package sike import ( "bufio" "bytes" "crypto/rand" "encoding/hex" "io" "math/big" "os" "strings" "testing" ) var tdata = struct { name string katFile string PrB_sidh string PkB_sidh string PkB_sike string PrB_sike string PrA_sike string PkA_sike string }{ name: "SIKEp503", katFile: "etc/PQCkemKAT_434.rsp", PrB_sidh: "8626ED79D451140800E03B59B956F8210E556067407D13DC90FA9E8B872BFB0F", PkB_sidh: "05279D27FF7E3A38ABB05DCFE23B5831C030D832D3EAE35FE06A6538597532D22A0F4012FB2263E160495F8291B58D9DF8A8947C7CF3E6735520BB2D094912408829851AC4B85AA922069F2AAA0A4827DFA4730E9CF05485CBEE411C3D5169DD4953746B6A2E6574957EF920596B1612BE62A883740B5A0C157117AE1C3A07E4CE8CCCE7E9E88FE7C20A507FF019AE0893F34303E173D291F6CB7ECB4C3901FF34A48DE40771F5BAD72DA2B4C1CFD0A61F33E39327A8DA60F5640D4C2E71EF9C7297A4E9BC50493E3BA65D3664610A6D61035CB6600378D017D1E1810ACD113252D60F5915749C2B5CFB4452C40C86F1F40C63297DCCA900686F2D2266F9444539D9BA13B1F52FB2FC3BD4F3EDAA6EB707AAFCA5261EA271ED961B2ED195D5E3B0299179251866CE0EAA31C5C90B7999A8D63BA2DE84A8AFA19F11F2DC0CACA39B982CE053F71D269931D9EE26BCE592A8EA818553BC8F8D244F62FB4F5E5386E3EFF5CD231401C9EC2BA57FF42DC3B3791357A53E1E31394008", PrA_sike: "003271531CF27285B8721ED5CB46853043B346A66CBA6CF765F1B0EAA40BF602", PkA_sike: "A4B4F6EBE68ADD27A491753D258165D65460C876920851C89D5B7D8063E7D9A0523F20DDE236B818FA3E6C07A66C9DB9F019DCAA340D4DE6FDCFFE2B189903EF8FC41A8502E7A4E6AF99D8A712CB4A17D96AF139B8810C7E8ED4F7B7DE2EDC7E53F964399FD4C4CC54F843F7A07A3CA0D5732E4EBC7499DE5414E5BF70148B7D4C318A2172F18BF0E6BEEAEBBDFAA0854CAFC2740C812A7B44040C2774FABBF300EDFC0935DBC5ABF30E73F2F3397020FB7552DFF3022F77FD0EDA5827D168E61D488C1F2CE9FA6F47A14956B4CD64CACEEEDED4AFE28B2578D595B121019E95FA3D8F1B6CF3B515FF93C18A2A50212404862E228DB176CD1BC3B1254C97503E69BA6024C442ADD4F8912124F6D06FA8F95ACBCD235D2608AE204FC0C2B65B4EA569919A7BB4C9372867F2B6346560B0324F9D337634948579E414283CDE779793C1D65BFD8FEBBE1E7C85E82D0290C4435ED77818A47C9573F5F74B46251176A46E02E65C967C06B3994F27578235CC7508FE00D5DE2AD7A514", PrB_sike: "4B622DE1350119C45A9F2E2EF3DC5DF50A759D138CDFBD64E82FCC97CA60CCB27BF6938C975658AEB8B4D37CFFBDE25D97E561F36C219A0E", PkB_sike: "4EC46509AB1C547BDF2311B3AF82FCD25A83D154D9649C0D1A7F1E4D174BE9ED44F4B8AD2160FF43D4B94E65BE5A64DA3B8D5B63A02C3DCD376BB24122E03C3F09F4253E6F117999D0359F6BAB94F38BDB4B681EE09351483380EA4839E7808F8DF11C9A01DBC9D4C61075F3FF39B444679A8F3BEAE4BD47BE5B3A4D4B0F44F44BC8AB1B40E91852605F92860F6B4E627E8F7B00168CED2BA9D86865A5314E32E39B15E2021790CECA67A47959915E5C9717C96A055ADA061921F15306E4600751E984DA5FBC72E5F4E7B1182F60109DDD50C04A7A8D4281121AECD824730F38BE81A9D59B480DE44EB6CFC93436000C6E302B710FE3C24E6E6E0A371DF2B81CFBB37EDBD739926DBBE95A81D90DA22A7A5DF0DEE13031B7DE91504F45E20F0F15B24931A5D41EE48FA84F11D9F33B1F5BF315B355FAC0AB40C702190C190489DDA7B8715E680CE0DE4BFB50D78290C1A4C29F7C776597D9FB6C1DE65E150FAD46DF3CF38BDB22493697A2307A121B67C90B04C0809E1C8CA916", } /* ------------------------------------------------------------------------- Helpers -------------------------------------------------------------------------*/ // Fail if err !=nil. Display msg as an error message func checkErr(t testing.TB, err error, msg string) { t.Helper() if err != nil { t.Error(msg) } } // Utility used for running same test with all registered prime fields type MultiIdTestingFunc func(testing.TB) // Converts string to private key func convToPrv(s string, v KeyVariant) *PrivateKey { key := NewPrivateKey(v) hex, e := hex.DecodeString(s) if e != nil { panic("non-hex number provided") } e = key.Import(hex) if e != nil { panic("Can't import private key") } return key } // Converts string to public key func convToPub(s string, v KeyVariant) *PublicKey { key := NewPublicKey(v) hex, e := hex.DecodeString(s) if e != nil { panic("non-hex number provided") } e = key.Import(hex) if e != nil { panic("Can't import public key") } return key } /* ------------------------------------------------------------------------- Unit tests -------------------------------------------------------------------------*/ func TestKeygen(t *testing.T) { var keyExp, keyGot [63 * 2 * 3]byte alicePrivate := convToPrv(tdata.PrA_sike, KeyVariant_SIDH_A) bobPrivate := convToPrv(tdata.PrB_sidh, KeyVariant_SIDH_B) expPubA := convToPub(tdata.PkA_sike, KeyVariant_SIDH_A) expPubB := convToPub(tdata.PkB_sidh, KeyVariant_SIDH_B) pubA := NewPublicKey(KeyVariant_SIDH_A) alicePrivate.GeneratePublicKey(pubA) pubB := NewPublicKey(KeyVariant_SIDH_B) bobPrivate.GeneratePublicKey(pubB) pubA.Export(keyExp[:]) expPubA.Export(keyGot[:]) if !bytes.Equal(keyExp[:], keyGot[:]) { t.Fatalf("unexpected value of public key A [\nGot: %X\nExp: %X]\n", keyGot, keyExp) } for i, _ := range keyExp { keyExp[i] = 0 keyGot[i] = 0 } pubB.Export(keyExp[:]) expPubB.Export(keyGot[:]) if !bytes.Equal(keyExp[:], keyGot[:]) { t.Fatalf("unexpected value of public key B [\nGot: %X\nExp: %X]\n", keyGot, keyExp) } } func TestImportExport(t *testing.T) { var err error var aBytes, bBytes [126 * 3]byte a := NewPublicKey(KeyVariant_SIDH_A) b := NewPublicKey(KeyVariant_SIDH_B) // Import keys aHex, err := hex.DecodeString(tdata.PkA_sike) checkErr(t, err, "invalid hex-number provided") err = a.Import(aHex) checkErr(t, err, "import failed") bHex, err := hex.DecodeString(tdata.PkB_sike) checkErr(t, err, "invalid hex-number provided") err = b.Import(bHex) checkErr(t, err, "import failed") a.Export(aBytes[:]) b.Export(bBytes[:]) // Export and check if same if !bytes.Equal(bBytes[:], bHex) || !bytes.Equal(aBytes[:], aHex) { t.Fatalf("export/import failed") } if (len(bBytes) != b.Size()) || (len(aBytes) != a.Size()) { t.Fatalf("wrong size of exported keys") } } func testPrivateKeyBelowMax(t testing.TB) { for variant, keySz := range map[KeyVariant]*DomainParams{ KeyVariant_SIDH_A: &Params.A, KeyVariant_SIDH_B: &Params.B} { func(v KeyVariant, dp *DomainParams) { var blen = int(dp.SecretByteLen) var prv = NewPrivateKey(v) var secretBytes = make([]byte, prv.Size()) // Calculate either (2^e2 - 1) or (2^s - 1); where s=ceil(log_2(3^e3))) maxSecertVal := big.NewInt(int64(dp.SecretBitLen)) maxSecertVal.Exp(big.NewInt(int64(2)), maxSecertVal, nil) maxSecertVal.Sub(maxSecertVal, big.NewInt(1)) // Do same test 1000 times for i := 0; i < 1000; i++ { err := prv.Generate(rand.Reader) checkErr(t, err, "Private key generation") // Convert to big-endian, as that's what expected by (*Int)SetBytes() prv.Export(secretBytes) for i := 0; i < int(blen/2); i++ { tmp := secretBytes[i] ^ secretBytes[blen-i-1] secretBytes[i] = tmp ^ secretBytes[i] secretBytes[blen-i-1] = tmp ^ secretBytes[blen-i-1] } prvBig := new(big.Int).SetBytes(secretBytes) // Check if generated key is bigger then acceptable if prvBig.Cmp(maxSecertVal) == 1 { t.Error("Generated private key is wrong") } } }(variant, keySz) } } func testKeyAgreement(t *testing.T, pkA, prA, pkB, prB string) { var e error var s1, s2 [126 * 3]byte // KeyPairs alicePublic := convToPub(pkA, KeyVariant_SIDH_A) bobPublic := convToPub(pkB, KeyVariant_SIDH_B) alicePrivate := convToPrv(prA, KeyVariant_SIDH_A) bobPrivate := convToPrv(prB, KeyVariant_SIDH_B) // Do actual test e = DeriveSecret(s1[:], bobPrivate, alicePublic) checkErr(t, e, "derivation s1") e = DeriveSecret(s2[:], alicePrivate, bobPublic) checkErr(t, e, "derivation s1") if !bytes.Equal(s1[:], s2[:]) { t.Fatalf("two shared keys: %d, %d do not match", s1, s2) } // Negative case dec, e := hex.DecodeString(tdata.PkA_sike) if e != nil { t.FailNow() } dec[0] = ^dec[0] e = alicePublic.Import(dec) if e != nil { t.FailNow() } e = DeriveSecret(s1[:], bobPrivate, alicePublic) checkErr(t, e, "derivation of s1 failed") e = DeriveSecret(s2[:], alicePrivate, bobPublic) checkErr(t, e, "derivation of s2 failed") if bytes.Equal(s1[:], s2[:]) { t.Fatalf("The two shared keys: %d, %d match", s1, s2) } } func TestDerivationRoundTrip(t *testing.T) { var err error var s1, s2 [126 * 3]byte pubA := NewPublicKey(KeyVariant_SIDH_A) prvA := NewPrivateKey(KeyVariant_SIDH_A) pubB := NewPublicKey(KeyVariant_SIDH_B) prvB := NewPrivateKey(KeyVariant_SIDH_B) // Generate private keys err = prvA.Generate(rand.Reader) checkErr(t, err, "key generation failed") err = prvB.Generate(rand.Reader) checkErr(t, err, "key generation failed") // Generate public keys prvA.GeneratePublicKey(pubA) prvB.GeneratePublicKey(pubB) // Derive shared secret err = DeriveSecret(s1[:], prvB, pubA) checkErr(t, err, "") err = DeriveSecret(s2[:], prvA, pubB) checkErr(t, err, "") if !bytes.Equal(s1[:], s2[:]) { t.Fatalf("Two shared keys: \n%X, \n%X do not match", s1, s2) } } // encrypt, decrypt, check if input/output plaintext is the same func TestPKERoundTrip(t *testing.T) { // Message to be encrypted var msg = make([]byte, Params.MsgLen) var ct = make([]byte, kemSikeP503.CiphertextSize()) for i, _ := range msg { msg[i] = byte(i) } // Import keys pkB := NewPublicKey(KeyVariant_SIKE) skB := NewPrivateKey(KeyVariant_SIKE) pk_hex, err := hex.DecodeString(tdata.PkB_sike) if err != nil { t.Fatal(err) } sk_hex, err := hex.DecodeString(tdata.PrB_sike) if err != nil { t.Fatal(err) } if pkB.Import(pk_hex) != nil || skB.Import(sk_hex) != nil { t.Error("Import") } err = encrypt(ct, rand.Reader, pkB, msg[:]) if err != nil { t.Fatal(err) } var pt [40]byte pt_len, err := decrypt(pt[:], skB, ct) if err != nil { t.Fatal(err) } if !bytes.Equal(pt[:pt_len], msg[:]) { t.Errorf("Decryption failed \n got : %X\n exp : %X", pt[:pt_len], msg) } } // Generate key and check if can encrypt func TestPKEKeyGeneration(t *testing.T) { // Message to be encrypted var msg = make([]byte, Params.MsgLen) var ct = make([]byte, kemSikeP503.CiphertextSize()) var err error for i, _ := range msg { msg[i] = byte(i) } sk := NewPrivateKey(KeyVariant_SIKE) err = sk.Generate(rand.Reader) checkErr(t, err, "PEK key generation") pk := NewPublicKey(KeyVariant_SIKE) sk.GeneratePublicKey(pk) // Try to encrypt err = encrypt(ct, rand.Reader, pk, msg[:]) checkErr(t, err, "PEK encryption") var pt [40]byte pt_len, err := decrypt(pt[:], sk, ct) checkErr(t, err, "PEK key decryption") if !bytes.Equal(pt[:pt_len], msg[:]) { t.Fatalf("Decryption failed \n got : %X\n exp : %X", pt, msg) } } func TestNegativePKE(t *testing.T) { var msg [40]byte var err error var ct = make([]byte, kemSikeP503.CiphertextSize()) // Generate key pk := NewPublicKey(KeyVariant_SIKE) sk := NewPrivateKey(KeyVariant_SIKE) err = sk.Generate(rand.Reader) checkErr(t, err, "key generation") sk.GeneratePublicKey(pk) // bytelen(msg) - 1 err = encrypt(ct, rand.Reader, pk, msg[:Params.KemSize+8-1]) if err == nil { t.Fatal("Error hasn't been returned") } for _, v := range ct { if v != 0 { t.Fatal("Returned ciphertext must be not changed") } } // KemSize - 1 var pt [40]byte pt_len, err := decrypt(pt[:], sk, msg[:Params.KemSize+8-1]) if err == nil { t.Fatal("Error hasn't been returned") } if pt_len != 0 { t.Fatal("Ciphertext must be nil") } } func testKEMRoundTrip(t *testing.T, pkB, skB []byte) { ct := make([]byte, kemSikeP503.CiphertextSize()) ss_e := make([]byte, kemSikeP503.SharedSecretSize()) ss_d := make([]byte, kemSikeP503.SharedSecretSize()) // Import keys pk := NewPublicKey(KeyVariant_SIKE) sk := NewPrivateKey(KeyVariant_SIKE) if pk.Import(pkB) != nil || sk.Import(skB) != nil { t.Error("Import failed") } checkErr(t, kemSikeP503.Encapsulate(ct, ss_e, pk), "error: Encapsulation during round-trip") checkErr(t, kemSikeP503.Decapsulate(ss_d, sk, pk, ct), "error: Decapsulation during round-trip") if !bytes.Equal(ss_e, ss_d) { t.Errorf("Shared secrets from decapsulation and encapsulation differ\nEncaps: %X\nDecaps: %X\n", ss_e, ss_d) } } func TestKEMRoundTrip(t *testing.T) { pk, err := hex.DecodeString(tdata.PkB_sike) checkErr(t, err, "public key B not a number") sk, err := hex.DecodeString(tdata.PrB_sike) checkErr(t, err, "private key B not a number") testKEMRoundTrip(t, pk, sk) } func TestKEMKeyGeneration(t *testing.T) { ct := make([]byte, kemSikeP503.CiphertextSize()) ss_e := make([]byte, kemSikeP503.SharedSecretSize()) ss_d := make([]byte, kemSikeP503.SharedSecretSize()) // Generate key pk := NewPublicKey(KeyVariant_SIKE) sk := NewPrivateKey(KeyVariant_SIKE) checkErr(t, sk.Generate(rand.Reader), "error: key generation") sk.GeneratePublicKey(pk) // calculated shared secret checkErr(t, kemSikeP503.Encapsulate(ct, ss_e, pk), "encapsulation failed") checkErr(t, kemSikeP503.Decapsulate(ss_d, sk, pk, ct), "decapsulation failed") if !bytes.Equal(ss_e, ss_d) { t.Fatalf("KEM failed \n encapsulated: %X\n decapsulated: %X", ss_d, ss_e) } } func TestNegativeKEM(t *testing.T) { ct := make([]byte, kemSikeP503.CiphertextSize()) ss_e := make([]byte, kemSikeP503.SharedSecretSize()) ss_d := make([]byte, kemSikeP503.SharedSecretSize()) pk := NewPublicKey(KeyVariant_SIKE) sk := NewPrivateKey(KeyVariant_SIKE) checkErr(t, sk.Generate(rand.Reader), "error: key generation") sk.GeneratePublicKey(pk) checkErr(t, kemSikeP503.Encapsulate(ct, ss_e, pk), "pre-requisite for a test failed") ct[0] = ct[0] - 1 checkErr(t, kemSikeP503.Decapsulate(ss_d, sk, pk, ct), "decapsulation returns error when invalid ciphertext provided") if bytes.Equal(ss_e[:], ss_d) { // no idea how this could ever happen, but it would be very bad t.Error("critical error") } // Try encapsulating with SIDH key pkSidh := NewPublicKey(KeyVariant_SIDH_B) prSidh := NewPrivateKey(KeyVariant_SIDH_B) err := kemSikeP503.Encapsulate(ct, ss_e, pkSidh) if err == nil { t.Error("encapsulation accepts SIDH public key") } // Try decapsulating with SIDH key err = kemSikeP503.Decapsulate(ss_e, prSidh, pk, ct) if err == nil { t.Error("decapsulation accepts SIDH private key key") } } // In case invalid ciphertext is provided, SIKE's decapsulation must // return same (but unpredictable) result for a given key. func TestNegativeKEMSameWrongResult(t *testing.T) { ct := make([]byte, kemSikeP503.CiphertextSize()) ss_e := make([]byte, kemSikeP503.SharedSecretSize()) ss_d1 := make([]byte, kemSikeP503.SharedSecretSize()) ss_d2 := make([]byte, kemSikeP503.SharedSecretSize()) sk := NewPrivateKey(KeyVariant_SIKE) pk := NewPublicKey(KeyVariant_SIKE) // generate keys checkErr(t, sk.Generate(rand.Reader), "error: key generation") sk.GeneratePublicKey(pk) checkErr(t, kemSikeP503.Encapsulate(ct, ss_e, pk), "pre-requisite for a test failed") // make ciphertext wrong ct[0] = ct[0] - 1 checkErr(t, kemSikeP503.Decapsulate(ss_d1, sk, pk, ct), "pre-requisite for a test failed") // second decapsulation must be done with same, but imported private key var expSk = make([]byte, sk.Size()) sk.Export(expSk) // creat new private key sk = NewPrivateKey(KeyVariant_SIKE) checkErr(t, sk.Import(expSk), "import failed") // try decapsulating again. ss2 must be same as ss1 and different than // original plaintext checkErr(t, kemSikeP503.Decapsulate(ss_d2, sk, pk, ct), "pre-requisite for a test failed") if !bytes.Equal(ss_d1, ss_d2) { t.Error("decapsulation is insecure") } if bytes.Equal(ss_e, ss_d1) || bytes.Equal(ss_e, ss_d2) { // this test requires that decapsulation returns wrong result t.Errorf("test implementation error") } } func testKeygen(t *testing.T, pk, sk []byte) { var pubKeyBytes [126 * 3]byte // Import provided private key var prvKey = NewPrivateKey(KeyVariant_SIKE) if prvKey.Import(sk) != nil { panic("sike test: can't load KAT") } // Generate public key pubKey := NewPublicKey(KeyVariant_SIKE) prvKey.GeneratePublicKey(pubKey) pubKey.Export(pubKeyBytes[:]) if !bytes.Equal(pubKeyBytes[:], pk) { t.Fatalf("KAT keygen form private failed\nExp: %X\nGot: %X\n", pubKeyBytes[:], pk) } } func TestKeyAgreement(t *testing.T) { testKeyAgreement(t, tdata.PkA_sike, tdata.PrA_sike, tdata.PkB_sidh, tdata.PrB_sidh) } // Same values as in sike_test.cc func TestDecapsulation(t *testing.T) { var sk = [56]byte{ 0xDB, 0xAF, 0x2C, 0x89, 0xCA, 0x5A, 0xD4, 0x9D, 0x4F, 0x13, 0x40, 0xDF, 0x2D, 0xB1, 0x5F, 0x4C, 0x91, 0xA7, 0x1F, 0x0B, 0x29, 0x15, 0x01, 0x59, 0xBC, 0x5F, 0x0B, 0x4A, 0x03, 0x27, 0x6F, 0x18} var pk = []byte{ 0xCA, 0x38, 0x7A, 0x45, 0xF8, 0xA7, 0xFB, 0xE5, 0x97, 0xB0, 0x5B, 0xE4, 0x95, 0xDC, 0x38, 0xFA, 0xFC, 0x9B, 0xB3, 0xD1, 0x79, 0xF8, 0x7D, 0x54, 0x0A, 0xD9, 0xE0, 0x64, 0xE3, 0xED, 0x4D, 0x23, 0xD2, 0x86, 0x0D, 0x84, 0x0C, 0x44, 0x14, 0xE4, 0x6B, 0xB9, 0x35, 0xBA, 0x70, 0x2A, 0x90, 0x92, 0xAA, 0x90, 0x34, 0x81, 0x9F, 0xC7, 0x99, 0xD5, 0xB2, 0x2D, 0xD0, 0xBE, 0xC9, 0x3B, 0x25, 0x8F, 0x49, 0x18, 0xFE, 0xDB, 0xE3, 0x60, 0x04, 0x89, 0xB3, 0xC8, 0x8D, 0x2C, 0xC3, 0x35, 0x79, 0x45, 0x56, 0x03, 0x3C, 0xA2, 0x93, 0xDC, 0xE1, 0x1E, 0x98, 0x50, 0xB1, 0x65, 0xB9, 0x71, 0x8E, 0xB2, 0xBF, 0x93, 0x06, 0xDF, 0x55, 0xE3, 0xC9, 0xF9, 0x53, 0xB4, 0x05, 0x70, 0xF3, 0x7D, 0xE1, 0xE8, 0x78, 0x46, 0x93, 0x80, 0xBD, 0xBA, 0x7A, 0xE7, 0x66, 0x67, 0x6D, 0x99, 0xAD, 0x02, 0x5E, 0xD2, 0xFE, 0x59, 0x09, 0xB5, 0xF7, 0xB1, 0x60, 0x04, 0x59, 0x74, 0x21, 0x09, 0x66, 0x6A, 0x2C, 0x94, 0xAC, 0x78, 0x7F, 0xA5, 0x4E, 0x58, 0x07, 0xC4, 0xF2, 0x3F, 0x9C, 0x3E, 0xAB, 0x68, 0x83, 0xC4, 0x8C, 0x3C, 0xBB, 0x1B, 0x41, 0xBE, 0x26, 0x7C, 0xD0, 0xB1, 0xA8, 0xED, 0x3B, 0xA5, 0xD2, 0xAE, 0x4A, 0x44, 0xF8, 0xD6, 0x31, 0xB4, 0x06, 0x78, 0x61, 0x3C, 0xBA, 0xE8, 0x1A, 0x20, 0xF7, 0xE8, 0x11, 0x7D, 0x2C, 0xBC, 0xE6, 0x29, 0xD1, 0x73, 0xCC, 0x68, 0x5A, 0x4A, 0x6F, 0x43, 0x4C, 0x6E, 0xEC, 0xB8, 0x16, 0x9A, 0xE1, 0x82, 0x37, 0xC2, 0xAE, 0xD7, 0x2A, 0xD6, 0xCC, 0x19, 0x6C, 0x9E, 0xD1, 0xBD, 0x6C, 0x74, 0x9A, 0x4C, 0xA3, 0x6C, 0x4A, 0xAA, 0xB5, 0x99, 0x5F, 0xE9, 0x68, 0x0F, 0x73, 0x2B, 0x44, 0x7D, 0x66, 0x4E, 0x63, 0x3C, 0x32, 0xEC, 0x20, 0x03, 0xFF, 0xBE, 0xF3, 0x08, 0x0F, 0x11, 0xE2, 0x4B, 0xF1, 0xD5, 0x12, 0xE2, 0x52, 0x66, 0x19, 0xE4, 0x8B, 0xA4, 0x7E, 0x7F, 0x60, 0x27, 0x3B, 0x78, 0x6C, 0xC5, 0xBF, 0x58, 0x6F, 0xFE, 0x05, 0xFC, 0x25, 0xF4, 0x12, 0x68, 0xAB, 0xA3, 0x32, 0x75, 0x6A, 0x6A, 0xA6, 0x4E, 0x36, 0x42, 0x20, 0x17, 0x2E, 0xBE, 0x7A, 0x0F, 0x78, 0x63, 0x3E, 0x5D, 0xBC, 0xB4, 0xA0, 0xAC, 0xF3, 0xFE, 0x33, 0x49, 0x08, 0x62, 0xDC, 0x39, 0xFF, 0xFD, 0x83, 0x02, 0x10, 0x8A, 0x86, 0xD7, 0x62, 0xE5, 0xF2, 0x98, 0x7F, 0x8D, 0x79, 0x6A, 0xC4, 0x88, 0xD2, 0x84, 0xC7, 0x3B, 0xEB, 0xC1, 0x6A, 0xE0, 0x7F, 0x42, 0x92, 0x25, 0x0F, 0xA0, 0x35, 0xA5, 0xEF, 0x98, 0x4D, 0x41, 0xC5, 0x25, 0x77, 0x35, 0x36, 0xA9, 0x0B, 0xAB, 0x43, 0x0C, 0x6C, 0xF1, 0x31, 0x56, 0x17, 0x82, 0xD7, 0x00, 0x62, 0x1F, } var ct = []byte{ 0x7B, 0x1B, 0x9E, 0xFC, 0x2B, 0x63, 0x7A, 0x71, 0x19, 0x3A, 0xAE, 0xC3, 0xDB, 0xEC, 0x20, 0x18, 0x27, 0x16, 0x64, 0xBF, 0xE5, 0x5F, 0x48, 0x75, 0xA1, 0xAE, 0xF1, 0x92, 0x40, 0x77, 0xB5, 0xF0, 0x85, 0x69, 0x8E, 0x02, 0x1A, 0x64, 0x94, 0x89, 0xA0, 0xEE, 0xDA, 0xDB, 0x07, 0xE5, 0xE5, 0xFF, 0xE7, 0x01, 0x5F, 0x5E, 0xC7, 0xD3, 0x3B, 0x27, 0xE1, 0x13, 0x9C, 0x01, 0x33, 0x44, 0x35, 0x67, 0xEA, 0x14, 0xFE, 0x74, 0x03, 0x9F, 0xD5, 0xE9, 0x3E, 0x58, 0x4A, 0xE3, 0xC2, 0x32, 0x22, 0x7A, 0x80, 0xA0, 0x18, 0x3A, 0x31, 0xAB, 0xBE, 0x63, 0xD0, 0xA2, 0xAB, 0x22, 0x28, 0x93, 0x17, 0x70, 0x79, 0x37, 0x4C, 0x55, 0xC4, 0xCB, 0x0F, 0x0D, 0x21, 0xBC, 0x35, 0x6F, 0x35, 0x04, 0x03, 0x5C, 0x23, 0xF6, 0x93, 0x4C, 0x98, 0x2D, 0x28, 0xB2, 0x4D, 0x43, 0xA4, 0x27, 0xFD, 0x38, 0x70, 0x27, 0x2F, 0x46, 0xA1, 0x25, 0x07, 0x86, 0x3A, 0x85, 0x50, 0x2E, 0x6B, 0x51, 0x58, 0x8D, 0xE5, 0x52, 0xA4, 0x44, 0x1E, 0x7D, 0x3A, 0x9B, 0x64, 0x89, 0xC8, 0x4F, 0x1C, 0x18, 0x98, 0xF5, 0xFE, 0x7F, 0xCA, 0x3A, 0x84, 0x7C, 0x53, 0xA7, 0xA1, 0xF6, 0xB1, 0xB2, 0xB5, 0xBC, 0xA5, 0x58, 0x31, 0xD4, 0xB2, 0x2E, 0x1D, 0xDE, 0x3A, 0xD5, 0xB9, 0x70, 0xA3, 0xE6, 0xE9, 0x2C, 0x39, 0xF6, 0xB5, 0x89, 0xDD, 0x14, 0x91, 0x31, 0x26, 0xE0, 0xAE, 0x66, 0x30, 0x3A, 0x59, 0x57, 0xA3, 0xFF, 0xC1, 0x1F, 0x3B, 0xB8, 0xA9, 0x9A, 0xB0, 0xAE, 0x2D, 0x70, 0x43, 0x38, 0x58, 0xF1, 0xD5, 0xFC, 0x29, 0x6A, 0x49, 0xD3, 0x2E, 0x57, 0xA7, 0x16, 0x7A, 0x2A, 0x06, 0x00, 0x39, 0x67, 0xCB, 0xA8, 0xB4, 0x26, 0xC3, 0x4B, 0xD5, 0x15, 0x83, 0x95, 0xD9, 0xCC, 0x50, 0x1A, 0x23, 0x00, 0xFF, 0xFE, 0x00, 0xFC, 0x99, 0x28, 0x38, 0xE8, 0x60, 0xF0, 0xFD, 0x12, 0xD3, 0x22, 0x26, 0x8E, 0x1F, 0xED, 0x11, 0x23, 0xB3, 0x56, 0x2A, 0x94, 0xE0, 0x1A, 0xE1, 0x25, 0x6B, 0x1C, 0x5A, 0xB0, 0x15, 0xA8, 0xA5, 0xF8, 0x76, 0xA9, 0x1F, 0x4E, 0xF1, 0x01, 0xC5, 0x12, 0x25, 0x8C, 0x1C, 0x10, 0x02, 0xAF, 0x0E, 0x5E, 0xAC, 0x67, 0x84, 0x35, 0x98, 0xDD, 0x99, 0x44, 0x15, 0x3B, 0x03, 0x41, 0x37, 0x10, 0x1F, 0x3A, 0x36, 0xFF, 0x0A, 0x47, 0xCA, 0x22, 0xA4, 0x36, 0xEB, 0x4C, 0x7D, 0x9B, 0x9A, 0xBD, 0x13, 0x4C, 0x5A, 0x0E, 0xCD, 0x35, 0xB3, 0x3A, 0xA7, 0x15, 0xFD, 0xEC, 0xEE, 0x37, 0x21, 0x25, 0xB4, 0xCC, 0x20, 0x07, 0x7F, 0xA7, 0x9F, 0x0F, 0x97, 0x3C, 0x26, 0x10, 0xE1, 0xE9, 0x3A, 0xF7, 0x53, 0x43, 0xC4, 0xCA, 0x97, 0x54, 0x13, 0x59, 0x24, 0x72, 0xE3, 0x1D, 0xE7, 0x00, 0x09, 0x61, 0x29, 0x5A, 0x53, 0x14, 0x5F, 0xAA, 0xF6, 0x6A, 0xFA, 0x72, 0xCA, 0x79, 0xC6, 0xA4, 0x9B, 0xEF, 0xE5, 0x69, 0x9E, 0x66, } var ss_exp = [24]byte{ 0x0F, 0x7E, 0x5A, 0x52, 0x19, 0x9E, 0x77, 0x87, 0x2E, 0x93, 0x3A, 0xCB, 0x13, 0xD7, 0x96, 0xD6, 0x76, 0x27, 0xA6, 0x27, 0xE9, 0x1D, 0xD4, 0x2A, } var prvObj = NewPrivateKey(KeyVariant_SIKE) var pubObj = NewPublicKey(KeyVariant_SIKE) if pubObj.Import(pk) != nil || prvObj.Import(sk[:]) != nil { t.Error("Can't import one of the keys") } res := make([]byte, kemSikeP503.SharedSecretSize()) checkErr(t, kemSikeP503.Decapsulate(res, prvObj, pubObj, ct), "error: Decapsulation failed") if !bytes.Equal(ss_exp[:], res) { t.Error("Wrong decapsulation result") } } func readAndCheckLine(r *bufio.Reader) []byte { // Read next line from buffer line, isPrefix, err := r.ReadLine() if err != nil || isPrefix { panic("Wrong format of input file") } // Function expects that line is in format "KEY = HEX_VALUE". Get // value, which should be a hex string hexst := strings.Split(string(line), "=")[1] hexst = strings.TrimSpace(hexst) // Convert value to byte string ret, err := hex.DecodeString(hexst) if err != nil { panic("Wrong format of input file") } return ret } func TestKAT(t *testing.T) { ssGot := make([]byte, kemSikeP503.SharedSecretSize()) testDecapsulation := func(t *testing.T, pk, sk, ct, ssExpected []byte) { var pubKey = NewPublicKey(KeyVariant_SIKE) var prvKey = NewPrivateKey(KeyVariant_SIKE) if pubKey.Import(pk) != nil || prvKey.Import(sk) != nil { panic("sike test: can't load KAT") } err := kemSikeP503.Decapsulate(ssGot, prvKey, pubKey, ct) if err != nil { panic("sike test: can't perform degcapsulation KAT") } if (err != nil) || !bytes.Equal(ssGot, ssExpected) { t.Fatalf("KAT decapsulation failed\n") } } f, err := os.Open(tdata.katFile) if err != nil { t.Fatal(err) } r := bufio.NewReader(f) for { line, isPrefix, err := r.ReadLine() if err != nil || isPrefix { if err == io.EOF { break } else { t.Fatal(err) } } if len(strings.TrimSpace(string(line))) == 0 || line[0] == '#' { continue } // count _ = strings.Split(string(line), "=")[1] // seed _ = readAndCheckLine(r) // pk pk := readAndCheckLine(r) // sk (secret key in test vector is concatenation of // MSG + SECRET_BOB_KEY + PUBLIC_BOB_KEY. We use only MSG+SECRET_BOB_KEY sk := readAndCheckLine(r) sk = sk[:Params.MsgLen+int(Params.B.SecretByteLen)] // ct ct := readAndCheckLine(r) // ss ss := readAndCheckLine(r) testKeygen(t, pk, sk) testDecapsulation(t, pk, sk, ct, ss) testKEMRoundTrip(t, pk, sk) } } /* ------------------------------------------------------------------------- Benchmarking -------------------------------------------------------------------------*/ func BenchmarkKeygen(b *testing.B) { pk := NewPublicKey(KeyVariant_SIKE) prv := NewPrivateKey(KeyVariant_SIKE) prv.Generate(rand.Reader) for n := 0; n < b.N; n++ { prv.GeneratePublicKey(pk) } } func BenchmarkEncaps(b *testing.B) { pub := NewPublicKey(KeyVariant_SIKE) prv := NewPrivateKey(KeyVariant_SIKE) if prv.Generate(rand.Reader) != nil { b.FailNow() } prv.GeneratePublicKey(pub) var ct [24 + 378]byte var ss [16]byte for n := 0; n < b.N; n++ { kemSikeP503.Reset() kemSikeP503.Encapsulate(ct[:], ss[:], pub) } } func BenchmarkDecaps(b *testing.B) { var ct [24 + 378]byte var ss [16]byte pkA := NewPublicKey(KeyVariant_SIKE) prvA := NewPrivateKey(KeyVariant_SIKE) pkB := NewPublicKey(KeyVariant_SIKE) prvB := NewPrivateKey(KeyVariant_SIKE) if prvA.Generate(rand.Reader) != nil || prvB.Generate(rand.Reader) != nil { b.FailNow() } prvA.GeneratePublicKey(pkA) prvB.GeneratePublicKey(pkB) err := kemSikeP503.Encapsulate(ct[:], ss[:], pkA) if err != nil { b.FailNow() } for n := 0; n < b.N; n++ { kemSikeP503.Decapsulate(ss[:], prvA, pkB, ct[:]) } } var kemSikeP503 KEM func init() { kemSikeP503.Allocate(rand.Reader) }