kris
/
SIDH_p751
1
0
Forka 0
Codice Problemi 0 Pull Requests 0 Rilasci 0 Wiki Attività
Non puoi selezionare più di 25 argomenti Gli argomenti devono iniziare con una lettera o un numero, possono includere trattini ('-') e possono essere lunghi fino a 35 caratteri.
105 Commit
14 Rami (Branch)
653 KiB
 
 
 
Ramo (Branch): trials/prep_p503_trial5_context
Rami (Branch) Tag
${ item.name }
Crea branch ${ searchTerm }
da 'trials/prep_p503_trial5_context'
${ noResults }
SIDH_p751/sidh/sidh.go

429 righe
12 KiB
Originale Permalink Blame Cronologia 

  1. package sidh

  2. 

  3. import (

  4. 	"errors"

  5. 	"io"

  6. 

  7. 	// TODO: This is needed by ExtensionFieldElement struct, which itself

  8. 	// 		 depends on implementation of p751.

  9. //	p503 "github.com/cloudflare/p751sidh/p503toolbox"

  10. 	p751 "github.com/cloudflare/p751sidh/p751toolbox"

  11. )

  12. 

  13. // -----------------------------------------------------------------------------

  14. // Functions for traversing isogeny trees acoording to strategy. Key type 'A' is

  15. //

  16. 

  17. // Traverses isogeny tree in order to compute xR, xP, xQ and xQmP needed

  18. // for public key generation.

  19. func traverseTreePublicKeyA(curve *p751.ProjectiveCurveParameters, xR, phiP, phiQ, phiR *p751.ProjectivePoint, pub *PublicKey) {

  20. 	var points = make([]p751.ProjectivePoint, 0, 8)

  21. 	var indices = make([]int, 0, 8)

  22. 	var i, sidx int

  23. 

  24. 	cparam := curve.CalcCurveParamsEquiv4()

  25. 	phi := p751.NewIsogeny4()

  26. 	strat := pub.params.A.IsogenyStrategy

  27. 	stratSz := len(strat)

  28. 

  29. 	for j := 1; j <= stratSz; j++ {

  30. 		for i <= stratSz-j {

  31. 			points = append(points, *xR)

  32. 			indices = append(indices, i)

  33. 

  34. 			k := strat[sidx]

  35. 			sidx++

  36. 			xR.Pow2k(&cparam, xR, 2*k)

  37. 			i += int(k)

  38. 		}

  39. 

  40. 		cparam = phi.GenerateCurve(xR)

  41. 		for k := 0; k < len(points); k++ {

  42. 			points[k] = phi.EvaluatePoint(&points[k])

  43. 		}

  44. 

  45. 		*phiP = phi.EvaluatePoint(phiP)

  46. 		*phiQ = phi.EvaluatePoint(phiQ)

  47. 		*phiR = phi.EvaluatePoint(phiR)

  48. 

  49. 		// pop xR from points

  50. 		*xR, points = points[len(points)-1], points[:len(points)-1]

  51. 		i, indices = int(indices[len(indices)-1]), indices[:len(indices)-1]

  52. 	}

  53. }

  54. 

  55. 

  56. // -----------------------------------------------------------------------------

  57. // Functions for traversing isogeny trees acoording to strategy. Key type 'A' is

  58. //

  59. 

  60. // Traverses isogeny tree in order to compute xR, xP, xQ and xQmP needed

  61. // for public key generation.

  62. func traverseTreePublicKeyAX(ctx *OperationContext, pub *PublicKey/*curve *p751.ProjectiveCurveParameters, xR, phiP, phiQ, phiR *p751.ProjectivePoint, */) {

  63. 	var points = make([]p751.ProjectivePoint, 0, 8)

  64. 	var indices = make([]int, 0, 8)

  65. 	var i, sidx int

  66. 

  67. 	//cparam := curve.CalcCurveParamsEquiv4()

  68. 	phi := p751.NewIsogeny4()

  69. 	strat := pub.params.A.IsogenyStrategy

  70. 	stratSz := len(strat)

  71. 

  72. 	for j := 1; j <= stratSz; j++ {

  73. 		for i <= stratSz-j {

  74. 			points = append(points, *xR)

  75. 			indices = append(indices, i)

  76. 

  77. 			k := strat[sidx]

  78. 			sidx++

  79. 			xR.Pow2k(&cparam, xR, 2*k)

  80. 			i += int(k)

  81. 		}

  82. 

  83. 		cparam = phi.GenerateCurve(xR)

  84. 		for k := 0; k < len(points); k++ {

  85. 			points[k] = phi.EvaluatePoint(&points[k])

  86. 		}

  87. 

  88. 		*phiP = phi.EvaluatePoint(phiP)

  89. 		*phiQ = phi.EvaluatePoint(phiQ)

  90. 		*phiR = phi.EvaluatePoint(phiR)

  91. 

  92. 		// pop xR from points

  93. 		*xR, points = points[len(points)-1], points[:len(points)-1]

  94. 		i, indices = int(indices[len(indices)-1]), indices[:len(indices)-1]

  95. 	}

  96. }

  97. 

  98. 

  99. // Traverses isogeny tree in order to compute xR needed

  100. // for public key generation.

  101. func traverseTreeSharedKeyA(curve *p751.ProjectiveCurveParameters, xR *p751.ProjectivePoint, pub *PublicKey) {

  102. 	var points = make([]p751.ProjectivePoint, 0, 8)

  103. 	var indices = make([]int, 0, 8)

  104. 	var i, sidx int

  105. 

  106. 	cparam := curve.CalcCurveParamsEquiv4()

  107. 	phi := p751.NewIsogeny4()

  108. 	strat := pub.params.A.IsogenyStrategy

  109. 	stratSz := len(strat)

  110. 

  111. 	for j := 1; j <= stratSz; j++ {

  112. 		for i <= stratSz-j {

  113. 			points = append(points, *xR)

  114. 			indices = append(indices, i)

  115. 

  116. 			k := strat[sidx]

  117. 			sidx++

  118. 			xR.Pow2k(&cparam, xR, 2*k)

  119. 			i += int(k)

  120. 		}

  121. 

  122. 		cparam = phi.GenerateCurve(xR)

  123. 		for k := 0; k < len(points); k++ {

  124. 			points[k] = phi.EvaluatePoint(&points[k])

  125. 		}

  126. 

  127. 		// pop xR from points

  128. 		*xR, points = points[len(points)-1], points[:len(points)-1]

  129. 		i, indices = int(indices[len(indices)-1]), indices[:len(indices)-1]

  130. 	}

  131. }

  132. 

  133. // Traverses isogeny tree in order to compute xR, xP, xQ and xQmP needed

  134. // for public key generation.

  135. func traverseTreePublicKeyB(curve *p751.ProjectiveCurveParameters, xR, phiP, phiQ, phiR *p751.ProjectivePoint, pub *PublicKey) {

  136. 	var points = make([]p751.ProjectivePoint, 0, 8)

  137. 	var indices = make([]int, 0, 8)

  138. 	var i, sidx int

  139. 

  140. 	cparam := curve.CalcCurveParamsEquiv3()

  141. 	phi := p751.NewIsogeny3()

  142. 	strat := pub.params.B.IsogenyStrategy

  143. 	stratSz := len(strat)

  144. 

  145. 	for j := 1; j <= stratSz; j++ {

  146. 		for i <= stratSz-j {

  147. 			points = append(points, *xR)

  148. 			indices = append(indices, i)

  149. 

  150. 			k := strat[sidx]

  151. 			sidx++

  152. 			xR.Pow3k(&cparam, xR, k)

  153. 			i += int(k)

  154. 		}

  155. 

  156. 		cparam = phi.GenerateCurve(xR)

  157. 		for k := 0; k < len(points); k++ {

  158. 			points[k] = phi.EvaluatePoint(&points[k])

  159. 		}

  160. 

  161. 		*phiP = phi.EvaluatePoint(phiP)

  162. 		*phiQ = phi.EvaluatePoint(phiQ)

  163. 		*phiR = phi.EvaluatePoint(phiR)

  164. 

  165. 		// pop xR from points

  166. 		*xR, points = points[len(points)-1], points[:len(points)-1]

  167. 		i, indices = int(indices[len(indices)-1]), indices[:len(indices)-1]

  168. 	}

  169. }

  170. 

  171. // Traverses isogeny tree in order to compute xR, xP, xQ and xQmP needed

  172. // for public key generation.

  173. func traverseTreeSharedKeyB(curve *p751.ProjectiveCurveParameters, xR *p751.ProjectivePoint, pub *PublicKey) {

  174. 	var points = make([]p751.ProjectivePoint, 0, 8)

  175. 	var indices = make([]int, 0, 8)

  176. 	var i, sidx int

  177. 

  178. 	cparam := curve.CalcCurveParamsEquiv3()

  179. 	phi := p751.NewIsogeny3()

  180. 	strat := pub.params.B.IsogenyStrategy

  181. 	stratSz := len(strat)

  182. 

  183. 	for j := 1; j <= stratSz; j++ {

  184. 		for i <= stratSz-j {

  185. 			points = append(points, *xR)

  186. 			indices = append(indices, i)

  187. 

  188. 			k := strat[sidx]

  189. 			sidx++

  190. 			xR.Pow3k(&cparam, xR, k)

  191. 			i += int(k)

  192. 		}

  193. 

  194. 		cparam = phi.GenerateCurve(xR)

  195. 		for k := 0; k < len(points); k++ {

  196. 			points[k] = phi.EvaluatePoint(&points[k])

  197. 		}

  198. 

  199. 		// pop xR from points

  200. 		*xR, points = points[len(points)-1], points[:len(points)-1]

  201. 		i, indices = int(indices[len(indices)-1]), indices[:len(indices)-1]

  202. 	}

  203. }

  204. 

  205. // -----------------------------------------------------------------------------

  206. // Key generation functions

  207. //

  208. 

  209. // Generate a private key for "Alice".  Note that because this library does not

  210. // implement SIDH validation, each keypair must be used for at most one

  211. // shared secret computation.

  212. func (prv *PrivateKey) generatePrivateKeyA(rand io.Reader) error {

  213. 	_, err := io.ReadFull(rand, prv.Scalar)

  214. 	if err != nil {

  215. 		return err

  216. 	}

  217. 

  218. 	// Bit-twiddle to ensure scalar is in 2*[0,2^371):

  219. 	prv.Scalar[prv.params.SecretKeySize-1] = prv.params.A.MaskBytes[0]

  220. 	prv.Scalar[prv.params.SecretKeySize-2] &= prv.params.A.MaskBytes[1] // clear high bits, so scalar < 2^372

  221. 	prv.Scalar[0] &= prv.params.A.MaskBytes[2]                          // clear low bit, so scalar is even

  222. 

  223. 	// We actually want scalar in 2*(0,2^371), but the above procedure

  224. 	// generates 0 with probability 2^(-371), which isn't worth checking

  225. 	// for.

  226. 	return nil

  227. }

  228. 

  229. // Generate a private key for "Bob".  Note that because this library does not

  230. // implement SIDH validation, each keypair must be used for at most one

  231. // shared secret computation.

  232. func (prv *PrivateKey) generatePrivateKeyB(rand io.Reader) error {

  233. 	// Perform rejection sampling to obtain a random value in [0,3^238]:

  234. 	var ok uint8

  235. 	for i := uint(0); i < prv.params.SampleRate; i++ {

  236. 		_, err := io.ReadFull(rand, prv.Scalar)

  237. 		if err != nil {

  238. 			return err

  239. 		}

  240. 		// Mask the high bits to obtain a uniform value in [0,2^378):

  241. 		// TODO: simply run it in loop, if rand distribution is uniform you surelly get non 0

  242. 		//       if not - better die, keep looping, hang, whatever, but don't generate secure key

  243. 		prv.Scalar[prv.params.SecretKeySize-1] &= prv.params.B.MaskBytes[0]

  244. 

  245. 		// Accept if scalar < 3^238 (this happens w/ prob ~0.5828)

  246. 		// TODO this is specific to P751

  247. 		ok = checkLessThanThree238(prv.Scalar)

  248. 		if ok == 0 {

  249. 			break

  250. 		}

  251. 	}

  252. 	// ok is nonzero if all sampleRate trials failed.

  253. 	// This happens with probability 0.41719...^102 < 2^(-128), i.e., never

  254. 	if ok != 0 {

  255. 		// In case this happens user should retry. In practice it is highly

  256. 		// improbable (< 2^-128).

  257. 		return errors.New("sidh: private key generation failed")

  258. 	}

  259. 

  260. 	// Multiply by 3 to get a scalar in 3*[0,3^238):

  261. 	multiplyByThree(prv.Scalar)

  262. 	// We actually want scalar in 2*(0,2^371), but the above procedure

  263. 	// generates 0 with probability 2^(-371), which isn't worth checking

  264. 	// for.

  265. 	return nil

  266. }

  267. 

  268. // Generate a public key in the 2-torsion group

  269. func publicKeyGenA(prv *PrivateKey) (pub *PublicKey) {

  270. //	var xPA, xQA, xRA p751.ProjectivePoint

  271. //	var xPB, xQB, xRB, xR p751.ProjectivePoint

  272. //	var invZP, invZQ, invZR p751.ExtensionFieldElement

  273. //	var tmp p751.ProjectiveCurveParameters

  274. //	var phi = p751.NewIsogeny4()

  275. //

  276. 	pub = NewPublicKey(prv.params.Id, KeyVariant_SIDH_A)

  277. 	ctx := prv.params.op()

  278. 	ctx.LoadBasePoints()

  279. 	ctx.ScalarMul(prv.Scalar, prv.params.A.SecretBitLen)

  280. 	traverseTreePublicKeyA(ctx)

  281. //	ctx.CreateSecretIsogeny()

  282. //	ctx.Store(pub)

  283. 

  284. /*

  285. 	// Load points for A

  286. 	xPA.FromAffine(&prv.params.A.Affine_P)

  287. 	xPA.Z.One()

  288. 	xQA.FromAffine(&prv.params.A.Affine_Q)

  289. 	xQA.Z.One()

  290. 	xRA.FromAffine(&prv.params.A.Affine_R)

  291. 	xRA.Z.One()

  292. 

  293. 	// Load points for B

  294. 	xRB.FromAffine(&prv.params.B.Affine_R)

  295. 	xRB.Z.One()

  296. 	xQB.FromAffine(&prv.params.B.Affine_Q)

  297. 	xQB.Z.One()

  298. 	xPB.FromAffine(&prv.params.B.Affine_P)

  299. 	xPB.Z.One()

  300. 

  301. 	// Find isogeny kernel

  302. 	tmp.A.Zero()

  303. 	tmp.C.One()

  304. 	xR = p751.RightToLeftLadder(&tmp, &xPA, &xQA, &xRA, prv.params.A.SecretBitLen, prv.Scalar)

  305. 

  306. 	// Reset params object and travers isogeny tree

  307. 	tmp.A.Zero()

  308. 	tmp.C.One()

  309. 	traverseTreePublicKeyA(&tmp, &xR, &xPB, &xQB, &xRB, pub)

  310. 

  311. 	// Secret isogeny

  312. 	phi.GenerateCurve(&xR)

  313. 	xPA = phi.EvaluatePoint(&xPB)

  314. 	xQA = phi.EvaluatePoint(&xQB)

  315. 	xRA = phi.EvaluatePoint(&xRB)

  316. 	p751.ExtensionFieldBatch3Inv(&xPA.Z, &xQA.Z, &xRA.Z, &invZP, &invZQ, &invZR)

  317. 

  318. 	pub.affine_xP.Mul(&xPA.X, &invZP)

  319. 	pub.affine_xQ.Mul(&xQA.X, &invZQ)

  320. 	pub.affine_xQmP.Mul(&xRA.X, &invZR)

  321. */

  322. 	return

  323. }

  324. 

  325. // Generate a public key in the 3-torsion group

  326. func publicKeyGenB(prv *PrivateKey) (pub *PublicKey) {

  327. 	var xPB, xQB, xRB, xR p751.ProjectivePoint

  328. 	var xPA, xQA, xRA p751.ProjectivePoint

  329. 	var invZP, invZQ, invZR p751.ExtensionFieldElement

  330. 	var tmp p751.ProjectiveCurveParameters

  331. 	var phi = p751.NewIsogeny3()

  332. 	pub = NewPublicKey(prv.params.Id, prv.keyVariant)

  333. 

  334. 	// Load points for A

  335. 	xPA.FromAffine(&prv.params.A.Affine_P)

  336. 	xPA.Z.One()

  337. 	xQA.FromAffine(&prv.params.A.Affine_Q)

  338. 	xQA.Z.One()

  339. 	xRA.FromAffine(&prv.params.A.Affine_R)

  340. 	xRA.Z.One()

  341. 

  342. 	// Load points for B

  343. 	xRB.FromAffine(&prv.params.B.Affine_R)

  344. 	xRB.Z.One()

  345. 	xQB.FromAffine(&prv.params.B.Affine_Q)

  346. 	xQB.Z.One()

  347. 	xPB.FromAffine(&prv.params.B.Affine_P)

  348. 	xPB.Z.One()

  349. 

  350. 	tmp.A.Zero()

  351. 	tmp.C.One()

  352. 	xR = p751.RightToLeftLadder(&tmp, &xPB, &xQB, &xRB, prv.params.B.SecretBitLen, prv.Scalar)

  353. 

  354. 	tmp.A.Zero()

  355. 	tmp.C.One()

  356. 	traverseTreePublicKeyB(&tmp, &xR, &xPA, &xQA, &xRA, pub)

  357. 

  358. 	phi.GenerateCurve(&xR)

  359. 	xPB = phi.EvaluatePoint(&xPA)

  360. 	xQB = phi.EvaluatePoint(&xQA)

  361. 	xRB = phi.EvaluatePoint(&xRA)

  362. 	p751.ExtensionFieldBatch3Inv(&xPB.Z, &xQB.Z, &xRB.Z, &invZP, &invZQ, &invZR)

  363. 

  364. 	pub.affine_xP.Mul(&xPB.X, &invZP)

  365. 	pub.affine_xQ.Mul(&xQB.X, &invZQ)

  366. 	pub.affine_xQmP.Mul(&xRB.X, &invZR)

  367. 	return

  368. }

  369. 

  370. // -----------------------------------------------------------------------------

  371. // Key agreement functions

  372. //

  373. 

  374. // Establishing shared keys in in 2-torsion group

  375. func deriveSecretA(prv *PrivateKey, pub *PublicKey) []byte {

  376. 	var sharedSecret = make([]byte, pub.params.SharedSecretSize)

  377. 	var cparam p751.ProjectiveCurveParameters

  378. 	var xP, xQ, xQmP p751.ProjectivePoint

  379. 	var xR p751.ProjectivePoint

  380. 	var phi = p751.NewIsogeny4()

  381. 

  382. 	// Recover curve coefficients

  383. 	cparam.RecoverCoordinateA(&pub.affine_xP, &pub.affine_xQ, &pub.affine_xQmP)

  384. 	cparam.C.One()

  385. 

  386. 	// Find kernel of the morphism

  387. 	xP.FromAffine(&pub.affine_xP)

  388. 	xQ.FromAffine(&pub.affine_xQ)

  389. 	xQmP.FromAffine(&pub.affine_xQmP)

  390. 	xR = p751.RightToLeftLadder(&cparam, &xP, &xQ, &xQmP, pub.params.A.SecretBitLen, prv.Scalar)

  391. 

  392. 	// Traverse isogeny tree

  393. 	traverseTreeSharedKeyA(&cparam, &xR, pub)

  394. 

  395. 	// Calculate j-invariant on isogeneus curve

  396. 	c := phi.GenerateCurve(&xR)

  397. 	cparam.RecoverCurveCoefficients4(&c)

  398. 	cparam.Jinvariant(sharedSecret)

  399. 	return sharedSecret

  400. }

  401. 

  402. // Establishing shared keys in in 3-torsion group

  403. func deriveSecretB(prv *PrivateKey, pub *PublicKey) []byte {

  404. 	var sharedSecret = make([]byte, pub.params.SharedSecretSize)

  405. 	var xP, xQ, xQmP p751.ProjectivePoint

  406. 	var xR p751.ProjectivePoint

  407. 	var cparam p751.ProjectiveCurveParameters

  408. 	var phi = p751.NewIsogeny3()

  409. 

  410. 	// Recover curve coefficients

  411. 	cparam.RecoverCoordinateA(&pub.affine_xP, &pub.affine_xQ, &pub.affine_xQmP)

  412. 	cparam.C.One()

  413. 

  414. 	// Find kernel of the morphism

  415. 	xP.FromAffine(&pub.affine_xP)

  416. 	xQ.FromAffine(&pub.affine_xQ)

  417. 	xQmP.FromAffine(&pub.affine_xQmP)

  418. 	xR = p751.RightToLeftLadder(&cparam, &xP, &xQ, &xQmP, pub.params.B.SecretBitLen, prv.Scalar)

  419. 

  420. 	// Traverse isogeny tree

  421. 	traverseTreeSharedKeyB(&cparam, &xR, pub)

  422. 

  423. 	// Calculate j-invariant on isogeneus curve

  424. 	c := phi.GenerateCurve(&xR)

  425. 	cparam.RecoverCurveCoefficients3(&c)

  426. 	cparam.Jinvariant(sharedSecret)

  427. 	return sharedSecret

  428. }