1
0
mirror of https://github.com/henrydcase/nobs.git synced 2024-11-22 23:28:57 +00:00
nobs/dh/sidh/sidh.go
2020-08-25 11:19:07 +01:00

324 lines
9.6 KiB
Go

package sidh
import (
"errors"
"io"
"github.com/henrydcase/nobs/dh/sidh/common"
"github.com/henrydcase/nobs/dh/sidh/internal/p434"
"github.com/henrydcase/nobs/dh/sidh/internal/p503"
"github.com/henrydcase/nobs/dh/sidh/internal/p751"
)
// I keep it bool in order to be able to apply logical NOT.
type KeyVariant uint
// Base type for public and private key. Used mainly to carry domain
// parameters.
type Key struct {
// Domain parameters of the algorithm to be used with a key
Params *common.SidhParams
// Flag indicates wether corresponds to 2-, 3-torsion group or SIKE
KeyVariant KeyVariant
}
// Defines operations on public key
type PublicKey struct {
Key
// x-coordinates of P,Q,P-Q in this exact order
affine3Pt [3]common.Fp2
}
// Defines operations on private key
type PrivateKey struct {
Key
// Secret key
Scalar []byte
// Used only by KEM
S []byte
}
// Id's correspond to bitlength of the prime field characteristic
// Currently Fp751 is the only one supported by this implementation
const (
Fp434 = common.Fp434
Fp503 = common.Fp503
Fp751 = common.Fp751
)
const (
// First 2 bits identify SIDH variant third bit indicates
// wether key is a SIKE variant (set) or SIDH (not set)
// 001 - SIDH: corresponds to 2-torsion group
KeyVariantSidhA KeyVariant = 1 << 0
// 010 - SIDH: corresponds to 3-torsion group
KeyVariantSidhB = 1 << 1
// 110 - SIKE
KeyVariantSike = 1<<2 | KeyVariantSidhB
)
// Accessor to key variant.
func (key *Key) Variant() KeyVariant {
return key.KeyVariant
}
// NewPublicKey initializes public key.
// Usage of this function guarantees that the object is correctly initialized.
func NewPublicKey(id uint8, v KeyVariant) *PublicKey {
return &PublicKey{Key: Key{Params: common.Params(id), KeyVariant: v}}
}
// Import clears content of the public key currently stored in the structure
// and imports key stored in the byte string. Returns error in case byte string
// size is wrong. Doesn't perform any validation.
func (pub *PublicKey) Import(input []byte) error {
if len(input) != pub.Size() {
return errors.New("sidh: input to short")
}
ssSz := pub.Params.SharedSecretSize
common.BytesToFp2(&pub.affine3Pt[0], input[0:ssSz], pub.Params.Bytelen)
common.BytesToFp2(&pub.affine3Pt[1], input[ssSz:2*ssSz], pub.Params.Bytelen)
common.BytesToFp2(&pub.affine3Pt[2], input[2*ssSz:3*ssSz], pub.Params.Bytelen)
switch pub.Params.ID {
case Fp434:
p434.ToMontgomery(&pub.affine3Pt[0], &pub.affine3Pt[0])
p434.ToMontgomery(&pub.affine3Pt[1], &pub.affine3Pt[1])
p434.ToMontgomery(&pub.affine3Pt[2], &pub.affine3Pt[2])
case Fp503:
p503.ToMontgomery(&pub.affine3Pt[0], &pub.affine3Pt[0])
p503.ToMontgomery(&pub.affine3Pt[1], &pub.affine3Pt[1])
p503.ToMontgomery(&pub.affine3Pt[2], &pub.affine3Pt[2])
case Fp751:
p751.ToMontgomery(&pub.affine3Pt[0], &pub.affine3Pt[0])
p751.ToMontgomery(&pub.affine3Pt[1], &pub.affine3Pt[1])
p751.ToMontgomery(&pub.affine3Pt[2], &pub.affine3Pt[2])
default:
panic("Unsupported key")
}
return nil
}
// Exports currently stored key. In case structure hasn't been filled with key data
// returned byte string is filled with zeros.
func (pub *PublicKey) Export(out []byte) {
var feTmp [3]common.Fp2
ssSz := pub.Params.SharedSecretSize
switch pub.Params.ID {
case Fp434:
p434.FromMontgomery(&feTmp[0], &pub.affine3Pt[0])
p434.FromMontgomery(&feTmp[1], &pub.affine3Pt[1])
p434.FromMontgomery(&feTmp[2], &pub.affine3Pt[2])
case Fp503:
p503.FromMontgomery(&feTmp[0], &pub.affine3Pt[0])
p503.FromMontgomery(&feTmp[1], &pub.affine3Pt[1])
p503.FromMontgomery(&feTmp[2], &pub.affine3Pt[2])
case Fp751:
p751.FromMontgomery(&feTmp[0], &pub.affine3Pt[0])
p751.FromMontgomery(&feTmp[1], &pub.affine3Pt[1])
p751.FromMontgomery(&feTmp[2], &pub.affine3Pt[2])
default:
panic("Unsupported key")
}
common.Fp2ToBytes(out[0:ssSz], &feTmp[0], pub.Params.Bytelen)
common.Fp2ToBytes(out[ssSz:2*ssSz], &feTmp[1], pub.Params.Bytelen)
common.Fp2ToBytes(out[2*ssSz:3*ssSz], &feTmp[2], pub.Params.Bytelen)
}
// Size returns size of the public key in bytes.
func (pub *PublicKey) Size() int {
return pub.Params.PublicKeySize
}
// NewPrivateKey initializes private key.
// Usage of this function guarantees that the object is correctly initialized.
func NewPrivateKey(id uint8, v KeyVariant) *PrivateKey {
prv := &PrivateKey{Key: Key{Params: common.Params(id), KeyVariant: v}}
if (v & KeyVariantSidhA) == KeyVariantSidhA {
prv.Scalar = make([]byte, prv.Params.A.SecretByteLen)
} else {
prv.Scalar = make([]byte, prv.Params.B.SecretByteLen)
}
if v == KeyVariantSike {
prv.S = make([]byte, prv.Params.MsgLen)
}
return prv
}
// Exports currently stored key. In case structure hasn't been filled with key data
// returned byte string is filled with zeros.
func (prv *PrivateKey) Export(out []byte) {
copy(out, prv.S)
copy(out[len(prv.S):], prv.Scalar)
}
// Size returns size of the private key in bytes.
func (prv *PrivateKey) Size() int {
tmp := len(prv.Scalar)
if prv.Variant() == KeyVariantSike {
tmp += prv.Params.MsgLen
}
return tmp
}
// Size returns size of the shared secret.
func (prv *PrivateKey) SharedSecretSize() int {
return prv.Params.SharedSecretSize
}
// Import clears content of the private key currently stored in the structure
// and imports key from octet string. In case of SIKE, the random value 'S'
// must be prepended to the value of actual private key (see SIKE spec for details).
// Function doesn't import public key value to PrivateKey object.
func (prv *PrivateKey) Import(input []byte) error {
if len(input) != prv.Size() {
return errors.New("sidh: input to short")
}
copy(prv.S, input[:len(prv.S)])
copy(prv.Scalar, input[len(prv.S):])
return nil
}
// Generates random private key for SIDH or SIKE. Generated value is
// formed as little-endian integer from key-space <2^(e2-1)..2^e2 - 1>
// for KeyVariant_A or <2^(s-1)..2^s - 1>, where s = floor(log_2(3^e3)),
// for KeyVariant_B.
//
// Returns error in case user provided RNG fails.
func (prv *PrivateKey) Generate(rand io.Reader) error {
var dp *common.DomainParams
if (prv.KeyVariant & KeyVariantSidhA) == KeyVariantSidhA {
dp = &prv.Params.A
} else {
dp = &prv.Params.B
}
if prv.KeyVariant == KeyVariantSike {
if _, err := io.ReadFull(rand, prv.S); err != nil {
return err
}
}
// Private key generation takes advantage of the fact that keyspace for secret
// key is (0, 2^x - 1), for some possitivite value of 'x' (see SIKE, 1.3.8).
// It means that all bytes in the secret key, but the last one, can take any
// value between <0x00,0xFF>. Similarly for the last byte, but generation
// needs to chop off some bits, to make sure generated value is an element of
// a key-space.
if _, err := io.ReadFull(rand, prv.Scalar); err != nil {
return err
}
prv.Scalar[len(prv.Scalar)-1] &= (1 << (dp.SecretBitLen % 8)) - 1
// Make sure scalar is SecretBitLen long. SIKE spec says that key
// space starts from 0, but I'm not comfortable with having low
// value scalars used for private keys. It is still secrure as per
// table 5.1 in [SIKE].
prv.Scalar[len(prv.Scalar)-1] |= 1 << ((dp.SecretBitLen % 8) - 1)
return nil
}
// Generates public key.
func (prv *PrivateKey) GeneratePublicKey(pub *PublicKey) {
var isA = (prv.KeyVariant & KeyVariantSidhA) == KeyVariantSidhA
if (pub.KeyVariant != prv.KeyVariant) || (pub.Params.ID != prv.Params.ID) {
panic("sidh: incompatbile public key")
}
switch prv.Params.ID {
case Fp434:
if isA {
p434.PublicKeyGenA(&pub.affine3Pt, prv.Scalar)
} else {
p434.PublicKeyGenB(&pub.affine3Pt, prv.Scalar)
}
case Fp503:
if isA {
p503.PublicKeyGenA(&pub.affine3Pt, prv.Scalar)
} else {
p503.PublicKeyGenB(&pub.affine3Pt, prv.Scalar)
}
case Fp751:
if isA {
p751.PublicKeyGenA(&pub.affine3Pt, prv.Scalar)
} else {
p751.PublicKeyGenB(&pub.affine3Pt, prv.Scalar)
}
default:
panic("Field not supported")
}
}
// Computes a SIDH shared secret. Function requires that pub has different
// KeyVariant than prv. Length of returned output is 2*ceil(log_2 P)/8),
// where P is a prime defining finite field.
//
// Caller must make sure key SIDH key pair is not used more than once.
func (prv *PrivateKey) DeriveSecret(ss []byte, pub *PublicKey) {
var isA = (prv.KeyVariant & KeyVariantSidhA) == KeyVariantSidhA
if (pub.KeyVariant == prv.KeyVariant) || (pub.Params.ID != prv.Params.ID) {
panic("sidh: public and private are incompatbile")
}
switch prv.Params.ID {
case Fp434:
if isA {
p434.DeriveSecretA(ss, prv.Scalar, &pub.affine3Pt)
} else {
p434.DeriveSecretB(ss, prv.Scalar, &pub.affine3Pt)
}
case Fp503:
if isA {
p503.DeriveSecretA(ss, prv.Scalar, &pub.affine3Pt)
} else {
p503.DeriveSecretB(ss, prv.Scalar, &pub.affine3Pt)
}
case Fp751:
if isA {
p751.DeriveSecretA(ss, prv.Scalar, &pub.affine3Pt)
} else {
p751.DeriveSecretB(ss, prv.Scalar, &pub.affine3Pt)
}
default:
panic("Field not supported")
}
}
// Alternative API
// TODO: this looks better than the one above - swap it
func (c *Key) Init(fieldID uint8, v KeyVariant) {
c.Params = common.Params(fieldID)
if c.Params == nil {
panic("Params nil")
}
c.KeyVariant = v
}
func (c *PrivateKey) Init(fieldId uint8, v KeyVariant) {
c.Key.Init(fieldId, v)
if (v & KeyVariantSidhA) == KeyVariantSidhA {
c.Scalar = make([]byte, c.Params.A.SecretByteLen)
} else {
c.Scalar = make([]byte, c.Params.B.SecretByteLen)
}
if v == KeyVariantSike {
c.S = make([]byte, c.Params.MsgLen)
}
}
func GeneratePrivateKey(prv *PrivateKey, rng io.Reader) {
prv.Generate(rng)
}
func GeneratePublicKey(pub *PublicKey, prv *PrivateKey) {
prv.GeneratePublicKey(pub)
}
func DeriveSecret(ss []byte, pub *PublicKey, prv *PrivateKey) {
prv.DeriveSecret(ss, pub)
}