authorStefan Koelbl <kste@google.com>2023-06-21 12:20:20 +0000
committerBoringssl LUCI CQ <boringssl-scoped@luci-project-accounts.iam.gserviceaccount.com>2023-11-01 23:01:16 +0000
commitf714cb2935906a2f085c3b89d7e206af94627b56 (patch)
tree7c3af3839c3531fa1305b2ef176bf4f2a8d7560f /tool
parentd2a2913cf8b5913c77570b5b8d734547b3eabaf9 (diff)
Add basic C implementation of SPHINCS+-SHA2-128s.
The implementation is based on the current round 3 specification with the modifications to FORS indices generation suggested on the mailing list. The implementation passes test vectors and uses the default SHA256 implementation of BoringSSL. Change-Id: Iab2dbaf5f692d490577dc940d9f3e298a72e9193 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/60965 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: Adam Langley <agl@google.com> Reviewed-by: David Benjamin <davidben@google.com>
Diffstat (limited to 'tool')
-rw-r--r--tool/speed.cc129
1 files changed, 87 insertions, 42 deletions
diff --git a/tool/speed.cc b/tool/speed.cc
index f05be90..942dcad 100644
--- a/tool/speed.cc
+++ b/tool/speed.cc
@@ -67,6 +67,7 @@ OPENSSL_MSVC_PRAGMA(warning(pop))
#include "../crypto/fipsmodule/ec/internal.h"
#include "../crypto/internal.h"
#include "../crypto/trust_token/internal.h"
+#include "../crypto/spx/internal.h"
#include "internal.h"
// g_print_json is true if printed output is JSON formatted.
@@ -278,7 +279,7 @@ static bool TimeFunctionParallel(TimeResults *results,
results->num_calls = 0;
results->us = 0;
- for (const auto& pair : thread_results) {
+ for (const auto &pair : thread_results) {
if (!pair.ok) {
return false;
}
@@ -305,8 +306,8 @@ static bool SpeedRSA(const std::string &selected) {
const uint8_t *key;
const size_t key_len;
} kRSAKeys[] = {
- {"RSA 2048", kDERRSAPrivate2048, kDERRSAPrivate2048Len},
- {"RSA 4096", kDERRSAPrivate4096, kDERRSAPrivate4096Len},
+ {"RSA 2048", kDERRSAPrivate2048, kDERRSAPrivate2048Len},
+ {"RSA 4096", kDERRSAPrivate4096, kDERRSAPrivate4096Len},
};
for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(kRSAKeys); i++) {
@@ -492,7 +493,6 @@ static bool SpeedAEADChunk(const EVP_AEAD *aead, std::string name,
OPENSSL_memset(ad.get(), 0, ad_len);
auto tag_storage = std::make_unique<uint8_t[]>(overhead_len + kAlignment);
-
uint8_t *const in =
static_cast<uint8_t *>(align_pointer(in_storage.get(), kAlignment));
OPENSSL_memset(in, 0, chunk_len);
@@ -947,15 +947,14 @@ static bool SpeedSPAKE2(const std::string &selected) {
static const uint8_t kAliceName[] = {'A'};
static const uint8_t kBobName[] = {'B'};
static const uint8_t kPassword[] = "password";
- bssl::UniquePtr<SPAKE2_CTX> alice(SPAKE2_CTX_new(spake2_role_alice,
- kAliceName, sizeof(kAliceName), kBobName,
- sizeof(kBobName)));
+ bssl::UniquePtr<SPAKE2_CTX> alice(
+ SPAKE2_CTX_new(spake2_role_alice, kAliceName, sizeof(kAliceName),
+ kBobName, sizeof(kBobName)));
uint8_t alice_msg[SPAKE2_MAX_MSG_SIZE];
size_t alice_msg_len;
if (!SPAKE2_generate_msg(alice.get(), alice_msg, &alice_msg_len,
- sizeof(alice_msg),
- kPassword, sizeof(kPassword))) {
+ sizeof(alice_msg), kPassword, sizeof(kPassword))) {
fprintf(stderr, "SPAKE2_generate_msg failed.\n");
return false;
}
@@ -1129,6 +1128,52 @@ static bool SpeedKyber(const std::string &selected) {
return true;
}
+static bool SpeedSpx(const std::string &selected) {
+ if (!selected.empty() && selected.find("spx") == std::string::npos) {
+ return true;
+ }
+
+ TimeResults results;
+ if (!TimeFunctionParallel(&results, []() -> bool {
+ uint8_t public_key[32], private_key[64];
+ spx_generate_key(public_key, private_key);
+ return true;
+ })) {
+ return false;
+ }
+
+ results.Print("SPHINCS+-SHA2-128s key generation");
+
+ uint8_t public_key[32], private_key[64];
+ spx_generate_key(public_key, private_key);
+ static const uint8_t kMessage[] = {0, 1, 2, 3, 4, 5};
+
+ if (!TimeFunctionParallel(&results, [&private_key]() -> bool {
+ uint8_t out[SPX_SIGNATURE_BYTES];
+ spx_sign(out, private_key, kMessage, sizeof(kMessage), true);
+ return true;
+ })) {
+ return false;
+ }
+
+ results.Print("SPHINCS+-SHA2-128s signing");
+
+ uint8_t signature[SPX_SIGNATURE_BYTES];
+ spx_sign(signature, private_key, kMessage, sizeof(kMessage), true);
+
+ if (!TimeFunctionParallel(&results, [&public_key, &signature]() -> bool {
+ return spx_verify(signature, public_key, kMessage, sizeof(kMessage)) ==
+ 1;
+ })) {
+ fprintf(stderr, "SPHINCS+-SHA2-128s verify failed.\n");
+ return false;
+ }
+
+ results.Print("SPHINCS+-SHA2-128s verify");
+
+ return true;
+}
+
static bool SpeedHashToCurve(const std::string &selected) {
if (!selected.empty() && selected.find("hashtocurve") == std::string::npos) {
return true;
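Review bot: The key buffers in SpeedSpx are sized with bare literals (`uint8_t public_key[32], private_key[64];`, declared once inside the key-generation lambda and again in the function body), while the signature buffers use `SPX_SIGNATURE_BYTES`. spx_generate_key is called with no length arguments, so if the parameter set's key sizes ever stop matching these literals the call would write past the stack arrays with nothing to catch it. Size the arrays from the key-length constants in `../crypto/spx/internal.h`, assuming it defines them alongside `SPX_SIGNATURE_BYTES`, or add a `static_assert` that ties the literals to the header. The bare `true` passed to spx_sign would also be clearer with an argument comment naming the parameter (presumably the randomized-signing switch; confirm against the declaration). SpeedSpx is fully visible in this hunk; the SpeedHashToCurve context that follows continues outside it.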
@@ -1184,26 +1229,26 @@ static bool SpeedBase64(const std::string &selected) {
}
static const char kInput[] =
- "MIIDtTCCAp2gAwIBAgIJALW2IrlaBKUhMA0GCSqGSIb3DQEBCwUAMEUxCzAJBgNV"
- "BAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBX"
- "aWRnaXRzIFB0eSBMdGQwHhcNMTYwNzA5MDQzODA5WhcNMTYwODA4MDQzODA5WjBF"
- "MQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50"
- "ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB"
- "CgKCAQEAugvahBkSAUF1fC49vb1bvlPrcl80kop1iLpiuYoz4Qptwy57+EWssZBc"
- "HprZ5BkWf6PeGZ7F5AX1PyJbGHZLqvMCvViP6pd4MFox/igESISEHEixoiXCzepB"
- "rhtp5UQSjHD4D4hKtgdMgVxX+LRtwgW3mnu/vBu7rzpr/DS8io99p3lqZ1Aky+aN"
- "lcMj6MYy8U+YFEevb/V0lRY9oqwmW7BHnXikm/vi6sjIS350U8zb/mRzYeIs2R65"
- "LUduTL50+UMgat9ocewI2dv8aO9Dph+8NdGtg8LFYyTTHcUxJoMr1PTOgnmET19W"
- "JH4PrFwk7ZE1QJQQ1L4iKmPeQistuQIDAQABo4GnMIGkMB0GA1UdDgQWBBT5m6Vv"
- "zYjVYHG30iBE+j2XDhUE8jB1BgNVHSMEbjBsgBT5m6VvzYjVYHG30iBE+j2XDhUE"
- "8qFJpEcwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNV"
- "BAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZIIJALW2IrlaBKUhMAwGA1UdEwQF"
- "MAMBAf8wDQYJKoZIhvcNAQELBQADggEBAD7Jg68SArYWlcoHfZAB90Pmyrt5H6D8"
- "LRi+W2Ri1fBNxREELnezWJ2scjl4UMcsKYp4Pi950gVN+62IgrImcCNvtb5I1Cfy"
- "/MNNur9ffas6X334D0hYVIQTePyFk3umI+2mJQrtZZyMPIKSY/sYGQHhGGX6wGK+"
- "GO/og0PQk/Vu6D+GU2XRnDV0YZg1lsAsHd21XryK6fDmNkEMwbIWrts4xc7scRrG"
- "HWy+iMf6/7p/Ak/SIicM4XSwmlQ8pPxAZPr+E2LoVd9pMpWUwpW2UbtO5wsGTrY5"
- "sO45tFNN/y+jtUheB1C2ijObG/tXELaiyCdM+S/waeuv0MXtI4xnn1A=";
+ "MIIDtTCCAp2gAwIBAgIJALW2IrlaBKUhMA0GCSqGSIb3DQEBCwUAMEUxCzAJBgNV"
+ "BAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBX"
+ "aWRnaXRzIFB0eSBMdGQwHhcNMTYwNzA5MDQzODA5WhcNMTYwODA4MDQzODA5WjBF"
+ "MQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50"
+ "ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB"
+ "CgKCAQEAugvahBkSAUF1fC49vb1bvlPrcl80kop1iLpiuYoz4Qptwy57+EWssZBc"
+ "HprZ5BkWf6PeGZ7F5AX1PyJbGHZLqvMCvViP6pd4MFox/igESISEHEixoiXCzepB"
+ "rhtp5UQSjHD4D4hKtgdMgVxX+LRtwgW3mnu/vBu7rzpr/DS8io99p3lqZ1Aky+aN"
+ "lcMj6MYy8U+YFEevb/V0lRY9oqwmW7BHnXikm/vi6sjIS350U8zb/mRzYeIs2R65"
+ "LUduTL50+UMgat9ocewI2dv8aO9Dph+8NdGtg8LFYyTTHcUxJoMr1PTOgnmET19W"
+ "JH4PrFwk7ZE1QJQQ1L4iKmPeQistuQIDAQABo4GnMIGkMB0GA1UdDgQWBBT5m6Vv"
+ "zYjVYHG30iBE+j2XDhUE8jB1BgNVHSMEbjBsgBT5m6VvzYjVYHG30iBE+j2XDhUE"
+ "8qFJpEcwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNV"
+ "BAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZIIJALW2IrlaBKUhMAwGA1UdEwQF"
+ "MAMBAf8wDQYJKoZIhvcNAQELBQADggEBAD7Jg68SArYWlcoHfZAB90Pmyrt5H6D8"
+ "LRi+W2Ri1fBNxREELnezWJ2scjl4UMcsKYp4Pi950gVN+62IgrImcCNvtb5I1Cfy"
+ "/MNNur9ffas6X334D0hYVIQTePyFk3umI+2mJQrtZZyMPIKSY/sYGQHhGGX6wGK+"
+ "GO/og0PQk/Vu6D+GU2XRnDV0YZg1lsAsHd21XryK6fDmNkEMwbIWrts4xc7scRrG"
+ "HWy+iMf6/7p/Ak/SIicM4XSwmlQ8pPxAZPr+E2LoVd9pMpWUwpW2UbtO5wsGTrY5"
+ "sO45tFNN/y+jtUheB1C2ijObG/tXELaiyCdM+S/waeuv0MXtI4xnn1A=";
TimeResults results;
if (!TimeFunctionParallel(&results, [&]() -> bool {
@@ -1549,8 +1594,7 @@ bool Speed(const std::vector<std::string> &args) {
char *ptr;
unsigned long long val = strtoull(start, &ptr, 10);
if (ptr == start /* no numeric characters found */ ||
- errno == ERANGE /* overflow */ ||
- static_cast<size_t>(val) != val) {
+ errno == ERANGE /* overflow */ || static_cast<size_t>(val) != val) {
fprintf(stderr, "Error parsing -chunks argument\n");
return false;
}
@@ -1609,16 +1653,17 @@ bool Speed(const std::vector<std::string> &args) {
!SpeedHash(EVP_sha256(), "SHA-256", selected) ||
!SpeedHash(EVP_sha512(), "SHA-512", selected) ||
!SpeedHash(EVP_blake2b256(), "BLAKE2b-256", selected) ||
- !SpeedRandom(selected) ||
- !SpeedECDH(selected) ||
- !SpeedECDSA(selected) ||
- !Speed25519(selected) ||
- !SpeedSPAKE2(selected) ||
- !SpeedScrypt(selected) ||
- !SpeedRSAKeyGen(selected) ||
- !SpeedHRSS(selected) ||
- !SpeedKyber(selected) ||
- !SpeedHashToCurve(selected) ||
+ !SpeedRandom(selected) || //
+ !SpeedECDH(selected) || //
+ !SpeedECDSA(selected) || //
+ !Speed25519(selected) || //
+ !SpeedSPAKE2(selected) || //
+ !SpeedScrypt(selected) || //
+ !SpeedRSAKeyGen(selected) || //
+ !SpeedHRSS(selected) || //
+ !SpeedKyber(selected) || //
+ !SpeedSpx(selected) || //
+ !SpeedHashToCurve(selected) || //
!SpeedTrustToken("TrustToken-Exp1-Batch1", TRUST_TOKEN_experiment_v1(), 1,
selected) ||
!SpeedTrustToken("TrustToken-Exp1-Batch10", TRUST_TOKEN_experiment_v1(),
@@ -1631,7 +1676,7 @@ bool Speed(const std::vector<std::string> &args) {
TRUST_TOKEN_experiment_v2_pmb(), 1, selected) ||
!SpeedTrustToken("TrustToken-Exp2PMB-Batch10",
TRUST_TOKEN_experiment_v2_pmb(), 10, selected) ||
- !SpeedBase64(selected) ||
+ !SpeedBase64(selected) || //
!SpeedSipHash(selected)) {
return false;
}