Browse Source

WIP

master
Henry Case 5 years ago
parent
commit
8379648ba4
4 changed files with 160 additions and 162 deletions
  1. +0
    -116
      consts.go
  2. +36
    -44
      sike.go
  3. +4
    -2
      sike_test.go
  4. +120
    -0
      types.go

+ 0
- 116
consts.go View File

@@ -1,122 +1,6 @@
package sike

// I keep it bool in order to be able to apply logical NOT
type KeyVariant uint

// Representation of an element of the base field F_p.
//
// No particular meaning is assigned to the representation -- it could represent
// an element in Montgomery form, or not. Tracking the meaning of the field
// element is left to higher types.
type Fp [FP_WORDS]uint64

// Represents an intermediate product of two elements of the base field F_p.
type FpX2 [2 * FP_WORDS]uint64

// Represents an element of the extended field Fp^2 = Fp(x+i)
type Fp2 struct {
A Fp
B Fp
}

type DomainParams struct {
// P, Q and R=P-Q base points
Affine_P, Affine_Q, Affine_R Fp2
// Size of a compuatation strategy for x-torsion group
IsogenyStrategy []uint32
// Max size of secret key for x-torsion group
SecretBitLen uint
// Max size of secret key for x-torsion group
SecretByteLen uint
}

type SidhParams struct {
Id uint8
// Bytelen of P
Bytelen int
// The public key size, in bytes.
PublicKeySize int
// The shared secret size, in bytes.
SharedSecretSize int
// 2- and 3-torsion group parameter definitions
A, B DomainParams
// Precomputed identity element in the Fp2 in Montgomery domain
OneFp2 Fp2
// Precomputed 1/2 in the Fp2 in Montgomery domain
HalfFp2 Fp2
// Length of SIKE secret message. Must be one of {24,32,40},
// depending on size of prime field used (see [SIKE], 1.4 and 5.1)
MsgLen int
// Length of SIKE ephemeral KEM key (see [SIKE], 1.4 and 5.1)
KemSize int
// Size of a ciphertext returned by encapsulation in bytes
CiphertextSize int
}

// Stores curve projective parameters equivalent to A/C. Meaning of the
// values depends on the context. When working with isogenies over
// subgroup that are powers of:
// * three then (A:C) ~ (A+2C:A-2C)
// * four then (A:C) ~ (A+2C: 4C)
// See Appendix A of SIKE for more details
type CurveCoefficientsEquiv struct {
A Fp2
C Fp2
}

// A point on the projective line P^1(F_{p^2}).
//
// This represents a point on the Kummer line of a Montgomery curve. The
// curve is specified by a ProjectiveCurveParameters struct.
type ProjectivePoint struct {
X Fp2
Z Fp2
}

// Base type for public and private key. Used mainly to carry domain
// parameters.
type key struct {
// Domain parameters of the algorithm to be used with a key
params *SidhParams
// Flag indicates wether corresponds to 2-, 3-torsion group or SIKE
keyVariant KeyVariant
}

// Defines operations on private key
type PrivateKey struct {
key
// Secret key
Scalar []byte
// Used only by KEM
S []byte
}

// Defines operations on public key
type PublicKey struct {
key
affine_xP Fp2
affine_xQ Fp2
affine_xQmP Fp2
}

// A point on the projective line P^1(F_{p^2}).
//
// This is used to work projectively with the curve coefficients.
type ProjectiveCurveParameters struct {
A Fp2
C Fp2
}

const (
// First 2 bits identify SIDH variant third bit indicates
// wether key is a SIKE variant (set) or SIDH (not set)

// 001 - SIDH: corresponds to 2-torsion group
KeyVariant_SIDH_A KeyVariant = 1 << 0
// 010 - SIDH: corresponds to 3-torsion group
KeyVariant_SIDH_B = 1 << 1
// 110 - SIKE
KeyVariant_SIKE = 1<<2 | KeyVariant_SIDH_B
// Number of uint64 limbs used to store field element
FP_WORDS = 8
)


+ 36
- 44
sike.go View File

@@ -7,6 +7,13 @@ import (
"io"
)

const (
// n can is max 320-bit (see 1.4 of [SIKE])
MaxMsgLen = 40
MaxSharedSecretSize = 188
MaxSecretByteLenA = 47
)

var cshakeG, cshakeH, cshakeF *shake.CShake

func init() {
@@ -52,7 +59,7 @@ func zeroize(fp *Fp2) {
//
// The output byte slice must be at least 2*bytelen(p) bytes long.
func convFp2ToBytes(output []byte, fp2 *Fp2) {
if len(output) < 2*Params.Bytelen {
if len(output) < Params.SharedSecretSize {
panic("output byte slice too short")
}
var a Fp2
@@ -72,7 +79,7 @@ func convFp2ToBytes(output []byte, fp2 *Fp2) {
//
// It is an error to call this function if the input byte slice is less than 2*bytelen(p) bytes long.
func convBytesToFp2(fp2 *Fp2, input []byte) {
if len(input) < 2*Params.Bytelen {
if len(input) < Params.SharedSecretSize {
panic("input byte slice too short")
}

@@ -369,8 +376,8 @@ func deriveSecretB(ss []byte, prv *PrivateKey, pub *PublicKey) {
}

func generateCiphertext(ctext []byte, skA *PrivateKey, pkA, pkB *PublicKey, ptext []byte) error {
var n [40]byte // OZAPTF n can is max 320-bit (see 1.4 of [SIKE])
var j [126]byte
var n [MaxMsgLen]byte
var j [MaxSharedSecretSize]byte
var ptextLen = len(ptext)

if pkB.keyVariant != KeyVariant_SIKE {
@@ -383,7 +390,7 @@ func generateCiphertext(ctext []byte, skA *PrivateKey, pkA, pkB *PublicKey, ptex
}

cshakeF.Reset()
cshakeF.Write(j[:2*Params.Bytelen])
cshakeF.Write(j[:Params.SharedSecretSize])
cshakeF.Read(n[:ptextLen])
for i, _ := range ptext {
n[i] ^= ptext[i]
@@ -447,12 +454,9 @@ func (pub *PublicKey) Size() int {

// Exports currently stored key. In case structure hasn't been filled with key data
// returned byte string is filled with zeros.
func (prv *PrivateKey) Export() []byte {
// OZAPTF
ret := make([]byte, len(prv.Scalar)+len(prv.S))
copy(ret, prv.S)
copy(ret[len(prv.S):], prv.Scalar)
return ret
func (prv *PrivateKey) Export(out []byte) {
copy(out, prv.S)
copy(out[len(prv.S):], prv.Scalar)
}

// Size returns size of the private key in bytes
@@ -579,7 +583,7 @@ func encrypt(ctext []byte, rng io.Reader, pub *PublicKey, ptext []byte) error {
// Constant time
func decrypt(n []byte, prv *PrivateKey, ctext []byte) (int, error) {
var c1_len int
var j [2 * 63]byte // OZAPTF: 63
var j [MaxSharedSecretSize]byte
var pk_len = prv.params.PublicKeySize

if prv.keyVariant != KeyVariant_SIKE {
@@ -604,7 +608,7 @@ func decrypt(n []byte, prv *PrivateKey, ctext []byte) (int, error) {
}

cshakeF.Reset()
cshakeF.Write(j[:2*Params.Bytelen])
cshakeF.Write(j[:Params.SharedSecretSize])
cshakeF.Read(n[:c1_len])
for i, _ := range n[:c1_len] {
n[i] ^= ctext[pk_len+i]
@@ -616,8 +620,8 @@ func decrypt(n []byte, prv *PrivateKey, ctext []byte) (int, error) {
func (kem *KEM) Allocate(rng io.Reader) {
kem.allocated = true
kem.rng = rng
kem.msg = make([]byte, 24)
kem.secretBytes = make([]byte, 32)
kem.msg = make([]byte, Params.MsgLen)
kem.secretBytes = make([]byte, Params.A.SecretByteLen)
}

func (kem *KEM) Reset() {
@@ -638,30 +642,22 @@ func (kem *KEM) SharedSecretSize() int {
return Params.KemSize
}

const (
// See [SIKE], 1.4
MaxMsgLen = 40
MaxPublicKey = 378
)

// Encapsulation receives the public key and generates SIKE ciphertext and shared secret.
// The generated ciphertext is used for authentication.
// The rng must be cryptographically secure PRNG.
// Error is returned in case PRNG fails or wrongly formated input was provided.
func (kem *KEM) Encapsulate(ciphertext, secret []byte, pub *PublicKey) error {
if !kem.allocated {
panic("KEM unallocated")
}

// OZAPTF: MaxBuf: 3*SharedSecretSize
var buf [3 * 126]byte

var buf [3 * MaxSharedSecretSize]byte
var skA = PrivateKey{
key: key{
params: &Params,
keyVariant: KeyVariant_SIDH_A},
Scalar: kem.secretBytes}

if !kem.allocated {
panic("KEM unallocated")
}

// Generate ephemeral value
_, err := io.ReadFull(kem.rng, kem.msg[:])
if err != nil {
@@ -671,7 +667,7 @@ func (kem *KEM) Encapsulate(ciphertext, secret []byte, pub *PublicKey) error {
pub.Export(buf[:])
cshakeG.Reset()
cshakeG.Write(kem.msg)
cshakeG.Write(buf[:])
cshakeG.Write(buf[:3*Params.SharedSecretSize])
cshakeG.Read(skA.Scalar)

// Ensure bitlength is not bigger then to 2^e2-1
@@ -696,16 +692,15 @@ func (kem *KEM) Encapsulate(ciphertext, secret []byte, pub *PublicKey) error {
// Decapsulation may fail in case input is wrongly formated.
// Constant time for properly initialized input.
func (kem *KEM) Decapsulate(secret []byte, prv *PrivateKey, pub *PublicKey, ctext []byte) error {
// Resulting shared secret
var c0 [3 * 126]byte
var r [32]byte // OZAPTF: to change
var keyBuf [3 * 126]byte
var m [40]byte // OZAPTF: to change
var m [MaxMsgLen]byte
var r [MaxSecretByteLenA]byte
var pkBytes [3 * MaxSharedSecretSize]byte
var skA = PrivateKey{
key: key{
params: &Params,
keyVariant: KeyVariant_SIDH_A},
Scalar: kem.secretBytes}
var pkA = NewPublicKey(KeyVariant_SIDH_A)

c1_len, err := decrypt(m[:], prv, ctext)
if err != nil {
@@ -714,21 +709,18 @@ func (kem *KEM) Decapsulate(secret []byte, prv *PrivateKey, pub *PublicKey, ctex

// r' = G(m'||pub)
//var key = make([]byte, pub.Size()+2*Params.MsgLen)
pub.Export(keyBuf[:])
pub.Export(pkBytes[:])
cshakeG.Reset()
cshakeG.Write(m[:c1_len])
cshakeG.Write(keyBuf[:])
cshakeG.Read(r[:])
cshakeG.Write(pkBytes[:3*pub.params.SharedSecretSize])
cshakeG.Read(r[:pub.params.A.SecretByteLen])
// Ensure bitlength is not bigger than 2^e2-1
r[len(r)-1] &= (1 << (pub.params.A.SecretBitLen % 8)) - 1

// Never fails
skA.Import(r[:])
r[pub.params.A.SecretByteLen-1] &= (1 << (pub.params.A.SecretBitLen % 8)) - 1

// Never fails
pkA := NewPublicKey(KeyVariant_SIDH_A)
skA.Import(r[:pub.params.A.SecretByteLen])
skA.GeneratePublicKey(pkA)
pkA.Export(c0[:])
pkA.Export(pkBytes[:])

// S is chosen at random when generating a key and unknown to other party. It
// may seem weird, but it's correct. It is important that S is unpredictable
@@ -737,7 +729,7 @@ func (kem *KEM) Decapsulate(secret []byte, prv *PrivateKey, pub *PublicKey, ctex
//
// See more details in "On the security of supersingular isogeny cryptosystems"
// (S. Galbraith, et al., 2016, ePrint #859).
mask := subtle.ConstantTimeCompare(c0[:pub.params.PublicKeySize], ctext[:pub.params.PublicKeySize])
mask := subtle.ConstantTimeCompare(pkBytes[:pub.params.PublicKeySize], ctext[:pub.params.PublicKeySize])
cpick(mask, m[:c1_len], m[:c1_len], prv.S)
cshakeH.Reset()
cshakeH.Write(m[:c1_len])


+ 4
- 2
sike_test.go View File

@@ -172,6 +172,7 @@ func testPrivateKeyBelowMax(t testing.TB) {
func(v KeyVariant, dp *DomainParams) {
var blen = int(dp.SecretByteLen)
var prv = NewPrivateKey(v)
var secretBytes = make([]byte, prv.Size())

// Calculate either (2^e2 - 1) or (2^s - 1); where s=ceil(log_2(3^e3)))
maxSecertVal := big.NewInt(int64(dp.SecretBitLen))
@@ -184,7 +185,7 @@ func testPrivateKeyBelowMax(t testing.TB) {
checkErr(t, err, "Private key generation")

// Convert to big-endian, as that's what expected by (*Int)SetBytes()
secretBytes := prv.Export()
prv.Export(secretBytes)
for i := 0; i < int(blen/2); i++ {
tmp := secretBytes[i] ^ secretBytes[blen-i-1]
secretBytes[i] = tmp ^ secretBytes[i]
@@ -484,7 +485,8 @@ func TestNegativeKEMSameWrongResult(t *testing.T) {
"pre-requisite for a test failed")

// second decapsulation must be done with same, but imported private key
expSk := sk.Export()
var expSk = make([]byte, sk.Size())
sk.Export(expSk)

// creat new private key
sk = NewPrivateKey(KeyVariant_SIKE)


+ 120
- 0
types.go View File

@@ -0,0 +1,120 @@
package sike

// I keep it bool in order to be able to apply logical NOT
type KeyVariant uint

// Representation of an element of the base field F_p.
//
// No particular meaning is assigned to the representation -- it could represent
// an element in Montgomery form, or not. Tracking the meaning of the field
// element is left to higher types.
type Fp [FP_WORDS]uint64

// Represents an intermediate product of two elements of the base field F_p.
type FpX2 [2 * FP_WORDS]uint64

// Represents an element of the extended field Fp^2 = Fp(x+i)
type Fp2 struct {
A Fp
B Fp
}

type DomainParams struct {
// P, Q and R=P-Q base points
Affine_P, Affine_Q, Affine_R Fp2
// Size of a compuatation strategy for x-torsion group
IsogenyStrategy []uint32
// Max size of secret key for x-torsion group
SecretBitLen uint
// Max size of secret key for x-torsion group
SecretByteLen uint
}

type SidhParams struct {
Id uint8
// Bytelen of P
Bytelen int
// The public key size, in bytes.
PublicKeySize int
// The shared secret size, in bytes.
SharedSecretSize int
// 2- and 3-torsion group parameter definitions
A, B DomainParams
// Precomputed identity element in the Fp2 in Montgomery domain
OneFp2 Fp2
// Precomputed 1/2 in the Fp2 in Montgomery domain
HalfFp2 Fp2
// Length of SIKE secret message. Must be one of {24,32,40},
// depending on size of prime field used (see [SIKE], 1.4 and 5.1)
MsgLen int
// Length of SIKE ephemeral KEM key (see [SIKE], 1.4 and 5.1)
KemSize int
// Size of a ciphertext returned by encapsulation in bytes
CiphertextSize int
}

// Stores curve projective parameters equivalent to A/C. Meaning of the
// values depends on the context. When working with isogenies over
// subgroup that are powers of:
// * three then (A:C) ~ (A+2C:A-2C)
// * four then (A:C) ~ (A+2C: 4C)
// See Appendix A of SIKE for more details
type CurveCoefficientsEquiv struct {
A Fp2
C Fp2
}

// A point on the projective line P^1(F_{p^2}).
//
// This represents a point on the Kummer line of a Montgomery curve. The
// curve is specified by a ProjectiveCurveParameters struct.
type ProjectivePoint struct {
X Fp2
Z Fp2
}

// Base type for public and private key. Used mainly to carry domain
// parameters.
type key struct {
// Domain parameters of the algorithm to be used with a key
params *SidhParams
// Flag indicates wether corresponds to 2-, 3-torsion group or SIKE
keyVariant KeyVariant
}

// Defines operations on private key
type PrivateKey struct {
key
// Secret key
Scalar []byte
// Used only by KEM
S []byte
}

// Defines operations on public key
type PublicKey struct {
key
affine_xP Fp2
affine_xQ Fp2
affine_xQmP Fp2
}

// A point on the projective line P^1(F_{p^2}).
//
// This is used to work projectively with the curve coefficients.
type ProjectiveCurveParameters struct {
A Fp2
C Fp2
}

const (
// First 2 bits identify SIDH variant third bit indicates
// wether key is a SIKE variant (set) or SIDH (not set)

// 001 - SIDH: corresponds to 2-torsion group
KeyVariant_SIDH_A KeyVariant = 1 << 0
// 010 - SIDH: corresponds to 3-torsion group
KeyVariant_SIDH_B = 1 << 1
// 110 - SIKE
KeyVariant_SIKE = 1<<2 | KeyVariant_SIDH_B
)

Loading…
Cancel
Save