kris
/
SIDH_p751
1
0
派生 0
代码 工单 0 合并请求 0 版本发布 0 百科 动态
您最多选择25个主题 主题必须以字母或数字开头,可以包含连字符 (-),并且长度不得超过35个字符
135 提交
14 分支
653 KiB
 
 
 
分支: master
分支列表 标签列表
${ item.name }
创建分支 ${ searchTerm }
从 'master'
${ noResults }
SIDH_p751/sike/sike.go

218 行
6.1 KiB
原始文件 永久链接 Blame 文件历史 

  1. // [SIKE] http://www.sike.org/files/SIDH-spec.pdf

  2. // [REF] https://github.com/Microsoft/PQCrypto-SIDH

  3. package sike

  4. 

  5. import (

  6. 	"crypto/subtle"

  7. 	"errors"

  8. 	"io"

  9. 	// TODO: Use implementation from xcrypto, once PR below merged

  10. 	// https://go-review.googlesource.com/c/crypto/+/111281/

  11. 	. "github.com/cloudflare/sidh/sidh"

  12. 	cshake "github.com/henrydcase/nobs/hash/sha3"

  13. )

  14. 

  15. // Constants used for cSHAKE customization

  16. // Those values are different than in [SIKE] - they are encoded on 16bits. This is

  17. // done in order for implementation to be compatible with [REF] and test vectors.

  18. var G = []byte{0x00, 0x00}

  19. var H = []byte{0x01, 0x00}

  20. var F = []byte{0x02, 0x00}

  21. 

  22. // Generates cShake-256 sum

  23. func cshakeSum(out, in, S []byte) {

  24. 	h := cshake.NewCShake256(nil, S)

  25. 	h.Write(in)

  26. 	h.Read(out)

  27. }

  28. 

  29. func encrypt(skA *PrivateKey, pkA, pkB *PublicKey, ptext []byte) ([]byte, error) {

  30. 	var n [40]byte // n can is max 320-bit (see 1.4 of [SIKE])

  31. 	var ptextLen = len(ptext)

  32. 

  33. 	if pkB.Variant() != KeyVariant_SIKE {

  34. 		return nil, errors.New("wrong key type")

  35. 	}

  36. 

  37. 	j, err := DeriveSecret(skA, pkB)

  38. 	if err != nil {

  39. 		return nil, err

  40. 	}

  41. 

  42. 	cshakeSum(n[:ptextLen], j, F)

  43. 	for i, _ := range ptext {

  44. 		n[i] ^= ptext[i]

  45. 	}

  46. 

  47. 	ret := make([]byte, pkA.Size()+ptextLen)

  48. 	copy(ret, pkA.Export())

  49. 	copy(ret[pkA.Size():], n[:ptextLen])

  50. 	return ret, nil

  51. }

  52. 

  53. // -----------------------------------------------------------------------------

  54. // PKE interface

  55. //

  56. 

  57. // Uses SIKE public key to encrypt plaintext. Requires cryptographically secure PRNG

  58. // Returns ciphertext in case encryption succeeds. Returns error in case PRNG fails

  59. // or wrongly formated input was provided.

  60. func Encrypt(rng io.Reader, pub *PublicKey, ptext []byte) ([]byte, error) {

  61. 	var params = pub.Params()

  62. 	var ptextLen = uint(len(ptext))

  63. 	// c1 must be security level + 64 bits (see [SIKE] 1.4 and 4.3.3)

  64. 	if ptextLen != (params.KemSize + 8) {

  65. 		return nil, errors.New("Unsupported message length")

  66. 	}

  67. 

  68. 	skA := NewPrivateKey(params.Id, KeyVariant_SIDH_A)

  69. 	err := skA.Generate(rng)

  70. 	if err != nil {

  71. 		return nil, err

  72. 	}

  73. 

  74. 	pkA := skA.GeneratePublicKey()

  75. 	return encrypt(skA, pkA, pub, ptext)

  76. }

  77. 

  78. // Uses SIKE private key to decrypt ciphertext. Returns plaintext in case

  79. // decryption succeeds or error in case unexptected input was provided.

  80. // Constant time

  81. func Decrypt(prv *PrivateKey, ctext []byte) ([]byte, error) {

  82. 	var params = prv.Params()

  83. 	var n [40]byte // n can is max 320-bit (see 1.4 of [SIKE])

  84. 	var c1_len int

  85. 	var pk_len = params.PublicKeySize

  86. 

  87. 	if prv.Variant() != KeyVariant_SIKE {

  88. 		return nil, errors.New("wrong key type")

  89. 	}

  90. 

  91. 	// ctext is a concatenation of (pubkey_A || c1=ciphertext)

  92. 	// it must be security level + 64 bits (see [SIKE] 1.4 and 4.3.3)

  93. 	c1_len = len(ctext) - pk_len

  94. 	if c1_len != (int(params.KemSize) + 8) {

  95. 		return nil, errors.New("wrong size of cipher text")

  96. 	}

  97. 

  98. 	c0 := NewPublicKey(params.Id, KeyVariant_SIDH_A)

  99. 	err := c0.Import(ctext[:pk_len])

  100. 	if err != nil {

  101. 		return nil, err

  102. 	}

  103. 	j, err := DeriveSecret(prv, c0)

  104. 	if err != nil {

  105. 		return nil, err

  106. 	}

  107. 

  108. 	cshakeSum(n[:c1_len], j, F)

  109. 	for i, _ := range n[:c1_len] {

  110. 		n[i] ^= ctext[pk_len+i]

  111. 	}

  112. 

  113. 	return n[:c1_len], nil

  114. }

  115. 

  116. // -----------------------------------------------------------------------------

  117. // KEM interface

  118. //

  119. 

  120. // Encapsulation receives the public key and generates SIKE ciphertext and shared secret.

  121. // The generated ciphertext is used for authentication.

  122. // The rng must be cryptographically secure PRNG.

  123. // Error is returned in case PRNG fails or wrongly formated input was provided.

  124. func Encapsulate(rng io.Reader, pub *PublicKey) (ctext []byte, secret []byte, err error) {

  125. 	var params = pub.Params()

  126. 	// Buffer for random, secret message

  127. 	var ptext = make([]byte, params.MsgLen)

  128. 	// r = G(ptext||pub)

  129. 	var r = make([]byte, params.A.SecretByteLen)

  130. 	// Resulting shared secret

  131. 	secret = make([]byte, params.KemSize)

  132. 

  133. 	// Generate ephemeral value

  134. 	_, err = io.ReadFull(rng, ptext)

  135. 	if err != nil {

  136. 		return nil, nil, err

  137. 	}

  138. 

  139. 	h := cshake.NewCShake256(nil, G)

  140. 	h.Write(ptext)

  141. 	h.Write(pub.Export())

  142. 	h.Read(r)

  143. 

  144. 	// cSHAKE256 implementation is byte oriented. Ensure bitlength is not bigger then to 2^e2-1

  145. 	r[len(r)-1] &= (1 << (params.A.SecretBitLen % 8)) - 1

  146. 

  147. 	// (c0 || c1) = Enc(pkA, ptext; r)

  148. 	skA := NewPrivateKey(params.Id, KeyVariant_SIDH_A)

  149. 	err = skA.Import(r)

  150. 	if err != nil {

  151. 		return nil, nil, err

  152. 	}

  153. 

  154. 	pkA := skA.GeneratePublicKey()

  155. 	ctext, err = encrypt(skA, pkA, pub, ptext)

  156. 	if err != nil {

  157. 		return nil, nil, err

  158. 	}

  159. 

  160. 	// K = H(ptext||(c0||c1))

  161. 	h = cshake.NewCShake256(nil, H)

  162. 	h.Write(ptext)

  163. 	h.Write(ctext)

  164. 	h.Read(secret)

  165. 

  166. 	return ctext, secret, nil

  167. }

  168. 

  169. // Decapsulate given the keypair and ciphertext as inputs, Decapsulate outputs a shared

  170. // secret if plaintext verifies correctly, otherwise function outputs random value.

  171. // Decapsulation may fail in case input is wrongly formated.

  172. // Constant time for properly initialized input.

  173. func Decapsulate(prv *PrivateKey, pub *PublicKey, ctext []byte) ([]byte, error) {

  174. 	var params = pub.Params()

  175. 	var r = make([]byte, params.A.SecretByteLen)

  176. 	// Resulting shared secret

  177. 	var secret = make([]byte, params.KemSize)

  178. 	var skA = NewPrivateKey(params.Id, KeyVariant_SIDH_A)

  179. 

  180. 	m, err := Decrypt(prv, ctext)

  181. 	if err != nil {

  182. 		return nil, err

  183. 	}

  184. 

  185. 	// r' = G(m'||pub)

  186. 	h := cshake.NewCShake256(nil, G)

  187. 	h.Write(m)

  188. 	h.Write(pub.Export())

  189. 	h.Read(r)

  190. 

  191. 	// cSHAKE256 implementation is byte oriented: Ensure bitlength is not bigger than 2^e2-1

  192. 	r[len(r)-1] &= (1 << (params.A.SecretBitLen % 8)) - 1

  193. 

  194. 	// Never fails

  195. 	skA.Import(r)

  196. 

  197. 	// Never fails

  198. 	pkA := skA.GeneratePublicKey()

  199. 	c0 := pkA.Export()

  200. 

  201. 	h = cshake.NewCShake256(nil, H)

  202. 	if subtle.ConstantTimeCompare(c0, ctext[:len(c0)]) == 1 {

  203. 		h.Write(m)

  204. 	} else {

  205. 		// S is chosen at random when generating a key and unknown to other party. It

  206. 		// may seem weird, but it's correct. It is important that S is unpredictable

  207. 		// to other party. Without this check, it is possible to recover a secret, by

  208. 		// providing series of invalid ciphertexts. It is also important that in case

  209. 		//

  210. 		// See more details in "On the security of supersingular isogeny cryptosystems"

  211. 		// (S. Galbraith, et al., 2016, ePrint #859).

  212. 		h.Write(prv.S)

  213. 	}

  214. 	h.Write(ctext)

  215. 	h.Read(secret)

  216. 	return secret, nil

  217. }