ERROR; + va_list ap2; + + // Make a copy of the va_list to use for the first iteration + va_copy (ap2, ap); if (! header) { @@ -1096,13 +1555,14 @@ bbs_proof_verify ( goto cleanup; } - if (BBS_OK != create_generator_init (generator_ctx, (uint8_t*) BBS_SHA_256_API_ID, LEN ( - BBS_SHA_256_API_ID) - - 1)) + if (BBS_OK != create_generator_init (cipher_suite, + generator_ctx, + (uint8_t*) cipher_suite->api_id, + cipher_suite->api_id_len)) { goto cleanup; } - if (BBS_OK != calculate_domain_init (&dom_ctx, pk, num_messages)) + if (BBS_OK != calculate_domain_init (cipher_suite, cipher_suite->dom_ctx, pk, num_messages)) { goto cleanup; } @@ -1156,7 +1616,7 @@ bbs_proof_verify ( ep_add (T1, T1, T2); // Initialize Bv to P1 and T2 to D*r3_hat - ep_read_bbs (Bv, P1); + ep_read_bbs (Bv, cipher_suite->p1); ep_mul (T2, D, r3_hat); } RLC_CATCH_ANY { @@ -1164,35 +1624,36 @@ bbs_proof_verify ( } // Calculate Q_1 - if (BBS_OK != create_generator_next (generator_ctx, Q_1, (uint8_t*) BBS_SHA_256_API_ID, - LEN (BBS_SHA_256_API_ID) - - 1)) + if (BBS_OK != create_generator_next (cipher_suite, + generator_ctx, + Q_1, + (uint8_t*) cipher_suite->api_id, + cipher_suite->api_id_len)) { goto cleanup; } - if (BBS_OK != calculate_domain_update (&dom_ctx, Q_1)) + if (BBS_OK != calculate_domain_update (cipher_suite, cipher_suite->dom_ctx, Q_1)) { goto cleanup; } - va_start (ap, num_messages); for (uint64_t i = 0; iapi_id, + cipher_suite->api_id_len) + ) { goto cleanup; } - if (BBS_OK != calculate_domain_update (&dom_ctx, H_i)) + if (BBS_OK != calculate_domain_update (cipher_suite, cipher_suite->dom_ctx, H_i)) { goto cleanup; } - if (disclosed_indexes_idx < disclosed_indexes_len && - disclosed_indexes[disclosed_indexes_idx] == i) + if (disclosed_indexes_idx < disclosed_indexes_len && disclosed_indexes[ + disclosed_indexes_idx] == i) { // This message is disclosed. // Read in the message and accumulate onto Bv @@ -1200,9 +1661,9 @@ bbs_proof_verify ( msg_len = va_arg (ap, uint32_t); // Calculate msg_scalar (oneshot) - if (BBS_OK != hash_to_scalar (msg_scalar, (uint8_t*) BBS_SHA_256_MAP_DST, - LEN (BBS_SHA_256_MAP_DST) - - 1, msg, msg_len, 0)) + if (BBS_OK != hash_to_scalar (cipher_suite, msg_scalar, + (uint8_t*) cipher_suite->map_dst, + cipher_suite->map_dst_len, msg, msg_len, 0)) { goto cleanup; } @@ -1236,7 +1697,6 @@ bbs_proof_verify ( undisclosed_indexes_idx++; } } - va_end (ap); // Sanity check. If any indices for disclosed messages were out of order // or invalid, we fail here. @@ -1246,10 +1706,13 @@ bbs_proof_verify ( } // Finalize domain calculation - if (BBS_OK != calculate_domain_finalize (&dom_ctx, domain, header, header_len, - (uint8_t*) BBS_SHA_256_API_ID, LEN ( - BBS_SHA_256_API_ID) - - 1)) + if (BBS_OK != calculate_domain_finalize (cipher_suite, + cipher_suite->dom_ctx, + domain, + header, + header_len, + (uint8_t*) cipher_suite->api_id, + cipher_suite->api_id_len)) { goto cleanup; } @@ -1271,20 +1734,29 @@ bbs_proof_verify ( } // Calculate the challenge - if (BBS_OK != hash_to_scalar_init (&ch_ctx)) + if (BBS_OK != hash_to_scalar_init (cipher_suite, cipher_suite->ch_ctx)) { goto cleanup; } - if (BBS_OK != hash_to_scalar_update (&ch_ctx, proof, 3 * BBS_G1_ELEM_LEN)) + if (BBS_OK != hash_to_scalar_update (cipher_suite, + cipher_suite->ch_ctx, + proof, + 3 * BBS_G1_ELEM_LEN)) { goto cleanup; } - if (BBS_OK != hash_to_scalar_update (&ch_ctx, T_buffer, 2 * BBS_G1_ELEM_LEN)) + if (BBS_OK != hash_to_scalar_update (cipher_suite, + cipher_suite->ch_ctx, + T_buffer, + 2 * BBS_G1_ELEM_LEN)) { goto cleanup; } be_buffer = UINT64_H2BE (disclosed_indexes_len); - if (BBS_OK != hash_to_scalar_update (&ch_ctx, (uint8_t*) &be_buffer, 8)) + if (BBS_OK != hash_to_scalar_update (cipher_suite, + cipher_suite->ch_ctx, + (uint8_t*) &be_buffer, + 8)) { goto cleanup; } @@ -1292,22 +1764,23 @@ bbs_proof_verify ( for (uint64_t i = 0; ich_ctx, + (uint8_t*) &be_buffer, 8)) { goto cleanup; } } // We have to go over all disclosed messages again. Someone please fix // this in the spec... - va_start (ap, num_messages); for (disclosed_indexes_idx = 0; disclosed_indexes_idxmap_dst, + cipher_suite->map_dst_len, msg, msg_len, 0)) { goto cleanup; } @@ -1317,12 +1790,13 @@ bbs_proof_verify ( RLC_CATCH_ANY { goto cleanup; } - if (BBS_OK != hash_to_scalar_update (&ch_ctx, scalar_buffer, BBS_SCALAR_LEN)) + if (BBS_OK != hash_to_scalar_update (cipher_suite, cipher_suite->ch_ctx, + scalar_buffer, BBS_SCALAR_LEN)) { goto cleanup; } } - va_end (ap); + va_end (ap2); RLC_TRY { // Write out the domain. We reuse scalar_buffer bn_write_bbs (scalar_buffer, domain); @@ -1330,23 +1804,33 @@ bbs_proof_verify ( RLC_CATCH_ANY { goto cleanup; } - if (BBS_OK != hash_to_scalar_update (&ch_ctx, scalar_buffer, BBS_SCALAR_LEN)) + if (BBS_OK != hash_to_scalar_update (cipher_suite, + cipher_suite->ch_ctx, + scalar_buffer, + BBS_SCALAR_LEN)) { goto cleanup; } be_buffer = UINT64_H2BE (presentation_header_len); - if (BBS_OK != hash_to_scalar_update (&ch_ctx, (uint8_t*) &be_buffer, 8)) + if (BBS_OK != hash_to_scalar_update (cipher_suite, + cipher_suite->ch_ctx, + (uint8_t*) &be_buffer, + 8)) { goto cleanup; } - if (BBS_OK != hash_to_scalar_update (&ch_ctx, presentation_header, presentation_header_len)) + if (BBS_OK != hash_to_scalar_update (cipher_suite, + cipher_suite->ch_ctx, + presentation_header, + presentation_header_len)) { goto cleanup; } - if (BBS_OK != hash_to_scalar_finalize (&ch_ctx, challenge_prime, - (uint8_t*) BBS_SHA_256_CHALLENGE_DST, LEN ( - BBS_SHA_256_CHALLENGE_DST) - - 1)) + if (BBS_OK != hash_to_scalar_finalize (cipher_suite, + cipher_suite->ch_ctx, + challenge_prime, + (uint8_t*) cipher_suite->challenge_dst, + cipher_suite->challenge_dst_len)) { goto cleanup; } diff --git a/src/bbs_util.c b/src/bbs_util.c index dbc6590..905b172 100644 --- a/src/bbs_util.c +++ b/src/bbs_util.c @@ -158,17 +158,30 @@ ep2_read_bbs ( } +// Note: Incremental expand_message API with fixed 48B output needed multiple times during BBS execution. +// During generator creation bigger outputs are needed, however not with an incremental API. + int -expand_message_init ( - SHA256Context *ctx +expand_message_init (bbs_cipher_suite_t *cipher_suite, + void *ctx + ) +{ + return cipher_suite->expand_message_init (ctx); +} + + +int +bbs_sha256_expand_message_init ( + void *ctx ) { - uint64_t zero[] = {0, 0, 0, 0, 0, 0, 0, 0}; - int res = BBS_ERROR; + SHA256Context *sha_ctx = (SHA256Context*) ctx; + uint64_t zero[] = {0, 0, 0, 0, 0, 0, 0, 0}; + int res = BBS_ERROR; - if (shaSuccess != SHA256Reset (ctx)) + if (shaSuccess != SHA256Reset (sha_ctx)) goto cleanup; - if (shaSuccess != SHA256Input (ctx, (uint8_t*) zero, 64)) + if (shaSuccess != SHA256Input (sha_ctx, (uint8_t*) zero, 64)) goto cleanup; res = BBS_OK; @@ -178,15 +191,45 @@ expand_message_init ( int -expand_message_update ( - SHA256Context *ctx, +bbs_shake256_expand_message_init ( + void *ctx + ) +{ + Keccak_HashInstance *shake_ctx = (Keccak_HashInstance*) ctx; + HashReturn res = Keccak_HashInitialize_SHAKE256 (shake_ctx); + if (res == KECCAK_SUCCESS) + { + return BBS_OK; + } + else + { + return BBS_ERROR; + } +} + + +int +expand_message_update (bbs_cipher_suite_t *cipher_suite, + void *ctx, + const uint8_t *msg, + uint32_t msg_len + ) +{ + return cipher_suite->expand_message_update (ctx, msg, msg_len); +} + + +int +bbs_sha256_expand_message_update ( + void *ctx, const uint8_t *msg, uint32_t msg_len ) { - int res = BBS_ERROR; + SHA256Context *sha_ctx = (SHA256Context*) ctx; + int res = BBS_ERROR; - if (shaSuccess != SHA256Input (ctx, msg, msg_len)) + if (shaSuccess != SHA256Input (sha_ctx, msg, msg_len)) goto cleanup; res = BBS_OK; @@ -196,47 +239,80 @@ expand_message_update ( int -expand_message_finalize ( - SHA256Context *ctx, +bbs_shake256_expand_message_update ( + void *ctx, + const uint8_t *msg, + uint32_t msg_len + ) +{ + Keccak_HashInstance *shake_ctx = (Keccak_HashInstance*) ctx; + HashReturn res = Keccak_HashUpdate (shake_ctx, msg, msg_len * 8); + if (res == KECCAK_SUCCESS) + { + return BBS_OK; + } + else + { + return BBS_ERROR; + } +} + + +int +expand_message_finalize_48B (bbs_cipher_suite_t *cipher_suite, + void *ctx, + uint8_t out[48], + const uint8_t *dst, + uint8_t dst_len + ) +{ + return cipher_suite->expand_message_finalize_48B (ctx, out, dst, dst_len); +} + + +int +bbs_sha256_expand_message_finalize_48B ( + void *ctx, uint8_t out[48], const uint8_t *dst, uint8_t dst_len ) { - uint8_t b_0[32]; - uint8_t b_1[32]; - uint8_t b_2[32]; - int res = BBS_ERROR; - uint8_t num = 0; - - if (shaSuccess != SHA256Input (ctx, &num, 1)) + uint8_t b_0[32]; + uint8_t b_1[32]; + uint8_t b_2[32]; + int res = BBS_ERROR; + uint8_t num = 0; + SHA256Context *sha_ctx = (SHA256Context*) ctx; + + if (shaSuccess != SHA256Input (sha_ctx, &num, 1)) goto cleanup; num = 48; - if (shaSuccess != SHA256Input (ctx, &num, 1)) + if (shaSuccess != SHA256Input (sha_ctx, &num, 1)) goto cleanup; num = 0; - if (shaSuccess != SHA256Input (ctx, &num, 1)) + if (shaSuccess != SHA256Input (sha_ctx, &num, 1)) goto cleanup; - if (shaSuccess != SHA256Input (ctx, dst, dst_len)) + if (shaSuccess != SHA256Input (sha_ctx, dst, dst_len)) goto cleanup; - if (shaSuccess != SHA256Input (ctx, &dst_len, 1)) + if (shaSuccess != SHA256Input (sha_ctx, &dst_len, 1)) goto cleanup; - if (shaSuccess != SHA256Result (ctx, b_0)) + if (shaSuccess != SHA256Result (sha_ctx, b_0)) goto cleanup; // b_1 = H( b_0, I2OSP(1,1), dst, I2OSP(dst_len, 1)) - if (shaSuccess != SHA256Reset (ctx)) + if (shaSuccess != SHA256Reset (sha_ctx)) goto cleanup; - if (shaSuccess != SHA256Input (ctx, b_0, 32)) + if (shaSuccess != SHA256Input (sha_ctx, b_0, 32)) goto cleanup; num = 1; - if (shaSuccess != SHA256Input (ctx, &num, 1)) + if (shaSuccess != SHA256Input (sha_ctx, &num, 1)) goto cleanup; - if (shaSuccess != SHA256Input (ctx, dst, dst_len)) + if (shaSuccess != SHA256Input (sha_ctx, dst, dst_len)) goto cleanup; - if (shaSuccess != SHA256Input (ctx, &dst_len, 1)) + if (shaSuccess != SHA256Input (sha_ctx, &dst_len, 1)) goto cleanup; - if (shaSuccess != SHA256Result (ctx, b_1)) + if (shaSuccess != SHA256Result (sha_ctx, b_1)) goto cleanup; // b_0 ^= b_1 @@ -244,18 +320,18 @@ expand_message_finalize ( ((uint64_t*) b_0)[i] ^= ((uint64_t*) b_1)[i]; // b_2 = H( b_0, I2OSP(2,1), dst, I2OSP(dst_len, 1)) - if (shaSuccess != SHA256Reset (ctx)) + if (shaSuccess != SHA256Reset (sha_ctx)) goto cleanup; - if (shaSuccess != SHA256Input (ctx, b_0, 32)) + if (shaSuccess != SHA256Input (sha_ctx, b_0, 32)) goto cleanup; num = 2; - if (shaSuccess != SHA256Input (ctx, &num, 1)) + if (shaSuccess != SHA256Input (sha_ctx, &num, 1)) goto cleanup; - if (shaSuccess != SHA256Input (ctx, dst, dst_len)) + if (shaSuccess != SHA256Input (sha_ctx, dst, dst_len)) goto cleanup; - if (shaSuccess != SHA256Input (ctx, &dst_len, 1)) + if (shaSuccess != SHA256Input (sha_ctx, &dst_len, 1)) goto cleanup; - if (shaSuccess != SHA256Result (ctx, b_2)) + if (shaSuccess != SHA256Result (sha_ctx, b_2)) goto cleanup; for (int i = 0; i<4; i++) @@ -269,21 +345,162 @@ expand_message_finalize ( } +/** + * @brief Finalizes the expand_message xof operation with fixed output size of 48 bytes. + * + * https://www.rfc-editor.org/rfc/rfc9380.html#name-expand_message_xof +*/ int -expand_message ( +bbs_shake256_expand_message_finalize_48B ( + void *ctx, uint8_t out[48], const uint8_t *dst, - uint8_t dst_len, + uint8_t dst_len + ) +{ + return bbs_shake256_expand_message_finalize_dyn (ctx, out, 48, dst, dst_len); +} + + +int +expand_message_dyn ( + bbs_cipher_suite_t *cipher_suite, + void *ctx, + uint8_t *out, + uint32_t out_len, + const uint8_t *msg, + uint32_t msg_len, + const uint8_t *dst, + uint8_t dst_len + ) +{ + return cipher_suite->expand_message_dyn (ctx, out, out_len, msg, msg_len, dst, dst_len); +} + + +int +bbs_sha256_expand_message_dyn ( + void *ctx, + uint8_t *out, + uint32_t out_len, + const uint8_t *msg, + uint32_t msg_len, + const uint8_t *dst, + uint8_t dst_len + ) +{ + // Hash to curve g1 + // relic does implement this as ep_map_sswum, but hard-codes the dst, so + // we need to reimplement the high level parts here + RLC_TRY { + md_xmd (out, out_len, msg, msg_len, dst, dst_len); + } + RLC_CATCH_ANY { + return BBS_ERROR; + } + return BBS_OK; +} + + +/** + * @brief Finalizes the expand_message xof operation with flexible output size. + * + * https://www.rfc-editor.org/rfc/rfc9380.html#name-expand_message_xof +*/ +int +bbs_shake256_expand_message_finalize_dyn ( + void *ctx, + uint8_t *out, + uint32_t out_len, + const uint8_t *dst, + uint8_t dst_len + ) +{ + int res = BBS_ERROR; + if (out_len > 65535) + { + goto cleanup; + } + if (dst_len > 255) + { + goto cleanup; + } + // H(msg || I2OSP(len_in_bytes, 2) || DST || I2OSP(len(DST), 1), len_in_bytes) + uint8_t num = out_len / 256; + if (Keccak_HashUpdate (ctx, &num, 1 * 8) != KECCAK_SUCCESS) + goto cleanup; + num = out_len % 256; + if (Keccak_HashUpdate (ctx, &num, 1 * 8) != KECCAK_SUCCESS) + goto cleanup; + if (Keccak_HashUpdate (ctx, dst, dst_len * 8) != KECCAK_SUCCESS) + goto cleanup; + if (Keccak_HashUpdate (ctx, &dst_len, 1 * 8) != KECCAK_SUCCESS) + goto cleanup; + + if (Keccak_HashFinal (ctx, NULL) != KECCAK_SUCCESS) + goto cleanup; + if (Keccak_HashSqueeze (ctx, out, out_len * 8) != KECCAK_SUCCESS) + goto cleanup; + res = BBS_OK; +cleanup: + return res; +} + + +int +bbs_shake256_expand_message_dyn ( + void *ctx, + uint8_t *out, + uint32_t out_len, + const uint8_t *msg, + uint32_t msg_len, + const uint8_t *dst, + uint8_t dst_len + ) +{ + Keccak_HashInstance *shake_ctx = (Keccak_HashInstance*) ctx; + int res = BBS_ERROR; + + if (BBS_OK != bbs_shake256_expand_message_init (shake_ctx)) + { + goto cleanup; + } + + if (BBS_OK != bbs_shake256_expand_message_update (shake_ctx, msg, msg_len)) + { + goto cleanup; + } + + if (BBS_OK != bbs_shake256_expand_message_finalize_dyn (shake_ctx, + out, + out_len, + dst, + dst_len)) + { + goto cleanup; + } + + res = BBS_OK; +cleanup: + return res; +} + + +int +expand_message_48B ( + bbs_cipher_suite_t *cipher_suite, + uint8_t out[48], + const uint8_t *dst, + uint8_t dst_len, ... ) { - va_list ap; - SHA256Context hctx; - uint8_t *msg = 0; - uint32_t msg_len = 0; - int res = BBS_ERROR; + va_list ap; + uint8_t *msg = 0; + uint32_t msg_len = 0; + int res = BBS_ERROR; - if (BBS_OK != expand_message_init (&hctx)) + if (BBS_OK != cipher_suite->expand_message_init (cipher_suite->hash_ctx)) { goto cleanup; } @@ -292,14 +509,19 @@ expand_message ( while ((msg = va_arg (ap, uint8_t*))) { msg_len = va_arg (ap, uint32_t); - if (BBS_OK != expand_message_update (&hctx, msg, msg_len)) + if (BBS_OK != cipher_suite->expand_message_update (cipher_suite->hash_ctx, + msg, + msg_len)) { goto cleanup; } } va_end (ap); - if (BBS_OK != expand_message_finalize (&hctx, out, dst, dst_len)) + if (BBS_OK != cipher_suite->expand_message_finalize_48B (cipher_suite->hash_ctx, + out, + dst, + dst_len)) { goto cleanup; } @@ -312,36 +534,39 @@ expand_message ( inline int hash_to_scalar_init ( - SHA256Context *ctx + bbs_cipher_suite_t *cipher_suite, + void *ctx ) { - return expand_message_init (ctx); + return cipher_suite->expand_message_init (ctx); } inline int hash_to_scalar_update ( - SHA256Context *ctx, - const uint8_t *msg, - uint32_t msg_len + bbs_cipher_suite_t *cipher_suite, + void *ctx, + const uint8_t *msg, + uint32_t msg_len ) { - return expand_message_update (ctx, msg, msg_len); + return cipher_suite->expand_message_update (ctx, msg, msg_len); } inline int hash_to_scalar_finalize ( - SHA256Context *ctx, - bn_t out, - const uint8_t *dst, - uint8_t dst_len + bbs_cipher_suite_t *cipher_suite, + void *ctx, + bn_t out, + const uint8_t *dst, + uint8_t dst_len ) { uint8_t buffer[48]; int res = BBS_ERROR; - if (BBS_OK != expand_message_finalize (ctx, buffer, dst, dst_len)) + if (BBS_OK != cipher_suite->expand_message_finalize_48B (ctx, buffer, dst, dst_len)) { goto cleanup; } @@ -362,19 +587,19 @@ hash_to_scalar_finalize ( int hash_to_scalar ( - bn_t out, - const uint8_t *dst, - uint8_t dst_len, + bbs_cipher_suite_t *cipher_suite, + bn_t out, + const uint8_t *dst, + uint8_t dst_len, ... ) { - va_list ap; - SHA256Context hctx; - uint8_t *msg = 0; - uint32_t msg_len = 0; - int res = BBS_ERROR; + va_list ap; + uint8_t *msg = 0; + uint32_t msg_len = 0; + int res = BBS_ERROR; - if (BBS_OK != hash_to_scalar_init (&hctx)) + if (BBS_OK != hash_to_scalar_init (cipher_suite, cipher_suite->hash_ctx)) { goto cleanup; } @@ -383,14 +608,21 @@ hash_to_scalar ( while ((msg = va_arg (ap, uint8_t*))) { msg_len = va_arg (ap, uint32_t); - if (BBS_OK != hash_to_scalar_update (&hctx, msg, msg_len)) + if (BBS_OK != hash_to_scalar_update (cipher_suite, + cipher_suite->hash_ctx, + msg, + msg_len)) { goto cleanup; } } va_end (ap); - if (BBS_OK != hash_to_scalar_finalize (&hctx, out, dst, dst_len)) + if (BBS_OK != hash_to_scalar_finalize (cipher_suite, + cipher_suite->hash_ctx, + out, + dst, + dst_len)) { goto cleanup; } @@ -403,25 +635,26 @@ hash_to_scalar ( int calculate_domain_init ( - SHA256Context *ctx, - const uint8_t pk[BBS_PK_LEN], - uint64_t num_messages + bbs_cipher_suite_t *cipher_suite, + void *ctx, + const uint8_t pk[BBS_PK_LEN], + uint64_t num_messages ) { uint64_t num_messages_be = UINT64_H2BE (num_messages); int res = BBS_ERROR; - if (BBS_OK != hash_to_scalar_init (ctx)) + if (BBS_OK != hash_to_scalar_init (cipher_suite, ctx)) { goto cleanup; } - if (BBS_OK != hash_to_scalar_update (ctx, pk, BBS_PK_LEN)) + if (BBS_OK != hash_to_scalar_update (cipher_suite, ctx, pk, BBS_PK_LEN)) { goto cleanup; } - if (BBS_OK != hash_to_scalar_update (ctx, (uint8_t*) &num_messages_be, 8)) + if (BBS_OK != hash_to_scalar_update (cipher_suite, ctx, (uint8_t*) &num_messages_be, 8)) { goto cleanup; } @@ -434,8 +667,9 @@ calculate_domain_init ( int calculate_domain_update ( - SHA256Context *ctx, - const ep_t generator + bbs_cipher_suite_t *cipher_suite, + void *ctx, + const ep_t generator ) { int res = BBS_ERROR; @@ -448,7 +682,7 @@ calculate_domain_update ( goto cleanup; } - if (BBS_OK != hash_to_scalar_update (ctx, buffer, BBS_G1_ELEM_LEN)) + if (BBS_OK != hash_to_scalar_update (cipher_suite, ctx, buffer, BBS_G1_ELEM_LEN)) { goto cleanup; } @@ -461,12 +695,13 @@ calculate_domain_update ( int calculate_domain_finalize ( - SHA256Context *ctx, - bn_t out, - const uint8_t *header, - uint64_t header_len, - const uint8_t *api_id, - uint8_t api_id_len + bbs_cipher_suite_t *cipher_suite, + void *ctx, + bn_t out, + const uint8_t *header, + uint64_t header_len, + const uint8_t *api_id, + uint8_t api_id_len ) { int res = BBS_ERROR; @@ -483,22 +718,22 @@ calculate_domain_finalize ( for (int i = 0; i < 4; i++) domain_dst[i + api_id_len] = "H2S_"[i]; - if (BBS_OK != hash_to_scalar_update (ctx, api_id, api_id_len)) + if (BBS_OK != hash_to_scalar_update (cipher_suite, ctx, api_id, api_id_len)) { goto cleanup; } - if (BBS_OK != hash_to_scalar_update (ctx, (uint8_t*) &header_len_be, 8)) + if (BBS_OK != hash_to_scalar_update (cipher_suite, ctx, (uint8_t*) &header_len_be, 8)) { goto cleanup; } - if (BBS_OK != hash_to_scalar_update (ctx, header, header_len)) + if (BBS_OK != hash_to_scalar_update (cipher_suite, ctx, header, header_len)) { goto cleanup; } - if (BBS_OK != hash_to_scalar_finalize (ctx, out, domain_dst, api_id_len + 4)) + if (BBS_OK != hash_to_scalar_finalize (cipher_suite, ctx, out, domain_dst, api_id_len + 4)) { goto cleanup; } @@ -511,22 +746,23 @@ calculate_domain_finalize ( int calculate_domain ( - bn_t out, - const uint8_t pk[BBS_PK_LEN], - uint64_t num_messages, - const uint8_t *header, - uint64_t header_len, - const uint8_t *api_id, - uint8_t api_id_len, + bbs_cipher_suite_t *cipher_suite, + bn_t out, + const uint8_t pk[BBS_PK_LEN], + uint64_t num_messages, + const uint8_t *header, + uint64_t header_len, + const uint8_t *api_id, + uint8_t api_id_len, ... ) { - va_list ap; - SHA256Context hctx; - ep_t *generator; - int res = BBS_ERROR; + va_list ap; + ep_t *generator; + int res = BBS_ERROR; - if (BBS_OK != calculate_domain_init (&hctx, pk, num_messages)) + if (BBS_OK != calculate_domain_init (cipher_suite, cipher_suite->hash_ctx, pk, + num_messages)) { goto cleanup; } @@ -534,15 +770,23 @@ calculate_domain ( va_start (ap, api_id_len); while ((generator = va_arg (ap, ep_t*))) { - if (BBS_OK != calculate_domain_update (&hctx, *generator)) + if (BBS_OK != calculate_domain_update (cipher_suite, + cipher_suite->hash_ctx, + *generator)) { goto cleanup; } } va_end (ap); - if (BBS_OK != calculate_domain_finalize (&hctx, out, header, header_len, api_id, - api_id_len)) + if (BBS_OK != calculate_domain_finalize (cipher_suite, + cipher_suite->hash_ctx, + out, + header, + header_len, + api_id, + api_id_len) + ) { goto cleanup; } @@ -555,14 +799,14 @@ calculate_domain ( int create_generator_init ( - uint8_t state[48 + 8], - const uint8_t *api_id, - uint8_t api_id_len + bbs_cipher_suite_t *cipher_suite, + uint8_t state[48 + 8], + const uint8_t *api_id, + uint8_t api_id_len ) { - uint8_t buffer[256]; - SHA256Context hctx; - int res = BBS_ERROR; + uint8_t buffer[256]; + int res = BBS_ERROR; if (api_id_len > 255 - 19) { @@ -574,22 +818,32 @@ create_generator_init ( for (int i = 0; i < 19; i++) buffer[i + api_id_len] = "SIG_GENERATOR_SEED_"[i]; - if (BBS_OK != expand_message_init (&hctx)) + if (BBS_OK != expand_message_init (cipher_suite, cipher_suite->hash_ctx)) { goto cleanup; } - if (BBS_OK != expand_message_update (&hctx, api_id, api_id_len)) + if (BBS_OK != expand_message_update (cipher_suite, + cipher_suite->hash_ctx, + api_id, + api_id_len)) { goto cleanup; } - if (BBS_OK != expand_message_update (&hctx, (uint8_t*) "MESSAGE_GENERATOR_SEED", 22)) + if (BBS_OK != expand_message_update (cipher_suite, + cipher_suite->hash_ctx, + (uint8_t*) "MESSAGE_GENERATOR_SEED", + 22)) { goto cleanup; } - if (BBS_OK != expand_message_finalize (&hctx, state, buffer, api_id_len + 19)) + if (BBS_OK != expand_message_finalize_48B (cipher_suite, + cipher_suite->hash_ctx, + state, + buffer, + api_id_len + 19)) { goto cleanup; } @@ -695,23 +949,29 @@ ep_map_from_field (ep_t p, int create_generator_next ( - uint8_t state[48 + 8], - ep_t generator, - const uint8_t *api_id, - uint8_t api_id_len + bbs_cipher_suite_t *cipher_suite, + uint8_t state[48 + 8], + ep_t generator, + const uint8_t *api_id, + uint8_t api_id_len ) { - uint8_t dst_buf[256]; - uint8_t rand_buf[128]; - SHA256Context hctx; - uint64_t i_be = UINT64_H2BE (*((uint64_t*) (state + 48))); - int res = BBS_ERROR; + uint8_t dst_buf[256]; + uint8_t rand_buf[128]; + uint64_t i_be = UINT64_H2BE (*((uint64_t*) (state + 48))); + int res = BBS_ERROR; if (api_id_len > 255 - 19) { goto cleanup; } + // check that count (i.e. *((uint64_t*) state + 48) < 2**64 + if (0xffffffffffffffff == *((uint64_t*) (state + 48))) + { + goto cleanup; + } + *((uint64_t*) (state + 48)) += 1LL; for (int i = 0; i < api_id_len; i++) @@ -719,22 +979,29 @@ create_generator_next ( for (int i = 0; i < 19; i++) dst_buf[i + api_id_len] = "SIG_GENERATOR_SEED_"[i]; - if (BBS_OK != expand_message_init (&hctx)) + if (BBS_OK != expand_message_init (cipher_suite, cipher_suite->hash_ctx)) { goto cleanup; } - if (BBS_OK != expand_message_update (&hctx, state, 48)) + if (BBS_OK != expand_message_update (cipher_suite, cipher_suite->hash_ctx, state, 48)) { goto cleanup; } - if (BBS_OK != expand_message_update (&hctx, (uint8_t*) &i_be, 8)) + if (BBS_OK != expand_message_update (cipher_suite, + cipher_suite->hash_ctx, + (uint8_t*) &i_be, + 8)) { goto cleanup; } - if (BBS_OK != expand_message_finalize (&hctx, state, dst_buf, api_id_len + 19)) + if (BBS_OK != expand_message_finalize_48B (cipher_suite, + cipher_suite->hash_ctx, + state, + dst_buf, + api_id_len + 19)) { goto cleanup; } @@ -742,11 +1009,18 @@ create_generator_next ( for (int i = 0; i < 18; i++) dst_buf[i + api_id_len] = "SIG_GENERATOR_DST_"[i]; - // Hash to curve g1 - // relic does implement this as ep_map_sswum, but hard-codes the dst, so - // we need to reimplement the high level parts here + if (BBS_OK != cipher_suite->expand_message_dyn (cipher_suite->hash_ctx, + rand_buf, + 128, + state, + 48, + dst_buf, + cipher_suite->api_id_len + 18)) + { + goto cleanup; + } + RLC_TRY { - md_xmd (rand_buf, 128, state, 48, dst_buf, api_id_len + 18); ep_map_from_field (generator, rand_buf, 128, ep_map_sswu); } RLC_CATCH_ANY { diff --git a/test/CMakeLists.txt b/test/CMakeLists.txt index 1215388..b2852aa 100644 --- a/test/CMakeLists.txt +++ b/test/CMakeLists.txt @@ -7,6 +7,8 @@ create_test_sourcelist(fixture-tests bbs_fix_verify.c bbs_fix_proof_gen.c bbs_fix_proof_verify.c + bbs_fix_hash_to_scalar.c + bbs_fix_expand_message.c ) create_test_sourcelist(e2e-tests diff --git a/test/bbs_e2e_sign_n_proof.c b/test/bbs_e2e_sign_n_proof.c index ca05093..1ac2fa2 100644 --- a/test/bbs_e2e_sign_n_proof.c +++ b/test/bbs_e2e_sign_n_proof.c @@ -2,108 +2,141 @@ #include "test_util.h" #include -int bbs_e2e_sign_n_proof() { - if (core_init() != RLC_OK) { - core_clean(); - return 1; - } - if (pc_param_set_any() != RLC_OK) { - core_clean(); - return 1; - } +int +bbs_e2e_sign_n_proof () +{ + int (*bbs_keygen_full[]) ( + bbs_secret_key sk, + bbs_public_key pk + ) = { + bbs_sha256_keygen_full, bbs_shake256_keygen_full + }; - bbs_secret_key sk; - bbs_public_key pk; + int (*sign[])( + const bbs_secret_key sk, + const bbs_public_key pk, + bbs_signature signature, + const uint8_t *header, + uint64_t header_len, + uint64_t num_messages, + ... + ) = { + bbs_sha256_sign, bbs_shake256_sign + }; + int (*verify[])( + const bbs_public_key pk, + const bbs_signature signature, + const uint8_t *header, + uint64_t header_len, + uint64_t num_messages, + ... + ) = { + bbs_sha256_verify, bbs_shake256_verify + }; + int (*proof_gen[])( + const bbs_public_key pk, + const bbs_signature signature, + uint8_t *proof, + const uint8_t *header, + uint64_t header_len, + const uint8_t *presentation_header, + uint64_t presentation_header_len, + const uint64_t *disclosed_indexes, + uint64_t disclosed_indexes_len, + uint64_t num_messages, + ... + ) = { + bbs_sha256_proof_gen, bbs_shake256_proof_gen + }; + int (*proof_verify[])( + const bbs_public_key pk, + const uint8_t *proof, + uint64_t proof_len, + const uint8_t *header, + uint64_t header_len, + const uint8_t *challenge, + uint64_t challenge_len, + const uint64_t *disclosed_indexes, + uint64_t num_disclosed_indexes, + uint64_t num_messages, + ... + ) = { + bbs_sha256_proof_verify, bbs_shake256_proof_verify + }; - BBS_BENCH_START() - if(BBS_OK != bbs_keygen_full(sk, pk)) { - puts("Error during key generation"); - return 1; - } - BBS_BENCH_END("bbs_keygen_full") + for (int cipher_suite_index = 0; cipher_suite_index < 2; cipher_suite_index++) + { + char *cipher_suite_names[] = {"SHA256", "SHAKE256"}; + printf("Testing cipher suite %s\n", cipher_suite_names[cipher_suite_index]); + if (core_init () != RLC_OK) + { + core_clean (); + return 1; + } + if (pc_param_set_any () != RLC_OK) + { + core_clean (); + return 1; + } - bbs_signature sig; - static char msg1[] = "I am a message"; - static char msg2[] = "And so am I. Crazy..."; - static char header[] = "But I am a header!"; + bbs_secret_key sk; + bbs_public_key pk; - BBS_BENCH_START() - if(BBS_OK != bbs_sign( - sk, - pk, - sig, - (uint8_t*)header, - strlen(header), - 2, - msg1, - strlen(msg1), - msg2, - strlen(msg2))) { - puts("Error during signing"); - return 1; - } - BBS_BENCH_END("bbs_sign (2 messages, 1 header)") + BBS_BENCH_START () + if (BBS_OK != bbs_keygen_full[cipher_suite_index] (sk, pk)) + { + puts ("Error during key generation"); + return 1; + } + BBS_BENCH_END ("bbs_keygen_full") - BBS_BENCH_START() - if(BBS_OK != bbs_verify( - pk, - sig, - (uint8_t*)header, - strlen(header), - 2, - msg1, - strlen(msg1), - msg2, - strlen(msg2))) { - puts("Error during signature verification"); - return 1; - } - BBS_BENCH_END("bbs_verify (2 messages, 1 header)") + bbs_signature sig; + static char msg1[] = "I am a message"; + static char msg2[] = "And so am I. Crazy..."; + static char header[] = "But I am a header!"; - uint8_t proof[BBS_PROOF_LEN(1)]; - uint64_t disclosed_indexes[] = {0}; - static char ph[] = "I am a challenge nonce!"; + BBS_BENCH_START () + if (BBS_OK != sign[cipher_suite_index] (sk, pk, sig, (uint8_t*) header, strlen (header), 2, msg1, + strlen (msg1), msg2, strlen (msg2))) + { + puts ("Error during signing"); + return 1; + } + BBS_BENCH_END ("bbs_sign (2 messages, 1 header)") - BBS_BENCH_START() - if(BBS_OK != bbs_proof_gen( - pk, - sig, - proof, - (uint8_t*)header, - strlen(header), - (uint8_t*)ph, - strlen(ph), - disclosed_indexes, - 1, - 2, - msg1, - strlen(msg1), - msg2, - strlen(msg2))) { - puts("Error during proof generation"); - return 1; - } - BBS_BENCH_END("bbs_proof_gen (2 messages, 1 header, 1 disclosed index)") + BBS_BENCH_START () + if (BBS_OK != verify[cipher_suite_index] (pk, sig, (uint8_t*) header, strlen (header), 2, msg1, + strlen (msg1), msg2, strlen (msg2))) + { + puts ("Error during signature verification"); + return 1; + } + BBS_BENCH_END ("bbs_verify (2 messages, 1 header)") - BBS_BENCH_START() - if(BBS_OK != bbs_proof_verify( - pk, - proof, - BBS_PROOF_LEN(1), - (uint8_t*)header, - strlen(header), - (uint8_t*)ph, - strlen(ph), - disclosed_indexes, - 1, - 2, - msg1, - strlen(msg1))) { - puts("Error during proof verification"); - return 1; - } - BBS_BENCH_END("bbs_proof_verify (2 messages, 1 header, 1 disclosed index)") + uint8_t proof[BBS_PROOF_LEN (1)]; + uint64_t disclosed_indexes[] = {0}; + static char ph[] = "I am a challenge nonce!"; + + BBS_BENCH_START () + if (BBS_OK != proof_gen[cipher_suite_index] (pk, sig, proof, (uint8_t*) header, strlen (header), + (uint8_t*) ph, strlen (ph), disclosed_indexes, 1, 2, + msg1, strlen (msg1), msg2, strlen (msg2))) + { + puts ("Error during proof generation"); + return 1; + } + BBS_BENCH_END ("bbs_proof_gen (2 messages, 1 header, 1 disclosed index)") + + BBS_BENCH_START () + if (BBS_OK != proof_verify[cipher_suite_index] (pk, proof, BBS_PROOF_LEN (1), (uint8_t*) header, + strlen (header), (uint8_t*) ph, strlen (ph), + disclosed_indexes, 1, 2, msg1, strlen (msg1))) + { + puts ("Error during proof verification"); + return 1; + } + BBS_BENCH_END ("bbs_proof_verify (2 messages, 1 header, 1 disclosed index)") + } return 0; } - diff --git a/test/bbs_fix_expand_message.c b/test/bbs_fix_expand_message.c new file mode 100644 index 0000000..81771f4 --- /dev/null +++ b/test/bbs_fix_expand_message.c @@ -0,0 +1,124 @@ +#include "fixtures.h" +#include "test_util.h" +#include "bbs_util.h" + +typedef struct +{ + uint8_t *msg; + size_t msg_len; + size_t out_len; + uint8_t *expected_output; +} expand_message_rfc_9380_expand_message_xof_test; + +/// Only tests shake256 +int +bbs_fix_expand_message () +{ + if (core_init () != RLC_OK) + { + core_clean (); + return 1; + } + if (pc_param_set_any () != RLC_OK) + { + core_clean (); + return 1; + } + + uint8_t out_1[ + rfc_9380_k6_expand_message_xof_out_len_1]; + uint8_t out_2[ + rfc_9380_k6_expand_message_xof_out_len_2]; + uint8_t out_3[ + rfc_9380_k6_expand_message_xof_out_len_3]; + uint8_t out_4[ + rfc_9380_k6_expand_message_xof_out_len_4]; + uint8_t out_5[ + rfc_9380_k6_expand_message_xof_out_len_5]; + uint8_t out_6[ + rfc_9380_k6_expand_message_xof_out_len_6]; + uint8_t out_7[ + rfc_9380_k6_expand_message_xof_out_len_7]; + uint8_t out_8[ + rfc_9380_k6_expand_message_xof_out_len_8]; + uint8_t out_9[ + rfc_9380_k6_expand_message_xof_out_len_9]; + uint8_t out_10[ + rfc_9380_k6_expand_message_xof_out_len_10]; + + uint8_t *out_buffers[10] = { out_1, out_2, out_3, out_4, out_5, out_6, out_7, out_8, out_9, out_10 }; + + expand_message_rfc_9380_expand_message_xof_test test_cases[10] = { + { + .msg = rfc_9380_k6_expand_message_xof_msg_1, + .msg_len = rfc_9380_k6_expand_message_xof_msg_1_len, + .out_len = rfc_9380_k6_expand_message_xof_out_len_1, + .expected_output = fixture_rfc_9380_k6_expand_message_xof_output_1 + },{ + .msg = rfc_9380_k6_expand_message_xof_msg_2, + .msg_len = rfc_9380_k6_expand_message_xof_msg_2_len, + .out_len = rfc_9380_k6_expand_message_xof_out_len_2, + .expected_output = fixture_rfc_9380_k6_expand_message_xof_output_2 + },{ + .msg = rfc_9380_k6_expand_message_xof_msg_3, + .msg_len = rfc_9380_k6_expand_message_xof_msg_3_len, + .out_len = rfc_9380_k6_expand_message_xof_out_len_3, + .expected_output = fixture_rfc_9380_k6_expand_message_xof_output_3 + },{ + .msg = rfc_9380_k6_expand_message_xof_msg_4, + .msg_len = rfc_9380_k6_expand_message_xof_msg_4_len, + .out_len = rfc_9380_k6_expand_message_xof_out_len_4, + .expected_output = fixture_rfc_9380_k6_expand_message_xof_output_4 + },{ + .msg = rfc_9380_k6_expand_message_xof_msg_5, + .msg_len = rfc_9380_k6_expand_message_xof_msg_5_len, + .out_len = rfc_9380_k6_expand_message_xof_out_len_5, + .expected_output = fixture_rfc_9380_k6_expand_message_xof_output_5 + },{ + .msg = rfc_9380_k6_expand_message_xof_msg_6, + .msg_len = rfc_9380_k6_expand_message_xof_msg_6_len, + .out_len = rfc_9380_k6_expand_message_xof_out_len_6, + .expected_output = fixture_rfc_9380_k6_expand_message_xof_output_6 + },{ + .msg = rfc_9380_k6_expand_message_xof_msg_7, + .msg_len = rfc_9380_k6_expand_message_xof_msg_7_len, + .out_len = rfc_9380_k6_expand_message_xof_out_len_7, + .expected_output = fixture_rfc_9380_k6_expand_message_xof_output_7 + },{ + .msg = rfc_9380_k6_expand_message_xof_msg_8, + .msg_len = rfc_9380_k6_expand_message_xof_msg_8_len, + .out_len = rfc_9380_k6_expand_message_xof_out_len_8, + .expected_output = fixture_rfc_9380_k6_expand_message_xof_output_8 + },{ + .msg = rfc_9380_k6_expand_message_xof_msg_9, + .msg_len = rfc_9380_k6_expand_message_xof_msg_9_len, + .out_len = rfc_9380_k6_expand_message_xof_out_len_9, + .expected_output = fixture_rfc_9380_k6_expand_message_xof_output_9 + },{ + .msg = rfc_9380_k6_expand_message_xof_msg_10, + .msg_len = rfc_9380_k6_expand_message_xof_msg_10_len, + .out_len = rfc_9380_k6_expand_message_xof_out_len_10, + .expected_output = fixture_rfc_9380_k6_expand_message_xof_output_10 + } + }; + for (int i = 0; i < 10; i++) + { + if (BBS_OK != expand_message_dyn (&bbs_shake256_cipher_suite, + bbs_shake256_cipher_suite.hash_ctx, + out_buffers[i], test_cases[i].out_len, + test_cases[i].msg, test_cases[i].msg_len, + rfc_9380_k6_expand_message_xof_dst, + rfc_9380_k6_expand_message_xof_dst_len)) + { + printf ("Error in expand_message_dyn test case %d\n", i); + + return 1; + } + ASSERT_EQ_PTR ("expand_message_dyn", + out_buffers[i], + test_cases[i].expected_output, + test_cases[i].out_len); + } + + return 0; +} diff --git a/test/bbs_fix_generators.c b/test/bbs_fix_generators.c index 6210baf..8731849 100644 --- a/test/bbs_fix_generators.c +++ b/test/bbs_fix_generators.c @@ -1,134 +1,104 @@ #include "fixtures.h" #include "test_util.h" -int bbs_fix_generators() { - if (core_init() != RLC_OK) { - core_clean(); - return 1; +typedef struct +{ + uint8_t *q_1; + uint8_t *hs[10]; +} bbs_fix_generators_fixture_t; + +int +bbs_fix_generators () +{ + bbs_cipher_suite_t cipher_suites[] = { + bbs_sha256_cipher_suite, bbs_shake256_cipher_suite + }; + + bbs_fix_generators_fixture_t test_cases[] = { + { + .q_1 = fixture_bls12_381_sha_256_Q_1, + .hs = { + fixture_bls12_381_sha_256_H_1, fixture_bls12_381_sha_256_H_2, + fixture_bls12_381_sha_256_H_3, fixture_bls12_381_sha_256_H_4, + fixture_bls12_381_sha_256_H_5, fixture_bls12_381_sha_256_H_6, + fixture_bls12_381_sha_256_H_7, fixture_bls12_381_sha_256_H_8, + fixture_bls12_381_sha_256_H_9, fixture_bls12_381_sha_256_H_10 + }, + }, + { + .q_1 = fixture_bls12_381_shake_256_Q_1, + .hs = { + fixture_bls12_381_shake_256_H_1, fixture_bls12_381_shake_256_H_2, + fixture_bls12_381_shake_256_H_3, fixture_bls12_381_shake_256_H_4, + fixture_bls12_381_shake_256_H_5, fixture_bls12_381_shake_256_H_6, + fixture_bls12_381_shake_256_H_7, fixture_bls12_381_shake_256_H_8, + fixture_bls12_381_shake_256_H_9, fixture_bls12_381_shake_256_H_10 + }, + }, + }; + + + for (int i = 0; i < 2; i++) + { + bbs_cipher_suite_t cipher_suite = cipher_suites[i]; + bbs_fix_generators_fixture_t fixture = test_cases[i]; + + printf("Testing %s\n", cipher_suite.cipher_suite_id); + + if (core_init () != RLC_OK) + { + core_clean (); + return 1; + } + if (pc_param_set_any () != RLC_OK) + { + core_clean (); + return 1; + } + + uint8_t state[48 + 8]; + uint8_t bin[BBS_G1_ELEM_LEN]; + ep_t generator; + ep_null (generator); + RLC_TRY { + ep_new (generator); // Yes, this might leak. This is a test and thus + // short lived + } + RLC_CATCH_ANY { puts ("Internal Error"); return 1; } + + const uint8_t *api_id = (uint8_t *) cipher_suite.api_id; + const uint8_t api_id_len = cipher_suite.api_id_len; + + if (BBS_OK != create_generator_init (&cipher_suite, state, api_id, api_id_len)) + { + puts ("Error during generator initialization"); + return 1; + } + + if (BBS_OK != create_generator_next (&cipher_suite, state, generator, api_id, + api_id_len)) + { + puts ("Error during generator Q_1 creation"); + return 1; + } + RLC_TRY { + ep_write_bbs (bin, generator); + } RLC_CATCH_ANY { puts ("Internal Error"); return 1; } + + ASSERT_EQ ("generator Q_1 creation", bin, fixture.q_1); + + for (int j = 0; j < 10; j++) { + if (BBS_OK != create_generator_next (&cipher_suite, state, generator, api_id, + api_id_len)) + { + printf ("Error during generator %d creation", j + 1); + return 1; + } + RLC_TRY { + ep_write_bbs (bin, generator); + } RLC_CATCH_ANY { puts ("Internal Error"); return 1; } + ASSERT_EQ_PTR ("generator creation", bin, fixture.hs[j], BBS_G1_ELEM_LEN); + } } - if (pc_param_set_any() != RLC_OK) { - core_clean(); - return 1; - } - - uint8_t state[48 + 8]; - uint8_t bin[BBS_G1_ELEM_LEN]; - ep_t generator; - ep_null(generator); - RLC_TRY { - ep_new(generator); // Yes, this might leak. This is a test and thus - // short lived - } - RLC_CATCH_ANY { puts("Internal Error"); return 1; } - - static uint8_t api_id[] = "BBS_BLS12381G1_XMD:SHA-256_SSWU_RO_H2G_HM2S_"; - static uint8_t api_id_len = 44; - - if(BBS_OK != create_generator_init(state, api_id, api_id_len)) { - puts("Error during generator initialization"); - return 1; - } - - if(BBS_OK != create_generator_next(state, generator, api_id, api_id_len)) { - puts("Error during generator Q_1 creation"); - return 1; - } - RLC_TRY { - ep_write_bbs(bin, generator); - } RLC_CATCH_ANY { puts("Internal Error"); return 1; } - ASSERT_EQ("generator Q_1 creation", bin, fixture_bls12_381_sha_256_Q_1); - - if(BBS_OK != create_generator_next(state, generator, api_id, api_id_len)) { - puts("Error during generator H_1 creation"); - return 1; - } - RLC_TRY { - ep_write_bbs(bin, generator); - } RLC_CATCH_ANY { puts("Internal Error"); return 1; } - ASSERT_EQ("generator H_1 creation", bin, fixture_bls12_381_sha_256_H_1); - - if(BBS_OK != create_generator_next(state, generator, api_id, api_id_len)) { - puts("Error during generator H_2 creation"); - return 1; - } - RLC_TRY { - ep_write_bbs(bin, generator); - } RLC_CATCH_ANY { puts("Internal Error"); return 1; } - ASSERT_EQ("generator H_2 creation", bin, fixture_bls12_381_sha_256_H_2); - - if(BBS_OK != create_generator_next(state, generator, api_id, api_id_len)) { - puts("Error during generator H_3 creation"); - return 1; - } - RLC_TRY { - ep_write_bbs(bin, generator); - } RLC_CATCH_ANY { puts("Internal Error"); return 1; } - ASSERT_EQ("generator H_3 creation", bin, fixture_bls12_381_sha_256_H_3); - - if(BBS_OK != create_generator_next(state, generator, api_id, api_id_len)) { - puts("Error during generator H_4 creation"); - return 1; - } - RLC_TRY { - ep_write_bbs(bin, generator); - } RLC_CATCH_ANY { puts("Internal Error"); return 1; } - ASSERT_EQ("generator H_4 creation", bin, fixture_bls12_381_sha_256_H_4); - - if(BBS_OK != create_generator_next(state, generator, api_id, api_id_len)) { - puts("Error during generator H_5 creation"); - return 1; - } - RLC_TRY { - ep_write_bbs(bin, generator); - } RLC_CATCH_ANY { puts("Internal Error"); return 1; } - ASSERT_EQ("generator H_5 creation", bin, fixture_bls12_381_sha_256_H_5); - - if(BBS_OK != create_generator_next(state, generator, api_id, api_id_len)) { - puts("Error during generator H_6 creation"); - return 1; - } - RLC_TRY { - ep_write_bbs(bin, generator); - } RLC_CATCH_ANY { puts("Internal Error"); return 1; } - ASSERT_EQ("generator H_6 creation", bin, fixture_bls12_381_sha_256_H_6); - - if(BBS_OK != create_generator_next(state, generator, api_id, api_id_len)) { - puts("Error during generator H_7 creation"); - return 1; - } - RLC_TRY { - ep_write_bbs(bin, generator); - } RLC_CATCH_ANY { puts("Internal Error"); return 1; } - ASSERT_EQ("generator H_7 creation", bin, fixture_bls12_381_sha_256_H_7); - - if(BBS_OK != create_generator_next(state, generator, api_id, api_id_len)) { - puts("Error during generator H_8 creation"); - return 1; - } - RLC_TRY { - ep_write_bbs(bin, generator); - } RLC_CATCH_ANY { puts("Internal Error"); return 1; } - ASSERT_EQ("generator H_8 creation", bin, fixture_bls12_381_sha_256_H_8); - - if(BBS_OK != create_generator_next(state, generator, api_id, api_id_len)) { - puts("Error during generator H_9 creation"); - return 1; - } - RLC_TRY { - ep_write_bbs(bin, generator); - } RLC_CATCH_ANY { puts("Internal Error"); return 1; } - ASSERT_EQ("generator H_9 creation", bin, fixture_bls12_381_sha_256_H_9); - - if(BBS_OK != create_generator_next(state, generator, api_id, api_id_len)) { - puts("Error during generator H_10 creation"); - return 1; - } - RLC_TRY { - ep_write_bbs(bin, generator); - } RLC_CATCH_ANY { puts("Internal Error"); return 1; } - ASSERT_EQ("generator H_10 creation", bin, fixture_bls12_381_sha_256_H_10); - - ep_free(generator); return 0; } - diff --git a/test/bbs_fix_hash_to_scalar.c b/test/bbs_fix_hash_to_scalar.c new file mode 100644 index 0000000..f1629fa --- /dev/null +++ b/test/bbs_fix_hash_to_scalar.c @@ -0,0 +1,73 @@ +#include "fixtures.h" +#include "test_util.h" + + +typedef struct +{ + bbs_cipher_suite_t *cipher_suite; + uint8_t *msg; + uint16_t msg_len; + uint8_t *dst; + uint16_t dst_len; + uint8_t *scalar; + uint16_t scalar_len; +} bbs_fix_hash_to_scalar_fixture_t; + +int +bbs_fix_hash_to_scalar () +{ + bbs_fix_hash_to_scalar_fixture_t test_cases[] = { + { + .cipher_suite = &bbs_sha256_cipher_suite, + .msg = fixture_bls12_381_sha_256_h2s_msg, .msg_len = 32, + .dst = fixture_bls12_381_sha_256_h2s_dst, .dst_len = 48, + .scalar = fixture_bls12_381_sha_256_h2s_scalar, .scalar_len = 32, + },{ + .cipher_suite = &bbs_shake256_cipher_suite, + .msg = fixture_bls12_381_shake_256_h2s_msg, .msg_len = 32, + .dst = fixture_bls12_381_shake_256_h2s_dst, .dst_len = 50, + .scalar = fixture_bls12_381_shake_256_h2s_scalar, .scalar_len = 32, + } + }; + + for (int i = 0; i < 2; i++) + { + bbs_fix_hash_to_scalar_fixture_t fixture = test_cases[i]; + + if (core_init () != RLC_OK) + { + core_clean (); + return 1; + } + if (pc_param_set_any () != RLC_OK) + { + core_clean (); + return 1; + } + + uint8_t bin[BBS_SCALAR_LEN]; + bn_t scalar; + bn_null (scalar); + RLC_TRY { + bn_new (scalar); + } + RLC_CATCH_ANY { + puts ("Internal Error"); + return 1; + } + + if (BBS_OK != hash_to_scalar (fixture.cipher_suite, scalar, fixture.dst, fixture.dst_len, + fixture.msg, fixture.msg_len, 0)) + { + puts ("Error during hash to scalar"); + return 1; + } + RLC_TRY { + bn_write_bbs (bin, scalar); + } RLC_CATCH_ANY { puts ("Internal Error"); return 1; } + + ASSERT_EQ_PTR ("hash to scalar", bin, fixture.scalar, fixture.scalar_len); + } + + return 0; +} diff --git a/test/bbs_fix_keygen.c b/test/bbs_fix_keygen.c index 542a7b2..b065aa6 100644 --- a/test/bbs_fix_keygen.c +++ b/test/bbs_fix_keygen.c @@ -1,37 +1,87 @@ #include "fixtures.h" #include "test_util.h" -int bbs_fix_keygen() { - if (core_init() != RLC_OK) { - core_clean(); +typedef struct +{ + int (*key_gen) ( + bbs_secret_key sk, + const uint8_t *key_material, + uint16_t key_material_len, + const uint8_t *key_info, + uint16_t key_info_len, + const uint8_t *key_dst, + uint8_t key_dst_len + ); + uint8_t *key_material; + uint16_t key_material_len; + uint8_t *key_info; + uint16_t key_info_len; + uint8_t *key_dst; + uint16_t key_dst_len; + uint8_t *expected_SK; + uint8_t *expected_PK; +} bbs_fix_keygen_fixture_t; + +int +bbs_fix_keygen () +{ + bbs_fix_keygen_fixture_t test_cases[] = { + { + .key_gen = bbs_sha256_keygen, + .key_material = fixture_bls12_381_sha_256_key_material, + .key_material_len = sizeof(fixture_bls12_381_sha_256_key_material), + .key_info = fixture_bls12_381_sha_256_key_info, + .key_info_len = sizeof(fixture_bls12_381_sha_256_key_info), + .key_dst = fixture_bls12_381_sha_256_key_dst, + .key_dst_len = sizeof(fixture_bls12_381_sha_256_key_dst), + .expected_SK = fixture_bls12_381_sha_256_SK, + .expected_PK = fixture_bls12_381_sha_256_PK, + },{ + .key_gen = bbs_shake256_keygen, + .key_material = fixture_bls12_381_shake_256_key_material, + .key_material_len = sizeof(fixture_bls12_381_shake_256_key_material), + .key_info = fixture_bls12_381_shake_256_key_info, + .key_info_len = sizeof(fixture_bls12_381_shake_256_key_info), + .key_dst = fixture_bls12_381_shake_256_key_dst, + .key_dst_len = sizeof(fixture_bls12_381_shake_256_key_dst), + .expected_SK = fixture_bls12_381_shake_256_SK, + .expected_PK = fixture_bls12_381_shake_256_PK, + } + }; + + if (core_init () != RLC_OK) + { + core_clean (); return 1; } - if (pc_param_set_any() != RLC_OK) { - core_clean(); + if (pc_param_set_any () != RLC_OK) + { + core_clean (); return 1; } - bbs_secret_key sk; - if(BBS_OK != bbs_keygen( - sk, - fixture_bls12_381_sha_256_key_material, - sizeof(fixture_bls12_381_sha_256_key_material), - fixture_bls12_381_sha_256_key_info, - sizeof(fixture_bls12_381_sha_256_key_info), - fixture_bls12_381_sha_256_key_dst, - sizeof(fixture_bls12_381_sha_256_key_dst))) { - puts("Error during secret key generation"); - return 1; - } - ASSERT_EQ("secret key generation", sk, fixture_bls12_381_sha_256_SK); + for (int i = 0; i < 2; i++) + { + bbs_fix_keygen_fixture_t fixture = test_cases[i]; - bbs_public_key pk; - if(BBS_OK != bbs_sk_to_pk(fixture_bls12_381_sha_256_SK, pk)) { - puts("Error during public key generation"); - return 1; - } - ASSERT_EQ("public key generation", pk, fixture_bls12_381_sha_256_PK); + bbs_secret_key sk; + if (BBS_OK != fixture.key_gen (sk, fixture.key_material, fixture.key_material_len + , fixture.key_info, + fixture.key_info_len, fixture.key_dst, + fixture.key_dst_len)) + { + puts ("Error during secret key generation"); + return 1; + } + ASSERT_EQ_PTR ("secret key generation", sk, fixture.expected_SK, BBS_SK_LEN); + bbs_public_key pk; + if (BBS_OK != bbs_sk_to_pk (fixture.expected_SK, pk)) + { + puts ("Error during public key generation"); + return 1; + } + ASSERT_EQ_PTR ("public key generation", pk, fixture.expected_PK, BBS_PK_LEN); + } return 0; } - diff --git a/test/bbs_fix_msg_scalars.c b/test/bbs_fix_msg_scalars.c index 96145d6..70166c7 100644 --- a/test/bbs_fix_msg_scalars.c +++ b/test/bbs_fix_msg_scalars.c @@ -1,119 +1,104 @@ #include "fixtures.h" #include "test_util.h" -int bbs_fix_msg_scalars() { - if (core_init() != RLC_OK) { - core_clean(); - return 1; - } - if (pc_param_set_any() != RLC_OK) { - core_clean(); - return 1; - } - - uint8_t bin[BBS_SCALAR_LEN]; - bn_t scalar; - bn_null(scalar); - RLC_TRY { - bn_new(scalar); // Yes, this might leak. This is a test and thus - // short lived - } - RLC_CATCH_ANY { puts("Internal Error"); return 1; } - - static uint8_t map_dst[] = "BBS_BLS12381G1_XMD:SHA-256_SSWU_RO_H2G_HM2S_MAP_MSG_TO_SCALAR_AS_HASH_"; - static uint8_t map_dst_len = 70; - - if(BBS_OK != hash_to_scalar(scalar, map_dst, map_dst_len, fixture_m_1, sizeof(fixture_m_1), 0)) { - puts("Error during hash to scalar for message 1"); - return 1; - } - RLC_TRY { - bn_write_bbs(bin, scalar); - } RLC_CATCH_ANY { puts("Internal Error"); return 1; } - ASSERT_EQ("scalar 1 generation", bin, fixture_bls12_381_sha_256_msg_scalar_1); - - if(BBS_OK != hash_to_scalar(scalar, map_dst, map_dst_len, fixture_m_2, sizeof(fixture_m_2), 0)) { - puts("Error during hash to scalar for message 2"); - return 1; - } - RLC_TRY { - bn_write_bbs(bin, scalar); - } RLC_CATCH_ANY { puts("Internal Error"); return 1; } - ASSERT_EQ("scalar 2 generation", bin, fixture_bls12_381_sha_256_msg_scalar_2); +typedef struct +{ + bbs_cipher_suite_t cipher_suite; + const uint8_t *msg[10]; + size_t msg_len; +} fixture_msg_scalar; - if(BBS_OK != hash_to_scalar(scalar, map_dst, map_dst_len, fixture_m_3, sizeof(fixture_m_3), 0)) { - puts("Error during hash to scalar for message 3"); - return 1; - } - RLC_TRY { - bn_write_bbs(bin, scalar); - } RLC_CATCH_ANY { puts("Internal Error"); return 1; } - ASSERT_EQ("scalar 3 generation", bin, fixture_bls12_381_sha_256_msg_scalar_3); +int +bbs_fix_msg_scalars () +{ + fixture_msg_scalar test_cases[] = { + { + .cipher_suite = bbs_sha256_cipher_suite, + .msg = { + fixture_bls12_381_sha_256_msg_scalar_1, + fixture_bls12_381_sha_256_msg_scalar_2, + fixture_bls12_381_sha_256_msg_scalar_3, + fixture_bls12_381_sha_256_msg_scalar_4, + fixture_bls12_381_sha_256_msg_scalar_5, + fixture_bls12_381_sha_256_msg_scalar_6, + fixture_bls12_381_sha_256_msg_scalar_7, + fixture_bls12_381_sha_256_msg_scalar_8, + fixture_bls12_381_sha_256_msg_scalar_9, + fixture_bls12_381_sha_256_msg_scalar_10, + }, + .msg_len = sizeof(fixture_bls12_381_sha_256_msg_scalar_1) + }, + { + .cipher_suite = bbs_shake256_cipher_suite, + .msg = { + fixture_bls12_381_shake_256_msg_scalar_1, + fixture_bls12_381_shake_256_msg_scalar_2, + fixture_bls12_381_shake_256_msg_scalar_3, + fixture_bls12_381_shake_256_msg_scalar_4, + fixture_bls12_381_shake_256_msg_scalar_5, + fixture_bls12_381_shake_256_msg_scalar_6, + fixture_bls12_381_shake_256_msg_scalar_7, + fixture_bls12_381_shake_256_msg_scalar_8, + fixture_bls12_381_shake_256_msg_scalar_9, + fixture_bls12_381_shake_256_msg_scalar_10, + }, + .msg_len = sizeof(fixture_bls12_381_shake_256_msg_scalar_1) + } + }; - if(BBS_OK != hash_to_scalar(scalar, map_dst, map_dst_len, fixture_m_4, sizeof(fixture_m_4), 0)) { - puts("Error during hash to scalar for message 4"); - return 1; - } - RLC_TRY { - bn_write_bbs(bin, scalar); - } RLC_CATCH_ANY { puts("Internal Error"); return 1; } - ASSERT_EQ("scalar 4 generation", bin, fixture_bls12_381_sha_256_msg_scalar_4); + uint8_t *fixture_ms[10] = { + fixture_m_1, fixture_m_2, fixture_m_3, fixture_m_4, fixture_m_5, fixture_m_6, + fixture_m_7, fixture_m_8, fixture_m_9, fixture_m_10 + }; + uint32_t fixture_ms_len[10] = { + sizeof(fixture_m_1), sizeof(fixture_m_2), sizeof(fixture_m_3), sizeof(fixture_m_4), + sizeof(fixture_m_5), sizeof(fixture_m_6), sizeof(fixture_m_7), sizeof(fixture_m_8), + sizeof(fixture_m_9), sizeof(fixture_m_10) + }; - if(BBS_OK != hash_to_scalar(scalar, map_dst, map_dst_len, fixture_m_5, sizeof(fixture_m_5), 0)) { - puts("Error during hash to scalar for message 5"); - return 1; - } - RLC_TRY { - bn_write_bbs(bin, scalar); - } RLC_CATCH_ANY { puts("Internal Error"); return 1; } - ASSERT_EQ("scalar 5 generation", bin, fixture_bls12_381_sha_256_msg_scalar_5); + for (int cipher_suite_index = 0; cipher_suite_index < 2; cipher_suite_index++) + { + fixture_msg_scalar fixture = test_cases[cipher_suite_index]; + if (core_init () != RLC_OK) + { + core_clean (); + return 1; + } + if (pc_param_set_any () != RLC_OK) + { + core_clean (); + return 1; + } - if(BBS_OK != hash_to_scalar(scalar, map_dst, map_dst_len, fixture_m_6, sizeof(fixture_m_6), 0)) { - puts("Error during hash to scalar for message 6"); - return 1; - } - RLC_TRY { - bn_write_bbs(bin, scalar); - } RLC_CATCH_ANY { puts("Internal Error"); return 1; } - ASSERT_EQ("scalar 6 generation", bin, fixture_bls12_381_sha_256_msg_scalar_6); + uint8_t bin[BBS_SCALAR_LEN]; + bn_t scalar; + bn_null (scalar); + RLC_TRY { + bn_new (scalar); // Yes, this might leak. This is a test and thus + // short lived + } + RLC_CATCH_ANY { puts ("Internal Error"); return 1; } - if(BBS_OK != hash_to_scalar(scalar, map_dst, map_dst_len, fixture_m_7, sizeof(fixture_m_7), 0)) { - puts("Error during hash to scalar for message 7"); - return 1; - } - RLC_TRY { - bn_write_bbs(bin, scalar); - } RLC_CATCH_ANY { puts("Internal Error"); return 1; } - ASSERT_EQ("scalar 7 generation", bin, fixture_bls12_381_sha_256_msg_scalar_7); + const uint8_t *map_dst = (uint8_t *) fixture.cipher_suite.map_dst; + const uint8_t map_dst_len = fixture.cipher_suite.map_dst_len; - if(BBS_OK != hash_to_scalar(scalar, map_dst, map_dst_len, fixture_m_8, sizeof(fixture_m_8), 0)) { - puts("Error during hash to scalar for message 8"); - return 1; - } - RLC_TRY { - bn_write_bbs(bin, scalar); - } RLC_CATCH_ANY { puts("Internal Error"); return 1; } - ASSERT_EQ("scalar 8 generation", bin, fixture_bls12_381_sha_256_msg_scalar_8); - - if(BBS_OK != hash_to_scalar(scalar, map_dst, map_dst_len, fixture_m_9, sizeof(fixture_m_9), 0)) { - puts("Error during hash to scalar for message 9"); - return 1; - } - RLC_TRY { - bn_write_bbs(bin, scalar); - } RLC_CATCH_ANY { puts("Internal Error"); return 1; } - ASSERT_EQ("scalar 9 generation", bin, fixture_bls12_381_sha_256_msg_scalar_9); + for (int i = 0; i < 10; i++) + { - if(BBS_OK != hash_to_scalar(scalar, map_dst, map_dst_len, fixture_m_10, sizeof(fixture_m_10), 0)) { - puts("Error during hash to scalar for message 10"); - return 1; + if (BBS_OK != hash_to_scalar (&fixture.cipher_suite, scalar, map_dst, + map_dst_len, fixture_ms[i], fixture_ms_len[i], + 0)) + { + puts ("Error during hash to scalar for message 1"); + return 1; + } + RLC_TRY { + bn_write_bbs (bin, scalar); + } RLC_CATCH_ANY { puts ("Internal Error"); return 1; } + ASSERT_EQ_PTR ("scalar 1 generation", bin, fixture.msg[i], fixture.msg_len); + } } - RLC_TRY { - bn_write_bbs(bin, scalar); - } RLC_CATCH_ANY { puts("Internal Error"); return 1; } - ASSERT_EQ("scalar 10 generation", bin, fixture_bls12_381_sha_256_msg_scalar_10); - bn_free(scalar); + bn_free (scalar); return 0; } - diff --git a/test/bbs_fix_proof_gen.c b/test/bbs_fix_proof_gen.c index dfdb79a..640cb66 100644 --- a/test/bbs_fix_proof_gen.c +++ b/test/bbs_fix_proof_gen.c @@ -1,28 +1,89 @@ #include "fixtures.h" #include "test_util.h" +typedef struct +{ + bbs_cipher_suite_t cipher_suite; + + uint8_t *proof_SEED; + size_t proof_SEED_len; + + uint8_t *proof_DST; + size_t proof_DST_len; + + uint8_t *proof_random_scalar[10]; + size_t proof_random_scalar_len[10]; + + uint8_t *proof1_public_key; + uint8_t *proof1_signature; + size_t proof1_signature_len; + uint8_t *proof1_header; + size_t proof1_header_len; + uint8_t *proof1_presentation_header; + size_t proof1_presentation_header_len; + uint64_t *proof1_revealed_indexes; + size_t proof1_revealed_indexes_len; + uint8_t *proof1_m_1; + size_t proof1_m_1_len; + uint8_t *proof1_proof; + size_t proof1_proof_len; + + uint8_t *proof2_public_key; + uint8_t *proof2_signature; + size_t proof2_signature_len; + uint8_t *proof2_header; + size_t proof2_header_len; + uint8_t *proof2_presentation_header; + size_t proof2_presentation_header_len; + uint64_t *proof2_revealed_indexes; + size_t proof2_revealed_indexes_len; + uint8_t *proof2_m[10]; + size_t proof2_m_len[10]; + uint8_t *proof2_proof; + size_t proof2_proof_len; + + uint8_t *proof3_public_key; + uint8_t *proof3_signature; + size_t proof3_signature_len; + uint8_t *proof3_header; + size_t proof3_header_len; + uint8_t *proof3_presentation_header; + size_t proof3_presentation_header_len; + uint64_t *proof3_revealed_indexes; + size_t proof3_revealed_indexes_len; + uint8_t *proof3_proof; + size_t proof3_proof_len; +} fixture_proof_gen_t; + // Mocked random scalars for bbs_proof_gen_det -int mocked_prf( - bn_t out, - uint8_t input_type, - uint64_t input, - void* cookie) { - uint8_t *rand = (uint8_t*)cookie; - int res = BBS_ERROR; - - if(0 == input_type && 10 > input) { +int +mocked_prf ( + bbs_cipher_suite_t *cipher_suite, + bn_t out, + uint8_t input_type, + uint64_t input, + void *cookie + ) +{ + uint8_t *rand = (uint8_t*) cookie; + int res = BBS_ERROR; + + if (0 == input_type && 10 > input) + { // msg_tilde rand += (5 + input) * 48; } - else if (0 == input && 5 >= input_type) { + else if (0 == input && 5 >= input_type) + { // other stuff rand += (input_type - 1) * 48; } - else goto cleanup; + else + goto cleanup; RLC_TRY { - bn_read_bin(out, rand, 48); - bn_mod(out, out, &(core_get()->ep_r)); + bn_read_bin (out, rand, 48); + bn_mod (out, out, &(core_get ()->ep_r)); } RLC_CATCH_ANY { goto cleanup; @@ -33,274 +94,397 @@ int mocked_prf( return res; } -int fill_randomness( - uint8_t *rand, - int count, - const uint8_t *seed, - uint64_t seed_len, - const uint8_t *dst, - uint64_t dst_len - ) { - int ret = BBS_ERROR; - RLC_TRY { - md_xmd(rand, count * 48, seed, seed_len, dst, dst_len); - } - RLC_CATCH_ANY { + +int +fill_randomness ( + bbs_cipher_suite_t cipher_suite, + uint8_t *rand, + int count, + const uint8_t *seed, + uint64_t seed_len, + const uint8_t *dst, + uint64_t dst_len + ) +{ + int ret = BBS_ERROR; + int out_len = count * 48; + + if (BBS_OK != expand_message_dyn (&cipher_suite, + cipher_suite.hash_ctx, + rand, + out_len, + seed, + seed_len, + dst, + dst_len)) + { goto cleanup; } + ret = BBS_OK; + cleanup: return ret; } -int mocked_proof_gen( - const bbs_public_key pk, - const bbs_signature signature, - uint8_t *proof, - const uint8_t *header, - uint64_t header_len, - const uint8_t *presentation_header, - uint64_t presentation_header_len, - const uint64_t *disclosed_indexes, - uint64_t disclosed_indexes_len, - uint64_t num_messages, - ... - ) { + +int +mocked_proof_gen ( + fixture_proof_gen_t test_case, + const bbs_public_key pk, + const bbs_signature signature, + uint8_t *proof, + const uint8_t *header, + uint64_t header_len, + const uint8_t *presentation_header, + uint64_t presentation_header_len, + const uint64_t *disclosed_indexes, + uint64_t disclosed_indexes_len, + uint64_t num_messages, + ... + ) +{ // Stores randomness for 15 random scalars, which is as much as we need uint8_t randomness[48 * 15]; va_list ap; - int ret = BBS_ERROR; - va_start(ap, num_messages); - - if(BBS_OK != fill_randomness( - randomness, - 5 + num_messages - disclosed_indexes_len, - fixture_bls12_381_sha_256_proof_SEED, - sizeof(fixture_bls12_381_sha_256_proof_SEED), - fixture_bls12_381_sha_256_proof_DST, - sizeof(fixture_bls12_381_sha_256_proof_DST) - )) { + int ret = BBS_ERROR; + va_start (ap, num_messages); + + if (BBS_OK != fill_randomness (test_case.cipher_suite, + randomness, + 5 + num_messages - disclosed_indexes_len, + test_case.proof_SEED, + test_case.proof_SEED_len, + test_case.proof_DST, + test_case.proof_DST_len) + ) + { goto cleanup; } - if (BBS_OK != bbs_proof_gen_det (pk, signature, proof, header, header_len, - presentation_header, presentation_header_len, - disclosed_indexes, disclosed_indexes_len, - num_messages, mocked_prf, randomness, ap)) + if (BBS_OK != bbs_proof_gen_det (&test_case.cipher_suite, + pk, + signature, + proof, + header, + header_len, + presentation_header, + presentation_header_len, + disclosed_indexes, + disclosed_indexes_len, + num_messages, + mocked_prf, + randomness, + ap)) { goto cleanup; } ret = BBS_OK; cleanup: - va_end(ap); + va_end (ap); return ret; } -int bbs_fix_proof_gen() { - if (core_init() != RLC_OK) { - core_clean(); - return 1; - } - if (pc_param_set_any() != RLC_OK) { - core_clean(); - return 1; - } - // Stores randomness for 15 random scalars, which is as much as we need - uint8_t randomness[48 * 15]; +int +bbs_fix_proof_gen () +{ + // *INDENT-OFF* - Preserve formatting + fixture_proof_gen_t test_cases[] = { + { + .cipher_suite = bbs_sha256_cipher_suite, - // Randomness generation self check, to catch any errors related to this - // step - uint8_t scalar_buffer[BBS_SCALAR_LEN]; - bn_t scalar; + .proof_SEED = fixture_bls12_381_sha_256_proof_SEED, + .proof_SEED_len = sizeof(fixture_bls12_381_sha_256_proof_SEED), - bn_null(scalar); - RLC_TRY { bn_new(scalar) } - RLC_CATCH_ANY { - puts("Internal error"); - return 1; - } - if(BBS_OK != fill_randomness( - randomness, - 10, - fixture_bls12_381_sha_256_proof_SEED, - LEN(fixture_bls12_381_sha_256_proof_SEED), - fixture_bls12_381_sha_256_proof_DST, - LEN(fixture_bls12_381_sha_256_proof_DST))) { - puts("Error during randomness generation self test"); - return 1; - } -#define WRITE_SCALAR RLC_TRY { bn_write_bbs(scalar_buffer, scalar); } \ - RLC_CATCH_ANY { puts("Write error"); return 1;} - if(BBS_OK != mocked_prf(scalar, 1, 0, randomness)) { - puts("Read error"); - return 1; - } - WRITE_SCALAR; - ASSERT_EQ("scalar_1 test", scalar_buffer, fixture_bls12_381_sha_256_proof_random_scalar_1); + .proof_DST = fixture_bls12_381_sha_256_proof_DST, + .proof_DST_len = sizeof(fixture_bls12_381_sha_256_proof_DST), - if(BBS_OK != mocked_prf(scalar, 2, 0, randomness)) { - puts("Read error"); - return 1; - } - WRITE_SCALAR; - ASSERT_EQ("scalar_2 test", scalar_buffer, fixture_bls12_381_sha_256_proof_random_scalar_2); + .proof_random_scalar = { + fixture_bls12_381_sha_256_proof_random_scalar_1, fixture_bls12_381_sha_256_proof_random_scalar_2, fixture_bls12_381_sha_256_proof_random_scalar_3, + fixture_bls12_381_sha_256_proof_random_scalar_4, fixture_bls12_381_sha_256_proof_random_scalar_5, fixture_bls12_381_sha_256_proof_random_scalar_6, + fixture_bls12_381_sha_256_proof_random_scalar_7, fixture_bls12_381_sha_256_proof_random_scalar_8, fixture_bls12_381_sha_256_proof_random_scalar_9, + fixture_bls12_381_sha_256_proof_random_scalar_10 + }, + .proof_random_scalar_len = { + sizeof(fixture_bls12_381_sha_256_proof_random_scalar_1), sizeof(fixture_bls12_381_sha_256_proof_random_scalar_2), sizeof(fixture_bls12_381_sha_256_proof_random_scalar_3), + sizeof(fixture_bls12_381_sha_256_proof_random_scalar_4), sizeof(fixture_bls12_381_sha_256_proof_random_scalar_5), sizeof(fixture_bls12_381_sha_256_proof_random_scalar_6), + sizeof(fixture_bls12_381_sha_256_proof_random_scalar_7), sizeof(fixture_bls12_381_sha_256_proof_random_scalar_8), sizeof(fixture_bls12_381_sha_256_proof_random_scalar_9), + sizeof(fixture_bls12_381_sha_256_proof_random_scalar_10) + }, - if(BBS_OK != mocked_prf(scalar, 3, 0, randomness)) { - puts("Read error"); - return 1; - } - WRITE_SCALAR; - ASSERT_EQ("scalar_3 test", scalar_buffer, fixture_bls12_381_sha_256_proof_random_scalar_3); + .proof1_public_key = fixture_bls12_381_sha_256_proof1_public_key, + .proof1_signature = fixture_bls12_381_sha_256_proof1_signature, + .proof1_signature_len = sizeof(fixture_bls12_381_sha_256_proof1_signature), + .proof1_header = fixture_bls12_381_sha_256_proof1_header, + .proof1_header_len = sizeof(fixture_bls12_381_sha_256_proof1_header), + .proof1_presentation_header = fixture_bls12_381_sha_256_proof1_presentation_header, + .proof1_presentation_header_len = sizeof(fixture_bls12_381_sha_256_proof1_presentation_header), + .proof1_revealed_indexes = fixture_bls12_381_sha_256_proof1_revealed_indexes, + .proof1_revealed_indexes_len = LEN (fixture_bls12_381_sha_256_proof1_revealed_indexes), + .proof1_m_1 = fixture_bls12_381_sha_256_proof1_m_1, + .proof1_m_1_len = sizeof(fixture_bls12_381_sha_256_proof1_m_1), + .proof1_proof = fixture_bls12_381_sha_256_proof1_proof, + .proof1_proof_len = sizeof(fixture_bls12_381_sha_256_proof1_proof), + .proof2_public_key = fixture_bls12_381_sha_256_proof2_public_key, + .proof2_signature = fixture_bls12_381_sha_256_proof2_signature, + .proof2_signature_len = sizeof(fixture_bls12_381_sha_256_proof2_signature), + .proof2_header = fixture_bls12_381_sha_256_proof2_header, + .proof2_header_len = sizeof(fixture_bls12_381_sha_256_proof2_header), + .proof2_presentation_header = fixture_bls12_381_sha_256_proof2_presentation_header, + .proof2_presentation_header_len = sizeof(fixture_bls12_381_sha_256_proof2_presentation_header), + .proof2_revealed_indexes = fixture_bls12_381_sha_256_proof2_revealed_indexes, + .proof2_revealed_indexes_len = LEN (fixture_bls12_381_sha_256_proof2_revealed_indexes), + .proof2_m = { + fixture_bls12_381_sha_256_proof2_m_1, fixture_bls12_381_sha_256_proof2_m_2, fixture_bls12_381_sha_256_proof2_m_3, + fixture_bls12_381_sha_256_proof2_m_4, fixture_bls12_381_sha_256_proof2_m_5, fixture_bls12_381_sha_256_proof2_m_6, + fixture_bls12_381_sha_256_proof2_m_7, fixture_bls12_381_sha_256_proof2_m_8, fixture_bls12_381_sha_256_proof2_m_9, + fixture_bls12_381_sha_256_proof2_m_10 + }, + .proof2_m_len = { + sizeof(fixture_bls12_381_sha_256_proof2_m_1), sizeof(fixture_bls12_381_sha_256_proof2_m_2), sizeof(fixture_bls12_381_sha_256_proof2_m_3), + sizeof(fixture_bls12_381_sha_256_proof2_m_4), sizeof(fixture_bls12_381_sha_256_proof2_m_5), sizeof(fixture_bls12_381_sha_256_proof2_m_6), + sizeof(fixture_bls12_381_sha_256_proof2_m_7), sizeof(fixture_bls12_381_sha_256_proof2_m_8), sizeof(fixture_bls12_381_sha_256_proof2_m_9), + sizeof(fixture_bls12_381_sha_256_proof2_m_10) + }, + .proof2_proof = fixture_bls12_381_sha_256_proof2_proof, + .proof2_proof_len = sizeof(fixture_bls12_381_sha_256_proof2_proof), - if(BBS_OK != mocked_prf(scalar, 4, 0, randomness)) { - puts("Read error"); - return 1; - } - WRITE_SCALAR; - ASSERT_EQ("scalar_4 test", scalar_buffer, fixture_bls12_381_sha_256_proof_random_scalar_4); + .proof3_public_key = fixture_bls12_381_sha_256_proof3_public_key, + .proof3_signature = fixture_bls12_381_sha_256_proof3_signature, + .proof3_signature_len = sizeof(fixture_bls12_381_sha_256_proof3_signature), + .proof3_header = fixture_bls12_381_sha_256_proof3_header, + .proof3_header_len = sizeof(fixture_bls12_381_sha_256_proof3_header), + .proof3_presentation_header = fixture_bls12_381_sha_256_proof3_presentation_header, + .proof3_presentation_header_len = sizeof(fixture_bls12_381_sha_256_proof3_presentation_header), + .proof3_revealed_indexes = fixture_bls12_381_sha_256_proof3_revealed_indexes, + .proof3_revealed_indexes_len = LEN (fixture_bls12_381_sha_256_proof3_revealed_indexes), + .proof3_proof = fixture_bls12_381_sha_256_proof3_proof, + .proof3_proof_len = sizeof(fixture_bls12_381_sha_256_proof3_proof), + }, + { + .cipher_suite = bbs_shake256_cipher_suite, - if(BBS_OK != mocked_prf(scalar, 5, 0, randomness)) { - puts("Read error"); - return 1; - } - WRITE_SCALAR; - ASSERT_EQ("scalar_5 test", scalar_buffer, fixture_bls12_381_sha_256_proof_random_scalar_5); + .proof_SEED = fixture_bls12_381_shake_256_proof_SEED, + .proof_SEED_len = sizeof(fixture_bls12_381_shake_256_proof_SEED), - if(BBS_OK != mocked_prf(scalar, 0, 0, randomness)) { - puts("Read error"); - return 1; - } - WRITE_SCALAR; - ASSERT_EQ("scalar_6 test", scalar_buffer, fixture_bls12_381_sha_256_proof_random_scalar_6); + .proof_DST = fixture_bls12_381_shake_256_proof_DST, + .proof_DST_len = sizeof(fixture_bls12_381_shake_256_proof_DST), - if(BBS_OK != mocked_prf(scalar, 0, 1, randomness)) { - puts("Read error"); - return 1; - } - WRITE_SCALAR; - ASSERT_EQ("scalar_7 test", scalar_buffer, fixture_bls12_381_sha_256_proof_random_scalar_7); + .proof_random_scalar = { + fixture_bls12_381_shake_256_proof_random_scalar_1, fixture_bls12_381_shake_256_proof_random_scalar_2, fixture_bls12_381_shake_256_proof_random_scalar_3, + fixture_bls12_381_shake_256_proof_random_scalar_4, fixture_bls12_381_shake_256_proof_random_scalar_5, fixture_bls12_381_shake_256_proof_random_scalar_6, + fixture_bls12_381_shake_256_proof_random_scalar_7, fixture_bls12_381_shake_256_proof_random_scalar_8, fixture_bls12_381_shake_256_proof_random_scalar_9, + fixture_bls12_381_shake_256_proof_random_scalar_10 + }, + .proof_random_scalar_len = { + sizeof(fixture_bls12_381_shake_256_proof_random_scalar_1), sizeof(fixture_bls12_381_shake_256_proof_random_scalar_2), sizeof(fixture_bls12_381_shake_256_proof_random_scalar_3), + sizeof(fixture_bls12_381_shake_256_proof_random_scalar_4), sizeof(fixture_bls12_381_shake_256_proof_random_scalar_5), sizeof(fixture_bls12_381_shake_256_proof_random_scalar_6), + sizeof(fixture_bls12_381_shake_256_proof_random_scalar_7), sizeof(fixture_bls12_381_shake_256_proof_random_scalar_8), sizeof(fixture_bls12_381_shake_256_proof_random_scalar_9), + sizeof(fixture_bls12_381_shake_256_proof_random_scalar_10) + }, - if(BBS_OK != mocked_prf(scalar, 0, 2, randomness)) { - puts("Read error"); - return 1; - } - WRITE_SCALAR; - ASSERT_EQ("scalar_8 test", scalar_buffer, fixture_bls12_381_sha_256_proof_random_scalar_8); + .proof1_public_key = fixture_bls12_381_shake_256_proof1_public_key, + .proof1_signature = fixture_bls12_381_shake_256_proof1_signature, + .proof1_signature_len = sizeof(fixture_bls12_381_shake_256_proof1_signature), + .proof1_header = fixture_bls12_381_shake_256_proof1_header, + .proof1_header_len = sizeof(fixture_bls12_381_shake_256_proof1_header), + .proof1_presentation_header = fixture_bls12_381_shake_256_proof1_presentation_header, + .proof1_presentation_header_len = sizeof(fixture_bls12_381_shake_256_proof1_presentation_header), + .proof1_revealed_indexes = fixture_bls12_381_shake_256_proof1_revealed_indexes, + .proof1_revealed_indexes_len = LEN (fixture_bls12_381_shake_256_proof1_revealed_indexes), + .proof1_m_1 = fixture_bls12_381_shake_256_proof1_m_1, + .proof1_m_1_len = sizeof(fixture_bls12_381_shake_256_proof1_m_1), + .proof1_proof = fixture_bls12_381_shake_256_proof1_proof, + .proof1_proof_len = sizeof(fixture_bls12_381_shake_256_proof1_proof), + .proof2_public_key = fixture_bls12_381_shake_256_proof2_public_key, + .proof2_signature = fixture_bls12_381_shake_256_proof2_signature, + .proof2_signature_len = sizeof(fixture_bls12_381_shake_256_proof2_signature), + .proof2_header = fixture_bls12_381_shake_256_proof2_header, + .proof2_header_len = sizeof(fixture_bls12_381_shake_256_proof2_header), + .proof2_presentation_header = fixture_bls12_381_shake_256_proof2_presentation_header, + .proof2_presentation_header_len = sizeof(fixture_bls12_381_shake_256_proof2_presentation_header), + .proof2_revealed_indexes = fixture_bls12_381_shake_256_proof2_revealed_indexes, + .proof2_revealed_indexes_len = LEN (fixture_bls12_381_shake_256_proof2_revealed_indexes), + .proof2_m = { + fixture_bls12_381_shake_256_proof2_m_1, fixture_bls12_381_shake_256_proof2_m_2, fixture_bls12_381_shake_256_proof2_m_3, + fixture_bls12_381_shake_256_proof2_m_4, fixture_bls12_381_shake_256_proof2_m_5, fixture_bls12_381_shake_256_proof2_m_6, + fixture_bls12_381_shake_256_proof2_m_7, fixture_bls12_381_shake_256_proof2_m_8, fixture_bls12_381_shake_256_proof2_m_9, + fixture_bls12_381_shake_256_proof2_m_10 + }, + .proof2_m_len = { + sizeof(fixture_bls12_381_shake_256_proof2_m_1), sizeof(fixture_bls12_381_shake_256_proof2_m_2), sizeof(fixture_bls12_381_shake_256_proof2_m_3), + sizeof(fixture_bls12_381_shake_256_proof2_m_4), sizeof(fixture_bls12_381_shake_256_proof2_m_5), sizeof(fixture_bls12_381_shake_256_proof2_m_6), + sizeof(fixture_bls12_381_shake_256_proof2_m_7), sizeof(fixture_bls12_381_shake_256_proof2_m_8), sizeof(fixture_bls12_381_shake_256_proof2_m_9), + sizeof(fixture_bls12_381_shake_256_proof2_m_10) + }, + .proof2_proof = fixture_bls12_381_shake_256_proof2_proof, + .proof2_proof_len = sizeof(fixture_bls12_381_shake_256_proof2_proof), - if(BBS_OK != mocked_prf(scalar, 0, 3, randomness)) { - puts("Read error"); - return 1; - } - WRITE_SCALAR; - ASSERT_EQ("scalar_9 test", scalar_buffer, fixture_bls12_381_sha_256_proof_random_scalar_9); + .proof3_public_key = fixture_bls12_381_shake_256_proof3_public_key, + .proof3_signature = fixture_bls12_381_shake_256_proof3_signature, + .proof3_signature_len = sizeof(fixture_bls12_381_shake_256_proof3_signature), + .proof3_header = fixture_bls12_381_shake_256_proof3_header, + .proof3_header_len = sizeof(fixture_bls12_381_shake_256_proof3_header), + .proof3_presentation_header = fixture_bls12_381_shake_256_proof3_presentation_header, + .proof3_presentation_header_len = sizeof(fixture_bls12_381_shake_256_proof3_presentation_header), + .proof3_revealed_indexes = fixture_bls12_381_shake_256_proof3_revealed_indexes, + .proof3_revealed_indexes_len = LEN (fixture_bls12_381_shake_256_proof3_revealed_indexes), + .proof3_proof = fixture_bls12_381_shake_256_proof3_proof, + .proof3_proof_len = sizeof(fixture_bls12_381_shake_256_proof3_proof), + } + }; + // *INDENT-ON* - Preserve formatting - if(BBS_OK != mocked_prf(scalar, 0, 4, randomness)) { - puts("Read error"); - return 1; - } - WRITE_SCALAR; - ASSERT_EQ("scalar_10 test", scalar_buffer, fixture_bls12_381_sha_256_proof_random_scalar_10); - - uint8_t proof1[BBS_PROOF_LEN(0)]; - BBS_BENCH_START() - if(BBS_OK != mocked_proof_gen( - fixture_bls12_381_sha_256_proof1_public_key, - fixture_bls12_381_sha_256_proof1_signature, - proof1, - fixture_bls12_381_sha_256_proof1_header, - sizeof(fixture_bls12_381_sha_256_proof1_header), - fixture_bls12_381_sha_256_proof1_presentation_header, - sizeof(fixture_bls12_381_sha_256_proof1_presentation_header), - fixture_bls12_381_sha_256_proof1_revealed_indexes, - LEN(fixture_bls12_381_sha_256_proof1_revealed_indexes), - 1, - fixture_bls12_381_sha_256_proof1_m_1, - sizeof(fixture_bls12_381_sha_256_proof1_m_1))) { - puts("Error during proof 1 generation"); - return 1; - } - BBS_BENCH_END("Valid Single Message Proof") - ASSERT_EQ("proof 1 generation", proof1, fixture_bls12_381_sha_256_proof1_proof); - - uint8_t proof2[BBS_PROOF_LEN(0)]; - if(BBS_OK != mocked_proof_gen( - fixture_bls12_381_sha_256_proof2_public_key, - fixture_bls12_381_sha_256_proof2_signature, - proof2, - fixture_bls12_381_sha_256_proof2_header, - sizeof(fixture_bls12_381_sha_256_proof2_header), - fixture_bls12_381_sha_256_proof2_presentation_header, - sizeof(fixture_bls12_381_sha_256_proof2_presentation_header), - fixture_bls12_381_sha_256_proof2_revealed_indexes, - LEN(fixture_bls12_381_sha_256_proof2_revealed_indexes), - 10, - fixture_bls12_381_sha_256_proof2_m_1, - sizeof(fixture_bls12_381_sha_256_proof2_m_1), - fixture_bls12_381_sha_256_proof2_m_2, - sizeof(fixture_bls12_381_sha_256_proof2_m_2), - fixture_bls12_381_sha_256_proof2_m_3, - sizeof(fixture_bls12_381_sha_256_proof2_m_3), - fixture_bls12_381_sha_256_proof2_m_4, - sizeof(fixture_bls12_381_sha_256_proof2_m_4), - fixture_bls12_381_sha_256_proof2_m_5, - sizeof(fixture_bls12_381_sha_256_proof2_m_5), - fixture_bls12_381_sha_256_proof2_m_6, - sizeof(fixture_bls12_381_sha_256_proof2_m_6), - fixture_bls12_381_sha_256_proof2_m_7, - sizeof(fixture_bls12_381_sha_256_proof2_m_7), - fixture_bls12_381_sha_256_proof2_m_8, - sizeof(fixture_bls12_381_sha_256_proof2_m_8), - fixture_bls12_381_sha_256_proof2_m_9, - sizeof(fixture_bls12_381_sha_256_proof2_m_9), - fixture_bls12_381_sha_256_proof2_m_10, - sizeof(fixture_bls12_381_sha_256_proof2_m_10))) { - puts("Error during proof 2 generation"); - return 1; - } - BBS_BENCH_END("Valid Multi-Message, All Messages Disclosed Proof") - ASSERT_EQ("proof 2 generation", proof2, fixture_bls12_381_sha_256_proof2_proof); - - // Only some messages are being revealed here - uint8_t proof3[BBS_PROOF_LEN(6)]; - if(BBS_OK != mocked_proof_gen( - fixture_bls12_381_sha_256_proof3_public_key, - fixture_bls12_381_sha_256_proof3_signature, - proof3, - fixture_bls12_381_sha_256_proof3_header, - sizeof(fixture_bls12_381_sha_256_proof3_header), - fixture_bls12_381_sha_256_proof3_presentation_header, - sizeof(fixture_bls12_381_sha_256_proof3_presentation_header), - fixture_bls12_381_sha_256_proof3_revealed_indexes, - LEN(fixture_bls12_381_sha_256_proof3_revealed_indexes), - 10, - fixture_bls12_381_sha_256_proof2_m_1, - sizeof(fixture_bls12_381_sha_256_proof2_m_1), - fixture_bls12_381_sha_256_proof2_m_2, - sizeof(fixture_bls12_381_sha_256_proof2_m_2), - fixture_bls12_381_sha_256_proof2_m_3, - sizeof(fixture_bls12_381_sha_256_proof2_m_3), - fixture_bls12_381_sha_256_proof2_m_4, - sizeof(fixture_bls12_381_sha_256_proof2_m_4), - fixture_bls12_381_sha_256_proof2_m_5, - sizeof(fixture_bls12_381_sha_256_proof2_m_5), - fixture_bls12_381_sha_256_proof2_m_6, - sizeof(fixture_bls12_381_sha_256_proof2_m_6), - fixture_bls12_381_sha_256_proof2_m_7, - sizeof(fixture_bls12_381_sha_256_proof2_m_7), - fixture_bls12_381_sha_256_proof2_m_8, - sizeof(fixture_bls12_381_sha_256_proof2_m_8), - fixture_bls12_381_sha_256_proof2_m_9, - sizeof(fixture_bls12_381_sha_256_proof2_m_9), - fixture_bls12_381_sha_256_proof2_m_10, - sizeof(fixture_bls12_381_sha_256_proof2_m_10))) { - puts("Error during proof 3 generation"); - return 1; - } - BBS_BENCH_END("Valid Multi-Message, Some Messages Disclosed Proof") - ASSERT_EQ("proof 3 generation", proof3, fixture_bls12_381_sha_256_proof3_proof); + for (int cipher_suite_index = 0; cipher_suite_index < 2; cipher_suite_index++) + { + fixture_proof_gen_t test_case = test_cases[cipher_suite_index]; + printf ("Testing BBS Proof Generation with cipher suite %s\n", + test_case.cipher_suite.cipher_suite_id); + if (core_init () != RLC_OK) + { + core_clean (); + return 1; + } + if (pc_param_set_any () != RLC_OK) + { + core_clean (); + return 1; + } + + // Stores randomness for 15 random scalars, which is as much as we need + uint8_t randomness[48 * 15]; + + // Randomness generation self check, to catch any errors related to this + // step + uint8_t scalar_buffer[BBS_SCALAR_LEN]; + bn_t scalar; + + bn_null (scalar); + RLC_TRY { bn_new (scalar) } + RLC_CATCH_ANY { + puts ("Internal error"); + return 1; + } + if (BBS_OK != fill_randomness (test_case.cipher_suite, randomness, 10, + test_case.proof_SEED, test_case.proof_SEED_len, + test_case.proof_DST, test_case.proof_DST_len)) + { + puts ("Error during randomness generation self test"); + return 1; + } + #define WRITE_SCALAR RLC_TRY { bn_write_bbs (scalar_buffer, scalar); \ +} \ + RLC_CATCH_ANY { puts ("Write error"); return 1;} + for (int i = 0; i < 5; i++) + { + if (BBS_OK != mocked_prf (&test_case.cipher_suite, scalar, i + 1, 0, randomness)) + { + puts ("Read error"); + return 1; + } + WRITE_SCALAR; + ASSERT_EQ_PTR ("scalar test", + scalar_buffer, + test_case.proof_random_scalar[i], + test_case.proof_random_scalar_len[i]); + } - bn_free(scalar); + for (int i = 0; i < 5; i++) + { + if (BBS_OK != mocked_prf (&test_case.cipher_suite, scalar, 0, i, randomness)) + { + puts ("Read error"); + return 1; + } + WRITE_SCALAR; + ASSERT_EQ_PTR ("scalar test", + scalar_buffer, + test_case.proof_random_scalar[i + 5], + test_case.proof_random_scalar_len[i + 5]); + } + + uint8_t proof1[BBS_PROOF_LEN (0)]; + BBS_BENCH_START () + if (BBS_OK != mocked_proof_gen (test_case, test_case.proof1_public_key, + test_case.proof1_signature, proof1, + test_case.proof1_header, + test_case.proof1_header_len, + test_case.proof1_presentation_header, + test_case.proof1_presentation_header_len, + test_case.proof1_revealed_indexes, + test_case.proof1_revealed_indexes_len, 1, // num_messages + test_case.proof1_m_1, test_case.proof1_m_1_len)) + { + puts ("Error during proof 1 generation"); + return 1; + } + BBS_BENCH_END ("Valid Single Message Proof"); + ASSERT_EQ_PTR ("proof 1 generation", + proof1, + test_case.proof1_proof, + test_case.proof1_proof_len); + + uint8_t proof2[BBS_PROOF_LEN (0)]; + if (BBS_OK != mocked_proof_gen (test_case, test_case.proof2_public_key, + test_case.proof2_signature, proof2, + test_case.proof2_header, + test_case.proof2_header_len, + test_case.proof2_presentation_header, + test_case.proof2_presentation_header_len, + test_case.proof2_revealed_indexes, + test_case.proof2_revealed_indexes_len, 10, + test_case.proof2_m[0], test_case.proof2_m_len[0], + test_case.proof2_m[1], test_case.proof2_m_len[1], + test_case.proof2_m[2], test_case.proof2_m_len[2], + test_case.proof2_m[3], test_case.proof2_m_len[3], + test_case.proof2_m[4], test_case.proof2_m_len[4], + test_case.proof2_m[5], test_case.proof2_m_len[5], + test_case.proof2_m[6], test_case.proof2_m_len[6], + test_case.proof2_m[7], test_case.proof2_m_len[7], + test_case.proof2_m[8], test_case.proof2_m_len[8], + test_case.proof2_m[9], test_case.proof2_m_len[9])) + { + puts ("Error during proof 2 generation"); + return 1; + } + BBS_BENCH_END ("Valid Multi-Message, All Messages Disclosed Proof") + ASSERT_EQ_PTR ("proof 2 generation", + proof2, + test_case.proof2_proof, + test_case.proof2_proof_len); + + // Only some messages are being revealed here + uint8_t proof3[BBS_PROOF_LEN (6)]; + if (BBS_OK != mocked_proof_gen (test_case, test_case.proof3_public_key, + test_case.proof3_signature, proof3, + test_case.proof3_header, + test_case.proof3_header_len, + test_case.proof3_presentation_header, + test_case.proof3_presentation_header_len, + test_case.proof3_revealed_indexes, + test_case.proof3_revealed_indexes_len, 10, + test_case.proof2_m[0], test_case.proof2_m_len[0], + test_case.proof2_m[1], test_case.proof2_m_len[1], + test_case.proof2_m[2], test_case.proof2_m_len[2], + test_case.proof2_m[3], test_case.proof2_m_len[3], + test_case.proof2_m[4], test_case.proof2_m_len[4], + test_case.proof2_m[5], test_case.proof2_m_len[5], + test_case.proof2_m[6], test_case.proof2_m_len[6], + test_case.proof2_m[7], test_case.proof2_m_len[7], + test_case.proof2_m[8], test_case.proof2_m_len[8], + test_case.proof2_m[9], test_case.proof2_m_len[9])) + { + puts ("Error during proof 3 generation"); + return 1; + } + BBS_BENCH_END ("Valid Multi-Message, Some Messages Disclosed Proof") + ASSERT_EQ_PTR ("proof 3 generation", + proof3, + test_case.proof3_proof, + test_case.proof3_proof_len); + + bn_free (scalar); + } return 0; } - diff --git a/test/bbs_fix_proof_verify.c b/test/bbs_fix_proof_verify.c index 75c10e2..8a7ea52 100644 --- a/test/bbs_fix_proof_verify.c +++ b/test/bbs_fix_proof_verify.c @@ -1,92 +1,394 @@ #include "fixtures.h" #include "test_util.h" -int bbs_fix_proof_verify() { - if (core_init() != RLC_OK) { - core_clean(); +typedef struct +{ + int (*proof_verify) ( + const bbs_public_key pk, + const uint8_t *proof, + uint64_t proof_len, + const uint8_t *header, + uint64_t header_len, + const uint8_t *presentation_header, + uint64_t presentation_header_len, + const uint64_t *disclosed_indexes, + uint64_t disclosed_indexes_len, + uint64_t num_messages, + ... + ); + uint8_t *proof_SEED; + size_t proof_SEED_len; + uint8_t *proof_DST; + size_t proof_DST_len; + uint8_t *proof_random_scalar_1; + size_t proof_random_scalar_1_len; + uint8_t *proof_random_scalar_2; + size_t proof_random_scalar_2_len; + uint8_t *proof_random_scalar_3; + size_t proof_random_scalar_3_len; + uint8_t *proof_random_scalar_4; + size_t proof_random_scalar_4_len; + uint8_t *proof_random_scalar_5; + size_t proof_random_scalar_5_len; + uint8_t *proof_random_scalar_6; + size_t proof_random_scalar_6_len; + uint8_t *proof_random_scalar_7; + size_t proof_random_scalar_7_len; + uint8_t *proof_random_scalar_8; + size_t proof_random_scalar_8_len; + uint8_t *proof_random_scalar_9; + size_t proof_random_scalar_9_len; + uint8_t *proof_random_scalar_10; + size_t proof_random_scalar_10_len; + + uint8_t *proof1_public_key; + uint8_t *proof1_signature; + size_t proof1_signature_len; + uint8_t *proof1_header; + size_t proof1_header_len; + uint8_t *proof1_presentation_header; + size_t proof1_presentation_header_len; + uint64_t *proof1_revealed_indexes; + size_t proof1_revealed_indexes_len; + uint8_t *proof1_m_1; + size_t proof1_m_1_len; + uint8_t *proof1_proof; + size_t proof1_proof_len; + + uint8_t *proof2_public_key; + uint8_t *proof2_signature; + size_t proof2_signature_len; + uint8_t *proof2_header; + size_t proof2_header_len; + uint8_t *proof2_presentation_header; + size_t proof2_presentation_header_len; + uint64_t *proof2_revealed_indexes; + size_t proof2_revealed_indexes_len; + uint8_t *proof2_m_1; + size_t proof2_m_1_len; + uint8_t *proof2_m_2; + size_t proof2_m_2_len; + uint8_t *proof2_m_3; + size_t proof2_m_3_len; + uint8_t *proof2_m_4; + size_t proof2_m_4_len; + uint8_t *proof2_m_5; + size_t proof2_m_5_len; + uint8_t *proof2_m_6; + size_t proof2_m_6_len; + uint8_t *proof2_m_7; + size_t proof2_m_7_len; + uint8_t *proof2_m_8; + size_t proof2_m_8_len; + uint8_t *proof2_m_9; + size_t proof2_m_9_len; + uint8_t *proof2_m_10; + size_t proof2_m_10_len; + uint8_t *proof2_proof; + size_t proof2_proof_len; + + uint8_t *proof3_public_key; + uint8_t *proof3_signature; + size_t proof3_signature_len; + uint8_t *proof3_header; + size_t proof3_header_len; + uint8_t *proof3_presentation_header; + size_t proof3_presentation_header_len; + uint64_t *proof3_revealed_indexes; + size_t proof3_revealed_indexes_len; + uint8_t *proof3_proof; + size_t proof3_proof_len; + uint8_t *proof3_m_1; + size_t proof3_m_1_len; + uint8_t *proof3_m_3; + size_t proof3_m_3_len; + uint8_t *proof3_m_5; + size_t proof3_m_5_len; + uint8_t *proof3_m_7; + size_t proof3_m_7_len; +} proof_fixture_t; + +int +bbs_fix_proof_verify () +{ + // *INDENT-OFF* - Preserve formatting + proof_fixture_t test_cases[] = { + { + .proof_verify = &bbs_sha256_proof_verify, + .proof_SEED = fixture_bls12_381_sha_256_proof_SEED, + .proof_SEED_len = sizeof(fixture_bls12_381_sha_256_proof_SEED), + .proof_DST = fixture_bls12_381_sha_256_proof_DST, + .proof_DST_len = sizeof(fixture_bls12_381_sha_256_proof_DST), + .proof_random_scalar_1 = fixture_bls12_381_sha_256_proof_random_scalar_1, + .proof_random_scalar_1_len = sizeof(fixture_bls12_381_sha_256_proof_random_scalar_1), + .proof_random_scalar_2 = fixture_bls12_381_sha_256_proof_random_scalar_2, + .proof_random_scalar_2_len = sizeof(fixture_bls12_381_sha_256_proof_random_scalar_2), + .proof_random_scalar_3 = fixture_bls12_381_sha_256_proof_random_scalar_3, + .proof_random_scalar_3_len = sizeof(fixture_bls12_381_sha_256_proof_random_scalar_3), + .proof_random_scalar_4 = fixture_bls12_381_sha_256_proof_random_scalar_4, + .proof_random_scalar_4_len = sizeof(fixture_bls12_381_sha_256_proof_random_scalar_4), + .proof_random_scalar_5 = fixture_bls12_381_sha_256_proof_random_scalar_5, + .proof_random_scalar_5_len = sizeof(fixture_bls12_381_sha_256_proof_random_scalar_5), + .proof_random_scalar_6 = fixture_bls12_381_sha_256_proof_random_scalar_6, + .proof_random_scalar_6_len = sizeof(fixture_bls12_381_sha_256_proof_random_scalar_6), + .proof_random_scalar_7 = fixture_bls12_381_sha_256_proof_random_scalar_7, + .proof_random_scalar_7_len = sizeof(fixture_bls12_381_sha_256_proof_random_scalar_7), + .proof_random_scalar_8 = fixture_bls12_381_sha_256_proof_random_scalar_8, + .proof_random_scalar_8_len = sizeof(fixture_bls12_381_sha_256_proof_random_scalar_8), + .proof_random_scalar_9 = fixture_bls12_381_sha_256_proof_random_scalar_9, + .proof_random_scalar_9_len = sizeof(fixture_bls12_381_sha_256_proof_random_scalar_9), + .proof_random_scalar_10 = fixture_bls12_381_sha_256_proof_random_scalar_10, + .proof_random_scalar_10_len = sizeof(fixture_bls12_381_sha_256_proof_random_scalar_10), + + .proof1_public_key = fixture_bls12_381_sha_256_proof1_public_key, + .proof1_signature = fixture_bls12_381_sha_256_proof1_signature, + .proof1_signature_len = sizeof(fixture_bls12_381_sha_256_proof1_signature), + .proof1_header = fixture_bls12_381_sha_256_proof1_header, + .proof1_header_len = sizeof(fixture_bls12_381_sha_256_proof1_header), + .proof1_presentation_header = fixture_bls12_381_sha_256_proof1_presentation_header, + .proof1_presentation_header_len = sizeof(fixture_bls12_381_sha_256_proof1_presentation_header), + .proof1_revealed_indexes = fixture_bls12_381_sha_256_proof1_revealed_indexes, + .proof1_revealed_indexes_len = LEN (fixture_bls12_381_sha_256_proof1_revealed_indexes), + .proof1_m_1 = fixture_bls12_381_sha_256_proof1_m_1, + .proof1_m_1_len = sizeof(fixture_bls12_381_sha_256_proof1_m_1), + .proof1_proof = fixture_bls12_381_sha_256_proof1_proof, + .proof1_proof_len = sizeof(fixture_bls12_381_sha_256_proof1_proof), + + .proof2_public_key = fixture_bls12_381_sha_256_proof2_public_key, + .proof2_signature = fixture_bls12_381_sha_256_proof2_signature, + .proof2_signature_len = sizeof(fixture_bls12_381_sha_256_proof2_signature), + .proof2_header = fixture_bls12_381_sha_256_proof2_header, + .proof2_header_len = sizeof(fixture_bls12_381_sha_256_proof2_header), + .proof2_presentation_header = fixture_bls12_381_sha_256_proof2_presentation_header, + .proof2_presentation_header_len = sizeof(fixture_bls12_381_sha_256_proof2_presentation_header), + .proof2_revealed_indexes = fixture_bls12_381_sha_256_proof2_revealed_indexes, + .proof2_revealed_indexes_len = LEN (fixture_bls12_381_sha_256_proof2_revealed_indexes), + .proof2_m_1 = fixture_bls12_381_sha_256_proof2_m_1, + .proof2_m_1_len = sizeof(fixture_bls12_381_sha_256_proof2_m_1), + .proof2_m_2 = fixture_bls12_381_sha_256_proof2_m_2, + .proof2_m_2_len = sizeof(fixture_bls12_381_sha_256_proof2_m_2), + .proof2_m_3 = fixture_bls12_381_sha_256_proof2_m_3, + .proof2_m_3_len = sizeof(fixture_bls12_381_sha_256_proof2_m_3), + .proof2_m_4 = fixture_bls12_381_sha_256_proof2_m_4, + .proof2_m_4_len = sizeof(fixture_bls12_381_sha_256_proof2_m_4), + .proof2_m_5 = fixture_bls12_381_sha_256_proof2_m_5, + .proof2_m_5_len = sizeof(fixture_bls12_381_sha_256_proof2_m_5), + .proof2_m_6 = fixture_bls12_381_sha_256_proof2_m_6, + .proof2_m_6_len = sizeof(fixture_bls12_381_sha_256_proof2_m_6), + .proof2_m_7 = fixture_bls12_381_sha_256_proof2_m_7, + .proof2_m_7_len = sizeof(fixture_bls12_381_sha_256_proof2_m_7), + .proof2_m_8 = fixture_bls12_381_sha_256_proof2_m_8, + .proof2_m_8_len = sizeof(fixture_bls12_381_sha_256_proof2_m_8), + .proof2_m_9 = fixture_bls12_381_sha_256_proof2_m_9, + .proof2_m_9_len = sizeof(fixture_bls12_381_sha_256_proof2_m_9), + .proof2_m_10 = fixture_bls12_381_sha_256_proof2_m_10, + .proof2_m_10_len = sizeof(fixture_bls12_381_sha_256_proof2_m_10), + .proof2_proof = fixture_bls12_381_sha_256_proof2_proof, + .proof2_proof_len = sizeof(fixture_bls12_381_sha_256_proof2_proof), + + .proof3_public_key = fixture_bls12_381_sha_256_proof3_public_key, + .proof3_signature = fixture_bls12_381_sha_256_proof3_signature, + .proof3_signature_len = sizeof(fixture_bls12_381_sha_256_proof3_signature), + .proof3_header = fixture_bls12_381_sha_256_proof3_header, + .proof3_header_len = sizeof(fixture_bls12_381_sha_256_proof3_header), + .proof3_presentation_header = fixture_bls12_381_sha_256_proof3_presentation_header, + .proof3_presentation_header_len = sizeof(fixture_bls12_381_sha_256_proof3_presentation_header), + .proof3_revealed_indexes = fixture_bls12_381_sha_256_proof3_revealed_indexes, + .proof3_revealed_indexes_len = LEN (fixture_bls12_381_sha_256_proof3_revealed_indexes), + .proof3_proof = fixture_bls12_381_sha_256_proof3_proof, + .proof3_proof_len = sizeof(fixture_bls12_381_sha_256_proof3_proof), + .proof3_m_1 = fixture_bls12_381_sha_256_proof3_m_1, + .proof3_m_1_len = sizeof(fixture_bls12_381_sha_256_proof3_m_1), + .proof3_m_3 = fixture_bls12_381_sha_256_proof3_m_3, + .proof3_m_3_len = sizeof(fixture_bls12_381_sha_256_proof3_m_3), + .proof3_m_5 = fixture_bls12_381_sha_256_proof3_m_5, + .proof3_m_5_len = sizeof(fixture_bls12_381_sha_256_proof3_m_5), + .proof3_m_7 = fixture_bls12_381_sha_256_proof3_m_7, + .proof3_m_7_len = sizeof(fixture_bls12_381_sha_256_proof3_m_7), + }, + { + .proof_verify = &bbs_shake256_proof_verify, + .proof_SEED = fixture_bls12_381_shake_256_proof_SEED, + .proof_SEED_len = sizeof(fixture_bls12_381_shake_256_proof_SEED), + .proof_DST = fixture_bls12_381_shake_256_proof_DST, + .proof_DST_len = sizeof(fixture_bls12_381_shake_256_proof_DST), + .proof_random_scalar_1 = fixture_bls12_381_shake_256_proof_random_scalar_1, + .proof_random_scalar_1_len = sizeof(fixture_bls12_381_shake_256_proof_random_scalar_1), + .proof_random_scalar_2 = fixture_bls12_381_shake_256_proof_random_scalar_2, + .proof_random_scalar_2_len = sizeof(fixture_bls12_381_shake_256_proof_random_scalar_2), + .proof_random_scalar_3 = fixture_bls12_381_shake_256_proof_random_scalar_3, + .proof_random_scalar_3_len = sizeof(fixture_bls12_381_shake_256_proof_random_scalar_3), + .proof_random_scalar_4 = fixture_bls12_381_shake_256_proof_random_scalar_4, + .proof_random_scalar_4_len = sizeof(fixture_bls12_381_shake_256_proof_random_scalar_4), + .proof_random_scalar_5 = fixture_bls12_381_shake_256_proof_random_scalar_5, + .proof_random_scalar_5_len = sizeof(fixture_bls12_381_shake_256_proof_random_scalar_5), + .proof_random_scalar_6 = fixture_bls12_381_shake_256_proof_random_scalar_6, + .proof_random_scalar_6_len = sizeof(fixture_bls12_381_shake_256_proof_random_scalar_6), + .proof_random_scalar_7 = fixture_bls12_381_shake_256_proof_random_scalar_7, + .proof_random_scalar_7_len = sizeof(fixture_bls12_381_shake_256_proof_random_scalar_7), + .proof_random_scalar_8 = fixture_bls12_381_shake_256_proof_random_scalar_8, + .proof_random_scalar_8_len = sizeof(fixture_bls12_381_shake_256_proof_random_scalar_8), + .proof_random_scalar_9 = fixture_bls12_381_shake_256_proof_random_scalar_9, + .proof_random_scalar_9_len = sizeof(fixture_bls12_381_shake_256_proof_random_scalar_9), + .proof_random_scalar_10 = fixture_bls12_381_shake_256_proof_random_scalar_10, + .proof_random_scalar_10_len = sizeof(fixture_bls12_381_shake_256_proof_random_scalar_10), + + .proof1_public_key = fixture_bls12_381_shake_256_proof1_public_key, + .proof1_signature = fixture_bls12_381_shake_256_proof1_signature, + .proof1_signature_len = sizeof(fixture_bls12_381_shake_256_proof1_signature), + .proof1_header = fixture_bls12_381_shake_256_proof1_header, + .proof1_header_len = sizeof(fixture_bls12_381_shake_256_proof1_header), + .proof1_presentation_header = fixture_bls12_381_shake_256_proof1_presentation_header, + .proof1_presentation_header_len = sizeof(fixture_bls12_381_shake_256_proof1_presentation_header), + .proof1_revealed_indexes = fixture_bls12_381_shake_256_proof1_revealed_indexes, + .proof1_revealed_indexes_len = LEN (fixture_bls12_381_shake_256_proof1_revealed_indexes), + .proof1_m_1 = fixture_bls12_381_shake_256_proof1_m_1, + .proof1_m_1_len = sizeof(fixture_bls12_381_shake_256_proof1_m_1), + .proof1_proof = fixture_bls12_381_shake_256_proof1_proof, + .proof1_proof_len = sizeof(fixture_bls12_381_shake_256_proof1_proof), + + .proof2_public_key = fixture_bls12_381_shake_256_proof2_public_key, + .proof2_signature = fixture_bls12_381_shake_256_proof2_signature, + .proof2_signature_len = sizeof(fixture_bls12_381_shake_256_proof2_signature), + .proof2_header = fixture_bls12_381_shake_256_proof2_header, + .proof2_header_len = sizeof(fixture_bls12_381_shake_256_proof2_header), + .proof2_presentation_header = fixture_bls12_381_shake_256_proof2_presentation_header, + .proof2_presentation_header_len = sizeof(fixture_bls12_381_shake_256_proof2_presentation_header), + .proof2_revealed_indexes = fixture_bls12_381_shake_256_proof2_revealed_indexes, + .proof2_revealed_indexes_len = LEN (fixture_bls12_381_shake_256_proof2_revealed_indexes), + .proof2_m_1 = fixture_bls12_381_shake_256_proof2_m_1, + .proof2_m_1_len = sizeof(fixture_bls12_381_shake_256_proof2_m_1), + .proof2_m_2 = fixture_bls12_381_shake_256_proof2_m_2, + .proof2_m_2_len = sizeof(fixture_bls12_381_shake_256_proof2_m_2), + .proof2_m_3 = fixture_bls12_381_shake_256_proof2_m_3, + .proof2_m_3_len = sizeof(fixture_bls12_381_shake_256_proof2_m_3), + .proof2_m_4 = fixture_bls12_381_shake_256_proof2_m_4, + .proof2_m_4_len = sizeof(fixture_bls12_381_shake_256_proof2_m_4), + .proof2_m_5 = fixture_bls12_381_shake_256_proof2_m_5, + .proof2_m_5_len = sizeof(fixture_bls12_381_shake_256_proof2_m_5), + .proof2_m_6 = fixture_bls12_381_shake_256_proof2_m_6, + .proof2_m_6_len = sizeof(fixture_bls12_381_shake_256_proof2_m_6), + .proof2_m_7 = fixture_bls12_381_shake_256_proof2_m_7, + .proof2_m_7_len = sizeof(fixture_bls12_381_shake_256_proof2_m_7), + .proof2_m_8 = fixture_bls12_381_shake_256_proof2_m_8, + .proof2_m_8_len = sizeof(fixture_bls12_381_shake_256_proof2_m_8), + .proof2_m_9 = fixture_bls12_381_shake_256_proof2_m_9, + .proof2_m_9_len = sizeof(fixture_bls12_381_shake_256_proof2_m_9), + .proof2_m_10 = fixture_bls12_381_shake_256_proof2_m_10, + .proof2_m_10_len = sizeof(fixture_bls12_381_shake_256_proof2_m_10), + .proof2_proof = fixture_bls12_381_shake_256_proof2_proof, + .proof2_proof_len = sizeof(fixture_bls12_381_shake_256_proof2_proof), + + .proof3_public_key = fixture_bls12_381_shake_256_proof3_public_key, + .proof3_signature = fixture_bls12_381_shake_256_proof3_signature, + .proof3_signature_len = sizeof(fixture_bls12_381_shake_256_proof3_signature), + .proof3_header = fixture_bls12_381_shake_256_proof3_header, + .proof3_header_len = sizeof(fixture_bls12_381_shake_256_proof3_header), + .proof3_presentation_header = fixture_bls12_381_shake_256_proof3_presentation_header, + .proof3_presentation_header_len = sizeof(fixture_bls12_381_shake_256_proof3_presentation_header), + .proof3_revealed_indexes = fixture_bls12_381_shake_256_proof3_revealed_indexes, + .proof3_revealed_indexes_len = LEN (fixture_bls12_381_shake_256_proof3_revealed_indexes), + .proof3_proof = fixture_bls12_381_shake_256_proof3_proof, + .proof3_proof_len = sizeof(fixture_bls12_381_shake_256_proof3_proof), + .proof3_m_1 = fixture_bls12_381_shake_256_proof3_m_1, + .proof3_m_1_len = sizeof(fixture_bls12_381_shake_256_proof3_m_1), + .proof3_m_3 = fixture_bls12_381_shake_256_proof3_m_3, + .proof3_m_3_len = sizeof(fixture_bls12_381_shake_256_proof3_m_3), + .proof3_m_5 = fixture_bls12_381_shake_256_proof3_m_5, + .proof3_m_5_len = sizeof(fixture_bls12_381_shake_256_proof3_m_5), + .proof3_m_7 = fixture_bls12_381_shake_256_proof3_m_7, + .proof3_m_7_len = sizeof(fixture_bls12_381_shake_256_proof3_m_7), + }, + }; + // *INDENT-ON* - Preserve formatting + + if (core_init () != RLC_OK) + { + core_clean (); return 1; } - if (pc_param_set_any() != RLC_OK) { - core_clean(); + if (pc_param_set_any () != RLC_OK) + { + core_clean (); return 1; } + for (int cipher_suite_index = 0; cipher_suite_index < 2; cipher_suite_index++) + { + proof_fixture_t test_case = test_cases[cipher_suite_index]; + if (BBS_OK != test_case.proof_verify (test_case.proof1_public_key, + test_case.proof1_proof, + test_case.proof1_proof_len, + test_case.proof1_header, + test_case.proof1_header_len, + test_case.proof1_presentation_header, + test_case.proof1_presentation_header_len, + test_case.proof1_revealed_indexes, + test_case.proof1_revealed_indexes_len, 1, + test_case.proof1_m_1, + test_case.proof1_m_1_len)) + { + puts ("Error during proof 1 verification"); + return 1; + } - if(BBS_OK != bbs_proof_verify( - fixture_bls12_381_sha_256_proof1_public_key, - fixture_bls12_381_sha_256_proof1_proof, - sizeof(fixture_bls12_381_sha_256_proof1_proof), - fixture_bls12_381_sha_256_proof1_header, - sizeof(fixture_bls12_381_sha_256_proof1_header), - fixture_bls12_381_sha_256_proof1_presentation_header, - sizeof(fixture_bls12_381_sha_256_proof1_presentation_header), - fixture_bls12_381_sha_256_proof1_revealed_indexes, - LEN(fixture_bls12_381_sha_256_proof1_revealed_indexes), - 1, - fixture_bls12_381_sha_256_proof1_m_1, - sizeof(fixture_bls12_381_sha_256_proof1_m_1))) { - puts("Error during proof 1 verification"); - return 1; - } + if (BBS_OK != test_case.proof_verify (test_case.proof2_public_key, + test_case.proof2_proof, + test_case.proof2_proof_len, + test_case.proof2_header, + test_case.proof2_header_len, + test_case.proof2_presentation_header, + test_case.proof2_presentation_header_len, + test_case.proof2_revealed_indexes, + test_case.proof2_revealed_indexes_len, 10, + test_case.proof2_m_1, + test_case.proof2_m_1_len, + test_case.proof2_m_2, + test_case.proof2_m_2_len, + test_case.proof2_m_3, + test_case.proof2_m_3_len, + test_case.proof2_m_4, + test_case.proof2_m_4_len, + test_case.proof2_m_5, + test_case.proof2_m_5_len, + test_case.proof2_m_6, + test_case.proof2_m_6_len, + test_case.proof2_m_7, + test_case.proof2_m_7_len, + test_case.proof2_m_8, + test_case.proof2_m_8_len, + test_case.proof2_m_9, + test_case.proof2_m_9_len, + test_case.proof2_m_10, + test_case.proof2_m_10_len)) + { + puts ("Error during proof 2 verification"); + return 1; + } - if(BBS_OK != bbs_proof_verify( - fixture_bls12_381_sha_256_proof2_public_key, - fixture_bls12_381_sha_256_proof2_proof, - sizeof(fixture_bls12_381_sha_256_proof2_proof), - fixture_bls12_381_sha_256_proof2_header, - sizeof(fixture_bls12_381_sha_256_proof2_header), - fixture_bls12_381_sha_256_proof2_presentation_header, - sizeof(fixture_bls12_381_sha_256_proof2_presentation_header), - fixture_bls12_381_sha_256_proof2_revealed_indexes, - LEN(fixture_bls12_381_sha_256_proof2_revealed_indexes), - 10, - fixture_bls12_381_sha_256_proof2_m_1, - sizeof(fixture_bls12_381_sha_256_proof2_m_1), - fixture_bls12_381_sha_256_proof2_m_2, - sizeof(fixture_bls12_381_sha_256_proof2_m_2), - fixture_bls12_381_sha_256_proof2_m_3, - sizeof(fixture_bls12_381_sha_256_proof2_m_3), - fixture_bls12_381_sha_256_proof2_m_4, - sizeof(fixture_bls12_381_sha_256_proof2_m_4), - fixture_bls12_381_sha_256_proof2_m_5, - sizeof(fixture_bls12_381_sha_256_proof2_m_5), - fixture_bls12_381_sha_256_proof2_m_6, - sizeof(fixture_bls12_381_sha_256_proof2_m_6), - fixture_bls12_381_sha_256_proof2_m_7, - sizeof(fixture_bls12_381_sha_256_proof2_m_7), - fixture_bls12_381_sha_256_proof2_m_8, - sizeof(fixture_bls12_381_sha_256_proof2_m_8), - fixture_bls12_381_sha_256_proof2_m_9, - sizeof(fixture_bls12_381_sha_256_proof2_m_9), - fixture_bls12_381_sha_256_proof2_m_10, - sizeof(fixture_bls12_381_sha_256_proof2_m_10))) { - puts("Error during proof 2 verification"); - return 1; - } + // Only some messages are being revealed here + if (BBS_OK != test_case.proof_verify (test_case.proof3_public_key, + test_case.proof3_proof, + test_case.proof3_proof_len, + test_case.proof3_header, + test_case.proof3_header_len, + test_case.proof3_presentation_header, + test_case.proof3_presentation_header_len, + test_case.proof3_revealed_indexes, + test_case.proof3_revealed_indexes_len, 10, + test_case.proof3_m_1, + test_case.proof3_m_1_len, + test_case.proof3_m_3, + test_case.proof3_m_3_len, + test_case.proof3_m_5, + test_case.proof3_m_5_len, + test_case.proof3_m_7, + test_case.proof3_m_7_len)) + { + puts ("Error during proof 3 verification"); + return 1; + } - // Only some messages are being revealed here - if(BBS_OK != bbs_proof_verify( - fixture_bls12_381_sha_256_proof3_public_key, - fixture_bls12_381_sha_256_proof3_proof, - sizeof(fixture_bls12_381_sha_256_proof3_proof), - fixture_bls12_381_sha_256_proof3_header, - sizeof(fixture_bls12_381_sha_256_proof3_header), - fixture_bls12_381_sha_256_proof3_presentation_header, - sizeof(fixture_bls12_381_sha_256_proof3_presentation_header), - fixture_bls12_381_sha_256_proof3_revealed_indexes, - LEN(fixture_bls12_381_sha_256_proof3_revealed_indexes), - 10, - fixture_bls12_381_sha_256_proof3_m_1, - sizeof(fixture_bls12_381_sha_256_proof3_m_1), - fixture_bls12_381_sha_256_proof3_m_3, - sizeof(fixture_bls12_381_sha_256_proof3_m_3), - fixture_bls12_381_sha_256_proof3_m_5, - sizeof(fixture_bls12_381_sha_256_proof3_m_5), - fixture_bls12_381_sha_256_proof3_m_7, - sizeof(fixture_bls12_381_sha_256_proof3_m_7))) { - puts("Error during proof 3 verification"); - return 1; } return 0; } - diff --git a/test/bbs_fix_sign.c b/test/bbs_fix_sign.c index 30869d3..08e6106 100644 --- a/test/bbs_fix_sign.c +++ b/test/bbs_fix_sign.c @@ -1,63 +1,202 @@ #include "fixtures.h" #include "test_util.h" -int bbs_fix_sign() { - if (core_init() != RLC_OK) { - core_clean(); - return 1; - } - if (pc_param_set_any() != RLC_OK) { - core_clean(); - return 1; - } +typedef struct +{ + bbs_cipher_suite_t cipher_suite; + int (*sign)(const uint8_t *sk, + const uint8_t *pk, + uint8_t *signature, + const uint8_t *header, + uint64_t header_len, + uint64_t num_messages, + ... + ); + uint8_t *signature1_SK; + uint8_t *signature1_PK; + uint8_t *signature1_header; + uint32_t signature1_header_len; + uint8_t *signature1_m_1; + uint32_t signature1_m_1_len; + uint8_t *signature1_signature; + uint32_t signature1_signature_len; - bbs_signature sig; - if(BBS_OK != bbs_sign( - fixture_bls12_381_sha_256_signature1_SK, - fixture_bls12_381_sha_256_signature1_PK, - sig, - fixture_bls12_381_sha_256_signature1_header, - sizeof(fixture_bls12_381_sha_256_signature1_header), - 1, - fixture_bls12_381_sha_256_signature1_m_1, - sizeof(fixture_bls12_381_sha_256_signature1_m_1))) { - puts("Error during signature 1 generation"); - return 1; - } - ASSERT_EQ("signature 1 generation", sig, fixture_bls12_381_sha_256_signature1_signature); - - if(BBS_OK != bbs_sign( - fixture_bls12_381_sha_256_signature2_SK, - fixture_bls12_381_sha_256_signature2_PK, - sig, - fixture_bls12_381_sha_256_signature2_header, - sizeof(fixture_bls12_381_sha_256_signature2_header), - 10, - fixture_bls12_381_sha_256_signature2_m_1, - sizeof(fixture_bls12_381_sha_256_signature2_m_1), - fixture_bls12_381_sha_256_signature2_m_2, - sizeof(fixture_bls12_381_sha_256_signature2_m_2), - fixture_bls12_381_sha_256_signature2_m_3, - sizeof(fixture_bls12_381_sha_256_signature2_m_3), - fixture_bls12_381_sha_256_signature2_m_4, - sizeof(fixture_bls12_381_sha_256_signature2_m_4), - fixture_bls12_381_sha_256_signature2_m_5, - sizeof(fixture_bls12_381_sha_256_signature2_m_5), - fixture_bls12_381_sha_256_signature2_m_6, - sizeof(fixture_bls12_381_sha_256_signature2_m_6), - fixture_bls12_381_sha_256_signature2_m_7, - sizeof(fixture_bls12_381_sha_256_signature2_m_7), - fixture_bls12_381_sha_256_signature2_m_8, - sizeof(fixture_bls12_381_sha_256_signature2_m_8), - fixture_bls12_381_sha_256_signature2_m_9, - sizeof(fixture_bls12_381_sha_256_signature2_m_9), - fixture_bls12_381_sha_256_signature2_m_10, - sizeof(fixture_bls12_381_sha_256_signature2_m_10))) { - puts("Error during signature 2 generation"); - return 1; - } - ASSERT_EQ("signature 2 generation", sig, fixture_bls12_381_sha_256_signature2_signature); + uint8_t *signature2_SK; + uint8_t *signature2_PK; + uint8_t *signature2_header; + uint32_t signature2_header_len; + uint8_t *signature2_m_1; + uint32_t signature2_m_1_len; + uint8_t *signature2_m_2; + uint32_t signature2_m_2_len; + uint8_t *signature2_m_3; + uint32_t signature2_m_3_len; + uint8_t *signature2_m_4; + uint32_t signature2_m_4_len; + uint8_t *signature2_m_5; + uint32_t signature2_m_5_len; + uint8_t *signature2_m_6; + uint32_t signature2_m_6_len; + uint8_t *signature2_m_7; + uint32_t signature2_m_7_len; + uint8_t *signature2_m_8; + uint32_t signature2_m_8_len; + uint8_t *signature2_m_9; + uint32_t signature2_m_9_len; + uint8_t *signature2_m_10; + uint32_t signature2_m_10_len; + uint8_t *signature2_signature; + uint32_t signature2_signature_len; +} bbs_fix_sign_fixture_t; + +int +bbs_fix_sign () +{ + // *INDENT-OFF* - Preserve formatting + bbs_fix_sign_fixture_t fixtures[] = { + { + .cipher_suite = bbs_shake256_cipher_suite, + .sign = &bbs_shake256_sign, + .signature1_SK = fixture_bls12_381_shake_256_signature1_SK, + .signature1_PK = fixture_bls12_381_shake_256_signature1_PK, + .signature1_header = fixture_bls12_381_shake_256_signature1_header, + .signature1_header_len = sizeof(fixture_bls12_381_shake_256_signature1_header), + .signature1_m_1 = fixture_bls12_381_shake_256_signature1_m_1, + .signature1_m_1_len = sizeof(fixture_bls12_381_shake_256_signature1_m_1), + .signature1_signature = fixture_bls12_381_shake_256_signature1_signature, + .signature1_signature_len = sizeof(fixture_bls12_381_shake_256_signature1_signature), + + .signature2_SK = fixture_bls12_381_shake_256_signature2_SK, + .signature2_PK = fixture_bls12_381_shake_256_signature2_PK, + .signature2_header = fixture_bls12_381_shake_256_signature2_header, + .signature2_header_len = sizeof(fixture_bls12_381_shake_256_signature2_header), + .signature2_m_1 = fixture_bls12_381_shake_256_signature2_m_1, + .signature2_m_1_len = sizeof(fixture_bls12_381_shake_256_signature2_m_1), + .signature2_m_2 = fixture_bls12_381_shake_256_signature2_m_2, + .signature2_m_2_len = sizeof(fixture_bls12_381_shake_256_signature2_m_2), + .signature2_m_3 = fixture_bls12_381_shake_256_signature2_m_3, + .signature2_m_3_len = sizeof(fixture_bls12_381_shake_256_signature2_m_3), + .signature2_m_4 = fixture_bls12_381_shake_256_signature2_m_4, + .signature2_m_4_len = sizeof(fixture_bls12_381_shake_256_signature2_m_4), + .signature2_m_5 = fixture_bls12_381_shake_256_signature2_m_5, + .signature2_m_5_len = sizeof(fixture_bls12_381_shake_256_signature2_m_5), + .signature2_m_6 = fixture_bls12_381_shake_256_signature2_m_6, + .signature2_m_6_len = sizeof(fixture_bls12_381_shake_256_signature2_m_6), + .signature2_m_7 = fixture_bls12_381_shake_256_signature2_m_7, + .signature2_m_7_len = sizeof(fixture_bls12_381_shake_256_signature2_m_7), + .signature2_m_8 = fixture_bls12_381_shake_256_signature2_m_8, + .signature2_m_8_len = sizeof(fixture_bls12_381_shake_256_signature2_m_8), + .signature2_m_9 = fixture_bls12_381_shake_256_signature2_m_9, + .signature2_m_9_len = sizeof(fixture_bls12_381_shake_256_signature2_m_9), + .signature2_m_10 = fixture_bls12_381_shake_256_signature2_m_10, + .signature2_m_10_len = sizeof(fixture_bls12_381_shake_256_signature2_m_10), + .signature2_signature = fixture_bls12_381_shake_256_signature2_signature, + .signature2_signature_len = sizeof(fixture_bls12_381_shake_256_signature2_signature), + }, + { + .cipher_suite = bbs_sha256_cipher_suite, + .sign = &bbs_sha256_sign, + .signature1_SK = fixture_bls12_381_sha_256_signature1_SK, + .signature1_PK = fixture_bls12_381_sha_256_signature1_PK, + .signature1_header = fixture_bls12_381_sha_256_signature1_header, + .signature1_header_len = sizeof(fixture_bls12_381_sha_256_signature1_header), + .signature1_m_1 = fixture_bls12_381_sha_256_signature1_m_1, + .signature1_m_1_len = sizeof(fixture_bls12_381_sha_256_signature1_m_1), + .signature1_signature = fixture_bls12_381_sha_256_signature1_signature, + .signature1_signature_len = sizeof(fixture_bls12_381_sha_256_signature1_signature), + .signature2_SK = fixture_bls12_381_sha_256_signature2_SK, + .signature2_PK = fixture_bls12_381_sha_256_signature2_PK, + .signature2_header = fixture_bls12_381_sha_256_signature2_header, + .signature2_header_len = sizeof(fixture_bls12_381_sha_256_signature2_header), + .signature2_m_1 = fixture_bls12_381_sha_256_signature2_m_1, + .signature2_m_1_len = sizeof(fixture_bls12_381_sha_256_signature2_m_1), + .signature2_m_2 = fixture_bls12_381_sha_256_signature2_m_2, + .signature2_m_2_len = sizeof(fixture_bls12_381_sha_256_signature2_m_2), + .signature2_m_3 = fixture_bls12_381_sha_256_signature2_m_3, + .signature2_m_3_len = sizeof(fixture_bls12_381_sha_256_signature2_m_3), + .signature2_m_4 = fixture_bls12_381_sha_256_signature2_m_4, + .signature2_m_4_len = sizeof(fixture_bls12_381_sha_256_signature2_m_4), + .signature2_m_5 = fixture_bls12_381_sha_256_signature2_m_5, + .signature2_m_5_len = sizeof(fixture_bls12_381_sha_256_signature2_m_5), + .signature2_m_6 = fixture_bls12_381_sha_256_signature2_m_6, + .signature2_m_6_len = sizeof(fixture_bls12_381_sha_256_signature2_m_6), + .signature2_m_7 = fixture_bls12_381_sha_256_signature2_m_7, + .signature2_m_7_len = sizeof(fixture_bls12_381_sha_256_signature2_m_7), + .signature2_m_8 = fixture_bls12_381_sha_256_signature2_m_8, + .signature2_m_8_len = sizeof(fixture_bls12_381_sha_256_signature2_m_8), + .signature2_m_9 = fixture_bls12_381_sha_256_signature2_m_9, + .signature2_m_9_len = sizeof(fixture_bls12_381_sha_256_signature2_m_9), + .signature2_m_10 = fixture_bls12_381_sha_256_signature2_m_10, + .signature2_m_10_len = sizeof(fixture_bls12_381_sha_256_signature2_m_10), + .signature2_signature = fixture_bls12_381_sha_256_signature2_signature, + .signature2_signature_len = sizeof(fixture_bls12_381_sha_256_signature2_signature), + } + }; + // *INDENT-ON* - Preserve formatting + + for (int cipher_suite_index = 0; cipher_suite_index < 2; cipher_suite_index++ ) + { + bbs_fix_sign_fixture_t test_case = fixtures[cipher_suite_index]; + printf("Testing cipher suite %s\n", test_case.cipher_suite.cipher_suite_id); + if (core_init () != RLC_OK) + { + core_clean (); + return 1; + } + if (pc_param_set_any () != RLC_OK) + { + core_clean (); + return 1; + } + + bbs_signature sig; + if (BBS_OK != test_case.sign (test_case.signature1_SK, test_case.signature1_PK, sig, + test_case.signature1_header, + test_case.signature1_header_len, 1, // num_messages + test_case.signature1_m_1, + test_case.signature1_m_1_len)) + { + puts ("Error during signature 1 generation"); + return 1; + } + ASSERT_EQ_PTR ("signature 1 generation", + sig, + test_case.signature1_signature, + test_case.signature1_signature_len); + + if (BBS_OK != test_case.sign (test_case.signature2_SK, test_case.signature2_PK, sig, + test_case.signature2_header, + test_case.signature2_header_len, 10, + // num_messages + test_case.signature2_m_1, + test_case.signature2_m_1_len, + test_case.signature2_m_2, + test_case.signature2_m_2_len, + test_case.signature2_m_3, + test_case.signature2_m_3_len, + test_case.signature2_m_4, + test_case.signature2_m_4_len, + test_case.signature2_m_5, + test_case.signature2_m_5_len, + test_case.signature2_m_6, + test_case.signature2_m_6_len, + test_case.signature2_m_7, + test_case.signature2_m_7_len, + test_case.signature2_m_8, + test_case.signature2_m_8_len, + test_case.signature2_m_9, + test_case.signature2_m_9_len, + test_case.signature2_m_10, + test_case.signature2_m_10_len)) + { + puts ("Error during signature 2 generation"); + return 1; + } + ASSERT_EQ_PTR ("signature 2 generation", + sig, + test_case.signature2_signature, + test_case.signature2_signature_len); + } return 0; } - diff --git a/test/bbs_fix_verify.c b/test/bbs_fix_verify.c index a4625b9..070c9e9 100644 --- a/test/bbs_fix_verify.c +++ b/test/bbs_fix_verify.c @@ -1,58 +1,195 @@ #include "fixtures.h" #include "test_util.h" -int bbs_fix_verify() { - if (core_init() != RLC_OK) { - core_clean(); - return 1; - } - if (pc_param_set_any() != RLC_OK) { - core_clean(); - return 1; - } - if(BBS_OK != bbs_verify( - fixture_bls12_381_sha_256_signature1_PK, - fixture_bls12_381_sha_256_signature1_signature, - fixture_bls12_381_sha_256_signature1_header, - sizeof(fixture_bls12_381_sha_256_signature1_header), - 1, - fixture_bls12_381_sha_256_signature1_m_1, - sizeof(fixture_bls12_381_sha_256_signature1_m_1))) { - puts("Error during signature 1 verification"); - return 1; - } +typedef struct +{ + bbs_cipher_suite_t cipher_suite; + int (*verify)(const uint8_t *pk, + const uint8_t *signature, + const uint8_t *header, + uint64_t header_len, + uint64_t num_messages, + ... + ); + uint8_t *signature1_SK; + uint8_t *signature1_PK; + uint8_t *signature1_header; + uint32_t signature1_header_len; + uint8_t *signature1_m_1; + uint32_t signature1_m_1_len; + uint8_t *signature1_signature; + uint32_t signature1_signature_len; - if(BBS_OK != bbs_verify( - fixture_bls12_381_sha_256_signature2_PK, - fixture_bls12_381_sha_256_signature2_signature, - fixture_bls12_381_sha_256_signature2_header, - sizeof(fixture_bls12_381_sha_256_signature2_header), - 10, - fixture_bls12_381_sha_256_signature2_m_1, - sizeof(fixture_bls12_381_sha_256_signature2_m_1), - fixture_bls12_381_sha_256_signature2_m_2, - sizeof(fixture_bls12_381_sha_256_signature2_m_2), - fixture_bls12_381_sha_256_signature2_m_3, - sizeof(fixture_bls12_381_sha_256_signature2_m_3), - fixture_bls12_381_sha_256_signature2_m_4, - sizeof(fixture_bls12_381_sha_256_signature2_m_4), - fixture_bls12_381_sha_256_signature2_m_5, - sizeof(fixture_bls12_381_sha_256_signature2_m_5), - fixture_bls12_381_sha_256_signature2_m_6, - sizeof(fixture_bls12_381_sha_256_signature2_m_6), - fixture_bls12_381_sha_256_signature2_m_7, - sizeof(fixture_bls12_381_sha_256_signature2_m_7), - fixture_bls12_381_sha_256_signature2_m_8, - sizeof(fixture_bls12_381_sha_256_signature2_m_8), - fixture_bls12_381_sha_256_signature2_m_9, - sizeof(fixture_bls12_381_sha_256_signature2_m_9), - fixture_bls12_381_sha_256_signature2_m_10, - sizeof(fixture_bls12_381_sha_256_signature2_m_10))) { - puts("Error during signature 2 verification"); - return 1; - } + uint8_t *signature2_SK; + uint8_t *signature2_PK; + uint8_t *signature2_header; + uint32_t signature2_header_len; + uint8_t *signature2_m_1; + uint32_t signature2_m_1_len; + uint8_t *signature2_m_2; + uint32_t signature2_m_2_len; + uint8_t *signature2_m_3; + uint32_t signature2_m_3_len; + uint8_t *signature2_m_4; + uint32_t signature2_m_4_len; + uint8_t *signature2_m_5; + uint32_t signature2_m_5_len; + uint8_t *signature2_m_6; + uint32_t signature2_m_6_len; + uint8_t *signature2_m_7; + uint32_t signature2_m_7_len; + uint8_t *signature2_m_8; + uint32_t signature2_m_8_len; + uint8_t *signature2_m_9; + uint32_t signature2_m_9_len; + uint8_t *signature2_m_10; + uint32_t signature2_m_10_len; + uint8_t *signature2_signature; + uint32_t signature2_signature_len; +} bbs_fix_verify_fixture_t; + + +int +bbs_fix_verify () +{ + // *INDENT-OFF* - Preserve formatting + bbs_fix_verify_fixture_t test_cases[] = { + { + .cipher_suite = bbs_sha256_cipher_suite, + .verify = bbs_sha256_verify, + .signature1_SK = fixture_bls12_381_sha_256_signature1_SK, + .signature1_PK = fixture_bls12_381_sha_256_signature1_PK, + .signature1_header = fixture_bls12_381_sha_256_signature1_header, + .signature1_header_len = sizeof(fixture_bls12_381_sha_256_signature1_header), + .signature1_m_1 = fixture_bls12_381_sha_256_signature1_m_1, + .signature1_m_1_len = sizeof(fixture_bls12_381_sha_256_signature1_m_1), + .signature1_signature = fixture_bls12_381_sha_256_signature1_signature, + .signature1_signature_len = sizeof(fixture_bls12_381_sha_256_signature1_signature), + .signature2_SK = fixture_bls12_381_sha_256_signature2_SK, + .signature2_PK = fixture_bls12_381_sha_256_signature2_PK, + .signature2_header = fixture_bls12_381_sha_256_signature2_header, + .signature2_header_len = sizeof(fixture_bls12_381_sha_256_signature2_header), + .signature2_m_1 = fixture_bls12_381_sha_256_signature2_m_1, + .signature2_m_1_len = sizeof(fixture_bls12_381_sha_256_signature2_m_1), + .signature2_m_2 = fixture_bls12_381_sha_256_signature2_m_2, + .signature2_m_2_len = sizeof(fixture_bls12_381_sha_256_signature2_m_2), + .signature2_m_3 = fixture_bls12_381_sha_256_signature2_m_3, + .signature2_m_3_len = sizeof(fixture_bls12_381_sha_256_signature2_m_3), + .signature2_m_4 = fixture_bls12_381_sha_256_signature2_m_4, + .signature2_m_4_len = sizeof(fixture_bls12_381_sha_256_signature2_m_4), + .signature2_m_5 = fixture_bls12_381_sha_256_signature2_m_5, + .signature2_m_5_len = sizeof(fixture_bls12_381_sha_256_signature2_m_5), + .signature2_m_6 = fixture_bls12_381_sha_256_signature2_m_6, + .signature2_m_6_len = sizeof(fixture_bls12_381_sha_256_signature2_m_6), + .signature2_m_7 = fixture_bls12_381_sha_256_signature2_m_7, + .signature2_m_7_len = sizeof(fixture_bls12_381_sha_256_signature2_m_7), + .signature2_m_8 = fixture_bls12_381_sha_256_signature2_m_8, + .signature2_m_8_len = sizeof(fixture_bls12_381_sha_256_signature2_m_8), + .signature2_m_9 = fixture_bls12_381_sha_256_signature2_m_9, + .signature2_m_9_len = sizeof(fixture_bls12_381_sha_256_signature2_m_9), + .signature2_m_10 = fixture_bls12_381_sha_256_signature2_m_10, + .signature2_m_10_len = sizeof(fixture_bls12_381_sha_256_signature2_m_10), + .signature2_signature = fixture_bls12_381_sha_256_signature2_signature, + .signature2_signature_len = sizeof(fixture_bls12_381_sha_256_signature2_signature), + }, + { + .cipher_suite = bbs_shake256_cipher_suite, + .verify = bbs_shake256_verify, + .signature1_SK = fixture_bls12_381_shake_256_signature1_SK, + .signature1_PK = fixture_bls12_381_shake_256_signature1_PK, + .signature1_header = fixture_bls12_381_shake_256_signature1_header, + .signature1_header_len = sizeof(fixture_bls12_381_shake_256_signature1_header), + .signature1_m_1 = fixture_bls12_381_shake_256_signature1_m_1, + .signature1_m_1_len = sizeof(fixture_bls12_381_shake_256_signature1_m_1), + .signature1_signature = fixture_bls12_381_shake_256_signature1_signature, + .signature1_signature_len = sizeof(fixture_bls12_381_shake_256_signature1_signature), + + .signature2_SK = fixture_bls12_381_shake_256_signature2_SK, + .signature2_PK = fixture_bls12_381_shake_256_signature2_PK, + .signature2_header = fixture_bls12_381_shake_256_signature2_header, + .signature2_header_len = sizeof(fixture_bls12_381_shake_256_signature2_header), + .signature2_m_1 = fixture_bls12_381_shake_256_signature2_m_1, + .signature2_m_1_len = sizeof(fixture_bls12_381_shake_256_signature2_m_1), + .signature2_m_2 = fixture_bls12_381_shake_256_signature2_m_2, + .signature2_m_2_len = sizeof(fixture_bls12_381_shake_256_signature2_m_2), + .signature2_m_3 = fixture_bls12_381_shake_256_signature2_m_3, + .signature2_m_3_len = sizeof(fixture_bls12_381_shake_256_signature2_m_3), + .signature2_m_4 = fixture_bls12_381_shake_256_signature2_m_4, + .signature2_m_4_len = sizeof(fixture_bls12_381_shake_256_signature2_m_4), + .signature2_m_5 = fixture_bls12_381_shake_256_signature2_m_5, + .signature2_m_5_len = sizeof(fixture_bls12_381_shake_256_signature2_m_5), + .signature2_m_6 = fixture_bls12_381_shake_256_signature2_m_6, + .signature2_m_6_len = sizeof(fixture_bls12_381_shake_256_signature2_m_6), + .signature2_m_7 = fixture_bls12_381_shake_256_signature2_m_7, + .signature2_m_7_len = sizeof(fixture_bls12_381_shake_256_signature2_m_7), + .signature2_m_8 = fixture_bls12_381_shake_256_signature2_m_8, + .signature2_m_8_len = sizeof(fixture_bls12_381_shake_256_signature2_m_8), + .signature2_m_9 = fixture_bls12_381_shake_256_signature2_m_9, + .signature2_m_9_len = sizeof(fixture_bls12_381_shake_256_signature2_m_9), + .signature2_m_10 = fixture_bls12_381_shake_256_signature2_m_10, + .signature2_m_10_len = sizeof(fixture_bls12_381_shake_256_signature2_m_10), + .signature2_signature = fixture_bls12_381_shake_256_signature2_signature, + .signature2_signature_len = sizeof(fixture_bls12_381_shake_256_signature2_signature), + } + }; + // *INDENT-ON* - Continue formatting + + for (int cipher_suite_index = 0; cipher_suite_index < 2; cipher_suite_index++) + { + bbs_fix_verify_fixture_t test_case = test_cases[cipher_suite_index]; + printf("Testing cipher suite %s\n", test_case.cipher_suite.cipher_suite_id); + if (core_init () != RLC_OK) + { + core_clean (); + return 1; + } + if (pc_param_set_any () != RLC_OK) + { + core_clean (); + return 1; + } + + if (BBS_OK != test_case.verify (test_case.signature1_PK, + test_case.signature1_signature, + test_case.signature1_header, + test_case.signature1_header_len, 1, + test_case.signature1_m_1, + test_case.signature1_m_1_len)) + { + puts ("Error during signature 1 verification"); + return 1; + } + + if (BBS_OK != test_case.verify (test_case.signature2_PK, + test_case.signature2_signature, + test_case.signature2_header, + test_case.signature2_header_len, 10, + test_case.signature2_m_1, + test_case.signature2_m_1_len, + test_case.signature2_m_2, + test_case.signature2_m_2_len, + test_case.signature2_m_3, + test_case.signature2_m_3_len, + test_case.signature2_m_4, + test_case.signature2_m_4_len, + test_case.signature2_m_5, + test_case.signature2_m_5_len, + test_case.signature2_m_6, + test_case.signature2_m_6_len, + test_case.signature2_m_7, + test_case.signature2_m_7_len, + test_case.signature2_m_8, + test_case.signature2_m_8_len, + test_case.signature2_m_9, + test_case.signature2_m_9_len, + test_case.signature2_m_10, + test_case.signature2_m_10_len)) + { + puts ("Error during signature 2 verification"); + return 1; + } + } return 0; } - diff --git a/test/fixture_data/bls12-381-shake-256/expandMessage.json b/test/fixture_data/bls12-381-shake-256/expandMessage.json new file mode 100644 index 0000000..91cc164 --- /dev/null +++ b/test/fixture_data/bls12-381-shake-256/expandMessage.json @@ -0,0 +1,76 @@ +{ + "name": "expand_message_xof", + "DST": "QUUX-V01-CS02-with-expander-SHAKE256", + "vectors": [ + { + "msg": "", + "len_in_bytes": "0x20", + "DST_prime": "515555582d5630312d435330322d776974682d657870616e6465722d5348414b4532353624", + "msg_prime": "0020515555582d5630312d435330322d776974682d657870616e6465722d5348414b4532353624", + "uniform_bytes": "2ffc05c48ed32b95d72e807f6eab9f7530dd1c2f013914c8fed38c5ccc15ad76" + }, + { + "msg": "abc", + "len_in_bytes": "0x20", + "DST_prime": "515555582d5630312d435330322d776974682d657870616e6465722d5348414b4532353624", + "msg_prime": "6162630020515555582d5630312d435330322d776974682d657870616e6465722d5348414b4532353624", + "uniform_bytes": "b39e493867e2767216792abce1f2676c197c0692aed061560ead251821808e07" + }, + { + "msg": "abcdef0123456789", + "len_in_bytes": "0x20", + "DST_prime": "515555582d5630312d435330322d776974682d657870616e6465722d5348414b4532353624", + "msg_prime": "616263646566303132333435363738390020515555582d5630312d435330322d776974682d657870616e6465722d5348414b4532353624", + "uniform_bytes": "245389cf44a13f0e70af8665fe5337ec2dcd138890bb7901c4ad9cfceb054b65" + }, + { + "msg": "q128_qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq", + "len_in_bytes": "0x20", + "DST_prime": "515555582d5630312d435330322d776974682d657870616e6465722d5348414b4532353624", + "msg_prime": "713132385f71717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171710020515555582d5630312d435330322d776974682d657870616e6465722d5348414b4532353624", + "uniform_bytes": "719b3911821e6428a5ed9b8e600f2866bcf23c8f0515e52d6c6c019a03f16f0e" + }, + { + "msg": "a512_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", + "len_in_bytes": "0x20", + "DST_prime": "515555582d5630312d435330322d776974682d657870616e6465722d5348414b4532353624", + "msg_prime": "613531325f61616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161610020515555582d5630312d435330322d776974682d657870616e6465722d5348414b4532353624", + "uniform_bytes": "9181ead5220b1963f1b5951f35547a5ea86a820562287d6ca4723633d17ccbbc" + }, + { + "msg": "", + "len_in_bytes": "0x80", + "DST_prime": "515555582d5630312d435330322d776974682d657870616e6465722d5348414b4532353624", + "msg_prime": "0080515555582d5630312d435330322d776974682d657870616e6465722d5348414b4532353624", + "uniform_bytes": "7a1361d2d7d82d79e035b8880c5a3c86c5afa719478c007d96e6c88737a3f631dd74a2c88df79a4cb5e5d9f7504957c70d669ec6bfedc31e01e2bacc4ff3fdf9b6a00b17cc18d9d72ace7d6b81c2e481b4f73f34f9a7505dccbe8f5485f3d20c5409b0310093d5d6492dea4e18aa6979c23c8ea5de01582e9689612afbb353df" + }, + { + "msg": "abc", + "len_in_bytes": "0x80", + "DST_prime": "515555582d5630312d435330322d776974682d657870616e6465722d5348414b4532353624", + "msg_prime": "6162630080515555582d5630312d435330322d776974682d657870616e6465722d5348414b4532353624", + "uniform_bytes": "a54303e6b172909783353ab05ef08dd435a558c3197db0c132134649708e0b9b4e34fb99b92a9e9e28fc1f1d8860d85897a8e021e6382f3eea10577f968ff6df6c45fe624ce65ca25932f679a42a404bc3681efe03fcd45ef73bb3a8f79ba784f80f55ea8a3c367408f30381299617f50c8cf8fbb21d0f1e1d70b0131a7b6fbe" + }, + { + "msg": "abcdef0123456789", + "len_in_bytes": "0x80", + "DST_prime": "515555582d5630312d435330322d776974682d657870616e6465722d5348414b4532353624", + "msg_prime": "616263646566303132333435363738390080515555582d5630312d435330322d776974682d657870616e6465722d5348414b4532353624", + "uniform_bytes": "e42e4d9538a189316e3154b821c1bafb390f78b2f010ea404e6ac063deb8c0852fcd412e098e231e43427bd2be1330bb47b4039ad57b30ae1fc94e34993b162ff4d695e42d59d9777ea18d3848d9d336c25d2acb93adcad009bcfb9cde12286df267ada283063de0bb1505565b2eb6c90e31c48798ecdc71a71756a9110ff373" + }, + { + "msg": "q128_qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq", + "len_in_bytes": "0x80", + "DST_prime": "515555582d5630312d435330322d776974682d657870616e6465722d5348414b4532353624", + "msg_prime": "713132385f71717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171710080515555582d5630312d435330322d776974682d657870616e6465722d5348414b4532353624", + "uniform_bytes": "4ac054dda0a38a65d0ecf7afd3c2812300027c8789655e47aecf1ecc1a2426b17444c7482c99e5907afd9c25b991990490bb9c686f43e79b4471a23a703d4b02f23c669737a886a7ec28bddb92c3a98de63ebf878aa363a501a60055c048bea11840c4717beae7eee28c3cfa42857b3d130188571943a7bd747de831bd6444e0" + }, + { + "msg": "a512_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", + "len_in_bytes": "0x80", + "DST_prime": "515555582d5630312d435330322d776974682d657870616e6465722d5348414b4532353624", + "msg_prime": "613531325f61616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161610080515555582d5630312d435330322d776974682d657870616e6465722d5348414b4532353624", + "uniform_bytes": "09afc76d51c2cccbc129c2315df66c2be7295a231203b8ab2dd7f95c2772c68e500bc72e20c602abc9964663b7a03a389be128c56971ce81001a0b875e7fd17822db9d69792ddf6a23a151bf470079c518279aef3e75611f8f828994a9988f4a8a256ddb8bae161e658d5a2a09bcfe839c6396dc06ee5c8ff3c22d3b1f9deb7e" + } + ] +} diff --git a/test/fixtures.c b/test/fixtures.c index 4abd68c..68703f4 100644 --- a/test/fixtures.c +++ b/test/fixtures.c @@ -933,3 +933,227 @@ uint8_t fixture_bls12_381_sha_256_h2s_dst[] = uint8_t fixture_bls12_381_sha_256_h2s_scalar[] = {0x0f,0x90,0xcb,0xee,0x27,0xbe,0xb2,0x14,0xe6,0x54,0x5b,0xec,0xb8,0x40,0x46,0x40, 0xd3,0x61,0x2d,0xa5,0xd6,0x75,0x8d,0xff,0xec,0xcd,0x77,0xed,0x71,0x69,0x80,0x7c}; + +// +// RFC 9380 K.6 expand_message_xof SHAKE256 Test Vectors +// + +// Expand Message Test Vectors +uint8_t rfc_9380_k6_expand_message_xof_dst[] = { 81, 85, 85, 88, 45, 86, 48, 49, 45, 67, 83, 48, 50, 45, 119, 105, 116, 104, 45, 101, 120, 112, 97, 110, 100, 101, 114, 45, 83, 72, 65, 75, 69, 50, 53, 54 }; +size_t rfc_9380_k6_expand_message_xof_dst_len = 36; +uint8_t rfc_9380_k6_expand_message_xof_msg_1[] = { }; +size_t rfc_9380_k6_expand_message_xof_msg_1_len = 0; +size_t rfc_9380_k6_expand_message_xof_out_len_1 = 0x20; +uint8_t fixture_rfc_9380_k6_expand_message_xof_dst_prime_1[] = + {0x51,0x55,0x55,0x58,0x2d,0x56,0x30,0x31,0x2d,0x43,0x53,0x30,0x32,0x2d,0x77,0x69, + 0x74,0x68,0x2d,0x65,0x78,0x70,0x61,0x6e,0x64,0x65,0x72,0x2d,0x53,0x48,0x41,0x4b, + 0x45,0x32,0x35,0x36,0x24}; +uint8_t fixture_rfc_9380_k6_expand_message_xof_msg_prime_1[] = + {0x00,0x20,0x51,0x55,0x55,0x58,0x2d,0x56,0x30,0x31,0x2d,0x43,0x53,0x30,0x32,0x2d, + 0x77,0x69,0x74,0x68,0x2d,0x65,0x78,0x70,0x61,0x6e,0x64,0x65,0x72,0x2d,0x53,0x48, + 0x41,0x4b,0x45,0x32,0x35,0x36,0x24}; +uint8_t fixture_rfc_9380_k6_expand_message_xof_output_1[] = + {0x2f,0xfc,0x05,0xc4,0x8e,0xd3,0x2b,0x95,0xd7,0x2e,0x80,0x7f,0x6e,0xab,0x9f,0x75, + 0x30,0xdd,0x1c,0x2f,0x01,0x39,0x14,0xc8,0xfe,0xd3,0x8c,0x5c,0xcc,0x15,0xad,0x76}; +uint8_t rfc_9380_k6_expand_message_xof_msg_2[] = { 97, 98, 99 }; +size_t rfc_9380_k6_expand_message_xof_msg_2_len = 3; +size_t rfc_9380_k6_expand_message_xof_out_len_2 = 0x20; +uint8_t fixture_rfc_9380_k6_expand_message_xof_msg_prime_2[] = + {0x61,0x62,0x63,0x00,0x20,0x51,0x55,0x55,0x58,0x2d,0x56,0x30,0x31,0x2d,0x43,0x53, + 0x30,0x32,0x2d,0x77,0x69,0x74,0x68,0x2d,0x65,0x78,0x70,0x61,0x6e,0x64,0x65,0x72, + 0x2d,0x53,0x48,0x41,0x4b,0x45,0x32,0x35,0x36,0x24}; +uint8_t fixture_rfc_9380_k6_expand_message_xof_output_2[] = + {0xb3,0x9e,0x49,0x38,0x67,0xe2,0x76,0x72,0x16,0x79,0x2a,0xbc,0xe1,0xf2,0x67,0x6c, + 0x19,0x7c,0x06,0x92,0xae,0xd0,0x61,0x56,0x0e,0xad,0x25,0x18,0x21,0x80,0x8e,0x07}; +uint8_t rfc_9380_k6_expand_message_xof_msg_3[] = { 97, 98, 99, 100, 101, 102, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57 }; +size_t rfc_9380_k6_expand_message_xof_msg_3_len = 16; +size_t rfc_9380_k6_expand_message_xof_out_len_3 = 0x20; +uint8_t fixture_rfc_9380_k6_expand_message_xof_msg_prime_3[] = + {0x61,0x62,0x63,0x64,0x65,0x66,0x30,0x31,0x32,0x33,0x34,0x35,0x36,0x37,0x38,0x39, + 0x00,0x20,0x51,0x55,0x55,0x58,0x2d,0x56,0x30,0x31,0x2d,0x43,0x53,0x30,0x32,0x2d, + 0x77,0x69,0x74,0x68,0x2d,0x65,0x78,0x70,0x61,0x6e,0x64,0x65,0x72,0x2d,0x53,0x48, + 0x41,0x4b,0x45,0x32,0x35,0x36,0x24}; +uint8_t fixture_rfc_9380_k6_expand_message_xof_output_3[] = + {0x24,0x53,0x89,0xcf,0x44,0xa1,0x3f,0x0e,0x70,0xaf,0x86,0x65,0xfe,0x53,0x37,0xec, + 0x2d,0xcd,0x13,0x88,0x90,0xbb,0x79,0x01,0xc4,0xad,0x9c,0xfc,0xeb,0x05,0x4b,0x65}; +uint8_t rfc_9380_k6_expand_message_xof_msg_4[] = { 113, 49, 50, 56, 95, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113 }; +size_t rfc_9380_k6_expand_message_xof_msg_4_len = 133; +size_t rfc_9380_k6_expand_message_xof_out_len_4 = 0x20; +uint8_t fixture_rfc_9380_k6_expand_message_xof_msg_prime_4[] = + {0x71,0x31,0x32,0x38,0x5f,0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71, + 0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71, + 0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71, + 0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71, + 0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71, + 0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71, + 0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71, + 0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71, + 0x71,0x71,0x71,0x71,0x71,0x00,0x20,0x51,0x55,0x55,0x58,0x2d,0x56,0x30,0x31,0x2d, + 0x43,0x53,0x30,0x32,0x2d,0x77,0x69,0x74,0x68,0x2d,0x65,0x78,0x70,0x61,0x6e,0x64, + 0x65,0x72,0x2d,0x53,0x48,0x41,0x4b,0x45,0x32,0x35,0x36,0x24}; +uint8_t fixture_rfc_9380_k6_expand_message_xof_output_4[] = + {0x71,0x9b,0x39,0x11,0x82,0x1e,0x64,0x28,0xa5,0xed,0x9b,0x8e,0x60,0x0f,0x28,0x66, + 0xbc,0xf2,0x3c,0x8f,0x05,0x15,0xe5,0x2d,0x6c,0x6c,0x01,0x9a,0x03,0xf1,0x6f,0x0e}; +uint8_t rfc_9380_k6_expand_message_xof_msg_5[] = { 97, 53, 49, 50, 95, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97 }; +size_t rfc_9380_k6_expand_message_xof_msg_5_len = 517; +size_t rfc_9380_k6_expand_message_xof_out_len_5 = 0x20; +uint8_t fixture_rfc_9380_k6_expand_message_xof_msg_prime_5[] = + {0x61,0x35,0x31,0x32,0x5f,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61, + 0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61, + 0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61, + 0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61, + 0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61, + 0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61, + 0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61, + 0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61, + 0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61, + 0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61, + 0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61, + 0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61, + 0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61, + 0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61, + 0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61, + 0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61, + 0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61, + 0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61, + 0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61, + 0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61, + 0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61, + 0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61, + 0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61, + 0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61, + 0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61, + 0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61, + 0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61, + 0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61, + 0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61, + 0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61, + 0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61, + 0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61, + 0x61,0x61,0x61,0x61,0x61,0x00,0x20,0x51,0x55,0x55,0x58,0x2d,0x56,0x30,0x31,0x2d, + 0x43,0x53,0x30,0x32,0x2d,0x77,0x69,0x74,0x68,0x2d,0x65,0x78,0x70,0x61,0x6e,0x64, + 0x65,0x72,0x2d,0x53,0x48,0x41,0x4b,0x45,0x32,0x35,0x36,0x24}; +uint8_t fixture_rfc_9380_k6_expand_message_xof_output_5[] = + {0x91,0x81,0xea,0xd5,0x22,0x0b,0x19,0x63,0xf1,0xb5,0x95,0x1f,0x35,0x54,0x7a,0x5e, + 0xa8,0x6a,0x82,0x05,0x62,0x28,0x7d,0x6c,0xa4,0x72,0x36,0x33,0xd1,0x7c,0xcb,0xbc}; +uint8_t rfc_9380_k6_expand_message_xof_msg_6[] = { }; +size_t rfc_9380_k6_expand_message_xof_msg_6_len = 0; +size_t rfc_9380_k6_expand_message_xof_out_len_6 = 0x80; +uint8_t fixture_rfc_9380_k6_expand_message_xof_msg_prime_6[] = + {0x00,0x80,0x51,0x55,0x55,0x58,0x2d,0x56,0x30,0x31,0x2d,0x43,0x53,0x30,0x32,0x2d, + 0x77,0x69,0x74,0x68,0x2d,0x65,0x78,0x70,0x61,0x6e,0x64,0x65,0x72,0x2d,0x53,0x48, + 0x41,0x4b,0x45,0x32,0x35,0x36,0x24}; +uint8_t fixture_rfc_9380_k6_expand_message_xof_output_6[] = + {0x7a,0x13,0x61,0xd2,0xd7,0xd8,0x2d,0x79,0xe0,0x35,0xb8,0x88,0x0c,0x5a,0x3c,0x86, + 0xc5,0xaf,0xa7,0x19,0x47,0x8c,0x00,0x7d,0x96,0xe6,0xc8,0x87,0x37,0xa3,0xf6,0x31, + 0xdd,0x74,0xa2,0xc8,0x8d,0xf7,0x9a,0x4c,0xb5,0xe5,0xd9,0xf7,0x50,0x49,0x57,0xc7, + 0x0d,0x66,0x9e,0xc6,0xbf,0xed,0xc3,0x1e,0x01,0xe2,0xba,0xcc,0x4f,0xf3,0xfd,0xf9, + 0xb6,0xa0,0x0b,0x17,0xcc,0x18,0xd9,0xd7,0x2a,0xce,0x7d,0x6b,0x81,0xc2,0xe4,0x81, + 0xb4,0xf7,0x3f,0x34,0xf9,0xa7,0x50,0x5d,0xcc,0xbe,0x8f,0x54,0x85,0xf3,0xd2,0x0c, + 0x54,0x09,0xb0,0x31,0x00,0x93,0xd5,0xd6,0x49,0x2d,0xea,0x4e,0x18,0xaa,0x69,0x79, + 0xc2,0x3c,0x8e,0xa5,0xde,0x01,0x58,0x2e,0x96,0x89,0x61,0x2a,0xfb,0xb3,0x53,0xdf}; +uint8_t rfc_9380_k6_expand_message_xof_msg_7[] = { 97, 98, 99 }; +size_t rfc_9380_k6_expand_message_xof_msg_7_len = 3; +size_t rfc_9380_k6_expand_message_xof_out_len_7 = 0x80; +uint8_t fixture_rfc_9380_k6_expand_message_xof_msg_prime_7[] = + {0x61,0x62,0x63,0x00,0x80,0x51,0x55,0x55,0x58,0x2d,0x56,0x30,0x31,0x2d,0x43,0x53, + 0x30,0x32,0x2d,0x77,0x69,0x74,0x68,0x2d,0x65,0x78,0x70,0x61,0x6e,0x64,0x65,0x72, + 0x2d,0x53,0x48,0x41,0x4b,0x45,0x32,0x35,0x36,0x24}; +uint8_t fixture_rfc_9380_k6_expand_message_xof_output_7[] = + {0xa5,0x43,0x03,0xe6,0xb1,0x72,0x90,0x97,0x83,0x35,0x3a,0xb0,0x5e,0xf0,0x8d,0xd4, + 0x35,0xa5,0x58,0xc3,0x19,0x7d,0xb0,0xc1,0x32,0x13,0x46,0x49,0x70,0x8e,0x0b,0x9b, + 0x4e,0x34,0xfb,0x99,0xb9,0x2a,0x9e,0x9e,0x28,0xfc,0x1f,0x1d,0x88,0x60,0xd8,0x58, + 0x97,0xa8,0xe0,0x21,0xe6,0x38,0x2f,0x3e,0xea,0x10,0x57,0x7f,0x96,0x8f,0xf6,0xdf, + 0x6c,0x45,0xfe,0x62,0x4c,0xe6,0x5c,0xa2,0x59,0x32,0xf6,0x79,0xa4,0x2a,0x40,0x4b, + 0xc3,0x68,0x1e,0xfe,0x03,0xfc,0xd4,0x5e,0xf7,0x3b,0xb3,0xa8,0xf7,0x9b,0xa7,0x84, + 0xf8,0x0f,0x55,0xea,0x8a,0x3c,0x36,0x74,0x08,0xf3,0x03,0x81,0x29,0x96,0x17,0xf5, + 0x0c,0x8c,0xf8,0xfb,0xb2,0x1d,0x0f,0x1e,0x1d,0x70,0xb0,0x13,0x1a,0x7b,0x6f,0xbe}; +uint8_t rfc_9380_k6_expand_message_xof_msg_8[] = { 97, 98, 99, 100, 101, 102, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57 }; +size_t rfc_9380_k6_expand_message_xof_msg_8_len = 16; +size_t rfc_9380_k6_expand_message_xof_out_len_8 = 0x80; +uint8_t fixture_rfc_9380_k6_expand_message_xof_msg_prime_8[] = + {0x61,0x62,0x63,0x64,0x65,0x66,0x30,0x31,0x32,0x33,0x34,0x35,0x36,0x37,0x38,0x39, + 0x00,0x80,0x51,0x55,0x55,0x58,0x2d,0x56,0x30,0x31,0x2d,0x43,0x53,0x30,0x32,0x2d, + 0x77,0x69,0x74,0x68,0x2d,0x65,0x78,0x70,0x61,0x6e,0x64,0x65,0x72,0x2d,0x53,0x48, + 0x41,0x4b,0x45,0x32,0x35,0x36,0x24}; +uint8_t fixture_rfc_9380_k6_expand_message_xof_output_8[] = + {0xe4,0x2e,0x4d,0x95,0x38,0xa1,0x89,0x31,0x6e,0x31,0x54,0xb8,0x21,0xc1,0xba,0xfb, + 0x39,0x0f,0x78,0xb2,0xf0,0x10,0xea,0x40,0x4e,0x6a,0xc0,0x63,0xde,0xb8,0xc0,0x85, + 0x2f,0xcd,0x41,0x2e,0x09,0x8e,0x23,0x1e,0x43,0x42,0x7b,0xd2,0xbe,0x13,0x30,0xbb, + 0x47,0xb4,0x03,0x9a,0xd5,0x7b,0x30,0xae,0x1f,0xc9,0x4e,0x34,0x99,0x3b,0x16,0x2f, + 0xf4,0xd6,0x95,0xe4,0x2d,0x59,0xd9,0x77,0x7e,0xa1,0x8d,0x38,0x48,0xd9,0xd3,0x36, + 0xc2,0x5d,0x2a,0xcb,0x93,0xad,0xca,0xd0,0x09,0xbc,0xfb,0x9c,0xde,0x12,0x28,0x6d, + 0xf2,0x67,0xad,0xa2,0x83,0x06,0x3d,0xe0,0xbb,0x15,0x05,0x56,0x5b,0x2e,0xb6,0xc9, + 0x0e,0x31,0xc4,0x87,0x98,0xec,0xdc,0x71,0xa7,0x17,0x56,0xa9,0x11,0x0f,0xf3,0x73}; +uint8_t rfc_9380_k6_expand_message_xof_msg_9[] = { 113, 49, 50, 56, 95, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113, 113 }; +size_t rfc_9380_k6_expand_message_xof_msg_9_len = 133; +size_t rfc_9380_k6_expand_message_xof_out_len_9 = 0x80; +uint8_t fixture_rfc_9380_k6_expand_message_xof_msg_prime_9[] = + {0x71,0x31,0x32,0x38,0x5f,0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71, + 0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71, + 0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71, + 0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71, + 0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71, + 0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71, + 0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71, + 0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71,0x71, + 0x71,0x71,0x71,0x71,0x71,0x00,0x80,0x51,0x55,0x55,0x58,0x2d,0x56,0x30,0x31,0x2d, + 0x43,0x53,0x30,0x32,0x2d,0x77,0x69,0x74,0x68,0x2d,0x65,0x78,0x70,0x61,0x6e,0x64, + 0x65,0x72,0x2d,0x53,0x48,0x41,0x4b,0x45,0x32,0x35,0x36,0x24}; +uint8_t fixture_rfc_9380_k6_expand_message_xof_output_9[] = + {0x4a,0xc0,0x54,0xdd,0xa0,0xa3,0x8a,0x65,0xd0,0xec,0xf7,0xaf,0xd3,0xc2,0x81,0x23, + 0x00,0x02,0x7c,0x87,0x89,0x65,0x5e,0x47,0xae,0xcf,0x1e,0xcc,0x1a,0x24,0x26,0xb1, + 0x74,0x44,0xc7,0x48,0x2c,0x99,0xe5,0x90,0x7a,0xfd,0x9c,0x25,0xb9,0x91,0x99,0x04, + 0x90,0xbb,0x9c,0x68,0x6f,0x43,0xe7,0x9b,0x44,0x71,0xa2,0x3a,0x70,0x3d,0x4b,0x02, + 0xf2,0x3c,0x66,0x97,0x37,0xa8,0x86,0xa7,0xec,0x28,0xbd,0xdb,0x92,0xc3,0xa9,0x8d, + 0xe6,0x3e,0xbf,0x87,0x8a,0xa3,0x63,0xa5,0x01,0xa6,0x00,0x55,0xc0,0x48,0xbe,0xa1, + 0x18,0x40,0xc4,0x71,0x7b,0xea,0xe7,0xee,0xe2,0x8c,0x3c,0xfa,0x42,0x85,0x7b,0x3d, + 0x13,0x01,0x88,0x57,0x19,0x43,0xa7,0xbd,0x74,0x7d,0xe8,0x31,0xbd,0x64,0x44,0xe0}; +uint8_t rfc_9380_k6_expand_message_xof_msg_10[] = { 97, 53, 49, 50, 95, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97, 97 }; +size_t rfc_9380_k6_expand_message_xof_msg_10_len = 517; +size_t rfc_9380_k6_expand_message_xof_out_len_10 = 0x80; +uint8_t fixture_rfc_9380_k6_expand_message_xof_msg_prime_10[] = + {0x61,0x35,0x31,0x32,0x5f,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61, + 0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61, + 0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61, + 0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61, + 0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61, + 0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61, + 0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61, + 0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61, + 0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61, + 0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61, + 0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61, + 0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61, + 0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61, + 0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61, + 0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61, + 0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61, + 0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61, + 0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61, + 0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61, + 0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61, + 0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61, + 0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61, + 0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61, + 0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61, + 0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61, + 0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61, + 0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61, + 0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61, + 0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61, + 0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61, + 0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61, + 0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61, + 0x61,0x61,0x61,0x61,0x61,0x00,0x80,0x51,0x55,0x55,0x58,0x2d,0x56,0x30,0x31,0x2d, + 0x43,0x53,0x30,0x32,0x2d,0x77,0x69,0x74,0x68,0x2d,0x65,0x78,0x70,0x61,0x6e,0x64, + 0x65,0x72,0x2d,0x53,0x48,0x41,0x4b,0x45,0x32,0x35,0x36,0x24}; +uint8_t fixture_rfc_9380_k6_expand_message_xof_output_10[] = + {0x09,0xaf,0xc7,0x6d,0x51,0xc2,0xcc,0xcb,0xc1,0x29,0xc2,0x31,0x5d,0xf6,0x6c,0x2b, + 0xe7,0x29,0x5a,0x23,0x12,0x03,0xb8,0xab,0x2d,0xd7,0xf9,0x5c,0x27,0x72,0xc6,0x8e, + 0x50,0x0b,0xc7,0x2e,0x20,0xc6,0x02,0xab,0xc9,0x96,0x46,0x63,0xb7,0xa0,0x3a,0x38, + 0x9b,0xe1,0x28,0xc5,0x69,0x71,0xce,0x81,0x00,0x1a,0x0b,0x87,0x5e,0x7f,0xd1,0x78, + 0x22,0xdb,0x9d,0x69,0x79,0x2d,0xdf,0x6a,0x23,0xa1,0x51,0xbf,0x47,0x00,0x79,0xc5, + 0x18,0x27,0x9a,0xef,0x3e,0x75,0x61,0x1f,0x8f,0x82,0x89,0x94,0xa9,0x98,0x8f,0x4a, + 0x8a,0x25,0x6d,0xdb,0x8b,0xae,0x16,0x1e,0x65,0x8d,0x5a,0x2a,0x09,0xbc,0xfe,0x83, + 0x9c,0x63,0x96,0xdc,0x06,0xee,0x5c,0x8f,0xf3,0xc2,0x2d,0x3b,0x1f,0x9d,0xeb,0x7e}; diff --git a/test/fixtures.h b/test/fixtures.h index 0278a93..833a1e0 100644 --- a/test/fixtures.h +++ b/test/fixtures.h @@ -5,6 +5,7 @@ #define FIXTURESH #include +#include // Messages extern uint8_t fixture_m_1[32]; @@ -688,4 +689,72 @@ extern uint8_t fixture_bls12_381_sha_256_a_proof2_proof[464]; extern uint8_t fixture_bls12_381_sha_256_h2s_dst[48]; extern uint8_t fixture_bls12_381_sha_256_h2s_scalar[32]; +// +// RFC 9380 K.6 expand_message_xof SHAKE256 Test Vectors +// + +// Expand Message Test Vectors +extern uint8_t rfc_9380_k6_expand_message_xof_dst[]; +extern size_t rfc_9380_k6_expand_message_xof_dst_len; +extern uint8_t rfc_9380_k6_expand_message_xof_msg_1[]; +extern size_t rfc_9380_k6_expand_message_xof_msg_1_len; +extern size_t rfc_9380_k6_expand_message_xof_out_len_1; +extern uint8_t fixture_rfc_9380_k6_expand_message_xof_dst_prime_1[37]; +extern uint8_t fixture_rfc_9380_k6_expand_message_xof_msg_prime_1[39]; +extern uint8_t fixture_rfc_9380_k6_expand_message_xof_output_1[32]; +extern uint8_t rfc_9380_k6_expand_message_xof_msg_2[]; +extern size_t rfc_9380_k6_expand_message_xof_msg_2_len; +extern size_t rfc_9380_k6_expand_message_xof_out_len_2; +#define fixture_rfc_9380_k6_expand_message_xof_dst_prime_2 fixture_rfc_9380_k6_expand_message_xof_dst_prime_1 +extern uint8_t fixture_rfc_9380_k6_expand_message_xof_msg_prime_2[42]; +extern uint8_t fixture_rfc_9380_k6_expand_message_xof_output_2[32]; +extern uint8_t rfc_9380_k6_expand_message_xof_msg_3[]; +extern size_t rfc_9380_k6_expand_message_xof_msg_3_len; +extern size_t rfc_9380_k6_expand_message_xof_out_len_3; +#define fixture_rfc_9380_k6_expand_message_xof_dst_prime_3 fixture_rfc_9380_k6_expand_message_xof_dst_prime_1 +extern uint8_t fixture_rfc_9380_k6_expand_message_xof_msg_prime_3[55]; +extern uint8_t fixture_rfc_9380_k6_expand_message_xof_output_3[32]; +extern uint8_t rfc_9380_k6_expand_message_xof_msg_4[]; +extern size_t rfc_9380_k6_expand_message_xof_msg_4_len; +extern size_t rfc_9380_k6_expand_message_xof_out_len_4; +#define fixture_rfc_9380_k6_expand_message_xof_dst_prime_4 fixture_rfc_9380_k6_expand_message_xof_dst_prime_1 +extern uint8_t fixture_rfc_9380_k6_expand_message_xof_msg_prime_4[172]; +extern uint8_t fixture_rfc_9380_k6_expand_message_xof_output_4[32]; +extern uint8_t rfc_9380_k6_expand_message_xof_msg_5[]; +extern size_t rfc_9380_k6_expand_message_xof_msg_5_len; +extern size_t rfc_9380_k6_expand_message_xof_out_len_5; +#define fixture_rfc_9380_k6_expand_message_xof_dst_prime_5 fixture_rfc_9380_k6_expand_message_xof_dst_prime_1 +extern uint8_t fixture_rfc_9380_k6_expand_message_xof_msg_prime_5[556]; +extern uint8_t fixture_rfc_9380_k6_expand_message_xof_output_5[32]; +extern uint8_t rfc_9380_k6_expand_message_xof_msg_6[]; +extern size_t rfc_9380_k6_expand_message_xof_msg_6_len; +extern size_t rfc_9380_k6_expand_message_xof_out_len_6; +#define fixture_rfc_9380_k6_expand_message_xof_dst_prime_6 fixture_rfc_9380_k6_expand_message_xof_dst_prime_1 +extern uint8_t fixture_rfc_9380_k6_expand_message_xof_msg_prime_6[39]; +extern uint8_t fixture_rfc_9380_k6_expand_message_xof_output_6[128]; +extern uint8_t rfc_9380_k6_expand_message_xof_msg_7[]; +extern size_t rfc_9380_k6_expand_message_xof_msg_7_len; +extern size_t rfc_9380_k6_expand_message_xof_out_len_7; +#define fixture_rfc_9380_k6_expand_message_xof_dst_prime_7 fixture_rfc_9380_k6_expand_message_xof_dst_prime_1 +extern uint8_t fixture_rfc_9380_k6_expand_message_xof_msg_prime_7[42]; +extern uint8_t fixture_rfc_9380_k6_expand_message_xof_output_7[128]; +extern uint8_t rfc_9380_k6_expand_message_xof_msg_8[]; +extern size_t rfc_9380_k6_expand_message_xof_msg_8_len; +extern size_t rfc_9380_k6_expand_message_xof_out_len_8; +#define fixture_rfc_9380_k6_expand_message_xof_dst_prime_8 fixture_rfc_9380_k6_expand_message_xof_dst_prime_1 +extern uint8_t fixture_rfc_9380_k6_expand_message_xof_msg_prime_8[55]; +extern uint8_t fixture_rfc_9380_k6_expand_message_xof_output_8[128]; +extern uint8_t rfc_9380_k6_expand_message_xof_msg_9[]; +extern size_t rfc_9380_k6_expand_message_xof_msg_9_len; +extern size_t rfc_9380_k6_expand_message_xof_out_len_9; +#define fixture_rfc_9380_k6_expand_message_xof_dst_prime_9 fixture_rfc_9380_k6_expand_message_xof_dst_prime_1 +extern uint8_t fixture_rfc_9380_k6_expand_message_xof_msg_prime_9[172]; +extern uint8_t fixture_rfc_9380_k6_expand_message_xof_output_9[128]; +extern uint8_t rfc_9380_k6_expand_message_xof_msg_10[]; +extern size_t rfc_9380_k6_expand_message_xof_msg_10_len; +extern size_t rfc_9380_k6_expand_message_xof_out_len_10; +#define fixture_rfc_9380_k6_expand_message_xof_dst_prime_10 fixture_rfc_9380_k6_expand_message_xof_dst_prime_1 +extern uint8_t fixture_rfc_9380_k6_expand_message_xof_msg_prime_10[556]; +extern uint8_t fixture_rfc_9380_k6_expand_message_xof_output_10[128]; + #endif /* FIXTURESH */ diff --git a/test/genfixtures.rb b/test/genfixtures.rb index b977b59..7cd7b9f 100644 --- a/test/genfixtures.rb +++ b/test/genfixtures.rb @@ -35,6 +35,7 @@ file_name = "#{base_dir}bls12-381-sha-256/proof/proof#{n.to_s.rjust(3,'0')}.json" JSON.parse File.read(file_name) end +shake_expand_message = JSON.parse File.read(base_dir + 'bls12-381-shake-256/expandMessage.json') def comment(s) puts "// #{s}" @@ -50,9 +51,8 @@ def hex_string(name, s) #puts "unsigned char #{prefix}#{name}[] = #{prefix}#{$hex_to_name[s]};" puts "#define #{prefix}#{name} #{prefix}#{$hex_to_name[s]}" if $gen_header else - arr = s.scan(/../).map{|x| "0x#{x}"} + arr = s.scan(/.{1,2}/).map{|x| "0x#{x}"} $hex_to_name[s] = name - arr = s.scan(/../).map{|x| "0x#{x}"} preamble = "uint8_t #{prefix}#{name}[] =" short = (preamble.length + arr.length*5 + 3 <= 100) if $gen_header @@ -74,6 +74,35 @@ def hex_string(name, s) end end +def ascii_string_to_c_array(name, ascii_string) + if $gen_header + puts "extern uint8_t #{name}[];" + puts "extern size_t #{name}_len;" + return + end + prefix = " " + ascii_values = ascii_string.bytes.map { |byte| byte.to_s } + array_content = ascii_values.join(', ') + puts "uint8_t #{name}[] = { #{array_content} };" + puts "size_t #{name}_len = #{ascii_values.length};" +end + +def print_size_t_variable(variable_name, hex_string_or_number) + if $gen_header + puts "extern size_t #{variable_name};" + return + end + if hex_string_or_number.respond_to?(:start_with) + normalized_hex = hex_string_or_number.delete_prefix('0x') + number = normalized_hex.to_i(16) + else + number = hex_string_or_number + end + # Note: "%#x" formats the number back into hex, ensuring it includes the '0x' prefix + c_declaration = "size_t #{variable_name} = %#x;" % number + puts c_declaration +end + def number_array(name, a) prefix = "fixture_" if $gen_header @@ -130,6 +159,7 @@ def print_proof(proof, prefix) puts '#define FIXTURESH' puts puts '#include ' + puts '#include ' else puts '#include "fixtures.h"' end @@ -368,6 +398,25 @@ def print_proof(proof, prefix) hex_string(sha + "h2s_dst", sha_h2s['dst']) hex_string(sha + "h2s_scalar", sha_h2s['scalar']) +puts +comment("") +comment("RFC 9380 K.6 expand_message_xof SHAKE256 Test Vectors") +comment("") + +expand_message_xof = "rfc_9380_k6_expand_message_xof_" + +puts +comment("Expand Message Test Vectors") +ascii_string_to_c_array(expand_message_xof + "dst", shake_expand_message['DST']) +# print_size_t_variable(expand_message_xof + "dst_len", shake_expand_message['DST'].length) +shake_expand_message['vectors'].each_with_index do |m,idx| + ascii_string_to_c_array(expand_message_xof + "msg_#{idx+1}", m["msg"]) + print_size_t_variable(expand_message_xof + "out_len_#{idx+1}", m["len_in_bytes"]) + hex_string(expand_message_xof + "dst_prime_#{idx+1}", m["DST_prime"]) + hex_string(expand_message_xof + "msg_prime_#{idx+1}", m["msg_prime"]) + hex_string(expand_message_xof + "output_#{idx+1}", m["uniform_bytes"]) +end + if $gen_header puts puts '#endif /* FIXTURESH */' diff --git a/test/test_util.h b/test/test_util.h index 40b6e64..eb74a68 100644 --- a/test/test_util.h +++ b/test/test_util.h @@ -9,11 +9,23 @@ #include #define ASSERT_EQ(purpose, actual, ref) \ - for(int i=0; i < sizeof(ref); i++) { \ - if(actual[i] != ref[i]) { \ - puts("Mismatch in " purpose); \ - DEBUG("Should be:", ref, sizeof(ref)); \ - DEBUG("Is:", actual, sizeof(actual)); \ + for (int assert_eq_index = 0; assert_eq_index < sizeof(ref); assert_eq_index++) { \ + if (actual[assert_eq_index] != ref[assert_eq_index]) { \ + puts ("Mismatch in " purpose); \ + DEBUG ("Should be:", ref, sizeof(ref)); \ + DEBUG ("Is:", actual, sizeof(actual)); \ + return 1; \ + } \ + } + +#define ASSERT_EQ_PTR(purpose, actual, ref, len) \ + for (size_t assert_eq_index = 0; assert_eq_index < len; assert_eq_index++) { \ + if (actual[assert_eq_index] != ref[assert_eq_index]) { \ + puts ("Mismatch in " purpose); \ + printf ("actual[%zu]: %02x\n", assert_eq_index, actual[assert_eq_index]); \ + printf ("ref[%zu]: %02x\n", assert_eq_index, ref[assert_eq_index]); \ + DEBUG ("Should be:", ref, len); \ + DEBUG ("Is:", actual, len); \ return 1; \ } \ } @@ -25,12 +37,12 @@ struct timespec tp_end; #ifdef ENABLE_BENCHMARK #define BBS_BENCH_START() \ - clock_gettime (CLOCK_PROCESS_CPUTIME_ID, &tp_start); + clock_gettime (CLOCK_PROCESS_CPUTIME_ID, &tp_start); #define BBS_BENCH_END(hint) \ - clock_gettime (CLOCK_PROCESS_CPUTIME_ID, &tp_end); \ - fprintf (stdout, "%s: %"PRIu64" ns\n", hint, \ - (((uint64_t)tp_end.tv_sec*1000000000) + tp_end.tv_nsec) - \ - (((uint64_t)tp_start.tv_sec*1000000000) + tp_start.tv_nsec)); + clock_gettime (CLOCK_PROCESS_CPUTIME_ID, &tp_end); \ + fprintf (stdout, "%s: %" PRIu64 " ns\n", hint, \ + (((uint64_t) tp_end.tv_sec * 1000000000) + tp_end.tv_nsec) - \ + (((uint64_t) tp_start.tv_sec * 1000000000) + tp_start.tv_nsec)); #else #define BBS_BENCH_START() #define BBS_BENCH_END(hint)