fmtseq: all working

2012-12-28 17:14:22 +01:00 · 2012-12-28 17:14:22 +01:00 · 647f5e7fa3
parent 902a2f541d
commit 647f5e7fa3
3 changed files with 164 additions and 19 deletions
--- a/src/fmtseq.cpp
+++ b/src/fmtseq.cpp
@ -71,11 +71,156 @@ static void store_exist (privkey&priv, const privkey::tree_stk_item&i)
 	priv.exist[level][i.pos + (1 << sublevel) - 2] = i.item;
 }
-static void update_trees (privkey&priv, hash_func&hf)
+static void alloc_desired (privkey&priv, hash_func&hf)
 {
-	//TODO
+	//start the desired trees
 	priv.desired.resize (priv.l - 1);
 	priv.desired_stack.resize (priv.l - 1);
 	priv.desired_progress.resize (priv.l - 1, 0);
 	for (uint i = 0; i < priv.l - 1; ++i) {
 		priv.desired[i].resize ( (1 << (priv.h + 1) ) - 2);
 		for (uint j = 0; j < priv.desired[i].size(); ++j)
 			priv.desired[i][j].resize (hf.size(), 0);
 	}
 }
 static void store_desired (privkey&priv, uint did,
                           const privkey::tree_stk_item& i)
 {
 	if ( (i.level / priv.h) != did) return; //too below or above
 	uint depth = priv.h - (i.level % priv.h);
 	if (i.pos >= (1 << depth) ) return; //too far right, omg why?!
 	priv.desired[did][i.pos + (1 << depth) - 2] = i.item;
 }
 static void update_privkey (privkey&priv, hash_func&hf)
 {
 	uint i, j;
 	arcfour<byte> generator;
 	std::vector<byte> x, Y;
 	uint commitments = fmtseq_commitments (priv.hs);
 	/*
 	 * Perform one calculation step on all subtrees.
 	 *
 	 * Note the difference against original FMTseq:
 	 *
 	 * On every signature, we generate _one_ leaf and squash the subtree
 	 * stack all above it. This brings (on average) the same performance,
 	 * but some signatures are faster and some are slower. Not that much
 	 * that it would actually matter for this purpose. Timing attacks don't
 	 * count as we still publish the signature serial number, from which
 	 * anyone can easily see whether it's going to take a while or not.
 	 *
 	 * Generating one leaf on each signature brings a complete desired tree
 	 * exactly in time when exist tree gets exhausted (they have the same
 	 * number of leaves).
 	 *
 	 * Average time for signature is around 2 units (as in fmtseq), worst
 	 * case is around (h^2)/2 units (which isn't really that bad, for
 	 * practical purposes it's only around 200 and only in one case).
 	 *
 	 * FMTseq instead calculates exactly two of those operations
 	 * every round (e.g. 2 times stack squashing, or gen, gen, or
 	 * gen/squash...) This brings equivalent speed for all signatures (all
 	 * do exactly 2 operations), but storage of internal state and the
 	 * whole algorithm is kindof complex. Omitted for simplicity.
 	 */
 	uint d_leaves, d_startpos, d_h;
 	for (i = 0; i < priv.desired.size(); ++i) {
 		d_h = (i + 1) * priv.h;
 		d_leaves = 1 << d_h;
 		if (priv.desired_progress[i] >= d_leaves)
 			continue; //already done
 		//create the leaf
 		d_startpos = (1 + (priv.sigs_used >> d_h) ) << d_h;
 		uint leafid = d_startpos + priv.desired_progress[i];
 		prepare_keygen (generator, priv.SK, leafid);
 		Y.clear();
 		for (j = 0; j < commitments; ++j) {
 			generator.gen (hf.size(), x);
 			x = hf (x);
 			Y.insert (Y.end(), x.begin(), x.end() );
 		}
 		std::vector<privkey::tree_stk_item>
 		&stk = priv.desired_stack[i];
 		stk.push_back (privkey::tree_stk_item
 		               (0, priv.desired_progress[i], hf (Y) ) );
 		store_desired (priv, i, stk.back() );
 		++priv.desired_progress[i];
 		//stack squashing
 		for (;;) {
 			if (stk.size() < 2) break;
 			if ( (stk.end() - 1)->level !=
 			     (stk.end() - 2)->level) break;
 			Y.clear();
 			Y.insert (Y.end(),
 			          (stk.end() - 2)->item.begin(),
 			          (stk.end() - 2)->item.end() );
 			Y.insert (Y.end(),
 			          (stk.end() - 1)->item.begin(),
 			          (stk.end() - 1)->item.end() );
 			uint l = stk.back().level + 1;
 			uint p = stk.back().pos / 2;
 			stk.pop_back();
 			stk.pop_back();
 			stk.push_back (privkey::tree_stk_item
 			               (l, p, hf (Y) ) );
 			store_desired (priv, i, stk.back() );
 		}
 	}
 	//where needed, move desired to exist and reset or erase
 	uint next_sigs_used = priv.sigs_used + 1;
 	uint subtree_changes = priv.sigs_used ^ next_sigs_used;
 	uint one_subtree_mask = (1 << priv.h) - 1;
 	//go from the topmost subtree.
 	for (uint i = 0; i < priv.l; ++i) {
 		uint idx = priv.l - i - 1;
 		//ignore unused top levels
 		if (idx >= priv.desired.size() ) continue;
 		//if nothing changed, do nothing
 		if (! ( (subtree_changes >> (priv.h * (1 + idx) ) )
 		        & one_subtree_mask) ) continue;
 		//move desired to exist
 		priv.exist[idx] = priv.desired[idx];
 		priv.desired_progress[idx] = 0;
 		priv.desired_stack[idx].clear();
 		//if there aren't more desired subtrees on this level,
 		//strip it off.
 		uint next_subtree_start =
 		    (1 + (next_sigs_used >> ( (1 + idx) * priv.h) ) )
 		    << ( (1 + idx) * priv.h);
 		if (next_subtree_start >= (1 << (priv.h * priv.l) ) ) {
 			priv.desired.resize (idx);
 			priv.desired_stack.resize (idx);
 			priv.desired_progress.resize (idx);
 		}
 	}
 	priv.sigs_used = next_sigs_used;
 }
 /*
 * Key generator
 */
 int fmtseq::generate (pubkey&pub, privkey&priv,
                      prng&rng, hash_func&hf,
                      uint hs, uint h, uint l)
@ -106,10 +251,7 @@ int fmtseq::generate (pubkey&pub, privkey&priv,
 	uint commitments = fmtseq_commitments (hs);
 	arcfour<byte> generator;
-	std::vector<byte> x, y, Y;
+	std::vector<byte> x, Y;
 	x.resize (hf.size() );
 	y.resize (hf.size() );
 	alloc_exist (priv);
@ -120,8 +262,8 @@ int fmtseq::generate (pubkey&pub, privkey&priv,
 		prepare_keygen (generator, priv.SK, i);
 		for (j = 0; j < commitments; ++j) {
 			generator.gen (hf.size(), x);
-			y = hf (x);
+			x = hf (x);
-			Y.insert (Y.end(), y.begin(), y.end() );
+			Y.insert (Y.end(), x.begin(), x.end() );
 		}
 		stk.push_back (privkey::tree_stk_item (0, i, hf (Y) ) );
@ -130,7 +272,8 @@ int fmtseq::generate (pubkey&pub, privkey&priv,
 		//try squashing the stack
 		for (;;) {
 			if (stk.size() < 2) break;
-			if ( (stk.end() - 1)->level != (stk.end() - 2)->level) break;
+			if ( (stk.end() - 1)->level !=
 			     (stk.end() - 2)->level) break;
 			Y.clear();
 			Y.insert (Y.end(),
@ -143,11 +286,14 @@ int fmtseq::generate (pubkey&pub, privkey&priv,
 			uint p = stk.back().pos / 2;
 			stk.pop_back();
 			stk.pop_back();
-			stk.push_back (privkey::tree_stk_item (l, p, hf (Y) ) );
+			stk.push_back (privkey::tree_stk_item
 			               (l, p, hf (Y) ) );
 			store_exist (priv, stk.back() );
 		}
 	}
 	alloc_desired (priv, hf);
 	//now there's the public verification key available in the stack.
 	pub.check = stk.back().item;
 	pub.H = h * l;
@ -235,10 +381,8 @@ int privkey::sign (const bvector& hash, bvector& sig, hash_func& hf)
 		pos >>= 1;
 	}
-	//move on to the next signature
+	//move to the next signature and update the cache
-	++sigs_used;
+	update_privkey (*this, hf);
 	//update the cache
 	update_trees (*this, hf);
 	return 0;
 }
--- a/src/fmtseq.h
+++ b/src/fmtseq.h
@ -64,7 +64,7 @@ public:
 		tree_stk_item (uint L, uint P, std::vector<byte> i)
 			: level (L), pos (P), item (i) {}
 	};
-	std::vector<std::list<tree_stk_item> > desired_stack;
+	std::vector<std::vector<tree_stk_item> > desired_stack;
 	std::vector<uint> desired_progress;
 	int sign (const bvector&, bvector&, hash_func&);
--- a/src/main.cpp
+++ b/src/main.cpp
@ -84,11 +84,12 @@ int main()
 	cout << "HASH " << h;
-	for (uint i = 0; i < 8; ++i) {
+	while (priv.sigs_remaining() ) {
-		cout << priv.sign (h, sig, sha2) << endl;
+		h[r.random (h.size() )] = r.random (2);
 		//cout << i << "-th SIG " << sig;
-		cout << "VERIFY ERROR: " << pub.verify (sig, h, sha2) << endl;
+		priv.sign (h, sig, sha2);
 		//cout << i << "-th SIG " << sig;
 		cout << "VERIFY ERROR: " << pub.verify (sig, h, sha2) << " sigs left: " << priv.sigs_remaining() << endl;
 	}
 	return 0;