25개 이상의 토픽을 선택하실 수 없습니다. Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

754 lines
23 KiB

  1. package sike
  2. import (
  3. "bufio"
  4. "bytes"
  5. "crypto/rand"
  6. "encoding/hex"
  7. "io"
  8. "math/big"
  9. "os"
  10. "strings"
  11. "testing"
  12. )
  13. var tdata = struct {
  14. name string
  15. katFile string
  16. PrA_sidh string
  17. PkA_sidh string
  18. PrB_sidh string
  19. PkB_sidh string
  20. PkB_sike string
  21. PrB_sike string
  22. }{
  23. name: "SIKEp434",
  24. katFile: "etc/PQCkemKAT_374.rsp",
  25. PrA_sidh: "3A727E04EA9B7E2A766A6F846489E7E7B915263BCEED308BB10FC900",
  26. PkA_sidh: "9E668D1E6750ED4B91EE052C32839CA9DD2E56D52BC24DECC950AAAD24CEED3F9049C77FE80F0B9B01E7F8DAD7833EEC2286544D6380009C379CDD3E7517CEF5E20EB01F8231D52FC30DC61D2F63FB357F85DC6396E8A95DB9740BD3A972C8DB7901B31F074CD3E45345CA78F900817130E688A29A7CF0073B5C00FF2C65FBE776918EF9BD8E75B29EF7FAB791969B60B0C5B37A8992EDEF95FA7BAC40A95DAFE02E237301FEE9A7A43FD0B73477E8035DD12B73FAFEF18D39904DDE3653A754F36BE1888F6607C6A7951349A414352CF31A29F2C40302DB406C48018C905EB9DC46AFBF42A9187A9BB9E51B587622A2862DC7D5CC598BF38ED6320FB51D8697AD3D7A72ABCC32A393F0133DA8DF5E253D9E00B760B2DF342FCE974DCFE946CFE4727783531882800F9E5DD594D6D5A6275EEFEF9713ED838F4A06BB34D7B8D46E0B385AAEA1C7963601",
  27. PrB_sidh: "E37BFE55B43B32448F375903D8D226EC94ADBFEA1D2B3536EB987001",
  28. PkB_sidh: "C9F73E4497AAA3FDF9EB688135866A8A83934BA10E273B8CC3808CF0C1F5FAB3E9BB295885881B73DEBC875670C0F51C4BB40DF5FEDE01B8AF32D1BF10508B8C17B2734EB93B2B7F5D84A4A0F2F816E9E2C32AC253C0B6025B124D05A87A9E2A8567930F44BAA14219B941B6B400B4AED1D796DA12A5A9F0B8F3F5EE9DD43F64CB24A3B1719DF278ADF56B5F3395187829DA2319DEABF6BBD6EDA244DE2B62CC5AC250C1009DD1CD4712B0B37406612AD002B5E51A62B51AC9C0374D143ABBBD58275FAFC4A5E959C54838C2D6D9FB43B7B2609061267B6A2E6C6D01D295C4223E0D3D7A4CDCFB28A7818A737935279751A6DD8290FD498D1F6AD5F4FFF6BDFA536713F509DCE8047252F1E7D0DD9FCC414C0070B5DCCE3665A21A032D7FBE749181032183AFAD240B7E671E87FBBEC3A8CA4C11AA7A9A23AC69AE2ACF54B664DECD27753D63508F1B02",
  29. PrB_sike: "4B622DE1350119C45A9F2E2EF3DC5DF56A27FCDFCDDAF58CD69B903752D68C200934E160B234E49EDE247601",
  30. PkB_sike: "1BD0A2E81307B6F96461317DDF535ACC0E59C742627BAE60D27605E10FAF722D22A73E184CB572A12E79DCD58C6B54FB01442114CBE9010B6CAEC25D04C16C5E42540C1524C545B8C67614ED4183C9FA5BD0BE45A7F89FBC770EE8E7E5E391C7EE6F35F74C29E6D9E35B1663DA01E48E9DEB2347512D366FDE505161677055E3EF23054D276E817E2C57025DA1C10D2461F68617F2D11256EEE4E2D7DBDF6C8E34F3A0FD00C625428CB41857002159DAB94267ABE42D630C6AAA91AF837C7A6740754EA6634C45454C51B0BB4D44C3CCCCE4B32C00901CF69C008D013348379B2F9837F428A01B6173584691F2A6F3A3C4CF487D20D261B36C8CDB1BC158E2A5162A9DA4F7A97AA0879B9897E2B6891B672201F9AEFBF799C27B2587120AC586A511360926FB7DA8EBF5CB5272F396AE06608422BE9792E2CE9BEF21BF55B7EFF8DC7EC8C99910D3F800",
  31. }
  32. /* -------------------------------------------------------------------------
  33. Helpers
  34. -------------------------------------------------------------------------*/
  35. // Fail if err !=nil. Display msg as an error message
  36. func checkErr(t testing.TB, err error, msg string) {
  37. t.Helper()
  38. if err != nil {
  39. t.Error(msg)
  40. }
  41. }
  42. // Utility used for running same test with all registered prime fields
  43. type MultiIdTestingFunc func(testing.TB)
  44. // Converts string to private key
  45. func convToPrv(s string, v KeyVariant) *PrivateKey {
  46. key := NewPrivateKey(v)
  47. hex, e := hex.DecodeString(s)
  48. if e != nil {
  49. panic("non-hex number provided")
  50. }
  51. e = key.Import(hex)
  52. if e != nil {
  53. panic("Can't import private key")
  54. }
  55. return key
  56. }
  57. // Converts string to public key
  58. func convToPub(s string, v KeyVariant) *PublicKey {
  59. key := NewPublicKey(v)
  60. hex, e := hex.DecodeString(s)
  61. if e != nil {
  62. panic("non-hex number provided")
  63. }
  64. e = key.Import(hex)
  65. if e != nil {
  66. panic("Can't import public key")
  67. }
  68. return key
  69. }
  70. /* -------------------------------------------------------------------------
  71. Unit tests
  72. -------------------------------------------------------------------------*/
  73. func TestKeygen(t *testing.T) {
  74. var keyExp, keyGot [55 * 2 * 3]byte
  75. alicePrivate := convToPrv(tdata.PrA_sidh, KeyVariant_SIDH_A)
  76. bobPrivate := convToPrv(tdata.PrB_sidh, KeyVariant_SIDH_B)
  77. expPubA := convToPub(tdata.PkA_sidh, KeyVariant_SIDH_A)
  78. expPubB := convToPub(tdata.PkB_sidh, KeyVariant_SIDH_B)
  79. pubA := NewPublicKey(KeyVariant_SIDH_A)
  80. alicePrivate.GeneratePublicKey(pubA)
  81. pubB := NewPublicKey(KeyVariant_SIDH_B)
  82. bobPrivate.GeneratePublicKey(pubB)
  83. pubA.Export(keyExp[:])
  84. expPubA.Export(keyGot[:])
  85. if !bytes.Equal(keyExp[:], keyGot[:]) {
  86. t.Fatalf("unexpected value of public key A [\nGot: %X\nExp: %X]\n",
  87. keyExp, keyGot)
  88. }
  89. for i, _ := range keyExp {
  90. keyExp[i] = 0
  91. keyGot[i] = 0
  92. }
  93. pubB.Export(keyExp[:])
  94. expPubB.Export(keyGot[:])
  95. if !bytes.Equal(keyExp[:], keyGot[:]) {
  96. t.Fatalf("unexpected value of public key B [\nGot: %X\nExp: %X]\n",
  97. keyGot, keyExp)
  98. }
  99. }
  100. func TestImportExport(t *testing.T) {
  101. var err error
  102. var aBytes, bBytes [110 * 3]byte
  103. a := NewPublicKey(KeyVariant_SIDH_A)
  104. b := NewPublicKey(KeyVariant_SIDH_B)
  105. // Import keys
  106. aHex, err := hex.DecodeString(tdata.PkA_sidh)
  107. checkErr(t, err, "invalid hex-number provided")
  108. err = a.Import(aHex)
  109. checkErr(t, err, "import failed")
  110. bHex, err := hex.DecodeString(tdata.PkB_sike)
  111. checkErr(t, err, "invalid hex-number provided")
  112. err = b.Import(bHex)
  113. checkErr(t, err, "import failed")
  114. a.Export(aBytes[:])
  115. b.Export(bBytes[:])
  116. // Export and check if same
  117. if !bytes.Equal(bBytes[:], bHex) || !bytes.Equal(aBytes[:], aHex) {
  118. t.Fatalf("export/import failed")
  119. }
  120. if (len(bBytes) != b.Size()) || (len(aBytes) != a.Size()) {
  121. t.Fatalf("wrong size of exported keys")
  122. }
  123. }
  124. func testPrivateKeyBelowMax(t testing.TB) {
  125. for variant, keySz := range map[KeyVariant]*DomainParams{
  126. KeyVariant_SIDH_A: &Params.A,
  127. KeyVariant_SIDH_B: &Params.B} {
  128. func(v KeyVariant, dp *DomainParams) {
  129. var blen = int(dp.SecretByteLen)
  130. var prv = NewPrivateKey(v)
  131. var secretBytes = make([]byte, prv.Size())
  132. // Calculate either (2^e2 - 1) or (2^s - 1); where s=ceil(log_2(3^e3)))
  133. maxSecertVal := big.NewInt(int64(dp.SecretBitLen))
  134. maxSecertVal.Exp(big.NewInt(int64(2)), maxSecertVal, nil)
  135. maxSecertVal.Sub(maxSecertVal, big.NewInt(1))
  136. // Do same test 1000 times
  137. for i := 0; i < 1000; i++ {
  138. err := prv.Generate(rand.Reader)
  139. checkErr(t, err, "Private key generation")
  140. // Convert to big-endian, as that's what expected by (*Int)SetBytes()
  141. prv.Export(secretBytes)
  142. for i := 0; i < int(blen/2); i++ {
  143. tmp := secretBytes[i] ^ secretBytes[blen-i-1]
  144. secretBytes[i] = tmp ^ secretBytes[i]
  145. secretBytes[blen-i-1] = tmp ^ secretBytes[blen-i-1]
  146. }
  147. prvBig := new(big.Int).SetBytes(secretBytes)
  148. // Check if generated key is bigger then acceptable
  149. if prvBig.Cmp(maxSecertVal) == 1 {
  150. t.Error("Generated private key is wrong")
  151. }
  152. }
  153. }(variant, keySz)
  154. }
  155. }
  156. func testKeyAgreement(t *testing.T, pkA, prA, pkB, prB string) {
  157. var e error
  158. var s1, s2 [110 * 3]byte
  159. // KeyPairs
  160. alicePublic := convToPub(pkA, KeyVariant_SIDH_A)
  161. bobPublic := convToPub(pkB, KeyVariant_SIDH_B)
  162. alicePrivate := convToPrv(prA, KeyVariant_SIDH_A)
  163. bobPrivate := convToPrv(prB, KeyVariant_SIDH_B)
  164. // Do actual test
  165. e = DeriveSecret(s1[:], bobPrivate, alicePublic)
  166. checkErr(t, e, "derivation s1")
  167. e = DeriveSecret(s2[:], alicePrivate, bobPublic)
  168. checkErr(t, e, "derivation s1")
  169. if !bytes.Equal(s1[:], s2[:]) {
  170. t.Fatalf("two shared keys: %d, %d do not match", s1, s2)
  171. }
  172. // Negative case
  173. dec, e := hex.DecodeString(tdata.PkA_sidh)
  174. if e != nil {
  175. t.FailNow()
  176. }
  177. dec[0] = ^dec[0]
  178. e = alicePublic.Import(dec)
  179. if e != nil {
  180. t.FailNow()
  181. }
  182. e = DeriveSecret(s1[:], bobPrivate, alicePublic)
  183. checkErr(t, e, "derivation of s1 failed")
  184. e = DeriveSecret(s2[:], alicePrivate, bobPublic)
  185. checkErr(t, e, "derivation of s2 failed")
  186. if bytes.Equal(s1[:], s2[:]) {
  187. t.Fatalf("The two shared keys: %d, %d match", s1, s2)
  188. }
  189. }
  190. func TestDerivationRoundTrip(t *testing.T) {
  191. var err error
  192. var s1, s2 [110 * 3]byte
  193. pubA := NewPublicKey(KeyVariant_SIDH_A)
  194. prvA := NewPrivateKey(KeyVariant_SIDH_A)
  195. pubB := NewPublicKey(KeyVariant_SIDH_B)
  196. prvB := NewPrivateKey(KeyVariant_SIDH_B)
  197. // Generate private keys
  198. err = prvA.Generate(rand.Reader)
  199. checkErr(t, err, "key generation failed")
  200. err = prvB.Generate(rand.Reader)
  201. checkErr(t, err, "key generation failed")
  202. // Generate public keys
  203. prvA.GeneratePublicKey(pubA)
  204. prvB.GeneratePublicKey(pubB)
  205. // Derive shared secret
  206. err = DeriveSecret(s1[:], prvB, pubA)
  207. checkErr(t, err, "")
  208. err = DeriveSecret(s2[:], prvA, pubB)
  209. checkErr(t, err, "")
  210. if !bytes.Equal(s1[:], s2[:]) {
  211. t.Fatalf("Two shared keys: \n%X, \n%X do not match", s1, s2)
  212. }
  213. }
  214. // encrypt, decrypt, check if input/output plaintext is the same
  215. func TestPKERoundTrip(t *testing.T) {
  216. // Message to be encrypted
  217. var msg = make([]byte, Params.MsgLen)
  218. var ct = make([]byte, kem.CiphertextSize())
  219. for i, _ := range msg {
  220. msg[i] = byte(i)
  221. }
  222. // Import keys
  223. pkB := NewPublicKey(KeyVariant_SIKE)
  224. skB := NewPrivateKey(KeyVariant_SIKE)
  225. pk_hex, err := hex.DecodeString(tdata.PkB_sike)
  226. if err != nil {
  227. t.Fatal(err)
  228. }
  229. sk_hex, err := hex.DecodeString(tdata.PrB_sike)
  230. if err != nil {
  231. t.Fatal(err)
  232. }
  233. if pkB.Import(pk_hex) != nil || skB.Import(sk_hex) != nil {
  234. t.Error("Import")
  235. }
  236. err = encrypt(ct, rand.Reader, pkB, msg[:])
  237. if err != nil {
  238. t.Fatal(err)
  239. }
  240. var pt [40]byte
  241. pt_len, err := decrypt(pt[:], skB, ct)
  242. if err != nil {
  243. t.Fatal(err)
  244. }
  245. if !bytes.Equal(pt[:pt_len], msg[:]) {
  246. t.Errorf("Decryption failed \n got : %X\n exp : %X", pt, msg)
  247. }
  248. }
  249. // Generate key and check if can encrypt
  250. func TestPKEKeyGeneration(t *testing.T) {
  251. // Message to be encrypted
  252. var msg = make([]byte, Params.MsgLen)
  253. var ct = make([]byte, kem.CiphertextSize())
  254. var err error
  255. for i, _ := range msg {
  256. msg[i] = byte(i)
  257. }
  258. sk := NewPrivateKey(KeyVariant_SIKE)
  259. err = sk.Generate(rand.Reader)
  260. checkErr(t, err, "PEK key generation")
  261. pk := NewPublicKey(KeyVariant_SIKE)
  262. sk.GeneratePublicKey(pk)
  263. // Try to encrypt
  264. err = encrypt(ct, rand.Reader, pk, msg[:])
  265. checkErr(t, err, "PEK encryption")
  266. var pt [40]byte
  267. pt_len, err := decrypt(pt[:], sk, ct)
  268. checkErr(t, err, "PEK key decryption")
  269. if !bytes.Equal(pt[:pt_len], msg[:]) {
  270. t.Fatalf("Decryption failed \n got : %X\n exp : %X", pt, msg)
  271. }
  272. }
  273. func TestNegativePKE(t *testing.T) {
  274. var msg [40]byte
  275. var err error
  276. var ct = make([]byte, kem.CiphertextSize())
  277. // Generate key
  278. pk := NewPublicKey(KeyVariant_SIKE)
  279. sk := NewPrivateKey(KeyVariant_SIKE)
  280. err = sk.Generate(rand.Reader)
  281. checkErr(t, err, "key generation")
  282. sk.GeneratePublicKey(pk)
  283. // bytelen(msg) - 1
  284. err = encrypt(ct, rand.Reader, pk, msg[:Params.KemSize+8-1])
  285. if err == nil {
  286. t.Fatal("Error hasn't been returned")
  287. }
  288. for _, v := range ct {
  289. if v != 0 {
  290. t.Fatal("Returned ciphertext must be not changed")
  291. }
  292. }
  293. // KemSize - 1
  294. var pt [40]byte
  295. pt_len, err := decrypt(pt[:], sk, msg[:Params.KemSize+8-1])
  296. if err == nil {
  297. t.Fatal("Error hasn't been returned")
  298. }
  299. if pt_len != 0 {
  300. t.Fatal("Ciphertext must be nil")
  301. }
  302. }
  303. func testKEMRoundTrip(t *testing.T, pkB, skB []byte) {
  304. ct := make([]byte, kem.CiphertextSize())
  305. ss_e := make([]byte, kem.SharedSecretSize())
  306. ss_d := make([]byte, kem.SharedSecretSize())
  307. // Import keys
  308. pk := NewPublicKey(KeyVariant_SIKE)
  309. sk := NewPrivateKey(KeyVariant_SIKE)
  310. if pk.Import(pkB) != nil || sk.Import(skB) != nil {
  311. t.Error("Import failed")
  312. }
  313. checkErr(t, kem.Encapsulate(ct, ss_e, pk),
  314. "error: Encapsulation during round-trip")
  315. checkErr(t, kem.Decapsulate(ss_d, sk, pk, ct),
  316. "error: Decapsulation during round-trip")
  317. if !bytes.Equal(ss_e, ss_d) {
  318. t.Error("Shared secrets from decapsulation and encapsulation differ")
  319. }
  320. }
  321. func TestKEMRoundTrip(t *testing.T) {
  322. pk, err := hex.DecodeString(tdata.PkB_sike)
  323. checkErr(t, err, "public key B not a number")
  324. sk, err := hex.DecodeString(tdata.PrB_sike)
  325. checkErr(t, err, "private key B not a number")
  326. testKEMRoundTrip(t, pk, sk)
  327. }
  328. func TestKEMKeyGeneration(t *testing.T) {
  329. ct := make([]byte, kem.CiphertextSize())
  330. ss_e := make([]byte, kem.SharedSecretSize())
  331. ss_d := make([]byte, kem.SharedSecretSize())
  332. // Generate key
  333. pk := NewPublicKey(KeyVariant_SIKE)
  334. sk := NewPrivateKey(KeyVariant_SIKE)
  335. checkErr(t, sk.Generate(rand.Reader), "error: key generation")
  336. sk.GeneratePublicKey(pk)
  337. // calculated shared secret
  338. checkErr(t, kem.Encapsulate(ct, ss_e, pk),
  339. "encapsulation failed")
  340. checkErr(t, kem.Decapsulate(ss_d, sk, pk, ct),
  341. "decapsulation failed")
  342. if !bytes.Equal(ss_e, ss_d) {
  343. t.Fatalf("KEM failed \n encapsulated: %X\n decapsulated: %X", ss_d, ss_e)
  344. }
  345. }
  346. func TestNegativeKEM(t *testing.T) {
  347. ct := make([]byte, kem.CiphertextSize())
  348. ss_e := make([]byte, kem.SharedSecretSize())
  349. ss_d := make([]byte, kem.SharedSecretSize())
  350. pk := NewPublicKey(KeyVariant_SIKE)
  351. sk := NewPrivateKey(KeyVariant_SIKE)
  352. checkErr(t, sk.Generate(rand.Reader), "error: key generation")
  353. sk.GeneratePublicKey(pk)
  354. checkErr(t, kem.Encapsulate(ct, ss_e, pk),
  355. "pre-requisite for a test failed")
  356. ct[0] = ct[0] - 1
  357. checkErr(t, kem.Decapsulate(ss_d, sk, pk, ct),
  358. "decapsulation returns error when invalid ciphertext provided")
  359. if bytes.Equal(ss_e[:], ss_d) {
  360. // no idea how this could ever happen, but it would be very bad
  361. t.Error("critical error")
  362. }
  363. // Try encapsulating with SIDH key
  364. pkSidh := NewPublicKey(KeyVariant_SIDH_B)
  365. prSidh := NewPrivateKey(KeyVariant_SIDH_B)
  366. err := kem.Encapsulate(ct, ss_e, pkSidh)
  367. if err == nil {
  368. t.Error("encapsulation accepts SIDH public key")
  369. }
  370. // Try decapsulating with SIDH key
  371. err = kem.Decapsulate(ss_e, prSidh, pk, ct)
  372. if err == nil {
  373. t.Error("decapsulation accepts SIDH private key key")
  374. }
  375. }
  376. // In case invalid ciphertext is provided, SIKE's decapsulation must
  377. // return same (but unpredictable) result for a given key.
  378. func TestNegativeKEMSameWrongResult(t *testing.T) {
  379. ct := make([]byte, kem.CiphertextSize())
  380. ss_e := make([]byte, kem.SharedSecretSize())
  381. ss_d1 := make([]byte, kem.SharedSecretSize())
  382. ss_d2 := make([]byte, kem.SharedSecretSize())
  383. sk := NewPrivateKey(KeyVariant_SIKE)
  384. pk := NewPublicKey(KeyVariant_SIKE)
  385. // generate keys
  386. checkErr(t, sk.Generate(rand.Reader), "error: key generation")
  387. sk.GeneratePublicKey(pk)
  388. checkErr(t, kem.Encapsulate(ct, ss_e, pk),
  389. "pre-requisite for a test failed")
  390. // make ciphertext wrong
  391. ct[0] = ct[0] - 1
  392. checkErr(t, kem.Decapsulate(ss_d1, sk, pk, ct),
  393. "pre-requisite for a test failed")
  394. // second decapsulation must be done with same, but imported private key
  395. var expSk = make([]byte, sk.Size())
  396. sk.Export(expSk)
  397. // creat new private key
  398. sk = NewPrivateKey(KeyVariant_SIKE)
  399. checkErr(t, sk.Import(expSk),
  400. "import failed")
  401. // try decapsulating again. ss2 must be same as ss1 and different than
  402. // original plaintext
  403. checkErr(t, kem.Decapsulate(ss_d2, sk, pk, ct),
  404. "pre-requisite for a test failed")
  405. if !bytes.Equal(ss_d1, ss_d2) {
  406. t.Error("decapsulation is insecure")
  407. }
  408. if bytes.Equal(ss_e, ss_d1) || bytes.Equal(ss_e, ss_d2) {
  409. // this test requires that decapsulation returns wrong result
  410. t.Errorf("test implementation error")
  411. }
  412. }
  413. func testKeygen(t *testing.T, pk, sk []byte) {
  414. var pubKeyBytes [110 * 3]byte
  415. // Import provided private key
  416. var prvKey = NewPrivateKey(KeyVariant_SIKE)
  417. if prvKey.Import(sk) != nil {
  418. panic("sike test: can't load KAT")
  419. }
  420. // Generate public key
  421. pubKey := NewPublicKey(KeyVariant_SIKE)
  422. prvKey.GeneratePublicKey(pubKey)
  423. pubKey.Export(pubKeyBytes[:])
  424. if !bytes.Equal(pubKeyBytes[:], pk) {
  425. t.Fatalf("KAT keygen form private failed\nExp: %X\nGot: %X\n", pubKeyBytes[:], pk)
  426. }
  427. }
  428. func TestKeyAgreement(t *testing.T) {
  429. testKeyAgreement(t, tdata.PkA_sidh, tdata.PrA_sidh, tdata.PkB_sidh, tdata.PrB_sidh)
  430. }
  431. // Same values as in sike_test.cc
  432. func TestDecapsulation(t *testing.T) {
  433. var sk = [28 + 16]byte{
  434. 0x04, 0x5E, 0x01, 0x42, 0xB8, 0x2F, 0xE1, 0x9A, 0x38, 0x25,
  435. 0x92, 0xE7, 0xDC, 0xBA, 0xF7, 0x1B, 0xB1, 0xFD, 0x34, 0x42,
  436. 0xDB, 0x02, 0xBC, 0x9D, 0x4C, 0xD0, 0x72, 0x34, 0x4D, 0xBD,
  437. 0x06, 0xDF, 0x1C, 0x7D, 0x0A, 0x88, 0xB2, 0x50, 0xC4, 0xF6,
  438. 0xAE, 0xE8, 0x25, 0x01,
  439. }
  440. var pk = [330]byte{
  441. 0x6D, 0x8D, 0xF5, 0x7B, 0xCD, 0x47, 0xCA, 0xCB, 0x7A, 0x38,
  442. 0xB7, 0xA6, 0x90, 0xB7, 0x37, 0x03, 0xD4, 0x6F, 0x27, 0x73,
  443. 0x74, 0x17, 0x5A, 0xA4, 0x0D, 0xC6, 0x81, 0xAD, 0xDB, 0xF7,
  444. 0x18, 0xB2, 0x3C, 0x30, 0xCF, 0xAA, 0x08, 0x11, 0x91, 0xCC,
  445. 0x27, 0x4E, 0xF1, 0xA6, 0xB7, 0xDA, 0xD2, 0xCF, 0x99, 0x7F,
  446. 0xF7, 0xE1, 0xD0, 0xCE, 0x00, 0xD2, 0x4B, 0xA4, 0x33, 0xB4,
  447. 0x87, 0x01, 0x3F, 0x02, 0xF7, 0xF9, 0xDE, 0xC3, 0x60, 0x62,
  448. 0xDA, 0x3F, 0x74, 0xA9, 0x44, 0xBE, 0x19, 0xD5, 0x03, 0x2A,
  449. 0x79, 0x8C, 0xA7, 0xFF, 0xEA, 0xB3, 0xBB, 0xB5, 0xD4, 0x1D,
  450. 0x8F, 0x92, 0xCE, 0x62, 0x6E, 0x99, 0x24, 0xD7, 0x57, 0xFA,
  451. 0xCD, 0xB6, 0xE2, 0x8E, 0xFD, 0x22, 0x0E, 0x31, 0x21, 0x01,
  452. 0x8D, 0x79, 0xF8, 0x3E, 0x27, 0xEC, 0x43, 0x40, 0xDB, 0x82,
  453. 0xE5, 0xEB, 0x6C, 0x97, 0x66, 0x29, 0x15, 0x68, 0xB7, 0x4D,
  454. 0x84, 0xD1, 0x8A, 0x0B, 0x12, 0x36, 0x2C, 0x0C, 0x0A, 0x6E,
  455. 0x4E, 0xDE, 0xA5, 0x8A, 0xDE, 0x77, 0xDD, 0x70, 0x49, 0x73,
  456. 0xAC, 0x27, 0x6D, 0x8D, 0x25, 0x9A, 0xE4, 0x25, 0xE8, 0x95,
  457. 0x8F, 0xFE, 0x90, 0x3B, 0x00, 0x69, 0x20, 0xE8, 0x7C, 0xA5,
  458. 0xF5, 0x79, 0xC0, 0x61, 0x51, 0x91, 0x35, 0x25, 0x3F, 0x17,
  459. 0x2F, 0x70, 0x73, 0xF0, 0x89, 0xB5, 0xC8, 0x25, 0xB8, 0xE5,
  460. 0x7E, 0x34, 0xDD, 0x11, 0xE5, 0xD6, 0xC3, 0xD5, 0x29, 0x89,
  461. 0xC6, 0x2C, 0x99, 0x53, 0x1D, 0x2C, 0x77, 0xB0, 0xB6, 0xA1,
  462. 0xBD, 0x79, 0xFB, 0x4A, 0xC2, 0x48, 0x4C, 0x62, 0x51, 0x00,
  463. 0xE3, 0x91, 0x2A, 0xCB, 0x84, 0x03, 0x5D, 0x2D, 0xC8, 0x33,
  464. 0xE9, 0x14, 0xBF, 0x74, 0x21, 0xBC, 0xF4, 0x76, 0xE5, 0x42,
  465. 0xB8, 0xBD, 0xE2, 0xE7, 0x20, 0x95, 0x54, 0xF2, 0xED, 0xC0,
  466. 0x79, 0x38, 0x1E, 0xD2, 0xEA, 0x1A, 0x63, 0x85, 0xE7, 0x3A,
  467. 0xDA, 0xAD, 0xAB, 0x1B, 0x1E, 0x19, 0x9E, 0x73, 0xD0, 0x10,
  468. 0x2E, 0x38, 0xAC, 0x8B, 0x00, 0x6A, 0x30, 0x2C, 0x3D, 0x70,
  469. 0x8E, 0x39, 0x6D, 0xC0, 0x12, 0x61, 0x7D, 0x2A, 0x0A, 0x04,
  470. 0x95, 0x8E, 0x09, 0x3C, 0x7B, 0xEC, 0x2E, 0xBC, 0xE8, 0xE8,
  471. 0xE8, 0x37, 0x29, 0xC4, 0x7E, 0x76, 0x48, 0xB9, 0x3B, 0x72,
  472. 0xE5, 0x99, 0x9B, 0xF9, 0xE3, 0x99, 0x72, 0x3F, 0x35, 0x29,
  473. 0x85, 0xE0, 0xC8, 0xBF, 0xB1, 0x6B, 0xB1, 0x6E, 0x72, 0x00,
  474. }
  475. var ct = [330 + 16]byte{
  476. 0x7C, 0xAB, 0x4E, 0x65, 0x2E, 0xBA, 0xD2, 0xBD, 0x8B, 0x66,
  477. 0xCA, 0x2B, 0xA8, 0xF9, 0xEF, 0xE2, 0xFD, 0x2E, 0xCA, 0x83,
  478. 0xE9, 0xCF, 0x50, 0x63, 0x7B, 0x5C, 0x3D, 0xA5, 0xE7, 0xF5,
  479. 0x9F, 0x73, 0xAC, 0xC8, 0xE4, 0x85, 0xFC, 0x05, 0xCD, 0xED,
  480. 0x03, 0x25, 0x02, 0xA4, 0xF5, 0x57, 0x4A, 0x76, 0x3C, 0xDE,
  481. 0x76, 0x52, 0xD0, 0x1B, 0x01, 0xA3, 0xD3, 0xB1, 0x8E, 0xC6,
  482. 0xE1, 0x54, 0x3F, 0x9B, 0xA9, 0xB6, 0x9B, 0x1A, 0xED, 0x62,
  483. 0xB5, 0x7A, 0x58, 0xFB, 0xAC, 0xF2, 0xBD, 0xE6, 0x95, 0x0B,
  484. 0xED, 0x3A, 0x5D, 0x34, 0xB0, 0x54, 0x2D, 0xEF, 0xA9, 0xA7,
  485. 0xA3, 0xA8, 0xD2, 0xA1, 0x8B, 0x96, 0xFA, 0x8F, 0xDD, 0x2E,
  486. 0xE4, 0x93, 0x82, 0x97, 0x19, 0x72, 0xC7, 0x7E, 0x50, 0x00,
  487. 0x8A, 0xE0, 0x0C, 0x5A, 0x94, 0xB2, 0xE1, 0xC3, 0xA5, 0x4D,
  488. 0x92, 0x97, 0xA2, 0x59, 0x97, 0xBC, 0xB9, 0x7F, 0x27, 0x92,
  489. 0xA7, 0x7F, 0x5A, 0x7B, 0x8D, 0x24, 0xFF, 0x9A, 0x99, 0xDB,
  490. 0xDB, 0xE1, 0x5B, 0xD2, 0x10, 0x34, 0x2D, 0x45, 0xA5, 0xE5,
  491. 0x99, 0x7F, 0xFE, 0x02, 0xCC, 0x57, 0x7A, 0x3A, 0xAB, 0xB3,
  492. 0x27, 0xE1, 0x55, 0x70, 0x01, 0x3D, 0xC8, 0xAB, 0x90, 0xC6,
  493. 0x8F, 0x63, 0x8B, 0x30, 0x6F, 0xA1, 0xDC, 0x91, 0xE5, 0x25,
  494. 0xDF, 0x9A, 0x68, 0x05, 0xC2, 0xD4, 0x13, 0x64, 0xAA, 0xEF,
  495. 0x21, 0x63, 0x5E, 0xFF, 0x41, 0xFD, 0xF3, 0x92, 0x76, 0xA6,
  496. 0x09, 0x90, 0xBD, 0x65, 0x56, 0xC9, 0x6D, 0x41, 0xA7, 0x9E,
  497. 0xC7, 0x15, 0xBF, 0xE1, 0x2D, 0xB0, 0x96, 0x26, 0x21, 0x01,
  498. 0x60, 0x54, 0x71, 0x56, 0xD9, 0xA2, 0x9B, 0xD2, 0x21, 0x9C,
  499. 0xD9, 0x0F, 0xF8, 0x5F, 0xC4, 0xF4, 0xF6, 0x8E, 0xCA, 0x87,
  500. 0x7B, 0x7A, 0xDE, 0x28, 0x05, 0x3F, 0x3F, 0xE7, 0xDA, 0x3B,
  501. 0x56, 0x64, 0xE0, 0x8D, 0xEB, 0x4A, 0x54, 0x88, 0x05, 0x4C,
  502. 0x5E, 0x99, 0x45, 0x8C, 0x65, 0x8A, 0x6E, 0x2D, 0x53, 0x1C,
  503. 0x9B, 0x44, 0xA7, 0xEF, 0x01, 0xF8, 0x31, 0x4D, 0x31, 0xE3,
  504. 0x75, 0x7B, 0x5F, 0x79, 0x5F, 0xE7, 0x47, 0x4C, 0x08, 0x86,
  505. 0x84, 0xC8, 0x84, 0x48, 0x89, 0x89, 0x5F, 0x7F, 0x92, 0x68,
  506. 0x2E, 0x9F, 0xBA, 0x46, 0x6D, 0x34, 0x93, 0x86, 0xE4, 0xEA,
  507. 0xE6, 0x1F, 0xF8, 0xE1, 0x94, 0xFF, 0x6E, 0xB6, 0x8D, 0x46,
  508. 0x64, 0xF0, 0xE3, 0xB7, 0x84, 0x0A, 0x5B, 0xE2, 0xC4, 0x01,
  509. 0x6E, 0xA5, 0xB8, 0xFA, 0xA5, 0x5A, 0x1C, 0x2D, 0xF6, 0x81,
  510. 0xC2, 0x44, 0x81, 0x5B, 0x00, 0x17,
  511. }
  512. var ss_exp = [16]byte{
  513. 0xCB, 0x9C, 0x6B, 0x0A, 0x64, 0x95, 0x32, 0xA7, 0x35, 0x4E,
  514. 0xE5, 0x14, 0xC8, 0xB7, 0x82, 0xB6,
  515. }
  516. var prvObj = NewPrivateKey(KeyVariant_SIKE)
  517. var pubObj = NewPublicKey(KeyVariant_SIKE)
  518. if pubObj.Import(pk[:]) != nil || prvObj.Import(sk[:]) != nil {
  519. t.Error("Can't import one of the keys")
  520. }
  521. res := make([]byte, kem.SharedSecretSize())
  522. checkErr(t, kem.Decapsulate(res, prvObj, pubObj, ct[:]),
  523. "error: Decapsulation failed")
  524. if !bytes.Equal(ss_exp[:], res) {
  525. t.Error("Wrong decapsulation result")
  526. }
  527. }
  528. func readAndCheckLine(r *bufio.Reader) []byte {
  529. // Read next line from buffer
  530. line, isPrefix, err := r.ReadLine()
  531. if err != nil || isPrefix {
  532. panic("Wrong format of input file")
  533. }
  534. // Function expects that line is in format "KEY = HEX_VALUE". Get
  535. // value, which should be a hex string
  536. hexst := strings.Split(string(line), "=")[1]
  537. hexst = strings.TrimSpace(hexst)
  538. // Convert value to byte string
  539. ret, err := hex.DecodeString(hexst)
  540. if err != nil {
  541. panic("Wrong format of input file")
  542. }
  543. return ret
  544. }
  545. func TestKAT(t *testing.T) {
  546. ssGot := make([]byte, kem.SharedSecretSize())
  547. testDecapsulation := func(t *testing.T, pk, sk, ct, ssExpected []byte) {
  548. var pubKey = NewPublicKey(KeyVariant_SIKE)
  549. var prvKey = NewPrivateKey(KeyVariant_SIKE)
  550. if pubKey.Import(pk) != nil || prvKey.Import(sk) != nil {
  551. panic("sike test: can't load KAT")
  552. }
  553. err := kem.Decapsulate(ssGot, prvKey, pubKey, ct)
  554. if err != nil {
  555. panic("sike test: can't perform degcapsulation KAT")
  556. }
  557. if (err != nil) || !bytes.Equal(ssGot, ssExpected) {
  558. t.Fatalf("KAT decapsulation failed\n")
  559. }
  560. }
  561. f, err := os.Open(tdata.katFile)
  562. if err != nil {
  563. t.Fatal(err)
  564. }
  565. r := bufio.NewReader(f)
  566. for {
  567. line, isPrefix, err := r.ReadLine()
  568. if err != nil || isPrefix {
  569. if err == io.EOF {
  570. break
  571. } else {
  572. t.Fatal(err)
  573. }
  574. }
  575. if len(strings.TrimSpace(string(line))) == 0 || line[0] == '#' {
  576. continue
  577. }
  578. // count
  579. _ = strings.Split(string(line), "=")[1]
  580. // seed
  581. _ = readAndCheckLine(r)
  582. // pk
  583. pk := readAndCheckLine(r)
  584. // sk (secret key in test vector is concatenation of
  585. // MSG + SECRET_BOB_KEY + PUBLIC_BOB_KEY. We use only MSG+SECRET_BOB_KEY
  586. sk := readAndCheckLine(r)
  587. sk = sk[:Params.MsgLen+int(Params.B.SecretByteLen)]
  588. // ct
  589. ct := readAndCheckLine(r)
  590. // ss
  591. ss := readAndCheckLine(r)
  592. testKeygen(t, pk, sk)
  593. testDecapsulation(t, pk, sk, ct, ss)
  594. testKEMRoundTrip(t, pk, sk)
  595. }
  596. }
  597. /* -------------------------------------------------------------------------
  598. Benchmarking
  599. -------------------------------------------------------------------------*/
  600. func BenchmarkKeygen(b *testing.B) {
  601. pk := NewPublicKey(KeyVariant_SIKE)
  602. prv := NewPrivateKey(KeyVariant_SIKE)
  603. prv.Generate(rand.Reader)
  604. for n := 0; n < b.N; n++ {
  605. prv.GeneratePublicKey(pk)
  606. }
  607. }
  608. func BenchmarkEncaps(b *testing.B) {
  609. pub := NewPublicKey(KeyVariant_SIKE)
  610. prv := NewPrivateKey(KeyVariant_SIKE)
  611. if prv.Generate(rand.Reader) != nil {
  612. b.FailNow()
  613. }
  614. prv.GeneratePublicKey(pub)
  615. var ct [16 + 330]byte
  616. var ss [16]byte
  617. for n := 0; n < b.N; n++ {
  618. kem.Reset()
  619. kem.Encapsulate(ct[:], ss[:], pub)
  620. }
  621. }
  622. func BenchmarkDecaps(b *testing.B) {
  623. var ct [16 + 330]byte
  624. var ss [16]byte
  625. pkA := NewPublicKey(KeyVariant_SIKE)
  626. prvA := NewPrivateKey(KeyVariant_SIKE)
  627. pkB := NewPublicKey(KeyVariant_SIKE)
  628. prvB := NewPrivateKey(KeyVariant_SIKE)
  629. if prvA.Generate(rand.Reader) != nil || prvB.Generate(rand.Reader) != nil {
  630. b.FailNow()
  631. }
  632. prvA.GeneratePublicKey(pkA)
  633. prvB.GeneratePublicKey(pkB)
  634. err := kem.Encapsulate(ct[:], ss[:], pkA)
  635. if err != nil {
  636. b.FailNow()
  637. }
  638. for n := 0; n < b.N; n++ {
  639. kem.Decapsulate(ss[:], prvA, pkB, ct[:])
  640. }
  641. }
  642. var kem KEM
  643. func init() {
  644. kem.Allocate(rand.Reader)
  645. }