kris
/
SIDH_p751
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
99 Commits
14 Branches
653 KiB
 
 
 
Branch: trials/prep_p503_trial3
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'trials/prep_p503_trial3'
${ noResults }
SIDH_p751/sidh/api.go

207 lines
6.2 KiB
Raw Permalink Blame History 

  1. package sidh

  2. 

  3. import (

  4. 	"errors"

  5. 	. "github.com/cloudflare/p751sidh/p751toolbox"

  6. 	"io"

  7. )

  8. 

  9. // I keep it bool in order to be able to apply logical NOT

  10. type KeyVariant uint

  11. type PrimeFieldId uint

  12. 

  13. // Id's correspond to bitlength of the prime field characteristic

  14. // Currently FP_751 is the only one supported by this implementation

  15. const (

  16. 	FP_503 PrimeFieldId = iota

  17. 	FP_751

  18. 	FP_964

  19. 	maxPrimeFieldId

  20. )

  21. 

  22. const (

  23. 	// First 2 bits identify SIDH variant third bit indicates

  24. 	// wether key is a SIKE variant (set) or SIDH (not set)

  25. 

  26. 	// 001 - SIDH: corresponds to 2-torsion group

  27. 	KeyVariant_SIDH_A KeyVariant = 1 << 0

  28. 	// 010 - SIDH: corresponds to 3-torsion group

  29. 	KeyVariant_SIDH_B = 1 << 1

  30. 	// 110 - SIKE

  31. 	KeyVariant_SIKE = 1<<2 | KeyVariant_SIDH_B

  32. )

  33. 

  34. // Base type for public and private key. Used mainly to carry domain

  35. // parameters.

  36. type key struct {

  37. 	// Domain parameters of the algorithm to be used with a key

  38. 	params *SidhParams

  39. 	// Flag indicates wether corresponds to 2-, 3-torsion group or SIKE

  40. 	keyVariant KeyVariant

  41. }

  42. 

  43. // Defines operations on public key

  44. type PublicKey struct {

  45. 	key

  46. 	affine_xP   ExtensionFieldElement

  47. 	affine_xQ   ExtensionFieldElement

  48. 	affine_xQmP ExtensionFieldElement

  49. }

  50. 

  51. // Defines operations on private key

  52. type PrivateKey struct {

  53. 	key

  54. 	// Secret key

  55. 	Scalar []byte

  56. 	// Used only by KEM

  57. 	S []byte

  58. }

  59. 

  60. // Accessor to the domain parameters

  61. func (key *key) Params() *SidhParams {

  62. 	return key.params

  63. }

  64. 

  65. // Accessor to key variant

  66. func (key *key) Variant() KeyVariant {

  67. 	return key.keyVariant

  68. }

  69. 

  70. // NewPrivateKey initializes private key.

  71. // Usage of this function guarantees that the object is correctly initialized.

  72. func NewPrivateKey(id PrimeFieldId, v KeyVariant) *PrivateKey {

  73. 	prv := &PrivateKey{key: key{params: Params(id), keyVariant: v}}

  74. 	prv.Scalar = make([]byte, prv.params.SecretKeySize)

  75. 	if v == KeyVariant_SIKE {

  76. 		prv.S = make([]byte, prv.params.MsgLen)

  77. 	}

  78. 	return prv

  79. }

  80. 

  81. // NewPublicKey initializes public key.

  82. // Usage of this function guarantees that the object is correctly initialized.

  83. func NewPublicKey(id PrimeFieldId, v KeyVariant) *PublicKey {

  84. 	return &PublicKey{key: key{params: Params(id), keyVariant: v}}

  85. }

  86. 

  87. // Import clears content of the public key currently stored in the structure

  88. // and imports key stored in the byte string. Returns error in case byte string

  89. // size is wrong. Doesn't perform any validation.

  90. func (pub *PublicKey) Import(input []byte) error {

  91. 	if len(input) != pub.Size() {

  92. 		return errors.New("sidh: input to short")

  93. 	}

  94. 	pub.affine_xP.FromBytes(input[0:pub.params.SharedSecretSize])

  95. 	pub.affine_xQ.FromBytes(input[pub.params.SharedSecretSize : 2*pub.params.SharedSecretSize])

  96. 	pub.affine_xQmP.FromBytes(input[2*pub.params.SharedSecretSize : 3*pub.params.SharedSecretSize])

  97. 	return nil

  98. }

  99. 

  100. // Exports currently stored key. In case structure hasn't been filled with key data

  101. // returned byte string is filled with zeros.

  102. func (pub *PublicKey) Export() []byte {

  103. 	output := make([]byte, pub.params.PublicKeySize)

  104. 	pub.affine_xP.ToBytes(output[0:pub.params.SharedSecretSize])

  105. 	pub.affine_xQ.ToBytes(output[pub.params.SharedSecretSize : 2*pub.params.SharedSecretSize])

  106. 	pub.affine_xQmP.ToBytes(output[2*pub.params.SharedSecretSize : 3*pub.params.SharedSecretSize])

  107. 	return output

  108. }

  109. 

  110. // Size returns size of the public key in bytes

  111. func (pub *PublicKey) Size() int {

  112. 	return pub.params.PublicKeySize

  113. }

  114. 

  115. // Exports currently stored key. In case structure hasn't been filled with key data

  116. // returned byte string is filled with zeros.

  117. func (prv *PrivateKey) Export() []byte {

  118. 	ret := make([]byte, len(prv.Scalar)+len(prv.S))

  119. 	copy(ret, prv.S)

  120. 	copy(ret[len(prv.S):], prv.Scalar)

  121. 	return ret

  122. }

  123. 

  124. // Size returns size of the private key in bytes

  125. func (prv *PrivateKey) Size() int {

  126. 	tmp := prv.params.SecretKeySize

  127. 	if prv.Variant() == KeyVariant_SIKE {

  128. 		tmp += int(prv.params.MsgLen)

  129. 	}

  130. 	return tmp

  131. }

  132. 

  133. // Import clears content of the private key currently stored in the structure

  134. // and imports key from octet string. In case of SIKE, the random value 'S'

  135. // must be prepended to the value of actual private key (see SIKE spec for details).

  136. // Function doesn't import public key value to PrivateKey object.

  137. func (prv *PrivateKey) Import(input []byte) error {

  138. 	if len(input) != prv.Size() {

  139. 		return errors.New("sidh: input to short")

  140. 	}

  141. 	if len(prv.Scalar) != prv.params.SecretKeySize {

  142. 		return errors.New("sidh: object wrongly initialized")

  143. 	}

  144. 	copy(prv.S, input[:len(prv.S)])

  145. 	copy(prv.Scalar, input[len(prv.S):])

  146. 	return nil

  147. }

  148. 

  149. // Generates random private key for SIDH or SIKE. Returns error

  150. // in case user provided RNG or memory initialization fails.

  151. func (prv *PrivateKey) Generate(rand io.Reader) error {

  152. 	var err error

  153. 

  154. 	if (prv.keyVariant & KeyVariant_SIDH_A) == KeyVariant_SIDH_A {

  155. 		err = prv.generatePrivateKeyA(rand)

  156. 	} else {

  157. 		err = prv.generatePrivateKeyB(rand)

  158. 	}

  159. 

  160. 	if prv.keyVariant == KeyVariant_SIKE && err == nil {

  161. 		_, err = io.ReadFull(rand, prv.S)

  162. 	}

  163. 

  164. 	return err

  165. }

  166. 

  167. // Generates public key corresponding to prv. KeyVariant of generated public key

  168. // is same as PrivateKey. Fails only if prv was wrongly initialized.

  169. // Constant time for properly initialzied PrivateKey

  170. func GeneratePublicKey(prv *PrivateKey) (*PublicKey, error) {

  171. 	if prv == nil {

  172. 		return nil, errors.New("sidh: invalid arguments")

  173. 	}

  174. 

  175. 	if (prv.keyVariant & KeyVariant_SIDH_A) == KeyVariant_SIDH_A {

  176. 		return publicKeyGenA(prv), nil

  177. 	} else {

  178. 		return publicKeyGenB(prv), nil

  179. 	}

  180. }

  181. 

  182. // Computes a shared secret which is a j-invariant. Function requires that pub has

  183. // different KeyVariant than prv. Length of returned output is 2*ceil(log_2 P)/8),

  184. // where P is a prime defining finite field.

  185. //

  186. // It's important to notice that each keypair must not be used more than once

  187. // to calculate shared secret.

  188. //

  189. // Function may return error. This happens only in case provided input is invalid.

  190. // Constant time for properly initialized private and public key.

  191. func DeriveSecret(prv *PrivateKey, pub *PublicKey) ([]byte, error) {

  192. 

  193. 	if (pub == nil) || (prv == nil) {

  194. 		return nil, errors.New("sidh: invalid arguments")

  195. 	}

  196. 

  197. 	if (pub.keyVariant == prv.keyVariant) || (pub.params.Id != prv.params.Id) {

  198. 		return nil, errors.New("sidh: public and private are incompatbile")

  199. 	}

  200. 

  201. 	if (prv.keyVariant & KeyVariant_SIDH_A) == KeyVariant_SIDH_A {

  202. 		return deriveSecretA(prv, pub), nil

  203. 	} else {

  204. 		return deriveSecretB(prv, pub), nil

  205. 	}

  206. }