diff --git a/dh/csidh/csidh_test.go b/dh/csidh/csidh_test.go index 7e5ffc2..6f6b691 100644 --- a/dh/csidh/csidh_test.go +++ b/dh/csidh/csidh_test.go @@ -97,11 +97,9 @@ func TestEphemeralKeyExchange(t *testing.T) { checkErr(t, GeneratePrivateKey(&prv2, rng), "PrivateKey generation failed") GeneratePublicKey(&pub2, &prv2, rng) - Ok(t, - DeriveSecret(&ss1, &pub1, &prv2, rng), + Ok(t, DeriveSecret(&ss1, &pub1, &prv2, rng), "Derivation failed") - Ok(t, - DeriveSecret(&ss2, &pub2, &prv1, rng), + Ok(t, DeriveSecret(&ss2, &pub2, &prv1, rng), "Derivation failed") if !bytes.Equal(ss1[:], ss2[:]) { diff --git a/dh/sidh/sidh.go b/dh/sidh/sidh.go index 1856f9e..b212528 100644 --- a/dh/sidh/sidh.go +++ b/dh/sidh/sidh.go @@ -15,23 +15,23 @@ type KeyVariant uint // Base type for public and private key. Used mainly to carry domain // parameters. -type key struct { +type Key struct { // Domain parameters of the algorithm to be used with a key - params *common.SidhParams + Params *common.SidhParams // Flag indicates wether corresponds to 2-, 3-torsion group or SIKE - keyVariant KeyVariant + KeyVariant KeyVariant } // Defines operations on public key type PublicKey struct { - key + Key // x-coordinates of P,Q,P-Q in this exact order affine3Pt [3]common.Fp2 } // Defines operations on private key type PrivateKey struct { - key + Key // Secret key Scalar []byte // Used only by KEM @@ -59,14 +59,14 @@ const ( ) // Accessor to key variant. -func (key *key) Variant() KeyVariant { - return key.keyVariant +func (key *Key) Variant() KeyVariant { + return key.KeyVariant } // NewPublicKey initializes public key. // Usage of this function guarantees that the object is correctly initialized. func NewPublicKey(id uint8, v KeyVariant) *PublicKey { - return &PublicKey{key: key{params: common.Params(id), keyVariant: v}} + return &PublicKey{Key: Key{Params: common.Params(id), KeyVariant: v}} } // Import clears content of the public key currently stored in the structure @@ -76,11 +76,11 @@ func (pub *PublicKey) Import(input []byte) error { if len(input) != pub.Size() { return errors.New("sidh: input to short") } - ssSz := pub.params.SharedSecretSize - common.BytesToFp2(&pub.affine3Pt[0], input[0:ssSz], pub.params.Bytelen) - common.BytesToFp2(&pub.affine3Pt[1], input[ssSz:2*ssSz], pub.params.Bytelen) - common.BytesToFp2(&pub.affine3Pt[2], input[2*ssSz:3*ssSz], pub.params.Bytelen) - switch pub.params.ID { + ssSz := pub.Params.SharedSecretSize + common.BytesToFp2(&pub.affine3Pt[0], input[0:ssSz], pub.Params.Bytelen) + common.BytesToFp2(&pub.affine3Pt[1], input[ssSz:2*ssSz], pub.Params.Bytelen) + common.BytesToFp2(&pub.affine3Pt[2], input[2*ssSz:3*ssSz], pub.Params.Bytelen) + switch pub.Params.ID { case Fp434: p434.ToMontgomery(&pub.affine3Pt[0], &pub.affine3Pt[0]) p434.ToMontgomery(&pub.affine3Pt[1], &pub.affine3Pt[1]) @@ -103,8 +103,8 @@ func (pub *PublicKey) Import(input []byte) error { // returned byte string is filled with zeros. func (pub *PublicKey) Export(out []byte) { var feTmp [3]common.Fp2 - ssSz := pub.params.SharedSecretSize - switch pub.params.ID { + ssSz := pub.Params.SharedSecretSize + switch pub.Params.ID { case Fp434: p434.FromMontgomery(&feTmp[0], &pub.affine3Pt[0]) p434.FromMontgomery(&feTmp[1], &pub.affine3Pt[1]) @@ -120,27 +120,27 @@ func (pub *PublicKey) Export(out []byte) { default: panic("Unsupported key") } - common.Fp2ToBytes(out[0:ssSz], &feTmp[0], pub.params.Bytelen) - common.Fp2ToBytes(out[ssSz:2*ssSz], &feTmp[1], pub.params.Bytelen) - common.Fp2ToBytes(out[2*ssSz:3*ssSz], &feTmp[2], pub.params.Bytelen) + common.Fp2ToBytes(out[0:ssSz], &feTmp[0], pub.Params.Bytelen) + common.Fp2ToBytes(out[ssSz:2*ssSz], &feTmp[1], pub.Params.Bytelen) + common.Fp2ToBytes(out[2*ssSz:3*ssSz], &feTmp[2], pub.Params.Bytelen) } // Size returns size of the public key in bytes. func (pub *PublicKey) Size() int { - return pub.params.PublicKeySize + return pub.Params.PublicKeySize } // NewPrivateKey initializes private key. // Usage of this function guarantees that the object is correctly initialized. func NewPrivateKey(id uint8, v KeyVariant) *PrivateKey { - prv := &PrivateKey{key: key{params: common.Params(id), keyVariant: v}} + prv := &PrivateKey{Key: Key{Params: common.Params(id), KeyVariant: v}} if (v & KeyVariantSidhA) == KeyVariantSidhA { - prv.Scalar = make([]byte, prv.params.A.SecretByteLen) + prv.Scalar = make([]byte, prv.Params.A.SecretByteLen) } else { - prv.Scalar = make([]byte, prv.params.B.SecretByteLen) + prv.Scalar = make([]byte, prv.Params.B.SecretByteLen) } if v == KeyVariantSike { - prv.S = make([]byte, prv.params.MsgLen) + prv.S = make([]byte, prv.Params.MsgLen) } return prv } @@ -156,14 +156,14 @@ func (prv *PrivateKey) Export(out []byte) { func (prv *PrivateKey) Size() int { tmp := len(prv.Scalar) if prv.Variant() == KeyVariantSike { - tmp += prv.params.MsgLen + tmp += prv.Params.MsgLen } return tmp } // Size returns size of the shared secret. func (prv *PrivateKey) SharedSecretSize() int { - return prv.params.SharedSecretSize + return prv.Params.SharedSecretSize } // Import clears content of the private key currently stored in the structure @@ -188,13 +188,13 @@ func (prv *PrivateKey) Import(input []byte) error { func (prv *PrivateKey) Generate(rand io.Reader) error { var dp *common.DomainParams - if (prv.keyVariant & KeyVariantSidhA) == KeyVariantSidhA { - dp = &prv.params.A + if (prv.KeyVariant & KeyVariantSidhA) == KeyVariantSidhA { + dp = &prv.Params.A } else { - dp = &prv.params.B + dp = &prv.Params.B } - if prv.keyVariant == KeyVariantSike { + if prv.KeyVariant == KeyVariantSike { if _, err := io.ReadFull(rand, prv.S); err != nil { return err } @@ -222,13 +222,13 @@ func (prv *PrivateKey) Generate(rand io.Reader) error { // Generates public key. func (prv *PrivateKey) GeneratePublicKey(pub *PublicKey) { - var isA = (prv.keyVariant & KeyVariantSidhA) == KeyVariantSidhA + var isA = (prv.KeyVariant & KeyVariantSidhA) == KeyVariantSidhA - if (pub.keyVariant != prv.keyVariant) || (pub.params.ID != prv.params.ID) { + if (pub.KeyVariant != prv.KeyVariant) || (pub.Params.ID != prv.Params.ID) { panic("sidh: incompatbile public key") } - switch prv.params.ID { + switch prv.Params.ID { case Fp434: if isA { p434.PublicKeyGenA(&pub.affine3Pt, prv.Scalar) @@ -258,13 +258,13 @@ func (prv *PrivateKey) GeneratePublicKey(pub *PublicKey) { // // Caller must make sure key SIDH key pair is not used more than once. func (prv *PrivateKey) DeriveSecret(ss []byte, pub *PublicKey) { - var isA = (prv.keyVariant & KeyVariantSidhA) == KeyVariantSidhA + var isA = (prv.KeyVariant & KeyVariantSidhA) == KeyVariantSidhA - if (pub.keyVariant == prv.keyVariant) || (pub.params.ID != prv.params.ID) { + if (pub.KeyVariant == prv.KeyVariant) || (pub.Params.ID != prv.Params.ID) { panic("sidh: public and private are incompatbile") } - switch prv.params.ID { + switch prv.Params.ID { case Fp434: if isA { p434.DeriveSecretA(ss, prv.Scalar, &pub.affine3Pt) diff --git a/dh/sidh/sike.go b/dh/sidh/sike.go index 7eac282..611b68b 100644 --- a/dh/sidh/sike.go +++ b/dh/sidh/sike.go @@ -60,7 +60,7 @@ func (c *KEM) Encapsulate(ciphertext, secret []byte, pub *PublicKey) error { panic("KEM unallocated") } - if KeyVariantSike != pub.keyVariant { + if KeyVariantSike != pub.KeyVariant { panic("Wrong type of public key") } @@ -80,9 +80,9 @@ func (c *KEM) Encapsulate(ciphertext, secret []byte, pub *PublicKey) error { var buf [3 * common.MaxSharedSecretBsz]byte var skA = PrivateKey{ - key: key{ - params: c.params, - keyVariant: KeyVariantSidhA}, + Key: Key{ + Params: c.params, + KeyVariant: KeyVariantSidhA}, Scalar: c.secretBytes} var pkA = NewPublicKey(c.params.ID, KeyVariantSidhA) @@ -114,11 +114,11 @@ func (c *KEM) Decapsulate(secret []byte, prv *PrivateKey, pub *PublicKey, cipher panic("KEM unallocated") } - if KeyVariantSike != pub.keyVariant { + if KeyVariantSike != pub.KeyVariant { panic("Wrong type of public key") } - if pub.keyVariant != prv.keyVariant { + if pub.KeyVariant != prv.KeyVariant { panic("Public and private key are of different type") } @@ -134,9 +134,9 @@ func (c *KEM) Decapsulate(secret []byte, prv *PrivateKey, pub *PublicKey, cipher var r [common.MaxSidhPrivateKeyBsz]byte var pkBytes [3 * common.MaxSharedSecretBsz]byte var skA = PrivateKey{ - key: key{ - params: c.params, - keyVariant: KeyVariantSidhA}, + Key: Key{ + Params: c.params, + KeyVariant: KeyVariantSidhA}, Scalar: c.secretBytes} var pkA = NewPublicKey(c.params.ID, KeyVariantSidhA) c1Len, err := c.decrypt(m[:], prv, ciphertext) @@ -166,7 +166,7 @@ func (c *KEM) Decapsulate(secret []byte, prv *PrivateKey, pub *PublicKey, cipher // // See more details in "On the security of supersingular isogeny cryptosystems" // (S. Galbraith, et al., 2016, ePrint #859). - mask := subtle.ConstantTimeCompare(pkBytes[:c.params.PublicKeySize], ciphertext[:pub.params.PublicKeySize]) + mask := subtle.ConstantTimeCompare(pkBytes[:c.params.PublicKeySize], ciphertext[:pub.Params.PublicKeySize]) common.Cpick(mask, m[:c1Len], m[:c1Len], prv.S) c.shake.Reset() _, _ = c.shake.Write(m[:c1Len]) @@ -201,11 +201,11 @@ func (c *KEM) SharedSecretSize() int { func (c *KEM) generateCiphertext(ctext []byte, skA *PrivateKey, pkA, pkB *PublicKey, ptext []byte) { var n [common.MaxMsgBsz]byte var j [common.MaxSharedSecretBsz]byte - var ptextLen = skA.params.MsgLen + var ptextLen = skA.Params.MsgLen skA.DeriveSecret(j[:], pkB) c.shake.Reset() - _, _ = c.shake.Write(j[:skA.params.SharedSecretSize]) + _, _ = c.shake.Write(j[:skA.Params.SharedSecretSize]) _, _ = c.shake.Read(n[:ptextLen]) for i := range ptext { n[i] ^= ptext[i] @@ -221,12 +221,12 @@ func (c *KEM) generateCiphertext(ctext []byte, skA *PrivateKey, pkA, pkB *Public func (c *KEM) encrypt(ctext []byte, rng io.Reader, pub *PublicKey, ptext []byte) error { var ptextLen = len(ptext) // c1 must be security level + 64 bits (see [SIKE] 1.4 and 4.3.3) - if ptextLen != pub.params.KemSize { + if ptextLen != pub.Params.KemSize { return errors.New("unsupported message length") } - skA := NewPrivateKey(pub.params.ID, KeyVariantSidhA) - pkA := NewPublicKey(pub.params.ID, KeyVariantSidhA) + skA := NewPrivateKey(pub.Params.ID, KeyVariantSidhA) + pkA := NewPublicKey(pub.Params.ID, KeyVariantSidhA) err := skA.Generate(rng) if err != nil { return err @@ -243,17 +243,17 @@ func (c *KEM) encrypt(ctext []byte, rng io.Reader, pub *PublicKey, ptext []byte) func (c *KEM) decrypt(n []byte, prv *PrivateKey, ctext []byte) (int, error) { var c1Len int var j [common.MaxSharedSecretBsz]byte - var pkLen = prv.params.PublicKeySize + var pkLen = prv.Params.PublicKeySize // ctext is a concatenation of (ciphertext = pubkey_A || c1) // it must be security level + 64 bits (see [SIKE] 1.4 and 4.3.3) // Lengths has been already checked by Decapsulate() c1Len = len(ctext) - pkLen - c0 := NewPublicKey(prv.params.ID, KeyVariantSidhA) + c0 := NewPublicKey(prv.Params.ID, KeyVariantSidhA) err := c0.Import(ctext[:pkLen]) prv.DeriveSecret(j[:], c0) c.shake.Reset() - _, _ = c.shake.Write(j[:prv.params.SharedSecretSize]) + _, _ = c.shake.Write(j[:prv.Params.SharedSecretSize]) _, _ = c.shake.Read(n[:c1Len]) for i := range n[:c1Len] { n[i] ^= ctext[pkLen+i]