Update SIKEp503 to Round2

README.md

@@ -1,7 +1,7 @@
 # Supersingular Isogeny Key Encapsulation
 
 Repository keeps simple Go's implementation of 
-SIKE based on field p503 (Round1).
+SIKE based on field p503 (Round2).
 
 ## Speed
 

consts.go

@@ -37,18 +37,25 @@ var p503p1s8 = Fp{
 	0x085BDA2211E7A0AC, 0x9BF6C87B7E7DAF13, 0x45C6BDDA77A4D01B, 0x4066F541811E1E60,
 }
 
+// 1/2 * R mod p
+var half = Fp2{
+	A: Fp{
+		0x00000000000001FC, 0x0000000000000000, 0x0000000000000000, 0xB000000000000000,
+		0x3B69BB2464785D2A, 0x36824A2AF0FE9896, 0xF5899F427A94F309, 0x0033B15203C83BB8},
+}
+
 // 1*R mod p
-var P503_OneFp2 = Fp2{
+var one = Fp2{
 	A: Fp{
 		0x00000000000003F9, 0x0000000000000000, 0x0000000000000000, 0xB400000000000000,
 		0x63CB1A6EA6DED2B4, 0x51689D8D667EB37D, 0x8ACD77C71AB24142, 0x0026FBAEC60F5953},
 }
 
-// 1/2 * R mod p
-var P503_HalfFp2 = Fp2{
+// 6*R mod p
+var six = Fp2{
 	A: Fp{
-		0x00000000000001FC, 0x0000000000000000, 0x0000000000000000, 0xB000000000000000,
-		0x3B69BB2464785D2A, 0x36824A2AF0FE9896, 0xF5899F427A94F309, 0x0033B15203C83BB8},
+		0x00000000000017D8, 0x0000000000000000, 0x0000000000000000, 0xE000000000000000,
+		0x30B1E6E3A51520FA, 0xB13BC3BF6FFB3992, 0x8045412EEB3E3DED, 0x0069182E2159DBB8},
 }
 
 var Params SidhParams
@@ -59,38 +66,42 @@ func init() {
 		PublicKeySize: 378,
 		// SIDH shared secret byte size.
 		SharedSecretSize: 126,
+		InitCurve: ProjectiveCurveParameters{
+			A: six,
+			C: one,
+		},
 		A: DomainParams{
 			// The x-coordinate of PA
 			Affine_P: Fp2{
 				A: Fp{
-					0xE7EF4AA786D855AF, 0xED5758F03EB34D3B, 0x09AE172535A86AA9, 0x237B9CC07D622723,
-					0xE3A284CBA4E7932D, 0x27481D9176C5E63F, 0x6A323FF55C6E71BF, 0x002ECC31A6FB8773,
+					0x5D083011589AD893, 0xADFD8D2CB67D0637, 0x330C9AC34FFB6361, 0xF0D47489A2E805A2,
+					0x27E2789259C6B8DC, 0x63866A2C121931B9, 0x8D4C65A7137DCF44, 0x003A183AE5967B3F,
 				},
 				B: Fp{
-					0x64D02E4E90A620B8, 0xDAB8128537D4B9F1, 0x4BADF77B8A228F98, 0x0F5DBDF9D1FB7D1B,
-					0xBEC4DB288E1A0DCC, 0xE76A8665E80675DB, 0x6D6F252E12929463, 0x003188BD1463FACC,
+					0x7E3541B8C96D1519, 0xD3ADAEEC0D61A26C, 0xC0A2219CE7703DD9, 0xFF3E46658FCDBC52,
+					0xD5B38DEAE6E196FF, 0x1AAC826364956D58, 0xEC9F4875B9A5F27A, 0x001B0B475AB99843,
 				},
 			},
 			// The x-coordinate of QA
 			Affine_Q: Fp2{
 				A: Fp{
-					0xB79D41025DE85D56, 0x0B867DA9DF169686, 0x740E5368021C827D, 0x20615D72157BF25C,
-					0xFF1590013C9B9F5B, 0xC884DCADE8C16CEA, 0xEBD05E53BF724E01, 0x0032FEF8FDA5748C,
+					0x4D83695107D03BAD, 0x221F3299005E2FCF, 0x78E6AE22F30DECF2, 0x6D982DB5111253E4,
+					0x504C80A8AB4526A8, 0xEFD0C3AA210BB024, 0xCB77483501DC6FCF, 0x001052544A96BDF3,
 				},
 				B: Fp{
-					0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000,
-					0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000,
+					0x0D74FE3402BCAE47, 0xDF5B8CDA832D8AED, 0xB86BCF06E4BD837E, 0x892A2933A0FA1F63,
+					0x9F88FC67B6CCB461, 0x822926EA9DDA3AC8, 0xEAC8DDE5855425ED, 0x000618FE6DA37A80,
 				},
 			},
 			// The x-coordinate of RA = PA-QA
 			Affine_R: Fp2{
 				A: Fp{
-					0x12E2E849AA0A8006, 0x41CF47008635A1E8, 0x9CD720A70798AED7, 0x42A820B42FCF04CF,
-					0x7BF9BAD32AAE88B1, 0xF619127A54090BBE, 0x1CB10D8F56408EAA, 0x001D6B54C3C0EDEB,
+					0x6B6F4A4F786CF310, 0xB019D444BDCFDBE3, 0xA14CB06680607834, 0xCB0D5582E7E6E60A,
+					0xBA4EE8771667E241, 0xE42A114FCB12E5FF, 0x9A0C074E275BCD98, 0x001871329B28689E,
 				},
 				B: Fp{
-					0x34DB54931CBAAC36, 0x420A18CB8DD5F0C4, 0x32008C1A48C0F44D, 0x3B3BA772B1CFD44D,
-					0xA74B058FDAF13515, 0x095FC9CA7EEC17B4, 0x448E829D28F120F8, 0x00261EC3ED16A489,
+					0x685FA8378513FE76, 0x84E8FC1785E8BDF0, 0x8A380F177CB7C1B7, 0x2227464F4F812C94,
+					0x117C94A81A90C279, 0x193D73132FB9FA28, 0x99335336F192C9EB, 0x0006C2FE778A34FD,
 				},
 			},
 			// Max size of secret key for 2-torsion group, corresponds to 2^e2 - 1
@@ -113,19 +124,19 @@ func init() {
 			// The x-coordinate of PB
 			Affine_P: Fp2{
 				A: Fp{
-					0x7EDE37F4FA0BC727, 0xF7F8EC5C8598941C, 0xD15519B516B5F5C8, 0xF6D5AC9B87A36282,
-					0x7B19F105B30E952E, 0x13BD8B2025B4EBEE, 0x7B96D27F4EC579A2, 0x00140850CAB7E5DE,
+					0xDF630FC5FB2468DB, 0xC30C5541C102040E, 0x3CDC9987B76511FC, 0xF54B5A09353D0CDD,
+					0x3ADBA8E00703C42F, 0x8253F9303DDC95D0, 0x62D30778763ABFD7, 0x001CD00FB581CD55,
 				},
 				B: Fp{
-					0x7764909DAE7B7B2D, 0x578ABB16284911AB, 0x76E2BFD146A6BF4D, 0x4824044B23AA02F0,
-					0x1105048912A321F3, 0xB8A2E482CF0F10C1, 0x42FF7D0BE2152085, 0x0018E599C5223352,
+					0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000,
+					0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000,
 				},
 			},
 			// The x-coordinate of QB
 			Affine_Q: Fp2{
 				A: Fp{
-					0x4256C520FB388820, 0x744FD7C3BAAF0A13, 0x4B6A2DDDB12CBCB8, 0xE46826E27F427DF8,
-					0xFE4A663CD505A61B, 0xD6B3A1BAF025C695, 0x7C3BB62B8FCC00BD, 0x003AFDDE4A35746C,
+					0x2E3457A12B429261, 0x311F94E89627DCF8, 0x5B71C98FD1DB73F6, 0x3671DB7DCFC21541,
+					0xB6D1484C9FE0CF4F, 0x19CD110717356E35, 0xF4F9FB00AC9919DF, 0x0035BC124D38A70B,
 				},
 				B: Fp{
 					0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000,
@@ -135,12 +146,12 @@ func init() {
 			// The x-coordinate of RB = PB - QB
 			Affine_R: Fp2{
 				A: Fp{
-					0x75601CD1E6C0DFCB, 0x1A9007239B58F93E, 0xC1F1BE80C62107AC, 0x7F513B898F29FF08,
-					0xEA0BEDFF43E1F7B2, 0x2C6D94018CBAE6D0, 0x3A430D31BCD84672, 0x000D26892ECCFE83,
+					0x2E08BB99413D2952, 0xD3021467CD088D72, 0x21017AF859752245, 0x26314ED8FFD9DE5C,
+					0x4AF43C73344B6686, 0xCFA1F91149DF0993, 0xF327A95365587A89, 0x000DBF54E03D3906,
 				},
 				B: Fp{
-					0x1119D62AEA3007A1, 0xE3702AA4E04BAE1B, 0x9AB96F7D59F990E7, 0xF58440E8B43319C0,
-					0xAF8134BEE1489775, 0xE7F7774E905192AA, 0xF54AE09308E98039, 0x001EF7A041A86112,
+					0xFC1FC00CBD0A0CFB, 0x66C29FB284B491A9, 0x7FBED0B26D7F18E0, 0x9C02361066F4C67D,
+					0x2D83758DD0B19E6F, 0x0827029DB2CDC1D7, 0x58700A85FAD38A71, 0x0006FA256B614AD2,
 				},
 			},
 			// Size of secret key for 3-torsion group, corresponds to log_2(3^e3) - 1.
@@ -162,13 +173,13 @@ func init() {
 				0x02, 0x01, 0x01, 0x08, 0x04, 0x02, 0x01, 0x01, 0x02, 0x01, 0x01, 0x04, 0x02, 0x01,
 				0x01, 0x02, 0x01, 0x01},
 		},
-		OneFp2:  P503_OneFp2,
-		HalfFp2: P503_HalfFp2,
+		OneFp2:  one,
+		HalfFp2: half,
 		MsgLen:  24,
 		// SIKEp503 provides 128 bit of classical security ([SIKE], 5.1)
-		KemSize: 16,
+		KemSize: 24,
 		// ceil(503+7/8)
 		Bytelen:        63,
-		CiphertextSize: 16 + 8 + 378,
+		CiphertextSize: 24 + 378,
 	}
 }

curve.go

@@ -106,7 +106,7 @@ func RecoverCoordinateA(curve *ProjectiveCurveParameters, xp, xq, xr *Fp2) {
 }
 
 // Computes equivalence (A:C) ~ (A+2C : A-2C)
-func CalcCurveParamsEquiv3(cparams *ProjectiveCurveParameters) CurveCoefficientsEquiv {
+func ToEquiv3(cparams *ProjectiveCurveParameters) CurveCoefficientsEquiv {
 	var coef CurveCoefficientsEquiv
 	var c2 Fp2
 
@@ -118,8 +118,18 @@ func CalcCurveParamsEquiv3(cparams *ProjectiveCurveParameters) CurveCoefficients
 	return coef
 }
 
+// Recovers (A:C) curve parameters from projectively equivalent (A+2C:A-2C).
+func FromEquiv3(cparams *ProjectiveCurveParameters, coefEq *CurveCoefficientsEquiv) {
+	add(&cparams.A, &coefEq.A, &coefEq.C)
+	// cparams.A = 2*(A+2C+A-2C) = 4A
+	add(&cparams.A, &cparams.A, &cparams.A)
+	// cparams.C = (A+2C-A+2C) = 4C
+	sub(&cparams.C, &coefEq.A, &coefEq.C)
+	return
+}
+
 // Computes equivalence (A:C) ~ (A+2C : 4C)
-func CalcCurveParamsEquiv4(cparams *ProjectiveCurveParameters) CurveCoefficientsEquiv {
+func ToEquiv4(cparams *ProjectiveCurveParameters) CurveCoefficientsEquiv {
 	var coefEq CurveCoefficientsEquiv
 
 	add(&coefEq.C, &cparams.C, &cparams.C)
@@ -130,18 +140,8 @@ func CalcCurveParamsEquiv4(cparams *ProjectiveCurveParameters) CurveCoefficients
 	return coefEq
 }
 
-// Recovers (A:C) curve parameters from projectively equivalent (A+2C:A-2C).
-func RecoverCurveCoefficients3(cparams *ProjectiveCurveParameters, coefEq *CurveCoefficientsEquiv) {
-	add(&cparams.A, &coefEq.A, &coefEq.C)
-	// cparams.A = 2*(A+2C+A-2C) = 4A
-	add(&cparams.A, &cparams.A, &cparams.A)
-	// cparams.C = (A+2C-A+2C) = 4C
-	sub(&cparams.C, &coefEq.A, &coefEq.C)
-	return
-}
-
 // Recovers (A:C) curve parameters from projectively equivalent (A+2C:4C).
-func RecoverCurveCoefficients4(cparams *ProjectiveCurveParameters, coefEq *CurveCoefficientsEquiv) {
+func FromEquiv4(cparams *ProjectiveCurveParameters, coefEq *CurveCoefficientsEquiv) {
 	// cparams.C = (4C)*1/2=2C
 	mul(&cparams.C, &coefEq.C, &Params.HalfFp2)
 	// cparams.A = A+2C - 2C = A

sike.go

@@ -8,27 +8,12 @@ import (
 )
 
 const (
-	// n can is max 320-bit (see 1.4 of [SIKE])
-	MaxMsgLen           = 40
+	// n can is max 256-bit (see 1.4 of [SIKE])
+	MaxMsgLen           = 32
 	MaxSharedSecretSize = 188
 	MaxSecretByteLenA   = 47
 )
 
-var cshakeG, cshakeH, cshakeF *shake.CShake
-
-func init() {
-	// Constants used for cSHAKE customization
-	// Those values are different than in [SIKE] - they are encoded on 16bits. This is
-	// done in order for implementation to be compatible with [REF] and test vectors.
-	var G = []byte{0x00, 0x00}
-	var H = []byte{0x01, 0x00}
-	var F = []byte{0x02, 0x00}
-
-	cshakeG = shake.NewCShake256(nil, G)
-	cshakeH = shake.NewCShake256(nil, H)
-	cshakeF = shake.NewCShake256(nil, F)
-}
-
 func cpick(pick int, out, in1, in2 []byte) {
 	var which = byte((int8(pick << 7)) >> 7)
 	for i, _ := range out {
@@ -104,7 +89,7 @@ func traverseTreePublicKeyA(curve *ProjectiveCurveParameters, xR, phiP, phiQ, ph
 	var i, sIdx int
 	var phi isogeny4
 
-	cparam := CalcCurveParamsEquiv4(curve)
+	cparam := ToEquiv4(curve)
 	strat := pub.params.A.IsogenyStrategy
 	stratSz := len(strat)
 
@@ -142,7 +127,7 @@ func traverseTreeSharedKeyA(curve *ProjectiveCurveParameters, xR *ProjectivePoin
 	var i, sIdx int
 	var phi isogeny4
 
-	cparam := CalcCurveParamsEquiv4(curve)
+	cparam := ToEquiv4(curve)
 	strat := pub.params.A.IsogenyStrategy
 	stratSz := len(strat)
 
@@ -176,7 +161,7 @@ func traverseTreePublicKeyB(curve *ProjectiveCurveParameters, xR, phiP, phiQ, ph
 	var i, sIdx int
 	var phi isogeny3
 
-	cparam := CalcCurveParamsEquiv3(curve)
+	cparam := ToEquiv3(curve)
 	strat := pub.params.B.IsogenyStrategy
 	stratSz := len(strat)
 
@@ -214,7 +199,7 @@ func traverseTreeSharedKeyB(curve *ProjectiveCurveParameters, xR *ProjectivePoin
 	var i, sIdx int
 	var phi isogeny3
 
-	cparam := CalcCurveParamsEquiv3(curve)
+	cparam := ToEquiv3(curve)
 	strat := pub.params.B.IsogenyStrategy
 	stratSz := len(strat)
 
@@ -245,7 +230,6 @@ func publicKeyGenA(pub *PublicKey, prv *PrivateKey) {
 	var xPA, xQA, xRA ProjectivePoint
 	var xPB, xQB, xRB, xR ProjectivePoint
 	var invZP, invZQ, invZR Fp2
-	var tmp ProjectiveCurveParameters
 	var phi isogeny4
 
 	// Load points for A
@@ -259,13 +243,8 @@ func publicKeyGenA(pub *PublicKey, prv *PrivateKey) {
 	xPB = ProjectivePoint{X: prv.params.B.Affine_P, Z: prv.params.OneFp2}
 
 	// Find isogeny kernel
-	tmp.C = pub.params.OneFp2
-	xR = ScalarMul3Pt(&tmp, &xPA, &xQA, &xRA, prv.params.A.SecretBitLen, prv.Scalar)
-
-	// Reset params object and travers isogeny tree
-	tmp.C = pub.params.OneFp2
-	zeroize(&tmp.A)
-	traverseTreePublicKeyA(&tmp, &xR, &xPB, &xQB, &xRB, pub)
+	xR = ScalarMul3Pt(&pub.params.InitCurve, &xPA, &xQA, &xRA, prv.params.A.SecretBitLen, prv.Scalar)
+	traverseTreePublicKeyA(&pub.params.InitCurve, &xR, &xPB, &xQB, &xRB, pub)
 
 	// Secret isogeny
 	phi.GenerateCurve(&xR)
@@ -284,25 +263,20 @@ func publicKeyGenB(pub *PublicKey, prv *PrivateKey) {
 	var xPB, xQB, xRB, xR ProjectivePoint
 	var xPA, xQA, xRA ProjectivePoint
 	var invZP, invZQ, invZR Fp2
-	var tmp ProjectiveCurveParameters
 	var phi isogeny3
 
-	// Load points for B
-	xRB = ProjectivePoint{X: prv.params.B.Affine_R, Z: prv.params.OneFp2}
-	xQB = ProjectivePoint{X: prv.params.B.Affine_Q, Z: prv.params.OneFp2}
-	xPB = ProjectivePoint{X: prv.params.B.Affine_P, Z: prv.params.OneFp2}
-
 	// Load points for A
 	xPA = ProjectivePoint{X: prv.params.A.Affine_P, Z: prv.params.OneFp2}
 	xQA = ProjectivePoint{X: prv.params.A.Affine_Q, Z: prv.params.OneFp2}
 	xRA = ProjectivePoint{X: prv.params.A.Affine_R, Z: prv.params.OneFp2}
 
-	tmp.C = pub.params.OneFp2
-	xR = ScalarMul3Pt(&tmp, &xPB, &xQB, &xRB, prv.params.B.SecretBitLen, prv.Scalar)
+	// Load points for B
+	xRB = ProjectivePoint{X: prv.params.B.Affine_R, Z: prv.params.OneFp2}
+	xQB = ProjectivePoint{X: prv.params.B.Affine_Q, Z: prv.params.OneFp2}
+	xPB = ProjectivePoint{X: prv.params.B.Affine_P, Z: prv.params.OneFp2}
 
-	tmp.C = pub.params.OneFp2
-	zeroize(&tmp.A)
-	traverseTreePublicKeyB(&tmp, &xR, &xPA, &xQA, &xRA, pub)
+	xR = ScalarMul3Pt(&pub.params.InitCurve, &xPB, &xQB, &xRB, prv.params.B.SecretBitLen, prv.Scalar)
+	traverseTreePublicKeyB(&pub.params.InitCurve, &xR, &xPA, &xQA, &xRA, pub)
 
 	phi.GenerateCurve(&xR)
 	xPB = phi.EvaluatePoint(&xPA)
@@ -321,14 +295,13 @@ func publicKeyGenB(pub *PublicKey, prv *PrivateKey) {
 
 // Establishing shared keys in in 2-torsion group
 func deriveSecretA(ss []byte, prv *PrivateKey, pub *PublicKey) {
-	var cparam ProjectiveCurveParameters
 	var xP, xQ, xQmP ProjectivePoint
 	var xR ProjectivePoint
 	var phi isogeny4
 	var jInv Fp2
 
 	// Recover curve coefficients
-	cparam.C = pub.params.OneFp2
+	cparam := pub.params.InitCurve
 	RecoverCoordinateA(&cparam, &pub.affine_xP, &pub.affine_xQ, &pub.affine_xQmP)
 
 	// Find kernel of the morphism
@@ -342,7 +315,7 @@ func deriveSecretA(ss []byte, prv *PrivateKey, pub *PublicKey) {
 
 	// Calculate j-invariant on isogeneus curve
 	c := phi.GenerateCurve(&xR)
-	RecoverCurveCoefficients4(&cparam, &c)
+	FromEquiv4(&cparam, &c)
 	Jinvariant(&cparam, &jInv)
 	convFp2ToBytes(ss, &jInv)
 }
@@ -351,12 +324,11 @@ func deriveSecretA(ss []byte, prv *PrivateKey, pub *PublicKey) {
 func deriveSecretB(ss []byte, prv *PrivateKey, pub *PublicKey) {
 	var xP, xQ, xQmP ProjectivePoint
 	var xR ProjectivePoint
-	var cparam ProjectiveCurveParameters
 	var phi isogeny3
 	var jInv Fp2
 
 	// Recover curve coefficients
-	cparam.C = pub.params.OneFp2
+	cparam := pub.params.InitCurve
 	RecoverCoordinateA(&cparam, &pub.affine_xP, &pub.affine_xQ, &pub.affine_xQmP)
 
 	// Find kernel of the morphism
@@ -370,7 +342,7 @@ func deriveSecretB(ss []byte, prv *PrivateKey, pub *PublicKey) {
 
 	// Calculate j-invariant on isogeneus curve
 	c := phi.GenerateCurve(&xR)
-	RecoverCurveCoefficients3(&cparam, &c)
+	FromEquiv3(&cparam, &c)
 	Jinvariant(&cparam, &jInv)
 	convFp2ToBytes(ss, &jInv)
 }
@@ -389,14 +361,13 @@ func generateCiphertext(ctext []byte, skA *PrivateKey, pkA, pkB *PublicKey, ptex
 		return err
 	}
 
-	cshakeF.Reset()
-	cshakeF.Write(j[:Params.SharedSecretSize])
-	cshakeF.Read(n[:ptextLen])
+	f := shake.NewShake256()
+	f.Write(j[:Params.SharedSecretSize])
+	f.Read(n[:ptextLen])
 	for i, _ := range ptext {
 		n[i] ^= ptext[i]
 	}
 
-	//ret := make([]byte, pkA.Size()+ptextLen)
 	pkA.Export(ctext)
 	copy(ctext[pkA.Size():], n[:ptextLen])
 	return nil
@@ -563,7 +534,7 @@ func DeriveSecret(ss []byte, prv *PrivateKey, pub *PublicKey) error {
 func encrypt(ctext []byte, rng io.Reader, pub *PublicKey, ptext []byte) error {
 	var ptextLen = len(ptext)
 	// c1 must be security level + 64 bits (see [SIKE] 1.4 and 4.3.3)
-	if ptextLen != (pub.params.KemSize + 8) {
+	if ptextLen != pub.params.KemSize {
 		return errors.New("Unsupported message length")
 	}
 
@@ -593,7 +564,7 @@ func decrypt(n []byte, prv *PrivateKey, ctext []byte) (int, error) {
 	// ctext is a concatenation of (ciphertext = pubkey_A || c1)
 	// it must be security level + 64 bits (see [SIKE] 1.4 and 4.3.3)
 	c1_len = len(ctext) - pk_len
-	if c1_len != (int(prv.params.KemSize) + 8) {
+	if c1_len != prv.params.KemSize {
 		return 0, errors.New("wrong size of cipher text")
 	}
 
@@ -607,9 +578,9 @@ func decrypt(n []byte, prv *PrivateKey, ctext []byte) (int, error) {
 		return 0, err
 	}
 
-	cshakeF.Reset()
-	cshakeF.Write(j[:Params.SharedSecretSize])
-	cshakeF.Read(n[:c1_len])
+	s := shake.NewShake256()
+	s.Write(j[:Params.SharedSecretSize])
+	s.Read(n[:c1_len])
 	for i, _ := range n[:c1_len] {
 		n[i] ^= ctext[pk_len+i]
 	}
@@ -665,10 +636,10 @@ func (kem *KEM) Encapsulate(ciphertext, secret []byte, pub *PublicKey) error {
 	}
 
 	pub.Export(buf[:])
-	cshakeG.Reset()
-	cshakeG.Write(kem.msg)
-	cshakeG.Write(buf[:3*Params.SharedSecretSize])
-	cshakeG.Read(skA.Scalar)
+	g := shake.NewShake256()
+	g.Write(kem.msg)
+	g.Write(buf[:3*Params.SharedSecretSize])
+	g.Read(skA.Scalar)
 
 	// Ensure bitlength is not bigger then to 2^e2-1
 	skA.Scalar[len(skA.Scalar)-1] &= (1 << (pub.params.A.SecretBitLen % 8)) - 1
@@ -680,10 +651,10 @@ func (kem *KEM) Encapsulate(ciphertext, secret []byte, pub *PublicKey) error {
 	}
 
 	// K = H(msg||(c0||c1))
-	cshakeH.Reset()
-	cshakeH.Write(kem.msg)
-	cshakeH.Write(ciphertext)
-	cshakeH.Read(secret)
+	h := shake.NewShake256()
+	h.Write(kem.msg)
+	h.Write(ciphertext)
+	h.Read(secret)
 	return nil
 }
 
@@ -710,10 +681,10 @@ func (kem *KEM) Decapsulate(secret []byte, prv *PrivateKey, pub *PublicKey, ctex
 	// r' = G(m'||pub)
 	//var key = make([]byte, pub.Size()+2*Params.MsgLen)
 	pub.Export(pkBytes[:])
-	cshakeG.Reset()
-	cshakeG.Write(m[:c1_len])
-	cshakeG.Write(pkBytes[:3*pub.params.SharedSecretSize])
-	cshakeG.Read(r[:pub.params.A.SecretByteLen])
+	g := shake.NewShake256()
+	g.Write(m[:c1_len])
+	g.Write(pkBytes[:3*pub.params.SharedSecretSize])
+	g.Read(r[:pub.params.A.SecretByteLen])
 	// Ensure bitlength is not bigger than 2^e2-1
 	r[pub.params.A.SecretByteLen-1] &= (1 << (pub.params.A.SecretBitLen % 8)) - 1
 
@@ -731,9 +702,9 @@ func (kem *KEM) Decapsulate(secret []byte, prv *PrivateKey, pub *PublicKey, ctex
 	// (S. Galbraith, et al., 2016, ePrint #859).
 	mask := subtle.ConstantTimeCompare(pkBytes[:pub.params.PublicKeySize], ctext[:pub.params.PublicKeySize])
 	cpick(mask, m[:c1_len], m[:c1_len], prv.S)
-	cshakeH.Reset()
-	cshakeH.Write(m[:c1_len])
-	cshakeH.Write(ctext)
-	cshakeH.Read(secret)
+	h := shake.NewShake256()
+	h.Write(m[:c1_len])
+	h.Write(ctext)
+	h.Read(secret)
 	return nil
 }

sike_test.go

@@ -22,37 +22,14 @@ var tdata = struct {
 	PrA_sike string
 	PkA_sike string
 }{
-	name:     "P-503",
+	name:     "SIKEp503",
 	katFile:  "etc/PQCkemKAT_434.rsp",
-	PkB_sike: "68460C22466E95864CFEA7B5D9077E768FF4F9ED69AE56D7CF3F236FB06B31020EEE34B5B572CEA5DDF20B531966AA8F5F3ACC0C6D1CE04EEDC30FD1F1233E2D96FE60C6D638FC646EAF2E2246F1AEC96859CE874A1F029A78F9C978CD6B22114A0D5AB20101191FD923E80C76908B1498B9D0200065CCA09159A0C65A1E346CC6470314FE78388DAA89DD08EC67DBE63C1F606674ACC49EBF9FDBB2B898B3CE733113AA6F942DB401A76D629CE6EE6C0FDAF4CFB1A5E366DB66C17B3923A1B7FB26A3FF25B9018869C674D3DEF4AF269901D686FE4647F9D2CDB2CEB3AFA305B27C885F037ED167F595066C21E7DD467D8332B934A5102DA5F13332DFA356B82156A0BB2E7E91C6B85B7D1E381BC9E3F0FC4DB9C36016D9ECEC415D7E977E9AC29910D934BA2FE4EE49D3B387607A4E1AFABF495FB86A77194626589E802FF5167C7A25C542C1EAD25A6E0AA931D94F2F9AFD3DBDF222E651F729A90E77B20974905F1E65E041CE6C95AAB3E1F22D332E0A5DE9C5DB3D9C7A38",
-	PrB_sike: "80FC55DA74DEFE3113487B80841E678AF9ED4E0599CF07353A4AB93971C090A0" +
-		"A9402C9DC98AC6DC8F5FDE5E970AE22BA48A400EFC72851C",
-	PrB_sidh: "A885A8B889520A6DBAD9FB33365E5B77FDED629440A16A533F259A510F63A822",
-	PrA_sike: "B0AD510708F4ABCF3E0D97DC2F2FF112D9D2AAE49D97FFD1E4267F21C6E71C03",
-	PkA_sike: "A6BADBA04518A924B20046B59AC197DCDF0EA48014C9E228C4994CCA432F360E" +
-		"2D527AFB06CA7C96EE5CEE19BAD53BF9218A3961CAD7EC092BD8D9EBB22A3D51" +
-		"33008895A3F1F6A023F91E0FE06A00A622FD6335DAC107F8EC4283DC2632F080" +
-		"4E64B390DAD8A2572F1947C67FDF4F8787D140CE2C6B24E752DA9A195040EDFA" +
-		"C27333FAE97DBDEB41DA9EEB2DB067AE7DA8C58C0EF57AEFC18A3D6BD0576FF2" +
-		"F1CFCAEC50C958331BF631F3D2E769790C7B6DF282B74BBC02998AD10F291D47" +
-		"C5A762FF84253D3B3278BDF20C8D4D4AA317BE401B884E26A1F02C7308AADB68" +
-		"20EBDB0D339F5A63346F3B40CACED72F544DAF51566C6E807D0E6E1E38514342" +
-		"432661DC9564DA07548570E256688CD9E8060D8775F95D501886D958588CACA0" +
-		"9F2D2AE1913F996E76AF63E31A179A7A7D2A46EDA03B2BCCF9020A5AA15F9A28" +
-		"9340B33F3AE7F97360D45F8AE1B9DD48779A57E8C45B50A02C00349CD1C58C55" +
-		"1D68BC2A75EAFED944E8C599C288037181E997471352E24C952B",
-	PkB_sidh: "244AF1F367C2C33912750A98497CC8214BC195BD52BD76513D32ACE4B75E31F0" +
-		"281755C265F5565C74E3C04182B9C244071859C8588CC7F09547CEFF8F7705D2" +
-		"60CE87D6BFF914EE7DBE4B9AF051CA420062EEBDF043AF58184495026949B068" +
-		"98A47046BFAE8DF3B447746184AF550553BB5D266D6E1967ACA33CAC5F399F90" +
-		"360D70867F2C71EF6F94FF915C7DA8BC9549FB7656E691DAEFC93CF56876E482" +
-		"CA2F8BE2D6CDCC374C31AD8833CABE997CC92305F38497BEC4DFD1821B004FEC" +
-		"E16448F9A24F965EFE409A8939EEA671633D9FFCF961283E59B8834BDF7EDDB3" +
-		"05D6275B61DA6692325432A0BAA074FC7C1F51E76208AB193A57520D40A76334" +
-		"EE5712BDC3E1EFB6103966F2329EDFF63082C4DFCDF6BE1C5A048630B81871B8" +
-		"83B735748A8FD4E2D9530C272163AB18105B10015CA7456202FE1C9B92CEB167" +
-		"5EAE1132E582C88E47ED87B363D45F05BEA714D5E9933D7AF4071CBB5D49008F" +
-		"3E3DAD7DFF935EE509D5DE561842B678CCEB133D62E270E9AC3E",
+	PrB_sidh: "8626ED79D451140800E03B59B956F8210E556067407D13DC90FA9E8B872BFB0F",
+	PkB_sidh: "BB066F920803D8A481A09CD6398DCAE8D330AE2035245A92491228D6AC86A7E024D6318CC3FAC233A90F086EF663A74CD102D7A33BE96F726E084F3C8C630DD1CAD79289B68275962C90A29E061A8C5C266D4A9DE1D94FAA8E539A7A4FD5487905A1FAD75CBEF0B2BF298645C26D6A904EBA9B468B43B66B3CE579EF140379C4B0F06B2005B345A677590FB1A6C6B73D90D953383621EE667B9E9B3254403AF1C66D8FA8F0A9A3B06B1B6D81C661BCD0FCD09D96FF6A9AF52C4F68DB2E12DFB16319F6F24B7B206E94331F26165F501179F956AED2DC42679CAD539E32D9BF36F1764D5F3A596ADC504E0FF1F25A544FA139E0ACB516D6D5A15F0A0C4F03C0CF363086184E462035CA87BF21393DC8918E21258029A0DC7295FB7F04E363F0A63EE299AD9E638324E5A2027BF38C868AF49A591BDEA9D7C376981D015E55FBE641010C70AB08809AAE335B4B97081FB95621469F9B92F637A41BCBB7DC3D1D7242E3E5FD7CA8E3381057AAB9F948498AF438B5F8D2E157B5A318",
+	PrA_sike: "003271531CF27285B8721ED5CB46853043B346A66CBA6CF765F1B0EAA40BF602",
+	PkA_sike: "BE0CB724207D42075EC1569F43FFB8178C64E1F3EAF9D914879B3B3CAD1D12048CBB72861CA0B72C16F65FB4DA98778D9F37CF1442147AE179A8D1099D77028740BD72DFC873A8D2F293A603E5C4A13F7668E8F5C363602A490D47F4F95B269706BDC8DFDEAD77026D9842BB8B5CC4BFB99AF75ED8E4A6994DD4BD5BA606D9EF21A38E26CC35AE5C57324CFE6C16B53D61AD985B37F4B1E2F11234C52A869E184008999358EC0D2B4F2F163A09D3BA9B83D7E5647B5BE92014286D5F0BCE0CA14417226462191D3F0D8587A3ADA2C561FBA5DFE938606476882472C64C9E07D6BDB6C51D59B7978C792383C0CCC28337192A30340742C82EFCB3693FE93FBDA870554CF40F2B176C831628FF339739EC87389A2DD261EE9C6AAFF09ECEFF6C5074D7755ACA4A9D937A1F3A7C31D82E606E6CC6AC90189C17899B13EB759761EEA35AAF74D0B7F2411031AF81B9B946AE2E154FC08F3BB3E2DDE5F52DBC0E1164DCE028EFA45B1D58F4B32EF016D4F995909D3E0F3F69B8115D35",
+	PrB_sike: "4B622DE1350119C45A9F2E2EF3DC5DF50A759D138CDFBD64E82FCC97CA60CCB27BF6938C975658AEB8B4D37CFFBDE25D97E561F36C219A0E",
+	PkB_sike: "4EC46509AB1C547BDF2311B3AF82FCD25A83D154D9649C0D1A7F1E4D174BE9ED44F4B8AD2160FF43D4B94E65BE5A64DA3B8D5B63A02C3DCD376BB24122E03C3F09F4253E6F117999D0359F6BAB94F38BDB4B681EE09351483380EA4839E7808F8DF11C9A01DBC9D4C61075F3FF39B444679A8F3BEAE4BD47BE5B3A4D4B0F44F44BC8AB1B40E91852605F92860F6B4E627E8F7B00168CED2BA9D86865A5314E32E39B15E2021790CECA67A47959915E5C9717C96A055ADA061921F15306E4600751E984DA5FBC72E5F4E7B1182F60109DDD50C04A7A8D4281121AECD824730F38BE81A9D59B480DE44EB6CFC93436000C6E302B710FE3C24E6E6E0A371DF2B81CFBB37EDBD739926DBBE95A81D90DA22A7A5DF0DEE13031B7DE91504F45E20F0F15B24931A5D41EE48FA84F11D9F33B1F5BF315B355FAC0AB40C702190C190489DDA7B8715E680CE0DE4BFB50D78290C1A4C29F7C776597D9FB6C1DE65E150FAD46DF3CF38BDB22493697A2307A121B67C90B04C0809E1C8CA916",
 }
 
 /* -------------------------------------------------------------------------
@@ -274,7 +251,7 @@ func TestDerivationRoundTrip(t *testing.T) {
 }
 
 // encrypt, decrypt, check if input/output plaintext is the same
-func testPKERoundTrip(t testing.TB, id uint8) {
+func TestPKERoundTrip(t *testing.T) {
 	// Message to be encrypted
 	var msg = make([]byte, Params.MsgLen)
 	var ct = make([]byte, kemSikeP503.CiphertextSize())
@@ -521,7 +498,7 @@ func testKeygen(t *testing.T, pk, sk []byte) {
 	prvKey.GeneratePublicKey(pubKey)
 	pubKey.Export(pubKeyBytes[:])
 	if !bytes.Equal(pubKeyBytes[:], pk) {
-		t.Fatalf("KAT keygen form private failed\n")
+		t.Fatalf("KAT keygen form private failed\nExp: %X\nGot: %X\n", pubKeyBytes[:], pk)
 	}
 }
 
@@ -539,92 +516,94 @@ func TestDecapsulation(t *testing.T) {
 		0x6F, 0x18}
 
 	var pk = []byte{
-		0x07, 0xAA, 0x51, 0x45, 0x3E, 0x1F, 0x53, 0x2A, 0x0A, 0x05,
-		0x46, 0xF6, 0x54, 0x7F, 0x5D, 0x56, 0xD6, 0x76, 0xD3, 0xEA,
-		0x4B, 0x6B, 0x01, 0x9B, 0x11, 0x72, 0x6F, 0x75, 0xEA, 0x34,
-		0x3C, 0x28, 0x2C, 0x36, 0xFD, 0x77, 0xDA, 0xBE, 0xB6, 0x20,
-		0x18, 0xC1, 0x93, 0x98, 0x18, 0x86, 0x30, 0x2F, 0x2E, 0xD2,
-		0x00, 0x61, 0xFF, 0xAE, 0x78, 0xAE, 0xFB, 0x6F, 0x32, 0xAC,
-		0x06, 0xBF, 0x35, 0xF6, 0xF7, 0x5B, 0x98, 0x26, 0x95, 0xC2,
-		0xD8, 0xD6, 0x1C, 0x0E, 0x47, 0xDA, 0x76, 0xCE, 0xB5, 0xF1,
-		0x19, 0xCC, 0x01, 0xE1, 0x17, 0xA9, 0x62, 0xF7, 0x82, 0x6C,
-		0x25, 0x51, 0x25, 0xAE, 0xFE, 0xE3, 0xE2, 0xE1, 0x35, 0xAE,
-		0x2E, 0x8F, 0x38, 0xE0, 0x7C, 0x74, 0x3C, 0x1D, 0x39, 0x91,
-		0x1B, 0xC7, 0x9F, 0x8E, 0x33, 0x4E, 0x84, 0x19, 0xB8, 0xD9,
-		0xC2, 0x71, 0x35, 0x02, 0x47, 0x3E, 0x79, 0xEF, 0x47, 0xE1,
-		0xD8, 0x21, 0x96, 0x1F, 0x11, 0x59, 0x39, 0x34, 0x76, 0xEF,
-		0x3E, 0xB7, 0x4E, 0xFB, 0x7C, 0x55, 0xA1, 0x85, 0xAA, 0xAB,
-		0xAD, 0xF0, 0x09, 0xCB, 0xD1, 0xE3, 0x7C, 0x4F, 0x5D, 0x2D,
-		0xE1, 0x13, 0xF0, 0x71, 0xD9, 0xE5, 0xF6, 0xAF, 0x7F, 0xC1,
-		0x27, 0x95, 0x8D, 0x52, 0xD5, 0x96, 0x42, 0x38, 0x41, 0xF7,
-		0x24, 0x3F, 0x3A, 0xB5, 0x7E, 0x11, 0xE4, 0xF9, 0x33, 0xEE,
-		0x4D, 0xBE, 0x74, 0x48, 0xF9, 0x98, 0x04, 0x01, 0x16, 0xEB,
-		0xA9, 0x0D, 0x61, 0xC6, 0xFD, 0x4C, 0xCF, 0x98, 0x84, 0x4A,
-		0x94, 0xAC, 0x69, 0x2C, 0x02, 0x8B, 0xE3, 0xD1, 0x41, 0x0D,
-		0xF2, 0x2D, 0x46, 0x1F, 0x57, 0x1C, 0x77, 0x86, 0x18, 0xE3,
-		0x63, 0xDE, 0xF3, 0xE3, 0x02, 0x30, 0x54, 0x73, 0xAE, 0xC2,
-		0x32, 0xA2, 0xCE, 0xEB, 0xCF, 0x81, 0x46, 0x54, 0x5C, 0xF4,
-		0x5D, 0x2A, 0x03, 0x5D, 0x9C, 0xAE, 0xE0, 0x60, 0x03, 0x80,
-		0x11, 0x30, 0xA5, 0xAA, 0xD1, 0x75, 0x67, 0xE0, 0x1C, 0x2B,
-		0x6B, 0x5D, 0x83, 0xDE, 0x92, 0x9B, 0x0E, 0xD7, 0x11, 0x0F,
-		0x00, 0xC4, 0x59, 0xE4, 0x81, 0x04, 0x3B, 0xEE, 0x5C, 0x04,
-		0xD1, 0x0E, 0xD0, 0x67, 0xF5, 0xCC, 0xAA, 0x72, 0x73, 0xEA,
-		0xC4, 0x76, 0x99, 0x3B, 0x4C, 0x90, 0x2F, 0xCB, 0xD8, 0x0A,
-		0x5B, 0xEC, 0x0E, 0x0E, 0x1F, 0x59, 0xEA, 0x14, 0x8D, 0x34,
-		0x53, 0x65, 0x4C, 0x1A, 0x59, 0xA8, 0x95, 0x66, 0x60, 0xBB,
-		0xC4, 0xCC, 0x32, 0xA9, 0x8D, 0x2A, 0xAA, 0x14, 0x6F, 0x0F,
-		0x81, 0x4D, 0x32, 0x02, 0xFD, 0x33, 0x58, 0x42, 0xCF, 0xF3,
-		0x67, 0xD0, 0x9F, 0x0B, 0xB1, 0xCC, 0x18, 0xA5, 0xC4, 0x19,
-		0xB6, 0x00, 0xED, 0xFA, 0x32, 0x1A, 0x5F, 0x67, 0xC8, 0xC3,
-		0xEB, 0x0D, 0xB5, 0x9A, 0x36, 0x47, 0x82, 0x00,
+		0xCA, 0x38, 0x7A, 0x45, 0xF8, 0xA7, 0xFB, 0xE5, 0x97, 0xB0,
+		0x5B, 0xE4, 0x95, 0xDC, 0x38, 0xFA, 0xFC, 0x9B, 0xB3, 0xD1,
+		0x79, 0xF8, 0x7D, 0x54, 0x0A, 0xD9, 0xE0, 0x64, 0xE3, 0xED,
+		0x4D, 0x23, 0xD2, 0x86, 0x0D, 0x84, 0x0C, 0x44, 0x14, 0xE4,
+		0x6B, 0xB9, 0x35, 0xBA, 0x70, 0x2A, 0x90, 0x92, 0xAA, 0x90,
+		0x34, 0x81, 0x9F, 0xC7, 0x99, 0xD5, 0xB2, 0x2D, 0xD0, 0xBE,
+		0xC9, 0x3B, 0x25, 0x8F, 0x49, 0x18, 0xFE, 0xDB, 0xE3, 0x60,
+		0x04, 0x89, 0xB3, 0xC8, 0x8D, 0x2C, 0xC3, 0x35, 0x79, 0x45,
+		0x56, 0x03, 0x3C, 0xA2, 0x93, 0xDC, 0xE1, 0x1E, 0x98, 0x50,
+		0xB1, 0x65, 0xB9, 0x71, 0x8E, 0xB2, 0xBF, 0x93, 0x06, 0xDF,
+		0x55, 0xE3, 0xC9, 0xF9, 0x53, 0xB4, 0x05, 0x70, 0xF3, 0x7D,
+		0xE1, 0xE8, 0x78, 0x46, 0x93, 0x80, 0xBD, 0xBA, 0x7A, 0xE7,
+		0x66, 0x67, 0x6D, 0x99, 0xAD, 0x02, 0x5E, 0xD2, 0xFE, 0x59,
+		0x09, 0xB5, 0xF7, 0xB1, 0x60, 0x04, 0x59, 0x74, 0x21, 0x09,
+		0x66, 0x6A, 0x2C, 0x94, 0xAC, 0x78, 0x7F, 0xA5, 0x4E, 0x58,
+		0x07, 0xC4, 0xF2, 0x3F, 0x9C, 0x3E, 0xAB, 0x68, 0x83, 0xC4,
+		0x8C, 0x3C, 0xBB, 0x1B, 0x41, 0xBE, 0x26, 0x7C, 0xD0, 0xB1,
+		0xA8, 0xED, 0x3B, 0xA5, 0xD2, 0xAE, 0x4A, 0x44, 0xF8, 0xD6,
+		0x31, 0xB4, 0x06, 0x78, 0x61, 0x3C, 0xBA, 0xE8, 0x1A, 0x20,
+		0xF7, 0xE8, 0x11, 0x7D, 0x2C, 0xBC, 0xE6, 0x29, 0xD1, 0x73,
+		0xCC, 0x68, 0x5A, 0x4A, 0x6F, 0x43, 0x4C, 0x6E, 0xEC, 0xB8,
+		0x16, 0x9A, 0xE1, 0x82, 0x37, 0xC2, 0xAE, 0xD7, 0x2A, 0xD6,
+		0xCC, 0x19, 0x6C, 0x9E, 0xD1, 0xBD, 0x6C, 0x74, 0x9A, 0x4C,
+		0xA3, 0x6C, 0x4A, 0xAA, 0xB5, 0x99, 0x5F, 0xE9, 0x68, 0x0F,
+		0x73, 0x2B, 0x44, 0x7D, 0x66, 0x4E, 0x63, 0x3C, 0x32, 0xEC,
+		0x20, 0x03, 0xFF, 0xBE, 0xF3, 0x08, 0x0F, 0x11, 0xE2, 0x4B,
+		0xF1, 0xD5, 0x12, 0xE2, 0x52, 0x66, 0x19, 0xE4, 0x8B, 0xA4,
+		0x7E, 0x7F, 0x60, 0x27, 0x3B, 0x78, 0x6C, 0xC5, 0xBF, 0x58,
+		0x6F, 0xFE, 0x05, 0xFC, 0x25, 0xF4, 0x12, 0x68, 0xAB, 0xA3,
+		0x32, 0x75, 0x6A, 0x6A, 0xA6, 0x4E, 0x36, 0x42, 0x20, 0x17,
+		0x2E, 0xBE, 0x7A, 0x0F, 0x78, 0x63, 0x3E, 0x5D, 0xBC, 0xB4,
+		0xA0, 0xAC, 0xF3, 0xFE, 0x33, 0x49, 0x08, 0x62, 0xDC, 0x39,
+		0xFF, 0xFD, 0x83, 0x02, 0x10, 0x8A, 0x86, 0xD7, 0x62, 0xE5,
+		0xF2, 0x98, 0x7F, 0x8D, 0x79, 0x6A, 0xC4, 0x88, 0xD2, 0x84,
+		0xC7, 0x3B, 0xEB, 0xC1, 0x6A, 0xE0, 0x7F, 0x42, 0x92, 0x25,
+		0x0F, 0xA0, 0x35, 0xA5, 0xEF, 0x98, 0x4D, 0x41, 0xC5, 0x25,
+		0x77, 0x35, 0x36, 0xA9, 0x0B, 0xAB, 0x43, 0x0C, 0x6C, 0xF1,
+		0x31, 0x56, 0x17, 0x82, 0xD7, 0x00, 0x62, 0x1F,
 	}
 
 	var ct = []byte{
-		0xE6, 0xB7, 0xE5, 0x7B, 0xA9, 0x19, 0xD1, 0x2C, 0xB8, 0x5C,
-		0x7B, 0x66, 0x74, 0xB0, 0x71, 0xA1, 0xFF, 0x71, 0x7F, 0x4B,
-		0xB5, 0xA6, 0xAF, 0x48, 0x32, 0x52, 0xD5, 0x82, 0xEE, 0x8A,
-		0xBB, 0x08, 0x1E, 0xF6, 0xAC, 0x91, 0xA2, 0xCB, 0x6B, 0x6A,
-		0x09, 0x2B, 0xD9, 0xC6, 0x27, 0xD6, 0x3A, 0x6B, 0x8D, 0xFC,
-		0xB8, 0x90, 0x8F, 0x72, 0xB3, 0xFA, 0x7D, 0x34, 0x7A, 0xC4,
-		0x7E, 0xE3, 0x30, 0xC5, 0xA0, 0xFE, 0x3D, 0x43, 0x14, 0x4E,
-		0x3A, 0x14, 0x76, 0x3E, 0xFB, 0xDF, 0xE3, 0xA8, 0xE3, 0x5E,
-		0x38, 0xF2, 0xE0, 0x39, 0x67, 0x60, 0xFD, 0xFB, 0xB4, 0x19,
-		0xCD, 0xE1, 0x93, 0xA2, 0x06, 0xCC, 0x65, 0xCD, 0x6E, 0xC8,
-		0xB4, 0x5E, 0x41, 0x4B, 0x6C, 0xA5, 0xF4, 0xE4, 0x9D, 0x52,
-		0x8C, 0x25, 0x60, 0xDD, 0x3D, 0xA9, 0x7F, 0xF2, 0x88, 0xC1,
-		0x0C, 0xEE, 0x97, 0xE0, 0xE7, 0x3B, 0xB7, 0xD3, 0x6F, 0x28,
-		0x79, 0x2F, 0x50, 0xB2, 0x4F, 0x74, 0x3A, 0x0C, 0x88, 0x27,
-		0x98, 0x3A, 0x27, 0xD3, 0x26, 0x83, 0x59, 0x49, 0x81, 0x5B,
-		0x0D, 0xA7, 0x0C, 0x4F, 0xEF, 0xFB, 0x1E, 0xAF, 0xE9, 0xD2,
-		0x1C, 0x10, 0x25, 0xEC, 0x9E, 0xFA, 0x57, 0x36, 0xAA, 0x3F,
-		0xC1, 0xA3, 0x2C, 0xE9, 0xB5, 0xC9, 0xED, 0x72, 0x51, 0x4C,
-		0x02, 0xB4, 0x7B, 0xB3, 0xED, 0x9F, 0x45, 0x03, 0x34, 0xAC,
-		0x9A, 0x9E, 0x62, 0x5F, 0x82, 0x7A, 0x77, 0x34, 0xF9, 0x21,
-		0x94, 0xD2, 0x38, 0x3D, 0x05, 0xF0, 0x8A, 0x60, 0x1C, 0xB7,
-		0x1D, 0xF5, 0xB7, 0x53, 0x77, 0xD3, 0x9D, 0x3D, 0x70, 0x6A,
-		0xCB, 0x18, 0x20, 0x6B, 0x29, 0x17, 0x3A, 0x6D, 0xA1, 0xB2,
-		0x64, 0xDB, 0x6C, 0xE6, 0x1A, 0x95, 0xA7, 0xF4, 0x1A, 0x78,
-		0x1D, 0xA2, 0x40, 0x15, 0x41, 0x59, 0xDD, 0xEE, 0x23, 0x57,
-		0xCE, 0x36, 0x0D, 0x55, 0xBD, 0xB8, 0xFD, 0x0F, 0x35, 0xBD,
-		0x5B, 0x92, 0xD6, 0x1C, 0x84, 0x8C, 0x32, 0x64, 0xA6, 0x5C,
-		0x45, 0x18, 0x07, 0x6B, 0xF9, 0xA9, 0x43, 0x9A, 0x83, 0xCD,
-		0xB5, 0xB3, 0xD9, 0x17, 0x99, 0x2C, 0x2A, 0x8B, 0xE0, 0x8E,
-		0xAF, 0xA6, 0x4C, 0x95, 0xBB, 0x70, 0x60, 0x1A, 0x3A, 0x97,
-		0xAA, 0x2F, 0x3D, 0x22, 0x83, 0xB7, 0x4F, 0x59, 0xED, 0x3F,
-		0x4E, 0xF4, 0x19, 0xC6, 0x25, 0x0B, 0x0A, 0x5E, 0x21, 0xB9,
-		0x91, 0xB8, 0x19, 0x84, 0x48, 0x78, 0xCE, 0x27, 0xBF, 0x41,
-		0x89, 0xF6, 0x30, 0xFD, 0x6B, 0xD9, 0xB8, 0x1D, 0x72, 0x8A,
-		0x56, 0xCC, 0x2F, 0x82, 0xE4, 0x46, 0x4D, 0x75, 0xD8, 0x92,
-		0xE6, 0x9C, 0xCC, 0xD2, 0xCD, 0x35, 0xE4, 0xFC, 0x2A, 0x85,
-		0x6B, 0xA9, 0xB2, 0x27, 0xC9, 0xA1, 0xFF, 0xB3, 0x96, 0x3E,
-		0x59, 0xF6, 0x4C, 0x66, 0x56, 0x2E, 0xF5, 0x1B, 0x97, 0x32,
-		0xB0, 0x71, 0x5A, 0x9C, 0x50, 0x4B, 0x6F, 0xC4, 0xCA, 0x94,
-		0x75, 0x37, 0x46, 0x10, 0x12, 0x2F, 0x4F, 0xA3, 0x82, 0xCD,
-		0xBD, 0x7C,
-	}
-	var ss_exp = []byte{
-		0xbe, 0x07, 0x1d, 0xa6, 0x95, 0x4b, 0x03, 0x49, 0x6b, 0x2a,
-		0x8e, 0x25, 0x80, 0xab, 0x9c, 0xdd}
+		0x7B, 0x1B, 0x9E, 0xFC, 0x2B, 0x63, 0x7A, 0x71, 0x19, 0x3A,
+		0xAE, 0xC3, 0xDB, 0xEC, 0x20, 0x18, 0x27, 0x16, 0x64, 0xBF,
+		0xE5, 0x5F, 0x48, 0x75, 0xA1, 0xAE, 0xF1, 0x92, 0x40, 0x77,
+		0xB5, 0xF0, 0x85, 0x69, 0x8E, 0x02, 0x1A, 0x64, 0x94, 0x89,
+		0xA0, 0xEE, 0xDA, 0xDB, 0x07, 0xE5, 0xE5, 0xFF, 0xE7, 0x01,
+		0x5F, 0x5E, 0xC7, 0xD3, 0x3B, 0x27, 0xE1, 0x13, 0x9C, 0x01,
+		0x33, 0x44, 0x35, 0x67, 0xEA, 0x14, 0xFE, 0x74, 0x03, 0x9F,
+		0xD5, 0xE9, 0x3E, 0x58, 0x4A, 0xE3, 0xC2, 0x32, 0x22, 0x7A,
+		0x80, 0xA0, 0x18, 0x3A, 0x31, 0xAB, 0xBE, 0x63, 0xD0, 0xA2,
+		0xAB, 0x22, 0x28, 0x93, 0x17, 0x70, 0x79, 0x37, 0x4C, 0x55,
+		0xC4, 0xCB, 0x0F, 0x0D, 0x21, 0xBC, 0x35, 0x6F, 0x35, 0x04,
+		0x03, 0x5C, 0x23, 0xF6, 0x93, 0x4C, 0x98, 0x2D, 0x28, 0xB2,
+		0x4D, 0x43, 0xA4, 0x27, 0xFD, 0x38, 0x70, 0x27, 0x2F, 0x46,
+		0xA1, 0x25, 0x07, 0x86, 0x3A, 0x85, 0x50, 0x2E, 0x6B, 0x51,
+		0x58, 0x8D, 0xE5, 0x52, 0xA4, 0x44, 0x1E, 0x7D, 0x3A, 0x9B,
+		0x64, 0x89, 0xC8, 0x4F, 0x1C, 0x18, 0x98, 0xF5, 0xFE, 0x7F,
+		0xCA, 0x3A, 0x84, 0x7C, 0x53, 0xA7, 0xA1, 0xF6, 0xB1, 0xB2,
+		0xB5, 0xBC, 0xA5, 0x58, 0x31, 0xD4, 0xB2, 0x2E, 0x1D, 0xDE,
+		0x3A, 0xD5, 0xB9, 0x70, 0xA3, 0xE6, 0xE9, 0x2C, 0x39, 0xF6,
+		0xB5, 0x89, 0xDD, 0x14, 0x91, 0x31, 0x26, 0xE0, 0xAE, 0x66,
+		0x30, 0x3A, 0x59, 0x57, 0xA3, 0xFF, 0xC1, 0x1F, 0x3B, 0xB8,
+		0xA9, 0x9A, 0xB0, 0xAE, 0x2D, 0x70, 0x43, 0x38, 0x58, 0xF1,
+		0xD5, 0xFC, 0x29, 0x6A, 0x49, 0xD3, 0x2E, 0x57, 0xA7, 0x16,
+		0x7A, 0x2A, 0x06, 0x00, 0x39, 0x67, 0xCB, 0xA8, 0xB4, 0x26,
+		0xC3, 0x4B, 0xD5, 0x15, 0x83, 0x95, 0xD9, 0xCC, 0x50, 0x1A,
+		0x23, 0x00, 0xFF, 0xFE, 0x00, 0xFC, 0x99, 0x28, 0x38, 0xE8,
+		0x60, 0xF0, 0xFD, 0x12, 0xD3, 0x22, 0x26, 0x8E, 0x1F, 0xED,
+		0x11, 0x23, 0xB3, 0x56, 0x2A, 0x94, 0xE0, 0x1A, 0xE1, 0x25,
+		0x6B, 0x1C, 0x5A, 0xB0, 0x15, 0xA8, 0xA5, 0xF8, 0x76, 0xA9,
+		0x1F, 0x4E, 0xF1, 0x01, 0xC5, 0x12, 0x25, 0x8C, 0x1C, 0x10,
+		0x02, 0xAF, 0x0E, 0x5E, 0xAC, 0x67, 0x84, 0x35, 0x98, 0xDD,
+		0x99, 0x44, 0x15, 0x3B, 0x03, 0x41, 0x37, 0x10, 0x1F, 0x3A,
+		0x36, 0xFF, 0x0A, 0x47, 0xCA, 0x22, 0xA4, 0x36, 0xEB, 0x4C,
+		0x7D, 0x9B, 0x9A, 0xBD, 0x13, 0x4C, 0x5A, 0x0E, 0xCD, 0x35,
+		0xB3, 0x3A, 0xA7, 0x15, 0xFD, 0xEC, 0xEE, 0x37, 0x21, 0x25,
+		0xB4, 0xCC, 0x20, 0x07, 0x7F, 0xA7, 0x9F, 0x0F, 0x97, 0x3C,
+		0x26, 0x10, 0xE1, 0xE9, 0x3A, 0xF7, 0x53, 0x43, 0xC4, 0xCA,
+		0x97, 0x54, 0x13, 0x59, 0x24, 0x72, 0xE3, 0x1D, 0xE7, 0x00,
+		0x09, 0x61, 0x29, 0x5A, 0x53, 0x14, 0x5F, 0xAA, 0xF6, 0x6A,
+		0xFA, 0x72, 0xCA, 0x79, 0xC6, 0xA4, 0x9B, 0xEF, 0xE5, 0x69,
+		0x9E, 0x66,
+	}
+	var ss_exp = [24]byte{
+		0x0F, 0x7E, 0x5A, 0x52, 0x19, 0x9E, 0x77, 0x87, 0x2E, 0x93,
+		0x3A, 0xCB, 0x13, 0xD7, 0x96, 0xD6, 0x76, 0x27, 0xA6, 0x27,
+		0xE9, 0x1D, 0xD4, 0x2A,
+	}
 
 	var prvObj = NewPrivateKey(KeyVariant_SIKE)
 	var pubObj = NewPublicKey(KeyVariant_SIKE)
@@ -637,7 +616,7 @@ func TestDecapsulation(t *testing.T) {
 	checkErr(t, kemSikeP503.Decapsulate(res, prvObj, pubObj, ct),
 		"error: Decapsulation failed")
 
-	if !bytes.Equal(ss_exp, res) {
+	if !bytes.Equal(ss_exp[:], res) {
 		t.Error("Wrong decapsulation result")
 	}
 }
@@ -663,23 +642,22 @@ func readAndCheckLine(r *bufio.Reader) []byte {
 
 func TestKAT(t *testing.T) {
 	ssGot := make([]byte, kemSikeP503.SharedSecretSize())
-	testDecapsulation := func(t *testing.T, pk, sk, ct, ssExpected []byte) {
-		var pubKey = NewPublicKey(KeyVariant_SIKE)
-		var prvKey = NewPrivateKey(KeyVariant_SIKE)
-		if pubKey.Import(pk) != nil || prvKey.Import(sk) != nil {
-			panic("sike test: can't load KAT")
-		}
+		testDecapsulation := func(t *testing.T, pk, sk, ct, ssExpected []byte) {
+			var pubKey = NewPublicKey(KeyVariant_SIKE)
+			var prvKey = NewPrivateKey(KeyVariant_SIKE)
+			if pubKey.Import(pk) != nil || prvKey.Import(sk) != nil {
+				panic("sike test: can't load KAT")
+			}
 
-		err := kemSikeP503.Decapsulate(ssGot, prvKey, pubKey, ct)
-		if err != nil {
-			panic("sike test: can't perform degcapsulation KAT")
-		}
+			err := kemSikeP503.Decapsulate(ssGot, prvKey, pubKey, ct)
+			if err != nil {
+				panic("sike test: can't perform degcapsulation KAT")
+			}
 
-		if (err != nil) || !bytes.Equal(ssGot, ssExpected) {
-			t.Fatalf("KAT decapsulation failed\n")
+			if (err != nil) || !bytes.Equal(ssGot, ssExpected) {
+				t.Fatalf("KAT decapsulation failed\n")
+			}
 		}
-	}
-
 	f, err := os.Open(tdata.katFile)
 	if err != nil {
 		t.Fatal(err)

types.go

@@ -38,12 +38,14 @@ type SidhParams struct {
 	PublicKeySize int
 	// The shared secret size, in bytes.
 	SharedSecretSize int
+	// Defines A,C constant for starting curve Cy^2 = x^3 + Ax^2 + x
+	InitCurve ProjectiveCurveParameters
 	// 2- and 3-torsion group parameter definitions
 	A, B DomainParams
-	// Precomputed identity element in the Fp2 in Montgomery domain
-	OneFp2 Fp2
 	// Precomputed 1/2 in the Fp2 in Montgomery domain
 	HalfFp2 Fp2
+	// Precomputed identity element in the Fp2 in Montgomery domain
+	OneFp2 Fp2
 	// Length of SIKE secret message. Must be one of {24,32,40},
 	// depending on size of prime field used (see [SIKE], 1.4 and 5.1)
 	MsgLen int