boringssl/ssl/test/runner/newhope/reconciliation.go

// Copyright (c) 2016, Google Inc.
//
// Permission to use, copy, modify, and/or distribute this software for any
// purpose with or without fee is hereby granted, provided that the above
// copyright notice and this permission notice appear in all copies.
//
// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
// SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
// OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
// CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

package newhope

// This file contains the reconciliation algorithm for NewHope. This is simply a
// monkey-see-monkey-do version of the reference code, with the exception that
// the key resulting from reconciliation is whitened with SHA2 rather than SHA3.
//
// Thanks to the authors of the reference code for allowing us to release this
// under the BoringSSL license.

import (
	"crypto/sha256"
	"io"
)

func abs(v int32) int32 {
	mask := v >> 31
	return (v ^ mask) - mask
}

func f(x int32) (v0, v1, k int32) {
	// Next 6 lines compute t = x/q;
	b := x * 2730
	t := b >> 25
	b = x - t*12289
	b = 12288 - b
	b >>= 31
	t -= b

	r := t & 1
	xit := (t >> 1)
	v0 = xit + r // v0 = round(x/(2*q))

	t -= 1
	r = t & 1
	v1 = (t >> 1) + r

	k = abs(x - (v0 * 2 * q))
	return
}

// reconciliationData is the data needed for reconciliation. There are 2 bits
// per coefficient; this is the unpacked form.
type reconciliationData [n]uint8

func helprec(rand io.Reader, v *Poly) *reconciliationData {
	var randBits [n / (4 * 8)]byte
	if _, err := io.ReadFull(rand, randBits[:]); err != nil {
		panic(err)
	}

	ret := new(reconciliationData)

	for i := uint(0); i < n/4; i++ {
		rbit := int32((randBits[i>>3] >> (i & 7)) & 1)

		a0, b0, k0 := f(8*int32(v[i]) + 4*rbit)
		a1, b1, k1 := f(8*int32(v[256+i]) + 4*rbit)
		a2, b2, k2 := f(8*int32(v[512+i]) + 4*rbit)
		a3, b3, k3 := f(8*int32(v[768+i]) + 4*rbit)

		k := (2*q - 1 - (k0 + k1 + k2 + k3)) >> 31

		v0 := ((^k) & a0) ^ (k & b0)
		v1 := ((^k) & a1) ^ (k & b1)
		v2 := ((^k) & a2) ^ (k & b2)
		v3 := ((^k) & a3) ^ (k & b3)

		ret[i] = uint8((v0 - v3) & 3)
		ret[i+256] = uint8((v1 - v3) & 3)
		ret[i+512] = uint8((v2 - v3) & 3)
		ret[i+768] = uint8((-k + 2*v3) & 3)
	}

	return ret
}

func g(x int32) int32 {
	// Next 6 lines compute t = x/(4*q);
	b := x * 2730
	t := b >> 27
	b = x - t*49156
	b = 49155 - b
	b >>= 31
	t -= b

	c := t & 1
	t = (t >> 1) + c // t = round(x/(8*q))

	t *= 8 * q

	return abs(t - x)
}

func ldDecode(xi0, xi1, xi2, xi3 int32) uint8 {
	t := g(xi0)
	t += g(xi1)
	t += g(xi2)
	t += g(xi3)

	t -= 8 * q
	t >>= 31
	return uint8(t & 1)
}

func reconcile(v *Poly, reconciliation *reconciliationData) Key {
	key := new(Key)

	for i := uint(0); i < n/4; i++ {
		t0 := 16*q + 8*int32(v[i]) - q*(2*int32(reconciliation[i])+int32(reconciliation[i+768]))
		t1 := 16*q + 8*int32(v[i+256]) - q*(2*int32(reconciliation[256+i])+int32(reconciliation[i+768]))
		t2 := 16*q + 8*int32(v[i+512]) - q*(2*int32(reconciliation[512+i])+int32(reconciliation[i+768]))
		t3 := 16*q + 8*int32(v[i+768]) - q*int32(reconciliation[i+768])

		key[i>>3] |= ldDecode(t0, t1, t2, t3) << (i & 7)
	}

	return sha256.Sum256(key[:])
}