kris
/
go-sike
1
0
Forkuj 0
Kod Zgłoszenia 0 Oczekujące zmiany 0 Wydania 0 Wiki Aktywność
Nie możesz wybrać więcej, niż 25 tematów Tematy muszą się zaczynać od litery lub cyfry, mogą zawierać myślniki ('-') i mogą mieć do 35 znaków.
5 Commity
2 Gałęzie
501 KiB
Drzewo: bbec636c3e
Gałęzie Tagi
${ item.name }
Utwórz gałąź ${ searchTerm }
z 'bbec636c3e'
${ noResults }
go-sike/consts.go

consts.go 9.8 KiB
Czysty Zwykły widok Historia

Init
5 lat temu
Initial 0 alloc implementation
5 lat temu
Init
5 lat temu
Initial 0 alloc implementation
5 lat temu
Init
5 lat temu
 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290 
  1. package sike

  2. 

  3. // I keep it bool in order to be able to apply logical NOT

  4. type KeyVariant uint

  5. 

  6. // Representation of an element of the base field F_p.

  7. //

  8. // No particular meaning is assigned to the representation -- it could represent

  9. // an element in Montgomery form, or not.  Tracking the meaning of the field

  10. // element is left to higher types.

  11. type Fp [FP_WORDS]uint64

  12. 

  13. // Represents an intermediate product of two elements of the base field F_p.

  14. type FpX2 [2 * FP_WORDS]uint64

  15. 

  16. // Represents an element of the extended field Fp^2 = Fp(x+i)

  17. type Fp2 struct {

  18. 	A Fp

  19. 	B Fp

  20. }

  21. 

  22. type DomainParams struct {

  23. 	// P, Q and R=P-Q base points

  24. 	Affine_P, Affine_Q, Affine_R Fp2

  25. 	// Size of a compuatation strategy for x-torsion group

  26. 	IsogenyStrategy []uint32

  27. 	// Max size of secret key for x-torsion group

  28. 	SecretBitLen uint

  29. 	// Max size of secret key for x-torsion group

  30. 	SecretByteLen uint

  31. }

  32. 

  33. type SidhParams struct {

  34. 	Id uint8

  35. 	// Bytelen of P

  36. 	Bytelen int

  37. 	// The public key size, in bytes.

  38. 	PublicKeySize int

  39. 	// The shared secret size, in bytes.

  40. 	SharedSecretSize int

  41. 	// 2- and 3-torsion group parameter definitions

  42. 	A, B DomainParams

  43. 	// Precomputed identity element in the Fp2 in Montgomery domain

  44. 	OneFp2 Fp2

  45. 	// Precomputed 1/2 in the Fp2 in Montgomery domain

  46. 	HalfFp2 Fp2

  47. 	// Length of SIKE secret message. Must be one of {24,32,40},

  48. 	// depending on size of prime field used (see [SIKE], 1.4 and 5.1)

  49. 	MsgLen int

  50. 	// Length of SIKE ephemeral KEM key (see [SIKE], 1.4 and 5.1)

  51. 	KemSize int

  52. 	// Size of a ciphertext returned by encapsulation in bytes

  53. 	CiphertextSize int

  54. }

  55. 

  56. // Stores curve projective parameters equivalent to A/C. Meaning of the

  57. // values depends on the context. When working with isogenies over

  58. // subgroup that are powers of:

  59. // * three then  (A:C) ~ (A+2C:A-2C)

  60. // * four then   (A:C) ~ (A+2C:  4C)

  61. // See Appendix A of SIKE for more details

  62. type CurveCoefficientsEquiv struct {

  63. 	A Fp2

  64. 	C Fp2

  65. }

  66. 

  67. // A point on the projective line P^1(F_{p^2}).

  68. //

  69. // This represents a point on the Kummer line of a Montgomery curve.  The

  70. // curve is specified by a ProjectiveCurveParameters struct.

  71. type ProjectivePoint struct {

  72. 	X Fp2

  73. 	Z Fp2

  74. }

  75. 

  76. // Base type for public and private key. Used mainly to carry domain

  77. // parameters.

  78. type key struct {

  79. 	// Domain parameters of the algorithm to be used with a key

  80. 	params *SidhParams

  81. 	// Flag indicates wether corresponds to 2-, 3-torsion group or SIKE

  82. 	keyVariant KeyVariant

  83. }

  84. 

  85. // Defines operations on private key

  86. type PrivateKey struct {

  87. 	key

  88. 	// Secret key

  89. 	Scalar []byte

  90. 	// Used only by KEM

  91. 	S []byte

  92. }

  93. 

  94. // Defines operations on public key

  95. type PublicKey struct {

  96. 	key

  97. 	affine_xP   Fp2

  98. 	affine_xQ   Fp2

  99. 	affine_xQmP Fp2

  100. }

  101. 

  102. // A point on the projective line P^1(F_{p^2}).

  103. //

  104. // This is used to work projectively with the curve coefficients.

  105. type ProjectiveCurveParameters struct {

  106. 	A Fp2

  107. 	C Fp2

  108. }

  109. 

  110. const (

  111. 	// First 2 bits identify SIDH variant third bit indicates

  112. 	// wether key is a SIKE variant (set) or SIDH (not set)

  113. 

  114. 	// 001 - SIDH: corresponds to 2-torsion group

  115. 	KeyVariant_SIDH_A KeyVariant = 1 << 0

  116. 	// 010 - SIDH: corresponds to 3-torsion group

  117. 	KeyVariant_SIDH_B = 1 << 1

  118. 	// 110 - SIKE

  119. 	KeyVariant_SIKE = 1<<2 | KeyVariant_SIDH_B

  120. 	// Number of uint64 limbs used to store field element

  121. 	FP_WORDS = 8

  122. )

  123. 

  124. // Used internally by this package

  125. // -------------------------------

  126. 

  127. var p503 = Fp{

  128. 	0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF, 0xABFFFFFFFFFFFFFF,

  129. 	0x13085BDA2211E7A0, 0x1B9BF6C87B7E7DAF, 0x6045C6BDDA77A4D0, 0x004066F541811E1E,

  130. }

  131. 

  132. // 2*503

  133. var p503x2 = Fp{

  134. 	0xFFFFFFFFFFFFFFFE, 0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF, 0x57FFFFFFFFFFFFFF,

  135. 	0x2610B7B44423CF41, 0x3737ED90F6FCFB5E, 0xC08B8D7BB4EF49A0, 0x0080CDEA83023C3C,

  136. }

  137. 

  138. // p503 + 1

  139. var p503p1 = Fp{

  140. 	0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0xAC00000000000000,

  141. 	0x13085BDA2211E7A0, 0x1B9BF6C87B7E7DAF, 0x6045C6BDDA77A4D0, 0x004066F541811E1E,

  142. }

  143. 

  144. // R^2=(2^512)^2 mod p

  145. var p503R2 = Fp{

  146. 	0x5289A0CF641D011F, 0x9B88257189FED2B9, 0xA3B365D58DC8F17A, 0x5BC57AB6EFF168EC,

  147. 	0x9E51998BD84D4423, 0xBF8999CBAC3B5695, 0x46E9127BCE14CDB6, 0x003F6CFCE8B81771,

  148. }

  149. 

  150. // p503 + 1 left-shifted by 8, assuming little endianness

  151. var p503p1s8 = Fp{

  152. 	0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000,

  153. 	0x085BDA2211E7A0AC, 0x9BF6C87B7E7DAF13, 0x45C6BDDA77A4D01B, 0x4066F541811E1E60,

  154. }

  155. 

  156. // 1*R mod p

  157. var P503_OneFp2 = Fp2{

  158. 	A: Fp{

  159. 		0x00000000000003F9, 0x0000000000000000, 0x0000000000000000, 0xB400000000000000,

  160. 		0x63CB1A6EA6DED2B4, 0x51689D8D667EB37D, 0x8ACD77C71AB24142, 0x0026FBAEC60F5953},

  161. }

  162. 

  163. // 1/2 * R mod p

  164. var P503_HalfFp2 = Fp2{

  165. 	A: Fp{

  166. 		0x00000000000001FC, 0x0000000000000000, 0x0000000000000000, 0xB000000000000000,

  167. 		0x3B69BB2464785D2A, 0x36824A2AF0FE9896, 0xF5899F427A94F309, 0x0033B15203C83BB8},

  168. }

  169. 

  170. var Params SidhParams

  171. 

  172. func init() {

  173. 	Params = SidhParams{

  174. 		// SIDH public key byte size.

  175. 		PublicKeySize: 378,

  176. 		// SIDH shared secret byte size.

  177. 		SharedSecretSize: 126,

  178. 		A: DomainParams{

  179. 			// The x-coordinate of PA

  180. 			Affine_P: Fp2{

  181. 				A: Fp{

  182. 					0xE7EF4AA786D855AF, 0xED5758F03EB34D3B, 0x09AE172535A86AA9, 0x237B9CC07D622723,

  183. 					0xE3A284CBA4E7932D, 0x27481D9176C5E63F, 0x6A323FF55C6E71BF, 0x002ECC31A6FB8773,

  184. 				},

  185. 				B: Fp{

  186. 					0x64D02E4E90A620B8, 0xDAB8128537D4B9F1, 0x4BADF77B8A228F98, 0x0F5DBDF9D1FB7D1B,

  187. 					0xBEC4DB288E1A0DCC, 0xE76A8665E80675DB, 0x6D6F252E12929463, 0x003188BD1463FACC,

  188. 				},

  189. 			},

  190. 			// The x-coordinate of QA

  191. 			Affine_Q: Fp2{

  192. 				A: Fp{

  193. 					0xB79D41025DE85D56, 0x0B867DA9DF169686, 0x740E5368021C827D, 0x20615D72157BF25C,

  194. 					0xFF1590013C9B9F5B, 0xC884DCADE8C16CEA, 0xEBD05E53BF724E01, 0x0032FEF8FDA5748C,

  195. 				},

  196. 				B: Fp{

  197. 					0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000,

  198. 					0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000,

  199. 				},

  200. 			},

  201. 			// The x-coordinate of RA = PA-QA

  202. 			Affine_R: Fp2{

  203. 				A: Fp{

  204. 					0x12E2E849AA0A8006, 0x41CF47008635A1E8, 0x9CD720A70798AED7, 0x42A820B42FCF04CF,

  205. 					0x7BF9BAD32AAE88B1, 0xF619127A54090BBE, 0x1CB10D8F56408EAA, 0x001D6B54C3C0EDEB,

  206. 				},

  207. 				B: Fp{

  208. 					0x34DB54931CBAAC36, 0x420A18CB8DD5F0C4, 0x32008C1A48C0F44D, 0x3B3BA772B1CFD44D,

  209. 					0xA74B058FDAF13515, 0x095FC9CA7EEC17B4, 0x448E829D28F120F8, 0x00261EC3ED16A489,

  210. 				},

  211. 			},

  212. 			// Max size of secret key for 2-torsion group, corresponds to 2^e2 - 1

  213. 			SecretBitLen: 250,

  214. 			// SecretBitLen in bytes.

  215. 			SecretByteLen: uint((250 + 7) / 8),

  216. 			// 2-torsion group computation strategy

  217. 			IsogenyStrategy: []uint32{

  218. 				0x3D, 0x20, 0x10, 0x08, 0x04, 0x02, 0x01, 0x01, 0x02, 0x01, 0x01, 0x04, 0x02, 0x01,

  219. 				0x01, 0x02, 0x01, 0x01, 0x08, 0x04, 0x02, 0x01, 0x01, 0x02, 0x01, 0x01, 0x04, 0x02,

  220. 				0x01, 0x01, 0x02, 0x01, 0x01, 0x10, 0x08, 0x04, 0x02, 0x01, 0x01, 0x02, 0x01, 0x01,

  221. 				0x04, 0x02, 0x01, 0x01, 0x02, 0x01, 0x01, 0x08, 0x04, 0x02, 0x01, 0x01, 0x02, 0x01,

  222. 				0x01, 0x04, 0x02, 0x01, 0x01, 0x02, 0x01, 0x01, 0x1D, 0x10, 0x08, 0x04, 0x02, 0x01,

  223. 				0x01, 0x02, 0x01, 0x01, 0x04, 0x02, 0x01, 0x01, 0x02, 0x01, 0x01, 0x08, 0x04, 0x02,

  224. 				0x01, 0x01, 0x02, 0x01, 0x01, 0x04, 0x02, 0x01, 0x01, 0x02, 0x01, 0x01, 0x0D, 0x08,

  225. 				0x04, 0x02, 0x01, 0x01, 0x02, 0x01, 0x01, 0x04, 0x02, 0x01, 0x01, 0x02, 0x01, 0x01,

  226. 				0x05, 0x04, 0x02, 0x01, 0x01, 0x02, 0x01, 0x01, 0x02, 0x01, 0x01, 0x01},

  227. 		},

  228. 		B: DomainParams{

  229. 			// The x-coordinate of PB

  230. 			Affine_P: Fp2{

  231. 				A: Fp{

  232. 					0x7EDE37F4FA0BC727, 0xF7F8EC5C8598941C, 0xD15519B516B5F5C8, 0xF6D5AC9B87A36282,

  233. 					0x7B19F105B30E952E, 0x13BD8B2025B4EBEE, 0x7B96D27F4EC579A2, 0x00140850CAB7E5DE,

  234. 				},

  235. 				B: Fp{

  236. 					0x7764909DAE7B7B2D, 0x578ABB16284911AB, 0x76E2BFD146A6BF4D, 0x4824044B23AA02F0,

  237. 					0x1105048912A321F3, 0xB8A2E482CF0F10C1, 0x42FF7D0BE2152085, 0x0018E599C5223352,

  238. 				},

  239. 			},

  240. 			// The x-coordinate of QB

  241. 			Affine_Q: Fp2{

  242. 				A: Fp{

  243. 					0x4256C520FB388820, 0x744FD7C3BAAF0A13, 0x4B6A2DDDB12CBCB8, 0xE46826E27F427DF8,

  244. 					0xFE4A663CD505A61B, 0xD6B3A1BAF025C695, 0x7C3BB62B8FCC00BD, 0x003AFDDE4A35746C,

  245. 				},

  246. 				B: Fp{

  247. 					0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000,

  248. 					0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000,

  249. 				},

  250. 			},

  251. 			// The x-coordinate of RB = PB - QB

  252. 			Affine_R: Fp2{

  253. 				A: Fp{

  254. 					0x75601CD1E6C0DFCB, 0x1A9007239B58F93E, 0xC1F1BE80C62107AC, 0x7F513B898F29FF08,

  255. 					0xEA0BEDFF43E1F7B2, 0x2C6D94018CBAE6D0, 0x3A430D31BCD84672, 0x000D26892ECCFE83,

  256. 				},

  257. 				B: Fp{

  258. 					0x1119D62AEA3007A1, 0xE3702AA4E04BAE1B, 0x9AB96F7D59F990E7, 0xF58440E8B43319C0,

  259. 					0xAF8134BEE1489775, 0xE7F7774E905192AA, 0xF54AE09308E98039, 0x001EF7A041A86112,

  260. 				},

  261. 			},

  262. 			// Size of secret key for 3-torsion group, corresponds to log_2(3^e3) - 1.

  263. 			SecretBitLen: 252,

  264. 			// SecretBitLen in bytes.

  265. 			SecretByteLen: uint((252 + 7) / 8),

  266. 			// 3-torsion group computation strategy

  267. 			IsogenyStrategy: []uint32{

  268. 				0x47, 0x26, 0x15, 0x0D, 0x08, 0x04, 0x02, 0x01, 0x01, 0x02, 0x01, 0x01, 0x04, 0x02,

  269. 				0x01, 0x01, 0x02, 0x01, 0x01, 0x05, 0x04, 0x02, 0x01, 0x01, 0x02, 0x01, 0x01, 0x02,

  270. 				0x01, 0x01, 0x01, 0x09, 0x05, 0x03, 0x02, 0x01, 0x01, 0x01, 0x01, 0x02, 0x01, 0x01,

  271. 				0x01, 0x04, 0x02, 0x01, 0x01, 0x01, 0x02, 0x01, 0x01, 0x11, 0x09, 0x05, 0x03, 0x02,

  272. 				0x01, 0x01, 0x01, 0x01, 0x02, 0x01, 0x01, 0x01, 0x04, 0x02, 0x01, 0x01, 0x01, 0x02,

  273. 				0x01, 0x01, 0x08, 0x04, 0x02, 0x01, 0x01, 0x01, 0x02, 0x01, 0x01, 0x04, 0x02, 0x01,

  274. 				0x01, 0x02, 0x01, 0x01, 0x21, 0x11, 0x09, 0x05, 0x03, 0x02, 0x01, 0x01, 0x01, 0x01,

  275. 				0x02, 0x01, 0x01, 0x01, 0x04, 0x02, 0x01, 0x01, 0x01, 0x02, 0x01, 0x01, 0x08, 0x04,

  276. 				0x02, 0x01, 0x01, 0x01, 0x02, 0x01, 0x01, 0x04, 0x02, 0x01, 0x01, 0x02, 0x01, 0x01,

  277. 				0x10, 0x08, 0x04, 0x02, 0x01, 0x01, 0x01, 0x02, 0x01, 0x01, 0x04, 0x02, 0x01, 0x01,

  278. 				0x02, 0x01, 0x01, 0x08, 0x04, 0x02, 0x01, 0x01, 0x02, 0x01, 0x01, 0x04, 0x02, 0x01,

  279. 				0x01, 0x02, 0x01, 0x01},

  280. 		},

  281. 		OneFp2:  P503_OneFp2,

  282. 		HalfFp2: P503_HalfFp2,

  283. 		MsgLen:  24,

  284. 		// SIKEp503 provides 128 bit of classical security ([SIKE], 5.1)

  285. 		KemSize: 16,

  286. 		// ceil(503+7/8)

  287. 		Bytelen:        63,

  288. 		CiphertextSize: 16 + 8 + 378,

  289. 	}

  290. }