Update SIKEp503 to Round2

This commit is contained in:
Henry Case 2019-06-25 18:21:00 +01:00 committed by Krzysztof Kwiatkowski
parent bdf21913e9
commit c3d092951d
7 changed files with 609 additions and 647 deletions

View File

@ -1,7 +1,7 @@
# Supersingular Isogeny Key Encapsulation # Supersingular Isogeny Key Encapsulation
Repository keeps simple Go's implementation of Repository keeps simple Go's implementation of
SIKE based on field p503 (Round1). SIKE based on field p503 (Round2).
## Speed ## Speed

View File

@ -37,18 +37,25 @@ var p503p1s8 = Fp{
0x085BDA2211E7A0AC, 0x9BF6C87B7E7DAF13, 0x45C6BDDA77A4D01B, 0x4066F541811E1E60, 0x085BDA2211E7A0AC, 0x9BF6C87B7E7DAF13, 0x45C6BDDA77A4D01B, 0x4066F541811E1E60,
} }
// 1/2 * R mod p
var half = Fp2{
A: Fp{
0x00000000000001FC, 0x0000000000000000, 0x0000000000000000, 0xB000000000000000,
0x3B69BB2464785D2A, 0x36824A2AF0FE9896, 0xF5899F427A94F309, 0x0033B15203C83BB8},
}
// 1*R mod p // 1*R mod p
var P503_OneFp2 = Fp2{ var one = Fp2{
A: Fp{ A: Fp{
0x00000000000003F9, 0x0000000000000000, 0x0000000000000000, 0xB400000000000000, 0x00000000000003F9, 0x0000000000000000, 0x0000000000000000, 0xB400000000000000,
0x63CB1A6EA6DED2B4, 0x51689D8D667EB37D, 0x8ACD77C71AB24142, 0x0026FBAEC60F5953}, 0x63CB1A6EA6DED2B4, 0x51689D8D667EB37D, 0x8ACD77C71AB24142, 0x0026FBAEC60F5953},
} }
// 1/2 * R mod p // 6*R mod p
var P503_HalfFp2 = Fp2{ var six = Fp2{
A: Fp{ A: Fp{
0x00000000000001FC, 0x0000000000000000, 0x0000000000000000, 0xB000000000000000, 0x00000000000017D8, 0x0000000000000000, 0x0000000000000000, 0xE000000000000000,
0x3B69BB2464785D2A, 0x36824A2AF0FE9896, 0xF5899F427A94F309, 0x0033B15203C83BB8}, 0x30B1E6E3A51520FA, 0xB13BC3BF6FFB3992, 0x8045412EEB3E3DED, 0x0069182E2159DBB8},
} }
var Params SidhParams var Params SidhParams
@ -59,38 +66,42 @@ func init() {
PublicKeySize: 378, PublicKeySize: 378,
// SIDH shared secret byte size. // SIDH shared secret byte size.
SharedSecretSize: 126, SharedSecretSize: 126,
InitCurve: ProjectiveCurveParameters{
A: six,
C: one,
},
A: DomainParams{ A: DomainParams{
// The x-coordinate of PA // The x-coordinate of PA
Affine_P: Fp2{ Affine_P: Fp2{
A: Fp{ A: Fp{
0xE7EF4AA786D855AF, 0xED5758F03EB34D3B, 0x09AE172535A86AA9, 0x237B9CC07D622723, 0x5D083011589AD893, 0xADFD8D2CB67D0637, 0x330C9AC34FFB6361, 0xF0D47489A2E805A2,
0xE3A284CBA4E7932D, 0x27481D9176C5E63F, 0x6A323FF55C6E71BF, 0x002ECC31A6FB8773, 0x27E2789259C6B8DC, 0x63866A2C121931B9, 0x8D4C65A7137DCF44, 0x003A183AE5967B3F,
}, },
B: Fp{ B: Fp{
0x64D02E4E90A620B8, 0xDAB8128537D4B9F1, 0x4BADF77B8A228F98, 0x0F5DBDF9D1FB7D1B, 0x7E3541B8C96D1519, 0xD3ADAEEC0D61A26C, 0xC0A2219CE7703DD9, 0xFF3E46658FCDBC52,
0xBEC4DB288E1A0DCC, 0xE76A8665E80675DB, 0x6D6F252E12929463, 0x003188BD1463FACC, 0xD5B38DEAE6E196FF, 0x1AAC826364956D58, 0xEC9F4875B9A5F27A, 0x001B0B475AB99843,
}, },
}, },
// The x-coordinate of QA // The x-coordinate of QA
Affine_Q: Fp2{ Affine_Q: Fp2{
A: Fp{ A: Fp{
0xB79D41025DE85D56, 0x0B867DA9DF169686, 0x740E5368021C827D, 0x20615D72157BF25C, 0x4D83695107D03BAD, 0x221F3299005E2FCF, 0x78E6AE22F30DECF2, 0x6D982DB5111253E4,
0xFF1590013C9B9F5B, 0xC884DCADE8C16CEA, 0xEBD05E53BF724E01, 0x0032FEF8FDA5748C, 0x504C80A8AB4526A8, 0xEFD0C3AA210BB024, 0xCB77483501DC6FCF, 0x001052544A96BDF3,
}, },
B: Fp{ B: Fp{
0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0D74FE3402BCAE47, 0xDF5B8CDA832D8AED, 0xB86BCF06E4BD837E, 0x892A2933A0FA1F63,
0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x9F88FC67B6CCB461, 0x822926EA9DDA3AC8, 0xEAC8DDE5855425ED, 0x000618FE6DA37A80,
}, },
}, },
// The x-coordinate of RA = PA-QA // The x-coordinate of RA = PA-QA
Affine_R: Fp2{ Affine_R: Fp2{
A: Fp{ A: Fp{
0x12E2E849AA0A8006, 0x41CF47008635A1E8, 0x9CD720A70798AED7, 0x42A820B42FCF04CF, 0x6B6F4A4F786CF310, 0xB019D444BDCFDBE3, 0xA14CB06680607834, 0xCB0D5582E7E6E60A,
0x7BF9BAD32AAE88B1, 0xF619127A54090BBE, 0x1CB10D8F56408EAA, 0x001D6B54C3C0EDEB, 0xBA4EE8771667E241, 0xE42A114FCB12E5FF, 0x9A0C074E275BCD98, 0x001871329B28689E,
}, },
B: Fp{ B: Fp{
0x34DB54931CBAAC36, 0x420A18CB8DD5F0C4, 0x32008C1A48C0F44D, 0x3B3BA772B1CFD44D, 0x685FA8378513FE76, 0x84E8FC1785E8BDF0, 0x8A380F177CB7C1B7, 0x2227464F4F812C94,
0xA74B058FDAF13515, 0x095FC9CA7EEC17B4, 0x448E829D28F120F8, 0x00261EC3ED16A489, 0x117C94A81A90C279, 0x193D73132FB9FA28, 0x99335336F192C9EB, 0x0006C2FE778A34FD,
}, },
}, },
// Max size of secret key for 2-torsion group, corresponds to 2^e2 - 1 // Max size of secret key for 2-torsion group, corresponds to 2^e2 - 1
@ -113,19 +124,19 @@ func init() {
// The x-coordinate of PB // The x-coordinate of PB
Affine_P: Fp2{ Affine_P: Fp2{
A: Fp{ A: Fp{
0x7EDE37F4FA0BC727, 0xF7F8EC5C8598941C, 0xD15519B516B5F5C8, 0xF6D5AC9B87A36282, 0xDF630FC5FB2468DB, 0xC30C5541C102040E, 0x3CDC9987B76511FC, 0xF54B5A09353D0CDD,
0x7B19F105B30E952E, 0x13BD8B2025B4EBEE, 0x7B96D27F4EC579A2, 0x00140850CAB7E5DE, 0x3ADBA8E00703C42F, 0x8253F9303DDC95D0, 0x62D30778763ABFD7, 0x001CD00FB581CD55,
}, },
B: Fp{ B: Fp{
0x7764909DAE7B7B2D, 0x578ABB16284911AB, 0x76E2BFD146A6BF4D, 0x4824044B23AA02F0, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000,
0x1105048912A321F3, 0xB8A2E482CF0F10C1, 0x42FF7D0BE2152085, 0x0018E599C5223352, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000,
}, },
}, },
// The x-coordinate of QB // The x-coordinate of QB
Affine_Q: Fp2{ Affine_Q: Fp2{
A: Fp{ A: Fp{
0x4256C520FB388820, 0x744FD7C3BAAF0A13, 0x4B6A2DDDB12CBCB8, 0xE46826E27F427DF8, 0x2E3457A12B429261, 0x311F94E89627DCF8, 0x5B71C98FD1DB73F6, 0x3671DB7DCFC21541,
0xFE4A663CD505A61B, 0xD6B3A1BAF025C695, 0x7C3BB62B8FCC00BD, 0x003AFDDE4A35746C, 0xB6D1484C9FE0CF4F, 0x19CD110717356E35, 0xF4F9FB00AC9919DF, 0x0035BC124D38A70B,
}, },
B: Fp{ B: Fp{
0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000,
@ -135,12 +146,12 @@ func init() {
// The x-coordinate of RB = PB - QB // The x-coordinate of RB = PB - QB
Affine_R: Fp2{ Affine_R: Fp2{
A: Fp{ A: Fp{
0x75601CD1E6C0DFCB, 0x1A9007239B58F93E, 0xC1F1BE80C62107AC, 0x7F513B898F29FF08, 0x2E08BB99413D2952, 0xD3021467CD088D72, 0x21017AF859752245, 0x26314ED8FFD9DE5C,
0xEA0BEDFF43E1F7B2, 0x2C6D94018CBAE6D0, 0x3A430D31BCD84672, 0x000D26892ECCFE83, 0x4AF43C73344B6686, 0xCFA1F91149DF0993, 0xF327A95365587A89, 0x000DBF54E03D3906,
}, },
B: Fp{ B: Fp{
0x1119D62AEA3007A1, 0xE3702AA4E04BAE1B, 0x9AB96F7D59F990E7, 0xF58440E8B43319C0, 0xFC1FC00CBD0A0CFB, 0x66C29FB284B491A9, 0x7FBED0B26D7F18E0, 0x9C02361066F4C67D,
0xAF8134BEE1489775, 0xE7F7774E905192AA, 0xF54AE09308E98039, 0x001EF7A041A86112, 0x2D83758DD0B19E6F, 0x0827029DB2CDC1D7, 0x58700A85FAD38A71, 0x0006FA256B614AD2,
}, },
}, },
// Size of secret key for 3-torsion group, corresponds to log_2(3^e3) - 1. // Size of secret key for 3-torsion group, corresponds to log_2(3^e3) - 1.
@ -162,13 +173,13 @@ func init() {
0x02, 0x01, 0x01, 0x08, 0x04, 0x02, 0x01, 0x01, 0x02, 0x01, 0x01, 0x04, 0x02, 0x01, 0x02, 0x01, 0x01, 0x08, 0x04, 0x02, 0x01, 0x01, 0x02, 0x01, 0x01, 0x04, 0x02, 0x01,
0x01, 0x02, 0x01, 0x01}, 0x01, 0x02, 0x01, 0x01},
}, },
OneFp2: P503_OneFp2, OneFp2: one,
HalfFp2: P503_HalfFp2, HalfFp2: half,
MsgLen: 24, MsgLen: 24,
// SIKEp503 provides 128 bit of classical security ([SIKE], 5.1) // SIKEp503 provides 128 bit of classical security ([SIKE], 5.1)
KemSize: 16, KemSize: 24,
// ceil(503+7/8) // ceil(503+7/8)
Bytelen: 63, Bytelen: 63,
CiphertextSize: 16 + 8 + 378, CiphertextSize: 24 + 378,
} }
} }

View File

@ -106,7 +106,7 @@ func RecoverCoordinateA(curve *ProjectiveCurveParameters, xp, xq, xr *Fp2) {
} }
// Computes equivalence (A:C) ~ (A+2C : A-2C) // Computes equivalence (A:C) ~ (A+2C : A-2C)
func CalcCurveParamsEquiv3(cparams *ProjectiveCurveParameters) CurveCoefficientsEquiv { func ToEquiv3(cparams *ProjectiveCurveParameters) CurveCoefficientsEquiv {
var coef CurveCoefficientsEquiv var coef CurveCoefficientsEquiv
var c2 Fp2 var c2 Fp2
@ -118,8 +118,18 @@ func CalcCurveParamsEquiv3(cparams *ProjectiveCurveParameters) CurveCoefficients
return coef return coef
} }
// Recovers (A:C) curve parameters from projectively equivalent (A+2C:A-2C).
func FromEquiv3(cparams *ProjectiveCurveParameters, coefEq *CurveCoefficientsEquiv) {
add(&cparams.A, &coefEq.A, &coefEq.C)
// cparams.A = 2*(A+2C+A-2C) = 4A
add(&cparams.A, &cparams.A, &cparams.A)
// cparams.C = (A+2C-A+2C) = 4C
sub(&cparams.C, &coefEq.A, &coefEq.C)
return
}
// Computes equivalence (A:C) ~ (A+2C : 4C) // Computes equivalence (A:C) ~ (A+2C : 4C)
func CalcCurveParamsEquiv4(cparams *ProjectiveCurveParameters) CurveCoefficientsEquiv { func ToEquiv4(cparams *ProjectiveCurveParameters) CurveCoefficientsEquiv {
var coefEq CurveCoefficientsEquiv var coefEq CurveCoefficientsEquiv
add(&coefEq.C, &cparams.C, &cparams.C) add(&coefEq.C, &cparams.C, &cparams.C)
@ -130,18 +140,8 @@ func CalcCurveParamsEquiv4(cparams *ProjectiveCurveParameters) CurveCoefficients
return coefEq return coefEq
} }
// Recovers (A:C) curve parameters from projectively equivalent (A+2C:A-2C).
func RecoverCurveCoefficients3(cparams *ProjectiveCurveParameters, coefEq *CurveCoefficientsEquiv) {
add(&cparams.A, &coefEq.A, &coefEq.C)
// cparams.A = 2*(A+2C+A-2C) = 4A
add(&cparams.A, &cparams.A, &cparams.A)
// cparams.C = (A+2C-A+2C) = 4C
sub(&cparams.C, &coefEq.A, &coefEq.C)
return
}
// Recovers (A:C) curve parameters from projectively equivalent (A+2C:4C). // Recovers (A:C) curve parameters from projectively equivalent (A+2C:4C).
func RecoverCurveCoefficients4(cparams *ProjectiveCurveParameters, coefEq *CurveCoefficientsEquiv) { func FromEquiv4(cparams *ProjectiveCurveParameters, coefEq *CurveCoefficientsEquiv) {
// cparams.C = (4C)*1/2=2C // cparams.C = (4C)*1/2=2C
mul(&cparams.C, &coefEq.C, &Params.HalfFp2) mul(&cparams.C, &coefEq.C, &Params.HalfFp2)
// cparams.A = A+2C - 2C = A // cparams.A = A+2C - 2C = A

File diff suppressed because it is too large Load Diff

113
sike.go
View File

@ -8,27 +8,12 @@ import (
) )
const ( const (
// n can is max 320-bit (see 1.4 of [SIKE]) // n can is max 256-bit (see 1.4 of [SIKE])
MaxMsgLen = 40 MaxMsgLen = 32
MaxSharedSecretSize = 188 MaxSharedSecretSize = 188
MaxSecretByteLenA = 47 MaxSecretByteLenA = 47
) )
var cshakeG, cshakeH, cshakeF *shake.CShake
func init() {
// Constants used for cSHAKE customization
// Those values are different than in [SIKE] - they are encoded on 16bits. This is
// done in order for implementation to be compatible with [REF] and test vectors.
var G = []byte{0x00, 0x00}
var H = []byte{0x01, 0x00}
var F = []byte{0x02, 0x00}
cshakeG = shake.NewCShake256(nil, G)
cshakeH = shake.NewCShake256(nil, H)
cshakeF = shake.NewCShake256(nil, F)
}
func cpick(pick int, out, in1, in2 []byte) { func cpick(pick int, out, in1, in2 []byte) {
var which = byte((int8(pick << 7)) >> 7) var which = byte((int8(pick << 7)) >> 7)
for i, _ := range out { for i, _ := range out {
@ -104,7 +89,7 @@ func traverseTreePublicKeyA(curve *ProjectiveCurveParameters, xR, phiP, phiQ, ph
var i, sIdx int var i, sIdx int
var phi isogeny4 var phi isogeny4
cparam := CalcCurveParamsEquiv4(curve) cparam := ToEquiv4(curve)
strat := pub.params.A.IsogenyStrategy strat := pub.params.A.IsogenyStrategy
stratSz := len(strat) stratSz := len(strat)
@ -142,7 +127,7 @@ func traverseTreeSharedKeyA(curve *ProjectiveCurveParameters, xR *ProjectivePoin
var i, sIdx int var i, sIdx int
var phi isogeny4 var phi isogeny4
cparam := CalcCurveParamsEquiv4(curve) cparam := ToEquiv4(curve)
strat := pub.params.A.IsogenyStrategy strat := pub.params.A.IsogenyStrategy
stratSz := len(strat) stratSz := len(strat)
@ -176,7 +161,7 @@ func traverseTreePublicKeyB(curve *ProjectiveCurveParameters, xR, phiP, phiQ, ph
var i, sIdx int var i, sIdx int
var phi isogeny3 var phi isogeny3
cparam := CalcCurveParamsEquiv3(curve) cparam := ToEquiv3(curve)
strat := pub.params.B.IsogenyStrategy strat := pub.params.B.IsogenyStrategy
stratSz := len(strat) stratSz := len(strat)
@ -214,7 +199,7 @@ func traverseTreeSharedKeyB(curve *ProjectiveCurveParameters, xR *ProjectivePoin
var i, sIdx int var i, sIdx int
var phi isogeny3 var phi isogeny3
cparam := CalcCurveParamsEquiv3(curve) cparam := ToEquiv3(curve)
strat := pub.params.B.IsogenyStrategy strat := pub.params.B.IsogenyStrategy
stratSz := len(strat) stratSz := len(strat)
@ -245,7 +230,6 @@ func publicKeyGenA(pub *PublicKey, prv *PrivateKey) {
var xPA, xQA, xRA ProjectivePoint var xPA, xQA, xRA ProjectivePoint
var xPB, xQB, xRB, xR ProjectivePoint var xPB, xQB, xRB, xR ProjectivePoint
var invZP, invZQ, invZR Fp2 var invZP, invZQ, invZR Fp2
var tmp ProjectiveCurveParameters
var phi isogeny4 var phi isogeny4
// Load points for A // Load points for A
@ -259,13 +243,8 @@ func publicKeyGenA(pub *PublicKey, prv *PrivateKey) {
xPB = ProjectivePoint{X: prv.params.B.Affine_P, Z: prv.params.OneFp2} xPB = ProjectivePoint{X: prv.params.B.Affine_P, Z: prv.params.OneFp2}
// Find isogeny kernel // Find isogeny kernel
tmp.C = pub.params.OneFp2 xR = ScalarMul3Pt(&pub.params.InitCurve, &xPA, &xQA, &xRA, prv.params.A.SecretBitLen, prv.Scalar)
xR = ScalarMul3Pt(&tmp, &xPA, &xQA, &xRA, prv.params.A.SecretBitLen, prv.Scalar) traverseTreePublicKeyA(&pub.params.InitCurve, &xR, &xPB, &xQB, &xRB, pub)
// Reset params object and travers isogeny tree
tmp.C = pub.params.OneFp2
zeroize(&tmp.A)
traverseTreePublicKeyA(&tmp, &xR, &xPB, &xQB, &xRB, pub)
// Secret isogeny // Secret isogeny
phi.GenerateCurve(&xR) phi.GenerateCurve(&xR)
@ -284,25 +263,20 @@ func publicKeyGenB(pub *PublicKey, prv *PrivateKey) {
var xPB, xQB, xRB, xR ProjectivePoint var xPB, xQB, xRB, xR ProjectivePoint
var xPA, xQA, xRA ProjectivePoint var xPA, xQA, xRA ProjectivePoint
var invZP, invZQ, invZR Fp2 var invZP, invZQ, invZR Fp2
var tmp ProjectiveCurveParameters
var phi isogeny3 var phi isogeny3
// Load points for B
xRB = ProjectivePoint{X: prv.params.B.Affine_R, Z: prv.params.OneFp2}
xQB = ProjectivePoint{X: prv.params.B.Affine_Q, Z: prv.params.OneFp2}
xPB = ProjectivePoint{X: prv.params.B.Affine_P, Z: prv.params.OneFp2}
// Load points for A // Load points for A
xPA = ProjectivePoint{X: prv.params.A.Affine_P, Z: prv.params.OneFp2} xPA = ProjectivePoint{X: prv.params.A.Affine_P, Z: prv.params.OneFp2}
xQA = ProjectivePoint{X: prv.params.A.Affine_Q, Z: prv.params.OneFp2} xQA = ProjectivePoint{X: prv.params.A.Affine_Q, Z: prv.params.OneFp2}
xRA = ProjectivePoint{X: prv.params.A.Affine_R, Z: prv.params.OneFp2} xRA = ProjectivePoint{X: prv.params.A.Affine_R, Z: prv.params.OneFp2}
tmp.C = pub.params.OneFp2 // Load points for B
xR = ScalarMul3Pt(&tmp, &xPB, &xQB, &xRB, prv.params.B.SecretBitLen, prv.Scalar) xRB = ProjectivePoint{X: prv.params.B.Affine_R, Z: prv.params.OneFp2}
xQB = ProjectivePoint{X: prv.params.B.Affine_Q, Z: prv.params.OneFp2}
xPB = ProjectivePoint{X: prv.params.B.Affine_P, Z: prv.params.OneFp2}
tmp.C = pub.params.OneFp2 xR = ScalarMul3Pt(&pub.params.InitCurve, &xPB, &xQB, &xRB, prv.params.B.SecretBitLen, prv.Scalar)
zeroize(&tmp.A) traverseTreePublicKeyB(&pub.params.InitCurve, &xR, &xPA, &xQA, &xRA, pub)
traverseTreePublicKeyB(&tmp, &xR, &xPA, &xQA, &xRA, pub)
phi.GenerateCurve(&xR) phi.GenerateCurve(&xR)
xPB = phi.EvaluatePoint(&xPA) xPB = phi.EvaluatePoint(&xPA)
@ -321,14 +295,13 @@ func publicKeyGenB(pub *PublicKey, prv *PrivateKey) {
// Establishing shared keys in in 2-torsion group // Establishing shared keys in in 2-torsion group
func deriveSecretA(ss []byte, prv *PrivateKey, pub *PublicKey) { func deriveSecretA(ss []byte, prv *PrivateKey, pub *PublicKey) {
var cparam ProjectiveCurveParameters
var xP, xQ, xQmP ProjectivePoint var xP, xQ, xQmP ProjectivePoint
var xR ProjectivePoint var xR ProjectivePoint
var phi isogeny4 var phi isogeny4
var jInv Fp2 var jInv Fp2
// Recover curve coefficients // Recover curve coefficients
cparam.C = pub.params.OneFp2 cparam := pub.params.InitCurve
RecoverCoordinateA(&cparam, &pub.affine_xP, &pub.affine_xQ, &pub.affine_xQmP) RecoverCoordinateA(&cparam, &pub.affine_xP, &pub.affine_xQ, &pub.affine_xQmP)
// Find kernel of the morphism // Find kernel of the morphism
@ -342,7 +315,7 @@ func deriveSecretA(ss []byte, prv *PrivateKey, pub *PublicKey) {
// Calculate j-invariant on isogeneus curve // Calculate j-invariant on isogeneus curve
c := phi.GenerateCurve(&xR) c := phi.GenerateCurve(&xR)
RecoverCurveCoefficients4(&cparam, &c) FromEquiv4(&cparam, &c)
Jinvariant(&cparam, &jInv) Jinvariant(&cparam, &jInv)
convFp2ToBytes(ss, &jInv) convFp2ToBytes(ss, &jInv)
} }
@ -351,12 +324,11 @@ func deriveSecretA(ss []byte, prv *PrivateKey, pub *PublicKey) {
func deriveSecretB(ss []byte, prv *PrivateKey, pub *PublicKey) { func deriveSecretB(ss []byte, prv *PrivateKey, pub *PublicKey) {
var xP, xQ, xQmP ProjectivePoint var xP, xQ, xQmP ProjectivePoint
var xR ProjectivePoint var xR ProjectivePoint
var cparam ProjectiveCurveParameters
var phi isogeny3 var phi isogeny3
var jInv Fp2 var jInv Fp2
// Recover curve coefficients // Recover curve coefficients
cparam.C = pub.params.OneFp2 cparam := pub.params.InitCurve
RecoverCoordinateA(&cparam, &pub.affine_xP, &pub.affine_xQ, &pub.affine_xQmP) RecoverCoordinateA(&cparam, &pub.affine_xP, &pub.affine_xQ, &pub.affine_xQmP)
// Find kernel of the morphism // Find kernel of the morphism
@ -370,7 +342,7 @@ func deriveSecretB(ss []byte, prv *PrivateKey, pub *PublicKey) {
// Calculate j-invariant on isogeneus curve // Calculate j-invariant on isogeneus curve
c := phi.GenerateCurve(&xR) c := phi.GenerateCurve(&xR)
RecoverCurveCoefficients3(&cparam, &c) FromEquiv3(&cparam, &c)
Jinvariant(&cparam, &jInv) Jinvariant(&cparam, &jInv)
convFp2ToBytes(ss, &jInv) convFp2ToBytes(ss, &jInv)
} }
@ -389,14 +361,13 @@ func generateCiphertext(ctext []byte, skA *PrivateKey, pkA, pkB *PublicKey, ptex
return err return err
} }
cshakeF.Reset() f := shake.NewShake256()
cshakeF.Write(j[:Params.SharedSecretSize]) f.Write(j[:Params.SharedSecretSize])
cshakeF.Read(n[:ptextLen]) f.Read(n[:ptextLen])
for i, _ := range ptext { for i, _ := range ptext {
n[i] ^= ptext[i] n[i] ^= ptext[i]
} }
//ret := make([]byte, pkA.Size()+ptextLen)
pkA.Export(ctext) pkA.Export(ctext)
copy(ctext[pkA.Size():], n[:ptextLen]) copy(ctext[pkA.Size():], n[:ptextLen])
return nil return nil
@ -563,7 +534,7 @@ func DeriveSecret(ss []byte, prv *PrivateKey, pub *PublicKey) error {
func encrypt(ctext []byte, rng io.Reader, pub *PublicKey, ptext []byte) error { func encrypt(ctext []byte, rng io.Reader, pub *PublicKey, ptext []byte) error {
var ptextLen = len(ptext) var ptextLen = len(ptext)
// c1 must be security level + 64 bits (see [SIKE] 1.4 and 4.3.3) // c1 must be security level + 64 bits (see [SIKE] 1.4 and 4.3.3)
if ptextLen != (pub.params.KemSize + 8) { if ptextLen != pub.params.KemSize {
return errors.New("Unsupported message length") return errors.New("Unsupported message length")
} }
@ -593,7 +564,7 @@ func decrypt(n []byte, prv *PrivateKey, ctext []byte) (int, error) {
// ctext is a concatenation of (ciphertext = pubkey_A || c1) // ctext is a concatenation of (ciphertext = pubkey_A || c1)
// it must be security level + 64 bits (see [SIKE] 1.4 and 4.3.3) // it must be security level + 64 bits (see [SIKE] 1.4 and 4.3.3)
c1_len = len(ctext) - pk_len c1_len = len(ctext) - pk_len
if c1_len != (int(prv.params.KemSize) + 8) { if c1_len != prv.params.KemSize {
return 0, errors.New("wrong size of cipher text") return 0, errors.New("wrong size of cipher text")
} }
@ -607,9 +578,9 @@ func decrypt(n []byte, prv *PrivateKey, ctext []byte) (int, error) {
return 0, err return 0, err
} }
cshakeF.Reset() s := shake.NewShake256()
cshakeF.Write(j[:Params.SharedSecretSize]) s.Write(j[:Params.SharedSecretSize])
cshakeF.Read(n[:c1_len]) s.Read(n[:c1_len])
for i, _ := range n[:c1_len] { for i, _ := range n[:c1_len] {
n[i] ^= ctext[pk_len+i] n[i] ^= ctext[pk_len+i]
} }
@ -665,10 +636,10 @@ func (kem *KEM) Encapsulate(ciphertext, secret []byte, pub *PublicKey) error {
} }
pub.Export(buf[:]) pub.Export(buf[:])
cshakeG.Reset() g := shake.NewShake256()
cshakeG.Write(kem.msg) g.Write(kem.msg)
cshakeG.Write(buf[:3*Params.SharedSecretSize]) g.Write(buf[:3*Params.SharedSecretSize])
cshakeG.Read(skA.Scalar) g.Read(skA.Scalar)
// Ensure bitlength is not bigger then to 2^e2-1 // Ensure bitlength is not bigger then to 2^e2-1
skA.Scalar[len(skA.Scalar)-1] &= (1 << (pub.params.A.SecretBitLen % 8)) - 1 skA.Scalar[len(skA.Scalar)-1] &= (1 << (pub.params.A.SecretBitLen % 8)) - 1
@ -680,10 +651,10 @@ func (kem *KEM) Encapsulate(ciphertext, secret []byte, pub *PublicKey) error {
} }
// K = H(msg||(c0||c1)) // K = H(msg||(c0||c1))
cshakeH.Reset() h := shake.NewShake256()
cshakeH.Write(kem.msg) h.Write(kem.msg)
cshakeH.Write(ciphertext) h.Write(ciphertext)
cshakeH.Read(secret) h.Read(secret)
return nil return nil
} }
@ -710,10 +681,10 @@ func (kem *KEM) Decapsulate(secret []byte, prv *PrivateKey, pub *PublicKey, ctex
// r' = G(m'||pub) // r' = G(m'||pub)
//var key = make([]byte, pub.Size()+2*Params.MsgLen) //var key = make([]byte, pub.Size()+2*Params.MsgLen)
pub.Export(pkBytes[:]) pub.Export(pkBytes[:])
cshakeG.Reset() g := shake.NewShake256()
cshakeG.Write(m[:c1_len]) g.Write(m[:c1_len])
cshakeG.Write(pkBytes[:3*pub.params.SharedSecretSize]) g.Write(pkBytes[:3*pub.params.SharedSecretSize])
cshakeG.Read(r[:pub.params.A.SecretByteLen]) g.Read(r[:pub.params.A.SecretByteLen])
// Ensure bitlength is not bigger than 2^e2-1 // Ensure bitlength is not bigger than 2^e2-1
r[pub.params.A.SecretByteLen-1] &= (1 << (pub.params.A.SecretBitLen % 8)) - 1 r[pub.params.A.SecretByteLen-1] &= (1 << (pub.params.A.SecretBitLen % 8)) - 1
@ -731,9 +702,9 @@ func (kem *KEM) Decapsulate(secret []byte, prv *PrivateKey, pub *PublicKey, ctex
// (S. Galbraith, et al., 2016, ePrint #859). // (S. Galbraith, et al., 2016, ePrint #859).
mask := subtle.ConstantTimeCompare(pkBytes[:pub.params.PublicKeySize], ctext[:pub.params.PublicKeySize]) mask := subtle.ConstantTimeCompare(pkBytes[:pub.params.PublicKeySize], ctext[:pub.params.PublicKeySize])
cpick(mask, m[:c1_len], m[:c1_len], prv.S) cpick(mask, m[:c1_len], m[:c1_len], prv.S)
cshakeH.Reset() h := shake.NewShake256()
cshakeH.Write(m[:c1_len]) h.Write(m[:c1_len])
cshakeH.Write(ctext) h.Write(ctext)
cshakeH.Read(secret) h.Read(secret)
return nil return nil
} }

View File

@ -22,37 +22,14 @@ var tdata = struct {
PrA_sike string PrA_sike string
PkA_sike string PkA_sike string
}{ }{
name: "P-503", name: "SIKEp503",
katFile: "etc/PQCkemKAT_434.rsp", katFile: "etc/PQCkemKAT_434.rsp",
PkB_sike: "68460C22466E95864CFEA7B5D9077E768FF4F9ED69AE56D7CF3F236FB06B31020EEE34B5B572CEA5DDF20B531966AA8F5F3ACC0C6D1CE04EEDC30FD1F1233E2D96FE60C6D638FC646EAF2E2246F1AEC96859CE874A1F029A78F9C978CD6B22114A0D5AB20101191FD923E80C76908B1498B9D0200065CCA09159A0C65A1E346CC6470314FE78388DAA89DD08EC67DBE63C1F606674ACC49EBF9FDBB2B898B3CE733113AA6F942DB401A76D629CE6EE6C0FDAF4CFB1A5E366DB66C17B3923A1B7FB26A3FF25B9018869C674D3DEF4AF269901D686FE4647F9D2CDB2CEB3AFA305B27C885F037ED167F595066C21E7DD467D8332B934A5102DA5F13332DFA356B82156A0BB2E7E91C6B85B7D1E381BC9E3F0FC4DB9C36016D9ECEC415D7E977E9AC29910D934BA2FE4EE49D3B387607A4E1AFABF495FB86A77194626589E802FF5167C7A25C542C1EAD25A6E0AA931D94F2F9AFD3DBDF222E651F729A90E77B20974905F1E65E041CE6C95AAB3E1F22D332E0A5DE9C5DB3D9C7A38", PrB_sidh: "8626ED79D451140800E03B59B956F8210E556067407D13DC90FA9E8B872BFB0F",
PrB_sike: "80FC55DA74DEFE3113487B80841E678AF9ED4E0599CF07353A4AB93971C090A0" + PkB_sidh: "BB066F920803D8A481A09CD6398DCAE8D330AE2035245A92491228D6AC86A7E024D6318CC3FAC233A90F086EF663A74CD102D7A33BE96F726E084F3C8C630DD1CAD79289B68275962C90A29E061A8C5C266D4A9DE1D94FAA8E539A7A4FD5487905A1FAD75CBEF0B2BF298645C26D6A904EBA9B468B43B66B3CE579EF140379C4B0F06B2005B345A677590FB1A6C6B73D90D953383621EE667B9E9B3254403AF1C66D8FA8F0A9A3B06B1B6D81C661BCD0FCD09D96FF6A9AF52C4F68DB2E12DFB16319F6F24B7B206E94331F26165F501179F956AED2DC42679CAD539E32D9BF36F1764D5F3A596ADC504E0FF1F25A544FA139E0ACB516D6D5A15F0A0C4F03C0CF363086184E462035CA87BF21393DC8918E21258029A0DC7295FB7F04E363F0A63EE299AD9E638324E5A2027BF38C868AF49A591BDEA9D7C376981D015E55FBE641010C70AB08809AAE335B4B97081FB95621469F9B92F637A41BCBB7DC3D1D7242E3E5FD7CA8E3381057AAB9F948498AF438B5F8D2E157B5A318",
"A9402C9DC98AC6DC8F5FDE5E970AE22BA48A400EFC72851C", PrA_sike: "003271531CF27285B8721ED5CB46853043B346A66CBA6CF765F1B0EAA40BF602",
PrB_sidh: "A885A8B889520A6DBAD9FB33365E5B77FDED629440A16A533F259A510F63A822", PkA_sike: "BE0CB724207D42075EC1569F43FFB8178C64E1F3EAF9D914879B3B3CAD1D12048CBB72861CA0B72C16F65FB4DA98778D9F37CF1442147AE179A8D1099D77028740BD72DFC873A8D2F293A603E5C4A13F7668E8F5C363602A490D47F4F95B269706BDC8DFDEAD77026D9842BB8B5CC4BFB99AF75ED8E4A6994DD4BD5BA606D9EF21A38E26CC35AE5C57324CFE6C16B53D61AD985B37F4B1E2F11234C52A869E184008999358EC0D2B4F2F163A09D3BA9B83D7E5647B5BE92014286D5F0BCE0CA14417226462191D3F0D8587A3ADA2C561FBA5DFE938606476882472C64C9E07D6BDB6C51D59B7978C792383C0CCC28337192A30340742C82EFCB3693FE93FBDA870554CF40F2B176C831628FF339739EC87389A2DD261EE9C6AAFF09ECEFF6C5074D7755ACA4A9D937A1F3A7C31D82E606E6CC6AC90189C17899B13EB759761EEA35AAF74D0B7F2411031AF81B9B946AE2E154FC08F3BB3E2DDE5F52DBC0E1164DCE028EFA45B1D58F4B32EF016D4F995909D3E0F3F69B8115D35",
PrA_sike: "B0AD510708F4ABCF3E0D97DC2F2FF112D9D2AAE49D97FFD1E4267F21C6E71C03", PrB_sike: "4B622DE1350119C45A9F2E2EF3DC5DF50A759D138CDFBD64E82FCC97CA60CCB27BF6938C975658AEB8B4D37CFFBDE25D97E561F36C219A0E",
PkA_sike: "A6BADBA04518A924B20046B59AC197DCDF0EA48014C9E228C4994CCA432F360E" + PkB_sike: "4EC46509AB1C547BDF2311B3AF82FCD25A83D154D9649C0D1A7F1E4D174BE9ED44F4B8AD2160FF43D4B94E65BE5A64DA3B8D5B63A02C3DCD376BB24122E03C3F09F4253E6F117999D0359F6BAB94F38BDB4B681EE09351483380EA4839E7808F8DF11C9A01DBC9D4C61075F3FF39B444679A8F3BEAE4BD47BE5B3A4D4B0F44F44BC8AB1B40E91852605F92860F6B4E627E8F7B00168CED2BA9D86865A5314E32E39B15E2021790CECA67A47959915E5C9717C96A055ADA061921F15306E4600751E984DA5FBC72E5F4E7B1182F60109DDD50C04A7A8D4281121AECD824730F38BE81A9D59B480DE44EB6CFC93436000C6E302B710FE3C24E6E6E0A371DF2B81CFBB37EDBD739926DBBE95A81D90DA22A7A5DF0DEE13031B7DE91504F45E20F0F15B24931A5D41EE48FA84F11D9F33B1F5BF315B355FAC0AB40C702190C190489DDA7B8715E680CE0DE4BFB50D78290C1A4C29F7C776597D9FB6C1DE65E150FAD46DF3CF38BDB22493697A2307A121B67C90B04C0809E1C8CA916",
"2D527AFB06CA7C96EE5CEE19BAD53BF9218A3961CAD7EC092BD8D9EBB22A3D51" +
"33008895A3F1F6A023F91E0FE06A00A622FD6335DAC107F8EC4283DC2632F080" +
"4E64B390DAD8A2572F1947C67FDF4F8787D140CE2C6B24E752DA9A195040EDFA" +
"C27333FAE97DBDEB41DA9EEB2DB067AE7DA8C58C0EF57AEFC18A3D6BD0576FF2" +
"F1CFCAEC50C958331BF631F3D2E769790C7B6DF282B74BBC02998AD10F291D47" +
"C5A762FF84253D3B3278BDF20C8D4D4AA317BE401B884E26A1F02C7308AADB68" +
"20EBDB0D339F5A63346F3B40CACED72F544DAF51566C6E807D0E6E1E38514342" +
"432661DC9564DA07548570E256688CD9E8060D8775F95D501886D958588CACA0" +
"9F2D2AE1913F996E76AF63E31A179A7A7D2A46EDA03B2BCCF9020A5AA15F9A28" +
"9340B33F3AE7F97360D45F8AE1B9DD48779A57E8C45B50A02C00349CD1C58C55" +
"1D68BC2A75EAFED944E8C599C288037181E997471352E24C952B",
PkB_sidh: "244AF1F367C2C33912750A98497CC8214BC195BD52BD76513D32ACE4B75E31F0" +
"281755C265F5565C74E3C04182B9C244071859C8588CC7F09547CEFF8F7705D2" +
"60CE87D6BFF914EE7DBE4B9AF051CA420062EEBDF043AF58184495026949B068" +
"98A47046BFAE8DF3B447746184AF550553BB5D266D6E1967ACA33CAC5F399F90" +
"360D70867F2C71EF6F94FF915C7DA8BC9549FB7656E691DAEFC93CF56876E482" +
"CA2F8BE2D6CDCC374C31AD8833CABE997CC92305F38497BEC4DFD1821B004FEC" +
"E16448F9A24F965EFE409A8939EEA671633D9FFCF961283E59B8834BDF7EDDB3" +
"05D6275B61DA6692325432A0BAA074FC7C1F51E76208AB193A57520D40A76334" +
"EE5712BDC3E1EFB6103966F2329EDFF63082C4DFCDF6BE1C5A048630B81871B8" +
"83B735748A8FD4E2D9530C272163AB18105B10015CA7456202FE1C9B92CEB167" +
"5EAE1132E582C88E47ED87B363D45F05BEA714D5E9933D7AF4071CBB5D49008F" +
"3E3DAD7DFF935EE509D5DE561842B678CCEB133D62E270E9AC3E",
} }
/* ------------------------------------------------------------------------- /* -------------------------------------------------------------------------
@ -274,7 +251,7 @@ func TestDerivationRoundTrip(t *testing.T) {
} }
// encrypt, decrypt, check if input/output plaintext is the same // encrypt, decrypt, check if input/output plaintext is the same
func testPKERoundTrip(t testing.TB, id uint8) { func TestPKERoundTrip(t *testing.T) {
// Message to be encrypted // Message to be encrypted
var msg = make([]byte, Params.MsgLen) var msg = make([]byte, Params.MsgLen)
var ct = make([]byte, kemSikeP503.CiphertextSize()) var ct = make([]byte, kemSikeP503.CiphertextSize())
@ -521,7 +498,7 @@ func testKeygen(t *testing.T, pk, sk []byte) {
prvKey.GeneratePublicKey(pubKey) prvKey.GeneratePublicKey(pubKey)
pubKey.Export(pubKeyBytes[:]) pubKey.Export(pubKeyBytes[:])
if !bytes.Equal(pubKeyBytes[:], pk) { if !bytes.Equal(pubKeyBytes[:], pk) {
t.Fatalf("KAT keygen form private failed\n") t.Fatalf("KAT keygen form private failed\nExp: %X\nGot: %X\n", pubKeyBytes[:], pk)
} }
} }
@ -539,92 +516,94 @@ func TestDecapsulation(t *testing.T) {
0x6F, 0x18} 0x6F, 0x18}
var pk = []byte{ var pk = []byte{
0x07, 0xAA, 0x51, 0x45, 0x3E, 0x1F, 0x53, 0x2A, 0x0A, 0x05, 0xCA, 0x38, 0x7A, 0x45, 0xF8, 0xA7, 0xFB, 0xE5, 0x97, 0xB0,
0x46, 0xF6, 0x54, 0x7F, 0x5D, 0x56, 0xD6, 0x76, 0xD3, 0xEA, 0x5B, 0xE4, 0x95, 0xDC, 0x38, 0xFA, 0xFC, 0x9B, 0xB3, 0xD1,
0x4B, 0x6B, 0x01, 0x9B, 0x11, 0x72, 0x6F, 0x75, 0xEA, 0x34, 0x79, 0xF8, 0x7D, 0x54, 0x0A, 0xD9, 0xE0, 0x64, 0xE3, 0xED,
0x3C, 0x28, 0x2C, 0x36, 0xFD, 0x77, 0xDA, 0xBE, 0xB6, 0x20, 0x4D, 0x23, 0xD2, 0x86, 0x0D, 0x84, 0x0C, 0x44, 0x14, 0xE4,
0x18, 0xC1, 0x93, 0x98, 0x18, 0x86, 0x30, 0x2F, 0x2E, 0xD2, 0x6B, 0xB9, 0x35, 0xBA, 0x70, 0x2A, 0x90, 0x92, 0xAA, 0x90,
0x00, 0x61, 0xFF, 0xAE, 0x78, 0xAE, 0xFB, 0x6F, 0x32, 0xAC, 0x34, 0x81, 0x9F, 0xC7, 0x99, 0xD5, 0xB2, 0x2D, 0xD0, 0xBE,
0x06, 0xBF, 0x35, 0xF6, 0xF7, 0x5B, 0x98, 0x26, 0x95, 0xC2, 0xC9, 0x3B, 0x25, 0x8F, 0x49, 0x18, 0xFE, 0xDB, 0xE3, 0x60,
0xD8, 0xD6, 0x1C, 0x0E, 0x47, 0xDA, 0x76, 0xCE, 0xB5, 0xF1, 0x04, 0x89, 0xB3, 0xC8, 0x8D, 0x2C, 0xC3, 0x35, 0x79, 0x45,
0x19, 0xCC, 0x01, 0xE1, 0x17, 0xA9, 0x62, 0xF7, 0x82, 0x6C, 0x56, 0x03, 0x3C, 0xA2, 0x93, 0xDC, 0xE1, 0x1E, 0x98, 0x50,
0x25, 0x51, 0x25, 0xAE, 0xFE, 0xE3, 0xE2, 0xE1, 0x35, 0xAE, 0xB1, 0x65, 0xB9, 0x71, 0x8E, 0xB2, 0xBF, 0x93, 0x06, 0xDF,
0x2E, 0x8F, 0x38, 0xE0, 0x7C, 0x74, 0x3C, 0x1D, 0x39, 0x91, 0x55, 0xE3, 0xC9, 0xF9, 0x53, 0xB4, 0x05, 0x70, 0xF3, 0x7D,
0x1B, 0xC7, 0x9F, 0x8E, 0x33, 0x4E, 0x84, 0x19, 0xB8, 0xD9, 0xE1, 0xE8, 0x78, 0x46, 0x93, 0x80, 0xBD, 0xBA, 0x7A, 0xE7,
0xC2, 0x71, 0x35, 0x02, 0x47, 0x3E, 0x79, 0xEF, 0x47, 0xE1, 0x66, 0x67, 0x6D, 0x99, 0xAD, 0x02, 0x5E, 0xD2, 0xFE, 0x59,
0xD8, 0x21, 0x96, 0x1F, 0x11, 0x59, 0x39, 0x34, 0x76, 0xEF, 0x09, 0xB5, 0xF7, 0xB1, 0x60, 0x04, 0x59, 0x74, 0x21, 0x09,
0x3E, 0xB7, 0x4E, 0xFB, 0x7C, 0x55, 0xA1, 0x85, 0xAA, 0xAB, 0x66, 0x6A, 0x2C, 0x94, 0xAC, 0x78, 0x7F, 0xA5, 0x4E, 0x58,
0xAD, 0xF0, 0x09, 0xCB, 0xD1, 0xE3, 0x7C, 0x4F, 0x5D, 0x2D, 0x07, 0xC4, 0xF2, 0x3F, 0x9C, 0x3E, 0xAB, 0x68, 0x83, 0xC4,
0xE1, 0x13, 0xF0, 0x71, 0xD9, 0xE5, 0xF6, 0xAF, 0x7F, 0xC1, 0x8C, 0x3C, 0xBB, 0x1B, 0x41, 0xBE, 0x26, 0x7C, 0xD0, 0xB1,
0x27, 0x95, 0x8D, 0x52, 0xD5, 0x96, 0x42, 0x38, 0x41, 0xF7, 0xA8, 0xED, 0x3B, 0xA5, 0xD2, 0xAE, 0x4A, 0x44, 0xF8, 0xD6,
0x24, 0x3F, 0x3A, 0xB5, 0x7E, 0x11, 0xE4, 0xF9, 0x33, 0xEE, 0x31, 0xB4, 0x06, 0x78, 0x61, 0x3C, 0xBA, 0xE8, 0x1A, 0x20,
0x4D, 0xBE, 0x74, 0x48, 0xF9, 0x98, 0x04, 0x01, 0x16, 0xEB, 0xF7, 0xE8, 0x11, 0x7D, 0x2C, 0xBC, 0xE6, 0x29, 0xD1, 0x73,
0xA9, 0x0D, 0x61, 0xC6, 0xFD, 0x4C, 0xCF, 0x98, 0x84, 0x4A, 0xCC, 0x68, 0x5A, 0x4A, 0x6F, 0x43, 0x4C, 0x6E, 0xEC, 0xB8,
0x94, 0xAC, 0x69, 0x2C, 0x02, 0x8B, 0xE3, 0xD1, 0x41, 0x0D, 0x16, 0x9A, 0xE1, 0x82, 0x37, 0xC2, 0xAE, 0xD7, 0x2A, 0xD6,
0xF2, 0x2D, 0x46, 0x1F, 0x57, 0x1C, 0x77, 0x86, 0x18, 0xE3, 0xCC, 0x19, 0x6C, 0x9E, 0xD1, 0xBD, 0x6C, 0x74, 0x9A, 0x4C,
0x63, 0xDE, 0xF3, 0xE3, 0x02, 0x30, 0x54, 0x73, 0xAE, 0xC2, 0xA3, 0x6C, 0x4A, 0xAA, 0xB5, 0x99, 0x5F, 0xE9, 0x68, 0x0F,
0x32, 0xA2, 0xCE, 0xEB, 0xCF, 0x81, 0x46, 0x54, 0x5C, 0xF4, 0x73, 0x2B, 0x44, 0x7D, 0x66, 0x4E, 0x63, 0x3C, 0x32, 0xEC,
0x5D, 0x2A, 0x03, 0x5D, 0x9C, 0xAE, 0xE0, 0x60, 0x03, 0x80, 0x20, 0x03, 0xFF, 0xBE, 0xF3, 0x08, 0x0F, 0x11, 0xE2, 0x4B,
0x11, 0x30, 0xA5, 0xAA, 0xD1, 0x75, 0x67, 0xE0, 0x1C, 0x2B, 0xF1, 0xD5, 0x12, 0xE2, 0x52, 0x66, 0x19, 0xE4, 0x8B, 0xA4,
0x6B, 0x5D, 0x83, 0xDE, 0x92, 0x9B, 0x0E, 0xD7, 0x11, 0x0F, 0x7E, 0x7F, 0x60, 0x27, 0x3B, 0x78, 0x6C, 0xC5, 0xBF, 0x58,
0x00, 0xC4, 0x59, 0xE4, 0x81, 0x04, 0x3B, 0xEE, 0x5C, 0x04, 0x6F, 0xFE, 0x05, 0xFC, 0x25, 0xF4, 0x12, 0x68, 0xAB, 0xA3,
0xD1, 0x0E, 0xD0, 0x67, 0xF5, 0xCC, 0xAA, 0x72, 0x73, 0xEA, 0x32, 0x75, 0x6A, 0x6A, 0xA6, 0x4E, 0x36, 0x42, 0x20, 0x17,
0xC4, 0x76, 0x99, 0x3B, 0x4C, 0x90, 0x2F, 0xCB, 0xD8, 0x0A, 0x2E, 0xBE, 0x7A, 0x0F, 0x78, 0x63, 0x3E, 0x5D, 0xBC, 0xB4,
0x5B, 0xEC, 0x0E, 0x0E, 0x1F, 0x59, 0xEA, 0x14, 0x8D, 0x34, 0xA0, 0xAC, 0xF3, 0xFE, 0x33, 0x49, 0x08, 0x62, 0xDC, 0x39,
0x53, 0x65, 0x4C, 0x1A, 0x59, 0xA8, 0x95, 0x66, 0x60, 0xBB, 0xFF, 0xFD, 0x83, 0x02, 0x10, 0x8A, 0x86, 0xD7, 0x62, 0xE5,
0xC4, 0xCC, 0x32, 0xA9, 0x8D, 0x2A, 0xAA, 0x14, 0x6F, 0x0F, 0xF2, 0x98, 0x7F, 0x8D, 0x79, 0x6A, 0xC4, 0x88, 0xD2, 0x84,
0x81, 0x4D, 0x32, 0x02, 0xFD, 0x33, 0x58, 0x42, 0xCF, 0xF3, 0xC7, 0x3B, 0xEB, 0xC1, 0x6A, 0xE0, 0x7F, 0x42, 0x92, 0x25,
0x67, 0xD0, 0x9F, 0x0B, 0xB1, 0xCC, 0x18, 0xA5, 0xC4, 0x19, 0x0F, 0xA0, 0x35, 0xA5, 0xEF, 0x98, 0x4D, 0x41, 0xC5, 0x25,
0xB6, 0x00, 0xED, 0xFA, 0x32, 0x1A, 0x5F, 0x67, 0xC8, 0xC3, 0x77, 0x35, 0x36, 0xA9, 0x0B, 0xAB, 0x43, 0x0C, 0x6C, 0xF1,
0xEB, 0x0D, 0xB5, 0x9A, 0x36, 0x47, 0x82, 0x00, 0x31, 0x56, 0x17, 0x82, 0xD7, 0x00, 0x62, 0x1F,
} }
var ct = []byte{ var ct = []byte{
0xE6, 0xB7, 0xE5, 0x7B, 0xA9, 0x19, 0xD1, 0x2C, 0xB8, 0x5C, 0x7B, 0x1B, 0x9E, 0xFC, 0x2B, 0x63, 0x7A, 0x71, 0x19, 0x3A,
0x7B, 0x66, 0x74, 0xB0, 0x71, 0xA1, 0xFF, 0x71, 0x7F, 0x4B, 0xAE, 0xC3, 0xDB, 0xEC, 0x20, 0x18, 0x27, 0x16, 0x64, 0xBF,
0xB5, 0xA6, 0xAF, 0x48, 0x32, 0x52, 0xD5, 0x82, 0xEE, 0x8A, 0xE5, 0x5F, 0x48, 0x75, 0xA1, 0xAE, 0xF1, 0x92, 0x40, 0x77,
0xBB, 0x08, 0x1E, 0xF6, 0xAC, 0x91, 0xA2, 0xCB, 0x6B, 0x6A, 0xB5, 0xF0, 0x85, 0x69, 0x8E, 0x02, 0x1A, 0x64, 0x94, 0x89,
0x09, 0x2B, 0xD9, 0xC6, 0x27, 0xD6, 0x3A, 0x6B, 0x8D, 0xFC, 0xA0, 0xEE, 0xDA, 0xDB, 0x07, 0xE5, 0xE5, 0xFF, 0xE7, 0x01,
0xB8, 0x90, 0x8F, 0x72, 0xB3, 0xFA, 0x7D, 0x34, 0x7A, 0xC4, 0x5F, 0x5E, 0xC7, 0xD3, 0x3B, 0x27, 0xE1, 0x13, 0x9C, 0x01,
0x7E, 0xE3, 0x30, 0xC5, 0xA0, 0xFE, 0x3D, 0x43, 0x14, 0x4E, 0x33, 0x44, 0x35, 0x67, 0xEA, 0x14, 0xFE, 0x74, 0x03, 0x9F,
0x3A, 0x14, 0x76, 0x3E, 0xFB, 0xDF, 0xE3, 0xA8, 0xE3, 0x5E, 0xD5, 0xE9, 0x3E, 0x58, 0x4A, 0xE3, 0xC2, 0x32, 0x22, 0x7A,
0x38, 0xF2, 0xE0, 0x39, 0x67, 0x60, 0xFD, 0xFB, 0xB4, 0x19, 0x80, 0xA0, 0x18, 0x3A, 0x31, 0xAB, 0xBE, 0x63, 0xD0, 0xA2,
0xCD, 0xE1, 0x93, 0xA2, 0x06, 0xCC, 0x65, 0xCD, 0x6E, 0xC8, 0xAB, 0x22, 0x28, 0x93, 0x17, 0x70, 0x79, 0x37, 0x4C, 0x55,
0xB4, 0x5E, 0x41, 0x4B, 0x6C, 0xA5, 0xF4, 0xE4, 0x9D, 0x52, 0xC4, 0xCB, 0x0F, 0x0D, 0x21, 0xBC, 0x35, 0x6F, 0x35, 0x04,
0x8C, 0x25, 0x60, 0xDD, 0x3D, 0xA9, 0x7F, 0xF2, 0x88, 0xC1, 0x03, 0x5C, 0x23, 0xF6, 0x93, 0x4C, 0x98, 0x2D, 0x28, 0xB2,
0x0C, 0xEE, 0x97, 0xE0, 0xE7, 0x3B, 0xB7, 0xD3, 0x6F, 0x28, 0x4D, 0x43, 0xA4, 0x27, 0xFD, 0x38, 0x70, 0x27, 0x2F, 0x46,
0x79, 0x2F, 0x50, 0xB2, 0x4F, 0x74, 0x3A, 0x0C, 0x88, 0x27, 0xA1, 0x25, 0x07, 0x86, 0x3A, 0x85, 0x50, 0x2E, 0x6B, 0x51,
0x98, 0x3A, 0x27, 0xD3, 0x26, 0x83, 0x59, 0x49, 0x81, 0x5B, 0x58, 0x8D, 0xE5, 0x52, 0xA4, 0x44, 0x1E, 0x7D, 0x3A, 0x9B,
0x0D, 0xA7, 0x0C, 0x4F, 0xEF, 0xFB, 0x1E, 0xAF, 0xE9, 0xD2, 0x64, 0x89, 0xC8, 0x4F, 0x1C, 0x18, 0x98, 0xF5, 0xFE, 0x7F,
0x1C, 0x10, 0x25, 0xEC, 0x9E, 0xFA, 0x57, 0x36, 0xAA, 0x3F, 0xCA, 0x3A, 0x84, 0x7C, 0x53, 0xA7, 0xA1, 0xF6, 0xB1, 0xB2,
0xC1, 0xA3, 0x2C, 0xE9, 0xB5, 0xC9, 0xED, 0x72, 0x51, 0x4C, 0xB5, 0xBC, 0xA5, 0x58, 0x31, 0xD4, 0xB2, 0x2E, 0x1D, 0xDE,
0x02, 0xB4, 0x7B, 0xB3, 0xED, 0x9F, 0x45, 0x03, 0x34, 0xAC, 0x3A, 0xD5, 0xB9, 0x70, 0xA3, 0xE6, 0xE9, 0x2C, 0x39, 0xF6,
0x9A, 0x9E, 0x62, 0x5F, 0x82, 0x7A, 0x77, 0x34, 0xF9, 0x21, 0xB5, 0x89, 0xDD, 0x14, 0x91, 0x31, 0x26, 0xE0, 0xAE, 0x66,
0x94, 0xD2, 0x38, 0x3D, 0x05, 0xF0, 0x8A, 0x60, 0x1C, 0xB7, 0x30, 0x3A, 0x59, 0x57, 0xA3, 0xFF, 0xC1, 0x1F, 0x3B, 0xB8,
0x1D, 0xF5, 0xB7, 0x53, 0x77, 0xD3, 0x9D, 0x3D, 0x70, 0x6A, 0xA9, 0x9A, 0xB0, 0xAE, 0x2D, 0x70, 0x43, 0x38, 0x58, 0xF1,
0xCB, 0x18, 0x20, 0x6B, 0x29, 0x17, 0x3A, 0x6D, 0xA1, 0xB2, 0xD5, 0xFC, 0x29, 0x6A, 0x49, 0xD3, 0x2E, 0x57, 0xA7, 0x16,
0x64, 0xDB, 0x6C, 0xE6, 0x1A, 0x95, 0xA7, 0xF4, 0x1A, 0x78, 0x7A, 0x2A, 0x06, 0x00, 0x39, 0x67, 0xCB, 0xA8, 0xB4, 0x26,
0x1D, 0xA2, 0x40, 0x15, 0x41, 0x59, 0xDD, 0xEE, 0x23, 0x57, 0xC3, 0x4B, 0xD5, 0x15, 0x83, 0x95, 0xD9, 0xCC, 0x50, 0x1A,
0xCE, 0x36, 0x0D, 0x55, 0xBD, 0xB8, 0xFD, 0x0F, 0x35, 0xBD, 0x23, 0x00, 0xFF, 0xFE, 0x00, 0xFC, 0x99, 0x28, 0x38, 0xE8,
0x5B, 0x92, 0xD6, 0x1C, 0x84, 0x8C, 0x32, 0x64, 0xA6, 0x5C, 0x60, 0xF0, 0xFD, 0x12, 0xD3, 0x22, 0x26, 0x8E, 0x1F, 0xED,
0x45, 0x18, 0x07, 0x6B, 0xF9, 0xA9, 0x43, 0x9A, 0x83, 0xCD, 0x11, 0x23, 0xB3, 0x56, 0x2A, 0x94, 0xE0, 0x1A, 0xE1, 0x25,
0xB5, 0xB3, 0xD9, 0x17, 0x99, 0x2C, 0x2A, 0x8B, 0xE0, 0x8E, 0x6B, 0x1C, 0x5A, 0xB0, 0x15, 0xA8, 0xA5, 0xF8, 0x76, 0xA9,
0xAF, 0xA6, 0x4C, 0x95, 0xBB, 0x70, 0x60, 0x1A, 0x3A, 0x97, 0x1F, 0x4E, 0xF1, 0x01, 0xC5, 0x12, 0x25, 0x8C, 0x1C, 0x10,
0xAA, 0x2F, 0x3D, 0x22, 0x83, 0xB7, 0x4F, 0x59, 0xED, 0x3F, 0x02, 0xAF, 0x0E, 0x5E, 0xAC, 0x67, 0x84, 0x35, 0x98, 0xDD,
0x4E, 0xF4, 0x19, 0xC6, 0x25, 0x0B, 0x0A, 0x5E, 0x21, 0xB9, 0x99, 0x44, 0x15, 0x3B, 0x03, 0x41, 0x37, 0x10, 0x1F, 0x3A,
0x91, 0xB8, 0x19, 0x84, 0x48, 0x78, 0xCE, 0x27, 0xBF, 0x41, 0x36, 0xFF, 0x0A, 0x47, 0xCA, 0x22, 0xA4, 0x36, 0xEB, 0x4C,
0x89, 0xF6, 0x30, 0xFD, 0x6B, 0xD9, 0xB8, 0x1D, 0x72, 0x8A, 0x7D, 0x9B, 0x9A, 0xBD, 0x13, 0x4C, 0x5A, 0x0E, 0xCD, 0x35,
0x56, 0xCC, 0x2F, 0x82, 0xE4, 0x46, 0x4D, 0x75, 0xD8, 0x92, 0xB3, 0x3A, 0xA7, 0x15, 0xFD, 0xEC, 0xEE, 0x37, 0x21, 0x25,
0xE6, 0x9C, 0xCC, 0xD2, 0xCD, 0x35, 0xE4, 0xFC, 0x2A, 0x85, 0xB4, 0xCC, 0x20, 0x07, 0x7F, 0xA7, 0x9F, 0x0F, 0x97, 0x3C,
0x6B, 0xA9, 0xB2, 0x27, 0xC9, 0xA1, 0xFF, 0xB3, 0x96, 0x3E, 0x26, 0x10, 0xE1, 0xE9, 0x3A, 0xF7, 0x53, 0x43, 0xC4, 0xCA,
0x59, 0xF6, 0x4C, 0x66, 0x56, 0x2E, 0xF5, 0x1B, 0x97, 0x32, 0x97, 0x54, 0x13, 0x59, 0x24, 0x72, 0xE3, 0x1D, 0xE7, 0x00,
0xB0, 0x71, 0x5A, 0x9C, 0x50, 0x4B, 0x6F, 0xC4, 0xCA, 0x94, 0x09, 0x61, 0x29, 0x5A, 0x53, 0x14, 0x5F, 0xAA, 0xF6, 0x6A,
0x75, 0x37, 0x46, 0x10, 0x12, 0x2F, 0x4F, 0xA3, 0x82, 0xCD, 0xFA, 0x72, 0xCA, 0x79, 0xC6, 0xA4, 0x9B, 0xEF, 0xE5, 0x69,
0xBD, 0x7C, 0x9E, 0x66,
}
var ss_exp = [24]byte{
0x0F, 0x7E, 0x5A, 0x52, 0x19, 0x9E, 0x77, 0x87, 0x2E, 0x93,
0x3A, 0xCB, 0x13, 0xD7, 0x96, 0xD6, 0x76, 0x27, 0xA6, 0x27,
0xE9, 0x1D, 0xD4, 0x2A,
} }
var ss_exp = []byte{
0xbe, 0x07, 0x1d, 0xa6, 0x95, 0x4b, 0x03, 0x49, 0x6b, 0x2a,
0x8e, 0x25, 0x80, 0xab, 0x9c, 0xdd}
var prvObj = NewPrivateKey(KeyVariant_SIKE) var prvObj = NewPrivateKey(KeyVariant_SIKE)
var pubObj = NewPublicKey(KeyVariant_SIKE) var pubObj = NewPublicKey(KeyVariant_SIKE)
@ -637,7 +616,7 @@ func TestDecapsulation(t *testing.T) {
checkErr(t, kemSikeP503.Decapsulate(res, prvObj, pubObj, ct), checkErr(t, kemSikeP503.Decapsulate(res, prvObj, pubObj, ct),
"error: Decapsulation failed") "error: Decapsulation failed")
if !bytes.Equal(ss_exp, res) { if !bytes.Equal(ss_exp[:], res) {
t.Error("Wrong decapsulation result") t.Error("Wrong decapsulation result")
} }
} }
@ -679,7 +658,6 @@ func TestKAT(t *testing.T) {
t.Fatalf("KAT decapsulation failed\n") t.Fatalf("KAT decapsulation failed\n")
} }
} }
f, err := os.Open(tdata.katFile) f, err := os.Open(tdata.katFile)
if err != nil { if err != nil {
t.Fatal(err) t.Fatal(err)

View File

@ -38,12 +38,14 @@ type SidhParams struct {
PublicKeySize int PublicKeySize int
// The shared secret size, in bytes. // The shared secret size, in bytes.
SharedSecretSize int SharedSecretSize int
// Defines A,C constant for starting curve Cy^2 = x^3 + Ax^2 + x
InitCurve ProjectiveCurveParameters
// 2- and 3-torsion group parameter definitions // 2- and 3-torsion group parameter definitions
A, B DomainParams A, B DomainParams
// Precomputed identity element in the Fp2 in Montgomery domain
OneFp2 Fp2
// Precomputed 1/2 in the Fp2 in Montgomery domain // Precomputed 1/2 in the Fp2 in Montgomery domain
HalfFp2 Fp2 HalfFp2 Fp2
// Precomputed identity element in the Fp2 in Montgomery domain
OneFp2 Fp2
// Length of SIKE secret message. Must be one of {24,32,40}, // Length of SIKE secret message. Must be one of {24,32,40},
// depending on size of prime field used (see [SIKE], 1.4 and 5.1) // depending on size of prime field used (see [SIKE], 1.4 and 5.1)
MsgLen int MsgLen int