Update SIKEp503 to Round2

这个提交包含在:
Henry Case 2019-06-25 18:21:00 +01:00 提交者 Krzysztof Kwiatkowski
父节点 bdf21913e9
当前提交 c3d092951d
共有 7 个文件被更改,包括 609 次插入647 次删除

查看文件

@ -1,7 +1,7 @@
# Supersingular Isogeny Key Encapsulation
Repository keeps simple Go's implementation of
SIKE based on field p503 (Round1).
SIKE based on field p503 (Round2).
## Speed

查看文件

@ -37,18 +37,25 @@ var p503p1s8 = Fp{
0x085BDA2211E7A0AC, 0x9BF6C87B7E7DAF13, 0x45C6BDDA77A4D01B, 0x4066F541811E1E60,
}
// 1/2 * R mod p
var half = Fp2{
A: Fp{
0x00000000000001FC, 0x0000000000000000, 0x0000000000000000, 0xB000000000000000,
0x3B69BB2464785D2A, 0x36824A2AF0FE9896, 0xF5899F427A94F309, 0x0033B15203C83BB8},
}
// 1*R mod p
var P503_OneFp2 = Fp2{
var one = Fp2{
A: Fp{
0x00000000000003F9, 0x0000000000000000, 0x0000000000000000, 0xB400000000000000,
0x63CB1A6EA6DED2B4, 0x51689D8D667EB37D, 0x8ACD77C71AB24142, 0x0026FBAEC60F5953},
}
// 1/2 * R mod p
var P503_HalfFp2 = Fp2{
// 6*R mod p
var six = Fp2{
A: Fp{
0x00000000000001FC, 0x0000000000000000, 0x0000000000000000, 0xB000000000000000,
0x3B69BB2464785D2A, 0x36824A2AF0FE9896, 0xF5899F427A94F309, 0x0033B15203C83BB8},
0x00000000000017D8, 0x0000000000000000, 0x0000000000000000, 0xE000000000000000,
0x30B1E6E3A51520FA, 0xB13BC3BF6FFB3992, 0x8045412EEB3E3DED, 0x0069182E2159DBB8},
}
var Params SidhParams
@ -59,38 +66,42 @@ func init() {
PublicKeySize: 378,
// SIDH shared secret byte size.
SharedSecretSize: 126,
InitCurve: ProjectiveCurveParameters{
A: six,
C: one,
},
A: DomainParams{
// The x-coordinate of PA
Affine_P: Fp2{
A: Fp{
0xE7EF4AA786D855AF, 0xED5758F03EB34D3B, 0x09AE172535A86AA9, 0x237B9CC07D622723,
0xE3A284CBA4E7932D, 0x27481D9176C5E63F, 0x6A323FF55C6E71BF, 0x002ECC31A6FB8773,
0x5D083011589AD893, 0xADFD8D2CB67D0637, 0x330C9AC34FFB6361, 0xF0D47489A2E805A2,
0x27E2789259C6B8DC, 0x63866A2C121931B9, 0x8D4C65A7137DCF44, 0x003A183AE5967B3F,
},
B: Fp{
0x64D02E4E90A620B8, 0xDAB8128537D4B9F1, 0x4BADF77B8A228F98, 0x0F5DBDF9D1FB7D1B,
0xBEC4DB288E1A0DCC, 0xE76A8665E80675DB, 0x6D6F252E12929463, 0x003188BD1463FACC,
0x7E3541B8C96D1519, 0xD3ADAEEC0D61A26C, 0xC0A2219CE7703DD9, 0xFF3E46658FCDBC52,
0xD5B38DEAE6E196FF, 0x1AAC826364956D58, 0xEC9F4875B9A5F27A, 0x001B0B475AB99843,
},
},
// The x-coordinate of QA
Affine_Q: Fp2{
A: Fp{
0xB79D41025DE85D56, 0x0B867DA9DF169686, 0x740E5368021C827D, 0x20615D72157BF25C,
0xFF1590013C9B9F5B, 0xC884DCADE8C16CEA, 0xEBD05E53BF724E01, 0x0032FEF8FDA5748C,
0x4D83695107D03BAD, 0x221F3299005E2FCF, 0x78E6AE22F30DECF2, 0x6D982DB5111253E4,
0x504C80A8AB4526A8, 0xEFD0C3AA210BB024, 0xCB77483501DC6FCF, 0x001052544A96BDF3,
},
B: Fp{
0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000,
0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000,
0x0D74FE3402BCAE47, 0xDF5B8CDA832D8AED, 0xB86BCF06E4BD837E, 0x892A2933A0FA1F63,
0x9F88FC67B6CCB461, 0x822926EA9DDA3AC8, 0xEAC8DDE5855425ED, 0x000618FE6DA37A80,
},
},
// The x-coordinate of RA = PA-QA
Affine_R: Fp2{
A: Fp{
0x12E2E849AA0A8006, 0x41CF47008635A1E8, 0x9CD720A70798AED7, 0x42A820B42FCF04CF,
0x7BF9BAD32AAE88B1, 0xF619127A54090BBE, 0x1CB10D8F56408EAA, 0x001D6B54C3C0EDEB,
0x6B6F4A4F786CF310, 0xB019D444BDCFDBE3, 0xA14CB06680607834, 0xCB0D5582E7E6E60A,
0xBA4EE8771667E241, 0xE42A114FCB12E5FF, 0x9A0C074E275BCD98, 0x001871329B28689E,
},
B: Fp{
0x34DB54931CBAAC36, 0x420A18CB8DD5F0C4, 0x32008C1A48C0F44D, 0x3B3BA772B1CFD44D,
0xA74B058FDAF13515, 0x095FC9CA7EEC17B4, 0x448E829D28F120F8, 0x00261EC3ED16A489,
0x685FA8378513FE76, 0x84E8FC1785E8BDF0, 0x8A380F177CB7C1B7, 0x2227464F4F812C94,
0x117C94A81A90C279, 0x193D73132FB9FA28, 0x99335336F192C9EB, 0x0006C2FE778A34FD,
},
},
// Max size of secret key for 2-torsion group, corresponds to 2^e2 - 1
@ -113,19 +124,19 @@ func init() {
// The x-coordinate of PB
Affine_P: Fp2{
A: Fp{
0x7EDE37F4FA0BC727, 0xF7F8EC5C8598941C, 0xD15519B516B5F5C8, 0xF6D5AC9B87A36282,
0x7B19F105B30E952E, 0x13BD8B2025B4EBEE, 0x7B96D27F4EC579A2, 0x00140850CAB7E5DE,
0xDF630FC5FB2468DB, 0xC30C5541C102040E, 0x3CDC9987B76511FC, 0xF54B5A09353D0CDD,
0x3ADBA8E00703C42F, 0x8253F9303DDC95D0, 0x62D30778763ABFD7, 0x001CD00FB581CD55,
},
B: Fp{
0x7764909DAE7B7B2D, 0x578ABB16284911AB, 0x76E2BFD146A6BF4D, 0x4824044B23AA02F0,
0x1105048912A321F3, 0xB8A2E482CF0F10C1, 0x42FF7D0BE2152085, 0x0018E599C5223352,
0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000,
0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000,
},
},
// The x-coordinate of QB
Affine_Q: Fp2{
A: Fp{
0x4256C520FB388820, 0x744FD7C3BAAF0A13, 0x4B6A2DDDB12CBCB8, 0xE46826E27F427DF8,
0xFE4A663CD505A61B, 0xD6B3A1BAF025C695, 0x7C3BB62B8FCC00BD, 0x003AFDDE4A35746C,
0x2E3457A12B429261, 0x311F94E89627DCF8, 0x5B71C98FD1DB73F6, 0x3671DB7DCFC21541,
0xB6D1484C9FE0CF4F, 0x19CD110717356E35, 0xF4F9FB00AC9919DF, 0x0035BC124D38A70B,
},
B: Fp{
0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000,
@ -135,12 +146,12 @@ func init() {
// The x-coordinate of RB = PB - QB
Affine_R: Fp2{
A: Fp{
0x75601CD1E6C0DFCB, 0x1A9007239B58F93E, 0xC1F1BE80C62107AC, 0x7F513B898F29FF08,
0xEA0BEDFF43E1F7B2, 0x2C6D94018CBAE6D0, 0x3A430D31BCD84672, 0x000D26892ECCFE83,
0x2E08BB99413D2952, 0xD3021467CD088D72, 0x21017AF859752245, 0x26314ED8FFD9DE5C,
0x4AF43C73344B6686, 0xCFA1F91149DF0993, 0xF327A95365587A89, 0x000DBF54E03D3906,
},
B: Fp{
0x1119D62AEA3007A1, 0xE3702AA4E04BAE1B, 0x9AB96F7D59F990E7, 0xF58440E8B43319C0,
0xAF8134BEE1489775, 0xE7F7774E905192AA, 0xF54AE09308E98039, 0x001EF7A041A86112,
0xFC1FC00CBD0A0CFB, 0x66C29FB284B491A9, 0x7FBED0B26D7F18E0, 0x9C02361066F4C67D,
0x2D83758DD0B19E6F, 0x0827029DB2CDC1D7, 0x58700A85FAD38A71, 0x0006FA256B614AD2,
},
},
// Size of secret key for 3-torsion group, corresponds to log_2(3^e3) - 1.
@ -162,13 +173,13 @@ func init() {
0x02, 0x01, 0x01, 0x08, 0x04, 0x02, 0x01, 0x01, 0x02, 0x01, 0x01, 0x04, 0x02, 0x01,
0x01, 0x02, 0x01, 0x01},
},
OneFp2: P503_OneFp2,
HalfFp2: P503_HalfFp2,
OneFp2: one,
HalfFp2: half,
MsgLen: 24,
// SIKEp503 provides 128 bit of classical security ([SIKE], 5.1)
KemSize: 16,
KemSize: 24,
// ceil(503+7/8)
Bytelen: 63,
CiphertextSize: 16 + 8 + 378,
CiphertextSize: 24 + 378,
}
}

查看文件

@ -106,7 +106,7 @@ func RecoverCoordinateA(curve *ProjectiveCurveParameters, xp, xq, xr *Fp2) {
}
// Computes equivalence (A:C) ~ (A+2C : A-2C)
func CalcCurveParamsEquiv3(cparams *ProjectiveCurveParameters) CurveCoefficientsEquiv {
func ToEquiv3(cparams *ProjectiveCurveParameters) CurveCoefficientsEquiv {
var coef CurveCoefficientsEquiv
var c2 Fp2
@ -118,8 +118,18 @@ func CalcCurveParamsEquiv3(cparams *ProjectiveCurveParameters) CurveCoefficients
return coef
}
// Recovers (A:C) curve parameters from projectively equivalent (A+2C:A-2C).
func FromEquiv3(cparams *ProjectiveCurveParameters, coefEq *CurveCoefficientsEquiv) {
add(&cparams.A, &coefEq.A, &coefEq.C)
// cparams.A = 2*(A+2C+A-2C) = 4A
add(&cparams.A, &cparams.A, &cparams.A)
// cparams.C = (A+2C-A+2C) = 4C
sub(&cparams.C, &coefEq.A, &coefEq.C)
return
}
// Computes equivalence (A:C) ~ (A+2C : 4C)
func CalcCurveParamsEquiv4(cparams *ProjectiveCurveParameters) CurveCoefficientsEquiv {
func ToEquiv4(cparams *ProjectiveCurveParameters) CurveCoefficientsEquiv {
var coefEq CurveCoefficientsEquiv
add(&coefEq.C, &cparams.C, &cparams.C)
@ -130,18 +140,8 @@ func CalcCurveParamsEquiv4(cparams *ProjectiveCurveParameters) CurveCoefficients
return coefEq
}
// Recovers (A:C) curve parameters from projectively equivalent (A+2C:A-2C).
func RecoverCurveCoefficients3(cparams *ProjectiveCurveParameters, coefEq *CurveCoefficientsEquiv) {
add(&cparams.A, &coefEq.A, &coefEq.C)
// cparams.A = 2*(A+2C+A-2C) = 4A
add(&cparams.A, &cparams.A, &cparams.A)
// cparams.C = (A+2C-A+2C) = 4C
sub(&cparams.C, &coefEq.A, &coefEq.C)
return
}
// Recovers (A:C) curve parameters from projectively equivalent (A+2C:4C).
func RecoverCurveCoefficients4(cparams *ProjectiveCurveParameters, coefEq *CurveCoefficientsEquiv) {
func FromEquiv4(cparams *ProjectiveCurveParameters, coefEq *CurveCoefficientsEquiv) {
// cparams.C = (4C)*1/2=2C
mul(&cparams.C, &coefEq.C, &Params.HalfFp2)
// cparams.A = A+2C - 2C = A

文件差异内容过多而无法显示 加载差异

113
sike.go
查看文件

@ -8,27 +8,12 @@ import (
)
const (
// n can is max 320-bit (see 1.4 of [SIKE])
MaxMsgLen = 40
// n can is max 256-bit (see 1.4 of [SIKE])
MaxMsgLen = 32
MaxSharedSecretSize = 188
MaxSecretByteLenA = 47
)
var cshakeG, cshakeH, cshakeF *shake.CShake
func init() {
// Constants used for cSHAKE customization
// Those values are different than in [SIKE] - they are encoded on 16bits. This is
// done in order for implementation to be compatible with [REF] and test vectors.
var G = []byte{0x00, 0x00}
var H = []byte{0x01, 0x00}
var F = []byte{0x02, 0x00}
cshakeG = shake.NewCShake256(nil, G)
cshakeH = shake.NewCShake256(nil, H)
cshakeF = shake.NewCShake256(nil, F)
}
func cpick(pick int, out, in1, in2 []byte) {
var which = byte((int8(pick << 7)) >> 7)
for i, _ := range out {
@ -104,7 +89,7 @@ func traverseTreePublicKeyA(curve *ProjectiveCurveParameters, xR, phiP, phiQ, ph
var i, sIdx int
var phi isogeny4
cparam := CalcCurveParamsEquiv4(curve)
cparam := ToEquiv4(curve)
strat := pub.params.A.IsogenyStrategy
stratSz := len(strat)
@ -142,7 +127,7 @@ func traverseTreeSharedKeyA(curve *ProjectiveCurveParameters, xR *ProjectivePoin
var i, sIdx int
var phi isogeny4
cparam := CalcCurveParamsEquiv4(curve)
cparam := ToEquiv4(curve)
strat := pub.params.A.IsogenyStrategy
stratSz := len(strat)
@ -176,7 +161,7 @@ func traverseTreePublicKeyB(curve *ProjectiveCurveParameters, xR, phiP, phiQ, ph
var i, sIdx int
var phi isogeny3
cparam := CalcCurveParamsEquiv3(curve)
cparam := ToEquiv3(curve)
strat := pub.params.B.IsogenyStrategy
stratSz := len(strat)
@ -214,7 +199,7 @@ func traverseTreeSharedKeyB(curve *ProjectiveCurveParameters, xR *ProjectivePoin
var i, sIdx int
var phi isogeny3
cparam := CalcCurveParamsEquiv3(curve)
cparam := ToEquiv3(curve)
strat := pub.params.B.IsogenyStrategy
stratSz := len(strat)
@ -245,7 +230,6 @@ func publicKeyGenA(pub *PublicKey, prv *PrivateKey) {
var xPA, xQA, xRA ProjectivePoint
var xPB, xQB, xRB, xR ProjectivePoint
var invZP, invZQ, invZR Fp2
var tmp ProjectiveCurveParameters
var phi isogeny4
// Load points for A
@ -259,13 +243,8 @@ func publicKeyGenA(pub *PublicKey, prv *PrivateKey) {
xPB = ProjectivePoint{X: prv.params.B.Affine_P, Z: prv.params.OneFp2}
// Find isogeny kernel
tmp.C = pub.params.OneFp2
xR = ScalarMul3Pt(&tmp, &xPA, &xQA, &xRA, prv.params.A.SecretBitLen, prv.Scalar)
// Reset params object and travers isogeny tree
tmp.C = pub.params.OneFp2
zeroize(&tmp.A)
traverseTreePublicKeyA(&tmp, &xR, &xPB, &xQB, &xRB, pub)
xR = ScalarMul3Pt(&pub.params.InitCurve, &xPA, &xQA, &xRA, prv.params.A.SecretBitLen, prv.Scalar)
traverseTreePublicKeyA(&pub.params.InitCurve, &xR, &xPB, &xQB, &xRB, pub)
// Secret isogeny
phi.GenerateCurve(&xR)
@ -284,25 +263,20 @@ func publicKeyGenB(pub *PublicKey, prv *PrivateKey) {
var xPB, xQB, xRB, xR ProjectivePoint
var xPA, xQA, xRA ProjectivePoint
var invZP, invZQ, invZR Fp2
var tmp ProjectiveCurveParameters
var phi isogeny3
// Load points for B
xRB = ProjectivePoint{X: prv.params.B.Affine_R, Z: prv.params.OneFp2}
xQB = ProjectivePoint{X: prv.params.B.Affine_Q, Z: prv.params.OneFp2}
xPB = ProjectivePoint{X: prv.params.B.Affine_P, Z: prv.params.OneFp2}
// Load points for A
xPA = ProjectivePoint{X: prv.params.A.Affine_P, Z: prv.params.OneFp2}
xQA = ProjectivePoint{X: prv.params.A.Affine_Q, Z: prv.params.OneFp2}
xRA = ProjectivePoint{X: prv.params.A.Affine_R, Z: prv.params.OneFp2}
tmp.C = pub.params.OneFp2
xR = ScalarMul3Pt(&tmp, &xPB, &xQB, &xRB, prv.params.B.SecretBitLen, prv.Scalar)
// Load points for B
xRB = ProjectivePoint{X: prv.params.B.Affine_R, Z: prv.params.OneFp2}
xQB = ProjectivePoint{X: prv.params.B.Affine_Q, Z: prv.params.OneFp2}
xPB = ProjectivePoint{X: prv.params.B.Affine_P, Z: prv.params.OneFp2}
tmp.C = pub.params.OneFp2
zeroize(&tmp.A)
traverseTreePublicKeyB(&tmp, &xR, &xPA, &xQA, &xRA, pub)
xR = ScalarMul3Pt(&pub.params.InitCurve, &xPB, &xQB, &xRB, prv.params.B.SecretBitLen, prv.Scalar)
traverseTreePublicKeyB(&pub.params.InitCurve, &xR, &xPA, &xQA, &xRA, pub)
phi.GenerateCurve(&xR)
xPB = phi.EvaluatePoint(&xPA)
@ -321,14 +295,13 @@ func publicKeyGenB(pub *PublicKey, prv *PrivateKey) {
// Establishing shared keys in in 2-torsion group
func deriveSecretA(ss []byte, prv *PrivateKey, pub *PublicKey) {
var cparam ProjectiveCurveParameters
var xP, xQ, xQmP ProjectivePoint
var xR ProjectivePoint
var phi isogeny4
var jInv Fp2
// Recover curve coefficients
cparam.C = pub.params.OneFp2
cparam := pub.params.InitCurve
RecoverCoordinateA(&cparam, &pub.affine_xP, &pub.affine_xQ, &pub.affine_xQmP)
// Find kernel of the morphism
@ -342,7 +315,7 @@ func deriveSecretA(ss []byte, prv *PrivateKey, pub *PublicKey) {
// Calculate j-invariant on isogeneus curve
c := phi.GenerateCurve(&xR)
RecoverCurveCoefficients4(&cparam, &c)
FromEquiv4(&cparam, &c)
Jinvariant(&cparam, &jInv)
convFp2ToBytes(ss, &jInv)
}
@ -351,12 +324,11 @@ func deriveSecretA(ss []byte, prv *PrivateKey, pub *PublicKey) {
func deriveSecretB(ss []byte, prv *PrivateKey, pub *PublicKey) {
var xP, xQ, xQmP ProjectivePoint
var xR ProjectivePoint
var cparam ProjectiveCurveParameters
var phi isogeny3
var jInv Fp2
// Recover curve coefficients
cparam.C = pub.params.OneFp2
cparam := pub.params.InitCurve
RecoverCoordinateA(&cparam, &pub.affine_xP, &pub.affine_xQ, &pub.affine_xQmP)
// Find kernel of the morphism
@ -370,7 +342,7 @@ func deriveSecretB(ss []byte, prv *PrivateKey, pub *PublicKey) {
// Calculate j-invariant on isogeneus curve
c := phi.GenerateCurve(&xR)
RecoverCurveCoefficients3(&cparam, &c)
FromEquiv3(&cparam, &c)
Jinvariant(&cparam, &jInv)
convFp2ToBytes(ss, &jInv)
}
@ -389,14 +361,13 @@ func generateCiphertext(ctext []byte, skA *PrivateKey, pkA, pkB *PublicKey, ptex
return err
}
cshakeF.Reset()
cshakeF.Write(j[:Params.SharedSecretSize])
cshakeF.Read(n[:ptextLen])
f := shake.NewShake256()
f.Write(j[:Params.SharedSecretSize])
f.Read(n[:ptextLen])
for i, _ := range ptext {
n[i] ^= ptext[i]
}
//ret := make([]byte, pkA.Size()+ptextLen)
pkA.Export(ctext)
copy(ctext[pkA.Size():], n[:ptextLen])
return nil
@ -563,7 +534,7 @@ func DeriveSecret(ss []byte, prv *PrivateKey, pub *PublicKey) error {
func encrypt(ctext []byte, rng io.Reader, pub *PublicKey, ptext []byte) error {
var ptextLen = len(ptext)
// c1 must be security level + 64 bits (see [SIKE] 1.4 and 4.3.3)
if ptextLen != (pub.params.KemSize + 8) {
if ptextLen != pub.params.KemSize {
return errors.New("Unsupported message length")
}
@ -593,7 +564,7 @@ func decrypt(n []byte, prv *PrivateKey, ctext []byte) (int, error) {
// ctext is a concatenation of (ciphertext = pubkey_A || c1)
// it must be security level + 64 bits (see [SIKE] 1.4 and 4.3.3)
c1_len = len(ctext) - pk_len
if c1_len != (int(prv.params.KemSize) + 8) {
if c1_len != prv.params.KemSize {
return 0, errors.New("wrong size of cipher text")
}
@ -607,9 +578,9 @@ func decrypt(n []byte, prv *PrivateKey, ctext []byte) (int, error) {
return 0, err
}
cshakeF.Reset()
cshakeF.Write(j[:Params.SharedSecretSize])
cshakeF.Read(n[:c1_len])
s := shake.NewShake256()
s.Write(j[:Params.SharedSecretSize])
s.Read(n[:c1_len])
for i, _ := range n[:c1_len] {
n[i] ^= ctext[pk_len+i]
}
@ -665,10 +636,10 @@ func (kem *KEM) Encapsulate(ciphertext, secret []byte, pub *PublicKey) error {
}
pub.Export(buf[:])
cshakeG.Reset()
cshakeG.Write(kem.msg)
cshakeG.Write(buf[:3*Params.SharedSecretSize])
cshakeG.Read(skA.Scalar)
g := shake.NewShake256()
g.Write(kem.msg)
g.Write(buf[:3*Params.SharedSecretSize])
g.Read(skA.Scalar)
// Ensure bitlength is not bigger then to 2^e2-1
skA.Scalar[len(skA.Scalar)-1] &= (1 << (pub.params.A.SecretBitLen % 8)) - 1
@ -680,10 +651,10 @@ func (kem *KEM) Encapsulate(ciphertext, secret []byte, pub *PublicKey) error {
}
// K = H(msg||(c0||c1))
cshakeH.Reset()
cshakeH.Write(kem.msg)
cshakeH.Write(ciphertext)
cshakeH.Read(secret)
h := shake.NewShake256()
h.Write(kem.msg)
h.Write(ciphertext)
h.Read(secret)
return nil
}
@ -710,10 +681,10 @@ func (kem *KEM) Decapsulate(secret []byte, prv *PrivateKey, pub *PublicKey, ctex
// r' = G(m'||pub)
//var key = make([]byte, pub.Size()+2*Params.MsgLen)
pub.Export(pkBytes[:])
cshakeG.Reset()
cshakeG.Write(m[:c1_len])
cshakeG.Write(pkBytes[:3*pub.params.SharedSecretSize])
cshakeG.Read(r[:pub.params.A.SecretByteLen])
g := shake.NewShake256()
g.Write(m[:c1_len])
g.Write(pkBytes[:3*pub.params.SharedSecretSize])
g.Read(r[:pub.params.A.SecretByteLen])
// Ensure bitlength is not bigger than 2^e2-1
r[pub.params.A.SecretByteLen-1] &= (1 << (pub.params.A.SecretBitLen % 8)) - 1
@ -731,9 +702,9 @@ func (kem *KEM) Decapsulate(secret []byte, prv *PrivateKey, pub *PublicKey, ctex
// (S. Galbraith, et al., 2016, ePrint #859).
mask := subtle.ConstantTimeCompare(pkBytes[:pub.params.PublicKeySize], ctext[:pub.params.PublicKeySize])
cpick(mask, m[:c1_len], m[:c1_len], prv.S)
cshakeH.Reset()
cshakeH.Write(m[:c1_len])
cshakeH.Write(ctext)
cshakeH.Read(secret)
h := shake.NewShake256()
h.Write(m[:c1_len])
h.Write(ctext)
h.Read(secret)
return nil
}

查看文件

@ -22,37 +22,14 @@ var tdata = struct {
PrA_sike string
PkA_sike string
}{
name: "P-503",
name: "SIKEp503",
katFile: "etc/PQCkemKAT_434.rsp",
PkB_sike: "68460C22466E95864CFEA7B5D9077E768FF4F9ED69AE56D7CF3F236FB06B31020EEE34B5B572CEA5DDF20B531966AA8F5F3ACC0C6D1CE04EEDC30FD1F1233E2D96FE60C6D638FC646EAF2E2246F1AEC96859CE874A1F029A78F9C978CD6B22114A0D5AB20101191FD923E80C76908B1498B9D0200065CCA09159A0C65A1E346CC6470314FE78388DAA89DD08EC67DBE63C1F606674ACC49EBF9FDBB2B898B3CE733113AA6F942DB401A76D629CE6EE6C0FDAF4CFB1A5E366DB66C17B3923A1B7FB26A3FF25B9018869C674D3DEF4AF269901D686FE4647F9D2CDB2CEB3AFA305B27C885F037ED167F595066C21E7DD467D8332B934A5102DA5F13332DFA356B82156A0BB2E7E91C6B85B7D1E381BC9E3F0FC4DB9C36016D9ECEC415D7E977E9AC29910D934BA2FE4EE49D3B387607A4E1AFABF495FB86A77194626589E802FF5167C7A25C542C1EAD25A6E0AA931D94F2F9AFD3DBDF222E651F729A90E77B20974905F1E65E041CE6C95AAB3E1F22D332E0A5DE9C5DB3D9C7A38",
PrB_sike: "80FC55DA74DEFE3113487B80841E678AF9ED4E0599CF07353A4AB93971C090A0" +
"A9402C9DC98AC6DC8F5FDE5E970AE22BA48A400EFC72851C",
PrB_sidh: "A885A8B889520A6DBAD9FB33365E5B77FDED629440A16A533F259A510F63A822",
PrA_sike: "B0AD510708F4ABCF3E0D97DC2F2FF112D9D2AAE49D97FFD1E4267F21C6E71C03",
PkA_sike: "A6BADBA04518A924B20046B59AC197DCDF0EA48014C9E228C4994CCA432F360E" +
"2D527AFB06CA7C96EE5CEE19BAD53BF9218A3961CAD7EC092BD8D9EBB22A3D51" +
"33008895A3F1F6A023F91E0FE06A00A622FD6335DAC107F8EC4283DC2632F080" +
"4E64B390DAD8A2572F1947C67FDF4F8787D140CE2C6B24E752DA9A195040EDFA" +
"C27333FAE97DBDEB41DA9EEB2DB067AE7DA8C58C0EF57AEFC18A3D6BD0576FF2" +
"F1CFCAEC50C958331BF631F3D2E769790C7B6DF282B74BBC02998AD10F291D47" +
"C5A762FF84253D3B3278BDF20C8D4D4AA317BE401B884E26A1F02C7308AADB68" +
"20EBDB0D339F5A63346F3B40CACED72F544DAF51566C6E807D0E6E1E38514342" +
"432661DC9564DA07548570E256688CD9E8060D8775F95D501886D958588CACA0" +
"9F2D2AE1913F996E76AF63E31A179A7A7D2A46EDA03B2BCCF9020A5AA15F9A28" +
"9340B33F3AE7F97360D45F8AE1B9DD48779A57E8C45B50A02C00349CD1C58C55" +
"1D68BC2A75EAFED944E8C599C288037181E997471352E24C952B",
PkB_sidh: "244AF1F367C2C33912750A98497CC8214BC195BD52BD76513D32ACE4B75E31F0" +
"281755C265F5565C74E3C04182B9C244071859C8588CC7F09547CEFF8F7705D2" +
"60CE87D6BFF914EE7DBE4B9AF051CA420062EEBDF043AF58184495026949B068" +
"98A47046BFAE8DF3B447746184AF550553BB5D266D6E1967ACA33CAC5F399F90" +
"360D70867F2C71EF6F94FF915C7DA8BC9549FB7656E691DAEFC93CF56876E482" +
"CA2F8BE2D6CDCC374C31AD8833CABE997CC92305F38497BEC4DFD1821B004FEC" +
"E16448F9A24F965EFE409A8939EEA671633D9FFCF961283E59B8834BDF7EDDB3" +
"05D6275B61DA6692325432A0BAA074FC7C1F51E76208AB193A57520D40A76334" +
"EE5712BDC3E1EFB6103966F2329EDFF63082C4DFCDF6BE1C5A048630B81871B8" +
"83B735748A8FD4E2D9530C272163AB18105B10015CA7456202FE1C9B92CEB167" +
"5EAE1132E582C88E47ED87B363D45F05BEA714D5E9933D7AF4071CBB5D49008F" +
"3E3DAD7DFF935EE509D5DE561842B678CCEB133D62E270E9AC3E",
PrB_sidh: "8626ED79D451140800E03B59B956F8210E556067407D13DC90FA9E8B872BFB0F",
PkB_sidh: "BB066F920803D8A481A09CD6398DCAE8D330AE2035245A92491228D6AC86A7E024D6318CC3FAC233A90F086EF663A74CD102D7A33BE96F726E084F3C8C630DD1CAD79289B68275962C90A29E061A8C5C266D4A9DE1D94FAA8E539A7A4FD5487905A1FAD75CBEF0B2BF298645C26D6A904EBA9B468B43B66B3CE579EF140379C4B0F06B2005B345A677590FB1A6C6B73D90D953383621EE667B9E9B3254403AF1C66D8FA8F0A9A3B06B1B6D81C661BCD0FCD09D96FF6A9AF52C4F68DB2E12DFB16319F6F24B7B206E94331F26165F501179F956AED2DC42679CAD539E32D9BF36F1764D5F3A596ADC504E0FF1F25A544FA139E0ACB516D6D5A15F0A0C4F03C0CF363086184E462035CA87BF21393DC8918E21258029A0DC7295FB7F04E363F0A63EE299AD9E638324E5A2027BF38C868AF49A591BDEA9D7C376981D015E55FBE641010C70AB08809AAE335B4B97081FB95621469F9B92F637A41BCBB7DC3D1D7242E3E5FD7CA8E3381057AAB9F948498AF438B5F8D2E157B5A318",
PrA_sike: "003271531CF27285B8721ED5CB46853043B346A66CBA6CF765F1B0EAA40BF602",
PkA_sike: "BE0CB724207D42075EC1569F43FFB8178C64E1F3EAF9D914879B3B3CAD1D12048CBB72861CA0B72C16F65FB4DA98778D9F37CF1442147AE179A8D1099D77028740BD72DFC873A8D2F293A603E5C4A13F7668E8F5C363602A490D47F4F95B269706BDC8DFDEAD77026D9842BB8B5CC4BFB99AF75ED8E4A6994DD4BD5BA606D9EF21A38E26CC35AE5C57324CFE6C16B53D61AD985B37F4B1E2F11234C52A869E184008999358EC0D2B4F2F163A09D3BA9B83D7E5647B5BE92014286D5F0BCE0CA14417226462191D3F0D8587A3ADA2C561FBA5DFE938606476882472C64C9E07D6BDB6C51D59B7978C792383C0CCC28337192A30340742C82EFCB3693FE93FBDA870554CF40F2B176C831628FF339739EC87389A2DD261EE9C6AAFF09ECEFF6C5074D7755ACA4A9D937A1F3A7C31D82E606E6CC6AC90189C17899B13EB759761EEA35AAF74D0B7F2411031AF81B9B946AE2E154FC08F3BB3E2DDE5F52DBC0E1164DCE028EFA45B1D58F4B32EF016D4F995909D3E0F3F69B8115D35",
PrB_sike: "4B622DE1350119C45A9F2E2EF3DC5DF50A759D138CDFBD64E82FCC97CA60CCB27BF6938C975658AEB8B4D37CFFBDE25D97E561F36C219A0E",
PkB_sike: "4EC46509AB1C547BDF2311B3AF82FCD25A83D154D9649C0D1A7F1E4D174BE9ED44F4B8AD2160FF43D4B94E65BE5A64DA3B8D5B63A02C3DCD376BB24122E03C3F09F4253E6F117999D0359F6BAB94F38BDB4B681EE09351483380EA4839E7808F8DF11C9A01DBC9D4C61075F3FF39B444679A8F3BEAE4BD47BE5B3A4D4B0F44F44BC8AB1B40E91852605F92860F6B4E627E8F7B00168CED2BA9D86865A5314E32E39B15E2021790CECA67A47959915E5C9717C96A055ADA061921F15306E4600751E984DA5FBC72E5F4E7B1182F60109DDD50C04A7A8D4281121AECD824730F38BE81A9D59B480DE44EB6CFC93436000C6E302B710FE3C24E6E6E0A371DF2B81CFBB37EDBD739926DBBE95A81D90DA22A7A5DF0DEE13031B7DE91504F45E20F0F15B24931A5D41EE48FA84F11D9F33B1F5BF315B355FAC0AB40C702190C190489DDA7B8715E680CE0DE4BFB50D78290C1A4C29F7C776597D9FB6C1DE65E150FAD46DF3CF38BDB22493697A2307A121B67C90B04C0809E1C8CA916",
}
/* -------------------------------------------------------------------------
@ -274,7 +251,7 @@ func TestDerivationRoundTrip(t *testing.T) {
}
// encrypt, decrypt, check if input/output plaintext is the same
func testPKERoundTrip(t testing.TB, id uint8) {
func TestPKERoundTrip(t *testing.T) {
// Message to be encrypted
var msg = make([]byte, Params.MsgLen)
var ct = make([]byte, kemSikeP503.CiphertextSize())
@ -521,7 +498,7 @@ func testKeygen(t *testing.T, pk, sk []byte) {
prvKey.GeneratePublicKey(pubKey)
pubKey.Export(pubKeyBytes[:])
if !bytes.Equal(pubKeyBytes[:], pk) {
t.Fatalf("KAT keygen form private failed\n")
t.Fatalf("KAT keygen form private failed\nExp: %X\nGot: %X\n", pubKeyBytes[:], pk)
}
}
@ -539,92 +516,94 @@ func TestDecapsulation(t *testing.T) {
0x6F, 0x18}
var pk = []byte{
0x07, 0xAA, 0x51, 0x45, 0x3E, 0x1F, 0x53, 0x2A, 0x0A, 0x05,
0x46, 0xF6, 0x54, 0x7F, 0x5D, 0x56, 0xD6, 0x76, 0xD3, 0xEA,
0x4B, 0x6B, 0x01, 0x9B, 0x11, 0x72, 0x6F, 0x75, 0xEA, 0x34,
0x3C, 0x28, 0x2C, 0x36, 0xFD, 0x77, 0xDA, 0xBE, 0xB6, 0x20,
0x18, 0xC1, 0x93, 0x98, 0x18, 0x86, 0x30, 0x2F, 0x2E, 0xD2,
0x00, 0x61, 0xFF, 0xAE, 0x78, 0xAE, 0xFB, 0x6F, 0x32, 0xAC,
0x06, 0xBF, 0x35, 0xF6, 0xF7, 0x5B, 0x98, 0x26, 0x95, 0xC2,
0xD8, 0xD6, 0x1C, 0x0E, 0x47, 0xDA, 0x76, 0xCE, 0xB5, 0xF1,
0x19, 0xCC, 0x01, 0xE1, 0x17, 0xA9, 0x62, 0xF7, 0x82, 0x6C,
0x25, 0x51, 0x25, 0xAE, 0xFE, 0xE3, 0xE2, 0xE1, 0x35, 0xAE,
0x2E, 0x8F, 0x38, 0xE0, 0x7C, 0x74, 0x3C, 0x1D, 0x39, 0x91,
0x1B, 0xC7, 0x9F, 0x8E, 0x33, 0x4E, 0x84, 0x19, 0xB8, 0xD9,
0xC2, 0x71, 0x35, 0x02, 0x47, 0x3E, 0x79, 0xEF, 0x47, 0xE1,
0xD8, 0x21, 0x96, 0x1F, 0x11, 0x59, 0x39, 0x34, 0x76, 0xEF,
0x3E, 0xB7, 0x4E, 0xFB, 0x7C, 0x55, 0xA1, 0x85, 0xAA, 0xAB,
0xAD, 0xF0, 0x09, 0xCB, 0xD1, 0xE3, 0x7C, 0x4F, 0x5D, 0x2D,
0xE1, 0x13, 0xF0, 0x71, 0xD9, 0xE5, 0xF6, 0xAF, 0x7F, 0xC1,
0x27, 0x95, 0x8D, 0x52, 0xD5, 0x96, 0x42, 0x38, 0x41, 0xF7,
0x24, 0x3F, 0x3A, 0xB5, 0x7E, 0x11, 0xE4, 0xF9, 0x33, 0xEE,
0x4D, 0xBE, 0x74, 0x48, 0xF9, 0x98, 0x04, 0x01, 0x16, 0xEB,
0xA9, 0x0D, 0x61, 0xC6, 0xFD, 0x4C, 0xCF, 0x98, 0x84, 0x4A,
0x94, 0xAC, 0x69, 0x2C, 0x02, 0x8B, 0xE3, 0xD1, 0x41, 0x0D,
0xF2, 0x2D, 0x46, 0x1F, 0x57, 0x1C, 0x77, 0x86, 0x18, 0xE3,
0x63, 0xDE, 0xF3, 0xE3, 0x02, 0x30, 0x54, 0x73, 0xAE, 0xC2,
0x32, 0xA2, 0xCE, 0xEB, 0xCF, 0x81, 0x46, 0x54, 0x5C, 0xF4,
0x5D, 0x2A, 0x03, 0x5D, 0x9C, 0xAE, 0xE0, 0x60, 0x03, 0x80,
0x11, 0x30, 0xA5, 0xAA, 0xD1, 0x75, 0x67, 0xE0, 0x1C, 0x2B,
0x6B, 0x5D, 0x83, 0xDE, 0x92, 0x9B, 0x0E, 0xD7, 0x11, 0x0F,
0x00, 0xC4, 0x59, 0xE4, 0x81, 0x04, 0x3B, 0xEE, 0x5C, 0x04,
0xD1, 0x0E, 0xD0, 0x67, 0xF5, 0xCC, 0xAA, 0x72, 0x73, 0xEA,
0xC4, 0x76, 0x99, 0x3B, 0x4C, 0x90, 0x2F, 0xCB, 0xD8, 0x0A,
0x5B, 0xEC, 0x0E, 0x0E, 0x1F, 0x59, 0xEA, 0x14, 0x8D, 0x34,
0x53, 0x65, 0x4C, 0x1A, 0x59, 0xA8, 0x95, 0x66, 0x60, 0xBB,
0xC4, 0xCC, 0x32, 0xA9, 0x8D, 0x2A, 0xAA, 0x14, 0x6F, 0x0F,
0x81, 0x4D, 0x32, 0x02, 0xFD, 0x33, 0x58, 0x42, 0xCF, 0xF3,
0x67, 0xD0, 0x9F, 0x0B, 0xB1, 0xCC, 0x18, 0xA5, 0xC4, 0x19,
0xB6, 0x00, 0xED, 0xFA, 0x32, 0x1A, 0x5F, 0x67, 0xC8, 0xC3,
0xEB, 0x0D, 0xB5, 0x9A, 0x36, 0x47, 0x82, 0x00,
0xCA, 0x38, 0x7A, 0x45, 0xF8, 0xA7, 0xFB, 0xE5, 0x97, 0xB0,
0x5B, 0xE4, 0x95, 0xDC, 0x38, 0xFA, 0xFC, 0x9B, 0xB3, 0xD1,
0x79, 0xF8, 0x7D, 0x54, 0x0A, 0xD9, 0xE0, 0x64, 0xE3, 0xED,
0x4D, 0x23, 0xD2, 0x86, 0x0D, 0x84, 0x0C, 0x44, 0x14, 0xE4,
0x6B, 0xB9, 0x35, 0xBA, 0x70, 0x2A, 0x90, 0x92, 0xAA, 0x90,
0x34, 0x81, 0x9F, 0xC7, 0x99, 0xD5, 0xB2, 0x2D, 0xD0, 0xBE,
0xC9, 0x3B, 0x25, 0x8F, 0x49, 0x18, 0xFE, 0xDB, 0xE3, 0x60,
0x04, 0x89, 0xB3, 0xC8, 0x8D, 0x2C, 0xC3, 0x35, 0x79, 0x45,
0x56, 0x03, 0x3C, 0xA2, 0x93, 0xDC, 0xE1, 0x1E, 0x98, 0x50,
0xB1, 0x65, 0xB9, 0x71, 0x8E, 0xB2, 0xBF, 0x93, 0x06, 0xDF,
0x55, 0xE3, 0xC9, 0xF9, 0x53, 0xB4, 0x05, 0x70, 0xF3, 0x7D,
0xE1, 0xE8, 0x78, 0x46, 0x93, 0x80, 0xBD, 0xBA, 0x7A, 0xE7,
0x66, 0x67, 0x6D, 0x99, 0xAD, 0x02, 0x5E, 0xD2, 0xFE, 0x59,
0x09, 0xB5, 0xF7, 0xB1, 0x60, 0x04, 0x59, 0x74, 0x21, 0x09,
0x66, 0x6A, 0x2C, 0x94, 0xAC, 0x78, 0x7F, 0xA5, 0x4E, 0x58,
0x07, 0xC4, 0xF2, 0x3F, 0x9C, 0x3E, 0xAB, 0x68, 0x83, 0xC4,
0x8C, 0x3C, 0xBB, 0x1B, 0x41, 0xBE, 0x26, 0x7C, 0xD0, 0xB1,
0xA8, 0xED, 0x3B, 0xA5, 0xD2, 0xAE, 0x4A, 0x44, 0xF8, 0xD6,
0x31, 0xB4, 0x06, 0x78, 0x61, 0x3C, 0xBA, 0xE8, 0x1A, 0x20,
0xF7, 0xE8, 0x11, 0x7D, 0x2C, 0xBC, 0xE6, 0x29, 0xD1, 0x73,
0xCC, 0x68, 0x5A, 0x4A, 0x6F, 0x43, 0x4C, 0x6E, 0xEC, 0xB8,
0x16, 0x9A, 0xE1, 0x82, 0x37, 0xC2, 0xAE, 0xD7, 0x2A, 0xD6,
0xCC, 0x19, 0x6C, 0x9E, 0xD1, 0xBD, 0x6C, 0x74, 0x9A, 0x4C,
0xA3, 0x6C, 0x4A, 0xAA, 0xB5, 0x99, 0x5F, 0xE9, 0x68, 0x0F,
0x73, 0x2B, 0x44, 0x7D, 0x66, 0x4E, 0x63, 0x3C, 0x32, 0xEC,
0x20, 0x03, 0xFF, 0xBE, 0xF3, 0x08, 0x0F, 0x11, 0xE2, 0x4B,
0xF1, 0xD5, 0x12, 0xE2, 0x52, 0x66, 0x19, 0xE4, 0x8B, 0xA4,
0x7E, 0x7F, 0x60, 0x27, 0x3B, 0x78, 0x6C, 0xC5, 0xBF, 0x58,
0x6F, 0xFE, 0x05, 0xFC, 0x25, 0xF4, 0x12, 0x68, 0xAB, 0xA3,
0x32, 0x75, 0x6A, 0x6A, 0xA6, 0x4E, 0x36, 0x42, 0x20, 0x17,
0x2E, 0xBE, 0x7A, 0x0F, 0x78, 0x63, 0x3E, 0x5D, 0xBC, 0xB4,
0xA0, 0xAC, 0xF3, 0xFE, 0x33, 0x49, 0x08, 0x62, 0xDC, 0x39,
0xFF, 0xFD, 0x83, 0x02, 0x10, 0x8A, 0x86, 0xD7, 0x62, 0xE5,
0xF2, 0x98, 0x7F, 0x8D, 0x79, 0x6A, 0xC4, 0x88, 0xD2, 0x84,
0xC7, 0x3B, 0xEB, 0xC1, 0x6A, 0xE0, 0x7F, 0x42, 0x92, 0x25,
0x0F, 0xA0, 0x35, 0xA5, 0xEF, 0x98, 0x4D, 0x41, 0xC5, 0x25,
0x77, 0x35, 0x36, 0xA9, 0x0B, 0xAB, 0x43, 0x0C, 0x6C, 0xF1,
0x31, 0x56, 0x17, 0x82, 0xD7, 0x00, 0x62, 0x1F,
}
var ct = []byte{
0xE6, 0xB7, 0xE5, 0x7B, 0xA9, 0x19, 0xD1, 0x2C, 0xB8, 0x5C,
0x7B, 0x66, 0x74, 0xB0, 0x71, 0xA1, 0xFF, 0x71, 0x7F, 0x4B,
0xB5, 0xA6, 0xAF, 0x48, 0x32, 0x52, 0xD5, 0x82, 0xEE, 0x8A,
0xBB, 0x08, 0x1E, 0xF6, 0xAC, 0x91, 0xA2, 0xCB, 0x6B, 0x6A,
0x09, 0x2B, 0xD9, 0xC6, 0x27, 0xD6, 0x3A, 0x6B, 0x8D, 0xFC,
0xB8, 0x90, 0x8F, 0x72, 0xB3, 0xFA, 0x7D, 0x34, 0x7A, 0xC4,
0x7E, 0xE3, 0x30, 0xC5, 0xA0, 0xFE, 0x3D, 0x43, 0x14, 0x4E,
0x3A, 0x14, 0x76, 0x3E, 0xFB, 0xDF, 0xE3, 0xA8, 0xE3, 0x5E,
0x38, 0xF2, 0xE0, 0x39, 0x67, 0x60, 0xFD, 0xFB, 0xB4, 0x19,
0xCD, 0xE1, 0x93, 0xA2, 0x06, 0xCC, 0x65, 0xCD, 0x6E, 0xC8,
0xB4, 0x5E, 0x41, 0x4B, 0x6C, 0xA5, 0xF4, 0xE4, 0x9D, 0x52,
0x8C, 0x25, 0x60, 0xDD, 0x3D, 0xA9, 0x7F, 0xF2, 0x88, 0xC1,
0x0C, 0xEE, 0x97, 0xE0, 0xE7, 0x3B, 0xB7, 0xD3, 0x6F, 0x28,
0x79, 0x2F, 0x50, 0xB2, 0x4F, 0x74, 0x3A, 0x0C, 0x88, 0x27,
0x98, 0x3A, 0x27, 0xD3, 0x26, 0x83, 0x59, 0x49, 0x81, 0x5B,
0x0D, 0xA7, 0x0C, 0x4F, 0xEF, 0xFB, 0x1E, 0xAF, 0xE9, 0xD2,
0x1C, 0x10, 0x25, 0xEC, 0x9E, 0xFA, 0x57, 0x36, 0xAA, 0x3F,
0xC1, 0xA3, 0x2C, 0xE9, 0xB5, 0xC9, 0xED, 0x72, 0x51, 0x4C,
0x02, 0xB4, 0x7B, 0xB3, 0xED, 0x9F, 0x45, 0x03, 0x34, 0xAC,
0x9A, 0x9E, 0x62, 0x5F, 0x82, 0x7A, 0x77, 0x34, 0xF9, 0x21,
0x94, 0xD2, 0x38, 0x3D, 0x05, 0xF0, 0x8A, 0x60, 0x1C, 0xB7,
0x1D, 0xF5, 0xB7, 0x53, 0x77, 0xD3, 0x9D, 0x3D, 0x70, 0x6A,
0xCB, 0x18, 0x20, 0x6B, 0x29, 0x17, 0x3A, 0x6D, 0xA1, 0xB2,
0x64, 0xDB, 0x6C, 0xE6, 0x1A, 0x95, 0xA7, 0xF4, 0x1A, 0x78,
0x1D, 0xA2, 0x40, 0x15, 0x41, 0x59, 0xDD, 0xEE, 0x23, 0x57,
0xCE, 0x36, 0x0D, 0x55, 0xBD, 0xB8, 0xFD, 0x0F, 0x35, 0xBD,
0x5B, 0x92, 0xD6, 0x1C, 0x84, 0x8C, 0x32, 0x64, 0xA6, 0x5C,
0x45, 0x18, 0x07, 0x6B, 0xF9, 0xA9, 0x43, 0x9A, 0x83, 0xCD,
0xB5, 0xB3, 0xD9, 0x17, 0x99, 0x2C, 0x2A, 0x8B, 0xE0, 0x8E,
0xAF, 0xA6, 0x4C, 0x95, 0xBB, 0x70, 0x60, 0x1A, 0x3A, 0x97,
0xAA, 0x2F, 0x3D, 0x22, 0x83, 0xB7, 0x4F, 0x59, 0xED, 0x3F,
0x4E, 0xF4, 0x19, 0xC6, 0x25, 0x0B, 0x0A, 0x5E, 0x21, 0xB9,
0x91, 0xB8, 0x19, 0x84, 0x48, 0x78, 0xCE, 0x27, 0xBF, 0x41,
0x89, 0xF6, 0x30, 0xFD, 0x6B, 0xD9, 0xB8, 0x1D, 0x72, 0x8A,
0x56, 0xCC, 0x2F, 0x82, 0xE4, 0x46, 0x4D, 0x75, 0xD8, 0x92,
0xE6, 0x9C, 0xCC, 0xD2, 0xCD, 0x35, 0xE4, 0xFC, 0x2A, 0x85,
0x6B, 0xA9, 0xB2, 0x27, 0xC9, 0xA1, 0xFF, 0xB3, 0x96, 0x3E,
0x59, 0xF6, 0x4C, 0x66, 0x56, 0x2E, 0xF5, 0x1B, 0x97, 0x32,
0xB0, 0x71, 0x5A, 0x9C, 0x50, 0x4B, 0x6F, 0xC4, 0xCA, 0x94,
0x75, 0x37, 0x46, 0x10, 0x12, 0x2F, 0x4F, 0xA3, 0x82, 0xCD,
0xBD, 0x7C,
0x7B, 0x1B, 0x9E, 0xFC, 0x2B, 0x63, 0x7A, 0x71, 0x19, 0x3A,
0xAE, 0xC3, 0xDB, 0xEC, 0x20, 0x18, 0x27, 0x16, 0x64, 0xBF,
0xE5, 0x5F, 0x48, 0x75, 0xA1, 0xAE, 0xF1, 0x92, 0x40, 0x77,
0xB5, 0xF0, 0x85, 0x69, 0x8E, 0x02, 0x1A, 0x64, 0x94, 0x89,
0xA0, 0xEE, 0xDA, 0xDB, 0x07, 0xE5, 0xE5, 0xFF, 0xE7, 0x01,
0x5F, 0x5E, 0xC7, 0xD3, 0x3B, 0x27, 0xE1, 0x13, 0x9C, 0x01,
0x33, 0x44, 0x35, 0x67, 0xEA, 0x14, 0xFE, 0x74, 0x03, 0x9F,
0xD5, 0xE9, 0x3E, 0x58, 0x4A, 0xE3, 0xC2, 0x32, 0x22, 0x7A,
0x80, 0xA0, 0x18, 0x3A, 0x31, 0xAB, 0xBE, 0x63, 0xD0, 0xA2,
0xAB, 0x22, 0x28, 0x93, 0x17, 0x70, 0x79, 0x37, 0x4C, 0x55,
0xC4, 0xCB, 0x0F, 0x0D, 0x21, 0xBC, 0x35, 0x6F, 0x35, 0x04,
0x03, 0x5C, 0x23, 0xF6, 0x93, 0x4C, 0x98, 0x2D, 0x28, 0xB2,
0x4D, 0x43, 0xA4, 0x27, 0xFD, 0x38, 0x70, 0x27, 0x2F, 0x46,
0xA1, 0x25, 0x07, 0x86, 0x3A, 0x85, 0x50, 0x2E, 0x6B, 0x51,
0x58, 0x8D, 0xE5, 0x52, 0xA4, 0x44, 0x1E, 0x7D, 0x3A, 0x9B,
0x64, 0x89, 0xC8, 0x4F, 0x1C, 0x18, 0x98, 0xF5, 0xFE, 0x7F,
0xCA, 0x3A, 0x84, 0x7C, 0x53, 0xA7, 0xA1, 0xF6, 0xB1, 0xB2,
0xB5, 0xBC, 0xA5, 0x58, 0x31, 0xD4, 0xB2, 0x2E, 0x1D, 0xDE,
0x3A, 0xD5, 0xB9, 0x70, 0xA3, 0xE6, 0xE9, 0x2C, 0x39, 0xF6,
0xB5, 0x89, 0xDD, 0x14, 0x91, 0x31, 0x26, 0xE0, 0xAE, 0x66,
0x30, 0x3A, 0x59, 0x57, 0xA3, 0xFF, 0xC1, 0x1F, 0x3B, 0xB8,
0xA9, 0x9A, 0xB0, 0xAE, 0x2D, 0x70, 0x43, 0x38, 0x58, 0xF1,
0xD5, 0xFC, 0x29, 0x6A, 0x49, 0xD3, 0x2E, 0x57, 0xA7, 0x16,
0x7A, 0x2A, 0x06, 0x00, 0x39, 0x67, 0xCB, 0xA8, 0xB4, 0x26,
0xC3, 0x4B, 0xD5, 0x15, 0x83, 0x95, 0xD9, 0xCC, 0x50, 0x1A,
0x23, 0x00, 0xFF, 0xFE, 0x00, 0xFC, 0x99, 0x28, 0x38, 0xE8,
0x60, 0xF0, 0xFD, 0x12, 0xD3, 0x22, 0x26, 0x8E, 0x1F, 0xED,
0x11, 0x23, 0xB3, 0x56, 0x2A, 0x94, 0xE0, 0x1A, 0xE1, 0x25,
0x6B, 0x1C, 0x5A, 0xB0, 0x15, 0xA8, 0xA5, 0xF8, 0x76, 0xA9,
0x1F, 0x4E, 0xF1, 0x01, 0xC5, 0x12, 0x25, 0x8C, 0x1C, 0x10,
0x02, 0xAF, 0x0E, 0x5E, 0xAC, 0x67, 0x84, 0x35, 0x98, 0xDD,
0x99, 0x44, 0x15, 0x3B, 0x03, 0x41, 0x37, 0x10, 0x1F, 0x3A,
0x36, 0xFF, 0x0A, 0x47, 0xCA, 0x22, 0xA4, 0x36, 0xEB, 0x4C,
0x7D, 0x9B, 0x9A, 0xBD, 0x13, 0x4C, 0x5A, 0x0E, 0xCD, 0x35,
0xB3, 0x3A, 0xA7, 0x15, 0xFD, 0xEC, 0xEE, 0x37, 0x21, 0x25,
0xB4, 0xCC, 0x20, 0x07, 0x7F, 0xA7, 0x9F, 0x0F, 0x97, 0x3C,
0x26, 0x10, 0xE1, 0xE9, 0x3A, 0xF7, 0x53, 0x43, 0xC4, 0xCA,
0x97, 0x54, 0x13, 0x59, 0x24, 0x72, 0xE3, 0x1D, 0xE7, 0x00,
0x09, 0x61, 0x29, 0x5A, 0x53, 0x14, 0x5F, 0xAA, 0xF6, 0x6A,
0xFA, 0x72, 0xCA, 0x79, 0xC6, 0xA4, 0x9B, 0xEF, 0xE5, 0x69,
0x9E, 0x66,
}
var ss_exp = [24]byte{
0x0F, 0x7E, 0x5A, 0x52, 0x19, 0x9E, 0x77, 0x87, 0x2E, 0x93,
0x3A, 0xCB, 0x13, 0xD7, 0x96, 0xD6, 0x76, 0x27, 0xA6, 0x27,
0xE9, 0x1D, 0xD4, 0x2A,
}
var ss_exp = []byte{
0xbe, 0x07, 0x1d, 0xa6, 0x95, 0x4b, 0x03, 0x49, 0x6b, 0x2a,
0x8e, 0x25, 0x80, 0xab, 0x9c, 0xdd}
var prvObj = NewPrivateKey(KeyVariant_SIKE)
var pubObj = NewPublicKey(KeyVariant_SIKE)
@ -637,7 +616,7 @@ func TestDecapsulation(t *testing.T) {
checkErr(t, kemSikeP503.Decapsulate(res, prvObj, pubObj, ct),
"error: Decapsulation failed")
if !bytes.Equal(ss_exp, res) {
if !bytes.Equal(ss_exp[:], res) {
t.Error("Wrong decapsulation result")
}
}
@ -663,23 +642,22 @@ func readAndCheckLine(r *bufio.Reader) []byte {
func TestKAT(t *testing.T) {
ssGot := make([]byte, kemSikeP503.SharedSecretSize())
testDecapsulation := func(t *testing.T, pk, sk, ct, ssExpected []byte) {
var pubKey = NewPublicKey(KeyVariant_SIKE)
var prvKey = NewPrivateKey(KeyVariant_SIKE)
if pubKey.Import(pk) != nil || prvKey.Import(sk) != nil {
panic("sike test: can't load KAT")
}
testDecapsulation := func(t *testing.T, pk, sk, ct, ssExpected []byte) {
var pubKey = NewPublicKey(KeyVariant_SIKE)
var prvKey = NewPrivateKey(KeyVariant_SIKE)
if pubKey.Import(pk) != nil || prvKey.Import(sk) != nil {
panic("sike test: can't load KAT")
}
err := kemSikeP503.Decapsulate(ssGot, prvKey, pubKey, ct)
if err != nil {
panic("sike test: can't perform degcapsulation KAT")
}
err := kemSikeP503.Decapsulate(ssGot, prvKey, pubKey, ct)
if err != nil {
panic("sike test: can't perform degcapsulation KAT")
}
if (err != nil) || !bytes.Equal(ssGot, ssExpected) {
t.Fatalf("KAT decapsulation failed\n")
if (err != nil) || !bytes.Equal(ssGot, ssExpected) {
t.Fatalf("KAT decapsulation failed\n")
}
}
}
f, err := os.Open(tdata.katFile)
if err != nil {
t.Fatal(err)

查看文件

@ -38,12 +38,14 @@ type SidhParams struct {
PublicKeySize int
// The shared secret size, in bytes.
SharedSecretSize int
// Defines A,C constant for starting curve Cy^2 = x^3 + Ax^2 + x
InitCurve ProjectiveCurveParameters
// 2- and 3-torsion group parameter definitions
A, B DomainParams
// Precomputed identity element in the Fp2 in Montgomery domain
OneFp2 Fp2
// Precomputed 1/2 in the Fp2 in Montgomery domain
HalfFp2 Fp2
// Precomputed identity element in the Fp2 in Montgomery domain
OneFp2 Fp2
// Length of SIKE secret message. Must be one of {24,32,40},
// depending on size of prime field used (see [SIKE], 1.4 and 5.1)
MsgLen int