kris
/
boringssl
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
3117 Commits
12 Branches
38 MiB
 
 
 
 
 
 
Tree: 19d5cf86de
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '19d5cf86de'
${ noResults }
boringssl/include/openssl/newhope.h

148 lines
6.4 KiB
Raw Blame History 

  1. /* Copyright (c) 2016, Google Inc.

  2.  *

  3.  * Permission to use, copy, modify, and/or distribute this software for any

  4.  * purpose with or without fee is hereby granted, provided that the above

  5.  * copyright notice and this permission notice appear in all copies.

  6.  *

  7.  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES

  8.  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF

  9.  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY

  10.  * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES

  11.  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION

  12.  * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN

  13.  * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */

  14. 

  15. #ifndef OPENSSL_HEADER_NEWHOPE_H

  16. #define OPENSSL_HEADER_NEWHOPE_H

  17. 

  18. #include <openssl/base.h>

  19. #include <openssl/sha.h>

  20. 

  21. #if defined(__cplusplus)

  22. extern "C" {

  23. #endif

  24. 

  25. 

  26. /* Post-quantum key agreement, based upon the reference

  27.  * implementation. Note: this implementation does not interoperate

  28.  * with the reference implementation!

  29.  *

  30.  * Source: https://github.com/tpoeppelmann/newhope

  31.  *

  32.  * The authors' permission to use their code is gratefully acknowledged. */

  33. 

  34. 

  35. /* NEWHOPE_POLY_new returns a new |NEWHOPE_POLY| object, or NULL on error. */

  36. OPENSSL_EXPORT NEWHOPE_POLY *NEWHOPE_POLY_new(void);

  37. 

  38. /* NEWHOPE_POLY_free frees |p|. */

  39. OPENSSL_EXPORT void NEWHOPE_POLY_free(NEWHOPE_POLY *p);

  40. 

  41. /* NEWHOPE_POLY_LENGTH is the size in bytes of the packed representation of a

  42.  * polynomial, encoded with 14 bits per coefficient. */

  43. #define NEWHOPE_POLY_LENGTH ((1024 * 14) / 8)

  44. 

  45. /* NEWHOPE_RECONCILIATION_LENGTH is the size in bytes of the packed

  46.  * representation of the reconciliation data, encoded as 2 bits per

  47.  * coefficient. */

  48. #define NEWHOPE_RECONCILIATION_LENGTH ((1024 * 2) / 8)

  49. 

  50. /* NEWHOPE_OFFERMSG_LENGTH is the length of the offering party's message to the

  51.  * accepting party. */

  52. #define NEWHOPE_OFFERMSG_LENGTH (NEWHOPE_POLY_LENGTH + 32)

  53. 

  54. /* NEWHOPE_ACCEPTMSG_LENGTH is the length of the accepting party's message to

  55.  * the offering party. */

  56. #define NEWHOPE_ACCEPTMSG_LENGTH \

  57.   (NEWHOPE_POLY_LENGTH + NEWHOPE_RECONCILIATION_LENGTH)

  58. 

  59. /* NEWHOPE_KEY_LENGTH is the size of the result of the key agreement. This

  60.  * result is not exposed to callers: instead, it is whitened with SHA-256, whose

  61.  * output happens to be the same size. */

  62. #define NEWHOPE_KEY_LENGTH 32

  63. 

  64. /* NEWHOPE_offer initializes |out_msg| and |out_sk| for a new key

  65.  * exchange. |msg| must have room for |NEWHOPE_OFFERMSG_LENGTH| bytes. Neither

  66.  * output may be cached. */

  67. OPENSSL_EXPORT void NEWHOPE_offer(uint8_t out_msg[NEWHOPE_OFFERMSG_LENGTH],

  68.                                   NEWHOPE_POLY *out_sk);

  69. 

  70. /* NEWHOPE_accept completes a key exchange given an offer message |msg|. The

  71.  * result of the key exchange is written to |out_key|, which must have space for

  72.  * |SHA256_DIGEST_LENGTH| bytes. The message to be send to the offering party is

  73.  * written to |out_msg|, which must have room for |NEWHOPE_ACCEPTMSG_LENGTH|

  74.  * bytes. Returns 1 on success and 0 on error. */

  75. OPENSSL_EXPORT int NEWHOPE_accept(uint8_t out_key[SHA256_DIGEST_LENGTH],

  76.                                   uint8_t out_msg[NEWHOPE_ACCEPTMSG_LENGTH],

  77.                                   const uint8_t msg[NEWHOPE_OFFERMSG_LENGTH],

  78.                                   size_t msg_len);

  79. 

  80. /* NEWHOPE_finish completes a key exchange for the offering party, given an

  81.  * accept message |msg| and the previously generated secret |sk|. The result of

  82.  * the key exchange is written to |out_key|, which must have space for

  83.  * |SHA256_DIGEST_LENGTH| bytes. Returns 1 on success and 0 on error. */

  84. OPENSSL_EXPORT int NEWHOPE_finish(uint8_t out_key[SHA256_DIGEST_LENGTH],

  85.                                   const NEWHOPE_POLY *sk,

  86.                                   const uint8_t msg[NEWHOPE_ACCEPTMSG_LENGTH],

  87.                                   size_t msg_len);

  88. 

  89. 

  90. /* Lower-level functions. */

  91. 

  92. /* NEWHOPE_POLY_noise sets |r| to a random polynomial where the coefficients are

  93.  * sampled from the noise distribution. */

  94. OPENSSL_EXPORT void NEWHOPE_POLY_noise(NEWHOPE_POLY* r);

  95. 

  96. /* NEWHOPE_POLY_noise_ntt sets |r| to an output of NEWHOPE_POLY_noise, and then

  97.  * applies NTT(r) in-place. */

  98. OPENSSL_EXPORT void NEWHOPE_POLY_noise_ntt(NEWHOPE_POLY* r);

  99. 

  100. /* NEWHOPE_offer_computation is the work of |NEWHOPE_offer|, less the encoding

  101.  * parts.  The inputs are the noise polynomials |s| and |e|, and random

  102.  * polynomial |a|. The output is the polynomial |pk|. */

  103. OPENSSL_EXPORT void NEWHOPE_offer_computation(

  104.     NEWHOPE_POLY *out_pk,

  105.     const NEWHOPE_POLY *s, const NEWHOPE_POLY *e, const NEWHOPE_POLY *a);

  106. 

  107. /* NEWHOPE_accept_computation is the work of |NEWHOPE_accept|, less the encoding

  108.  * parts. The inputs from the peer are |pk| and |a|. The locally-generated

  109.  * inputs are the noise polynomials |sp|, |ep|, and |epp|, and the random bytes

  110.  * |rand|. The outputs are |out_bp| and |out_reconciliation|, and the result of

  111.  * key agreement |key|. Returns 1 on success and 0 on failure. */

  112. OPENSSL_EXPORT void NEWHOPE_accept_computation(

  113.     uint8_t out_key[NEWHOPE_KEY_LENGTH], NEWHOPE_POLY *out_bp,

  114.     NEWHOPE_POLY *out_reconciliation,

  115.     const NEWHOPE_POLY *sp, const NEWHOPE_POLY *ep, const NEWHOPE_POLY *epp,

  116.     const uint8_t rand[32],

  117.     const NEWHOPE_POLY *pk, const NEWHOPE_POLY *a);

  118. 

  119. /* NEWHOPE_finish_computation is the work of |NEWHOPE_finish|, less the encoding

  120.  * parts. Given the peer's |bp| and |reconciliation|, and locally-generated

  121.  * noise |noise|, the result of the key agreement is written to out_key.

  122.  * Returns 1 on success and 0 on failure. */

  123. OPENSSL_EXPORT void NEWHOPE_finish_computation(

  124.     uint8_t out_key[NEWHOPE_KEY_LENGTH], const NEWHOPE_POLY *noise,

  125.     const NEWHOPE_POLY *bp, const NEWHOPE_POLY *reconciliation);

  126. 

  127. /* NEWHOPE_POLY_frombytes decodes |a| into |r|. */

  128. OPENSSL_EXPORT void NEWHOPE_POLY_frombytes(

  129.     NEWHOPE_POLY *r, const uint8_t a[NEWHOPE_POLY_LENGTH]);

  130. 

  131. /* NEWHOPE_POLY_tobytes packs the polynomial |p| into the compact representation

  132.  * |r|. */

  133. OPENSSL_EXPORT void NEWHOPE_POLY_tobytes(uint8_t r[NEWHOPE_POLY_LENGTH],

  134.                                          const NEWHOPE_POLY* p);

  135. 

  136. /* NEWHOPE_offer_frommsg decodes an offer message |msg| into its constituent

  137.  * polynomials |out_pk| and |a|. */

  138. OPENSSL_EXPORT void NEWHOPE_offer_frommsg(

  139.     NEWHOPE_POLY *out_pk, NEWHOPE_POLY *out_a,

  140.     const uint8_t msg[NEWHOPE_OFFERMSG_LENGTH]);

  141. 

  142. 

  143. #if defined(__cplusplus)

  144. } /* extern "C" */

  145. #endif

  146. 

  147. #endif /* OPENSSL_HEADER_NEWHOPE_H */