kris
/
SIDH_p751
1
0
Bifurcation 0
Code Tickets 0 Demandes d'ajout 0 Versions 0 Wiki Activité
Vous ne pouvez pas sélectionner plus de 25 sujets Les noms de sujets doivent commencer par une lettre ou un nombre, peuvent contenir des tirets ('-') et peuvent comporter jusqu'à 35 caractères.
135 Révisions
14 Branches
653 KiB
 
 
 
Branche: master
Branches Tags
${ item.name }
Créer la branche ${ searchTerm }
de 'master'
${ noResults }
SIDH_p751/sidh/api.go

227 lignes
6.8 KiB
Brut Lien permanent Annotations Historique 

  1. package sidh

  2. 

  3. import (

  4. 	"errors"

  5. 	. "github.com/cloudflare/sidh/internal/isogeny"

  6. 	"io"

  7. )

  8. 

  9. // I keep it bool in order to be able to apply logical NOT

  10. type KeyVariant uint

  11. 

  12. // Id's correspond to bitlength of the prime field characteristic

  13. // Currently FP_751 is the only one supported by this implementation

  14. const (

  15. 	FP_503 uint8 = iota

  16. 	FP_751

  17. 	FP_964

  18. 	maxPrimeFieldId

  19. )

  20. 

  21. const (

  22. 	// First 2 bits identify SIDH variant third bit indicates

  23. 	// wether key is a SIKE variant (set) or SIDH (not set)

  24. 

  25. 	// 001 - SIDH: corresponds to 2-torsion group

  26. 	KeyVariant_SIDH_A KeyVariant = 1 << 0

  27. 	// 010 - SIDH: corresponds to 3-torsion group

  28. 	KeyVariant_SIDH_B = 1 << 1

  29. 	// 110 - SIKE

  30. 	KeyVariant_SIKE = 1<<2 | KeyVariant_SIDH_B

  31. )

  32. 

  33. // Base type for public and private key. Used mainly to carry domain

  34. // parameters.

  35. type key struct {

  36. 	// Domain parameters of the algorithm to be used with a key

  37. 	params *SidhParams

  38. 	// Flag indicates wether corresponds to 2-, 3-torsion group or SIKE

  39. 	keyVariant KeyVariant

  40. }

  41. 

  42. // Defines operations on public key

  43. type PublicKey struct {

  44. 	key

  45. 	affine_xP   Fp2Element

  46. 	affine_xQ   Fp2Element

  47. 	affine_xQmP Fp2Element

  48. }

  49. 

  50. // Defines operations on private key

  51. type PrivateKey struct {

  52. 	key

  53. 	// Secret key

  54. 	Scalar []byte

  55. 	// Used only by KEM

  56. 	S []byte

  57. }

  58. 

  59. // Accessor to the domain parameters

  60. func (key *key) Params() *SidhParams {

  61. 	return key.params

  62. }

  63. 

  64. // Accessor to key variant

  65. func (key *key) Variant() KeyVariant {

  66. 	return key.keyVariant

  67. }

  68. 

  69. // NewPrivateKey initializes private key.

  70. // Usage of this function guarantees that the object is correctly initialized.

  71. func NewPrivateKey(id uint8, v KeyVariant) *PrivateKey {

  72. 	prv := &PrivateKey{key: key{params: Params(id), keyVariant: v}}

  73. 	if (v & KeyVariant_SIDH_A) == KeyVariant_SIDH_A {

  74. 		prv.Scalar = make([]byte, prv.params.A.SecretByteLen)

  75. 	} else {

  76. 		prv.Scalar = make([]byte, prv.params.B.SecretByteLen)

  77. 	}

  78. 	if v == KeyVariant_SIKE {

  79. 		prv.S = make([]byte, prv.params.MsgLen)

  80. 	}

  81. 	return prv

  82. }

  83. 

  84. // NewPublicKey initializes public key.

  85. // Usage of this function guarantees that the object is correctly initialized.

  86. func NewPublicKey(id uint8, v KeyVariant) *PublicKey {

  87. 	return &PublicKey{key: key{params: Params(id), keyVariant: v}}

  88. }

  89. 

  90. // Import clears content of the public key currently stored in the structure

  91. // and imports key stored in the byte string. Returns error in case byte string

  92. // size is wrong. Doesn't perform any validation.

  93. func (pub *PublicKey) Import(input []byte) error {

  94. 	if len(input) != pub.Size() {

  95. 		return errors.New("sidh: input to short")

  96. 	}

  97. 	op := CurveOperations{Params: pub.params}

  98. 	ssSz := pub.params.SharedSecretSize

  99. 	op.Fp2FromBytes(&pub.affine_xP, input[0:ssSz])

  100. 	op.Fp2FromBytes(&pub.affine_xQ, input[ssSz:2*ssSz])

  101. 	op.Fp2FromBytes(&pub.affine_xQmP, input[2*ssSz:3*ssSz])

  102. 	return nil

  103. }

  104. 

  105. // Exports currently stored key. In case structure hasn't been filled with key data

  106. // returned byte string is filled with zeros.

  107. func (pub *PublicKey) Export() []byte {

  108. 	output := make([]byte, pub.params.PublicKeySize)

  109. 	op := CurveOperations{Params: pub.params}

  110. 	ssSz := pub.params.SharedSecretSize

  111. 	op.Fp2ToBytes(output[0:ssSz], &pub.affine_xP)

  112. 	op.Fp2ToBytes(output[ssSz:2*ssSz], &pub.affine_xQ)

  113. 	op.Fp2ToBytes(output[2*ssSz:3*ssSz], &pub.affine_xQmP)

  114. 	return output

  115. }

  116. 

  117. // Size returns size of the public key in bytes

  118. func (pub *PublicKey) Size() int {

  119. 	return pub.params.PublicKeySize

  120. }

  121. 

  122. // Exports currently stored key. In case structure hasn't been filled with key data

  123. // returned byte string is filled with zeros.

  124. func (prv *PrivateKey) Export() []byte {

  125. 	ret := make([]byte, len(prv.Scalar)+len(prv.S))

  126. 	copy(ret, prv.S)

  127. 	copy(ret[len(prv.S):], prv.Scalar)

  128. 	return ret

  129. }

  130. 

  131. // Size returns size of the private key in bytes

  132. func (prv *PrivateKey) Size() int {

  133. 	tmp := len(prv.Scalar)

  134. 	if prv.Variant() == KeyVariant_SIKE {

  135. 		tmp += int(prv.params.MsgLen)

  136. 	}

  137. 	return tmp

  138. }

  139. 

  140. // Import clears content of the private key currently stored in the structure

  141. // and imports key from octet string. In case of SIKE, the random value 'S'

  142. // must be prepended to the value of actual private key (see SIKE spec for details).

  143. // Function doesn't import public key value to PrivateKey object.

  144. func (prv *PrivateKey) Import(input []byte) error {

  145. 	if len(input) != prv.Size() {

  146. 		return errors.New("sidh: input to short")

  147. 	}

  148. 	copy(prv.S, input[:len(prv.S)])

  149. 	copy(prv.Scalar, input[len(prv.S):])

  150. 	return nil

  151. }

  152. 

  153. // Generates random private key for SIDH or SIKE. Generated value is

  154. // formed as little-endian integer from key-space <2^(e2-1)..2^e2 - 1>

  155. // for KeyVariant_A or <2^(s-1)..2^s - 1>, where s = floor(log_2(3^e3)),

  156. // for KeyVariant_B.

  157. //

  158. // Returns error in case user provided RNG fails.

  159. func (prv *PrivateKey) Generate(rand io.Reader) error {

  160. 	var err error

  161. 	var dp *DomainParams

  162. 

  163. 	if (prv.keyVariant & KeyVariant_SIDH_A) == KeyVariant_SIDH_A {

  164. 		dp = &prv.params.A

  165. 	} else {

  166. 		dp = &prv.params.B

  167. 	}

  168. 

  169. 	if prv.keyVariant == KeyVariant_SIKE && err == nil {

  170. 		_, err = io.ReadFull(rand, prv.S)

  171. 	}

  172. 

  173. 	// Private key generation takes advantage of the fact that keyspace for secret

  174. 	// key is (0, 2^x - 1), for some possitivite value of 'x' (see SIKE, 1.3.8).

  175. 	// It means that all bytes in the secret key, but the last one, can take any

  176. 	// value between <0x00,0xFF>. Similarily for the last byte, but generation

  177. 	// needs to chop off some bits, to make sure generated value is an element of

  178. 	// a key-space.

  179. 	_, err = io.ReadFull(rand, prv.Scalar)

  180. 	if err != nil {

  181. 		return err

  182. 	}

  183. 	prv.Scalar[len(prv.Scalar)-1] &= (1 << (dp.SecretBitLen % 8)) - 1

  184. 	// Make sure scalar is SecretBitLen long. SIKE spec says that key

  185. 	// space starts from 0, but I'm not confortable with having low

  186. 	// value scalars used for private keys. It is still secrure as per

  187. 	// table 5.1 in [SIKE].

  188. 	prv.Scalar[len(prv.Scalar)-1] |= 1 << ((dp.SecretBitLen % 8) - 1)

  189. 	return err

  190. }

  191. 

  192. // Generates public key.

  193. //

  194. // Constant time.

  195. func (prv *PrivateKey) GeneratePublicKey() *PublicKey {

  196. 	if (prv.keyVariant & KeyVariant_SIDH_A) == KeyVariant_SIDH_A {

  197. 		return publicKeyGenA(prv)

  198. 	}

  199. 	return publicKeyGenB(prv)

  200. }

  201. 

  202. // Computes a shared secret which is a j-invariant. Function requires that pub has

  203. // different KeyVariant than prv. Length of returned output is 2*ceil(log_2 P)/8),

  204. // where P is a prime defining finite field.

  205. //

  206. // It's important to notice that each keypair must not be used more than once

  207. // to calculate shared secret.

  208. //

  209. // Function may return error. This happens only in case provided input is invalid.

  210. // Constant time for properly initialized private and public key.

  211. func DeriveSecret(prv *PrivateKey, pub *PublicKey) ([]byte, error) {

  212. 

  213. 	if (pub == nil) || (prv == nil) {

  214. 		return nil, errors.New("sidh: invalid arguments")

  215. 	}

  216. 

  217. 	if (pub.keyVariant == prv.keyVariant) || (pub.params.Id != prv.params.Id) {

  218. 		return nil, errors.New("sidh: public and private are incompatbile")

  219. 	}

  220. 

  221. 	if (prv.keyVariant & KeyVariant_SIDH_A) == KeyVariant_SIDH_A {

  222. 		return deriveSecretA(prv, pub), nil

  223. 	} else {

  224. 		return deriveSecretB(prv, pub), nil

  225. 	}

  226. }