2019-06-10 17:57:26 +01:00
|
|
|
#include "H_Q_matrices_generation.h"
|
|
|
|
|
#include "bf_decoding.h"
|
|
|
|
|
#include "dfr_test.h"
|
|
|
|
|
#include "gf2x_arith_mod_xPplusOne.h"
|
|
|
|
|
#include "niederreiter.h"
|
|
|
|
|
#include "qc_ldpc_parameters.h"
|
|
|
|
|
#include "rng.h"
|
|
|
|
|
|
|
|
|
|
#include <string.h>
|
|
|
|
|
|
2019-06-16 16:01:29 +01:00
|
|
|
void PQCLEAN_LEDAKEMLT32_LEAKTIME_niederreiter_keygen(publicKeyNiederreiter_t *pk, privateKeyNiederreiter_t *sk, AES_XOF_struct *keys_expander) {
|
2019-06-10 17:57:26 +01:00
|
|
|
|
2019-06-11 13:21:49 +01:00
|
|
|
POSITION_T HPosOnes[N0][DV]; // sequence of N0 circ block matrices (p x p): Hi
|
|
|
|
|
POSITION_T HtrPosOnes[N0][DV]; // Sparse tranposed circulant H
|
|
|
|
|
POSITION_T QPosOnes[N0][M]; // Sparse Q, Each row contains the position of the ones of all the blocks of a row of Q as exponent+P*block_position
|
2019-06-10 17:57:26 +01:00
|
|
|
POSITION_T LPosOnes[N0][DV * M];
|
2019-06-11 13:21:49 +01:00
|
|
|
POSITION_T auxPosOnes[DV * M];
|
|
|
|
|
unsigned char processedQOnes[N0];
|
|
|
|
|
DIGIT Ln0dense[NUM_DIGITS_GF2X_ELEMENT];
|
|
|
|
|
DIGIT Ln0Inv[NUM_DIGITS_GF2X_ELEMENT];
|
2019-06-10 17:57:26 +01:00
|
|
|
int is_L_full = 0;
|
2019-06-14 15:07:31 +01:00
|
|
|
uint8_t threshold = (DV * M) / 2 + 1; // threshold for round 2
|
2019-06-10 17:57:26 +01:00
|
|
|
sk->rejections = (int8_t) 0;
|
2019-06-11 13:21:49 +01:00
|
|
|
|
2019-06-10 17:57:26 +01:00
|
|
|
do {
|
2019-06-16 16:01:29 +01:00
|
|
|
PQCLEAN_LEDAKEMLT32_LEAKTIME_generateHPosOnes_HtrPosOnes(HPosOnes, HtrPosOnes, keys_expander);
|
|
|
|
|
PQCLEAN_LEDAKEMLT32_LEAKTIME_generateQsparse(QPosOnes, keys_expander);
|
2019-06-10 17:57:26 +01:00
|
|
|
for (int i = 0; i < N0; i++) {
|
|
|
|
|
for (int j = 0; j < DV * M; j++) {
|
|
|
|
|
LPosOnes[i][j] = INVALID_POS_VALUE;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2019-06-11 13:21:49 +01:00
|
|
|
memset(processedQOnes, 0x00, sizeof(processedQOnes));
|
2019-06-10 17:57:26 +01:00
|
|
|
for (int colQ = 0; colQ < N0; colQ++) {
|
|
|
|
|
for (int i = 0; i < N0; i++) {
|
2019-06-16 16:01:29 +01:00
|
|
|
PQCLEAN_LEDAKEMLT32_LEAKTIME_gf2x_mod_mul_sparse(DV * M, auxPosOnes,
|
2019-06-10 17:57:26 +01:00
|
|
|
DV, HPosOnes[i],
|
|
|
|
|
qBlockWeights[i][colQ], QPosOnes[i] + processedQOnes[i]);
|
2019-06-16 16:01:29 +01:00
|
|
|
PQCLEAN_LEDAKEMLT32_LEAKTIME_gf2x_mod_add_sparse(DV * M, LPosOnes[colQ],
|
2019-06-10 17:57:26 +01:00
|
|
|
DV * M, LPosOnes[colQ],
|
|
|
|
|
DV * M, auxPosOnes);
|
|
|
|
|
processedQOnes[i] += qBlockWeights[i][colQ];
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
is_L_full = 1;
|
|
|
|
|
for (int i = 0; i < N0; i++) {
|
|
|
|
|
is_L_full = is_L_full && (LPosOnes[i][DV * M - 1] != INVALID_POS_VALUE);
|
|
|
|
|
}
|
|
|
|
|
sk->rejections = sk->rejections + 1;
|
|
|
|
|
if (is_L_full) {
|
2019-06-16 16:01:29 +01:00
|
|
|
threshold = PQCLEAN_LEDAKEMLT32_LEAKTIME_DFR_test(LPosOnes);
|
2019-06-10 17:57:26 +01:00
|
|
|
}
|
2019-06-14 13:23:58 +01:00
|
|
|
} while (!is_L_full || threshold == DFR_TEST_FAIL);
|
2019-06-10 17:57:26 +01:00
|
|
|
sk->rejections = sk->rejections - 1;
|
2019-06-14 13:23:58 +01:00
|
|
|
sk->threshold = threshold;
|
2019-06-10 17:57:26 +01:00
|
|
|
|
2019-06-11 13:21:49 +01:00
|
|
|
memset(Ln0dense, 0x00, sizeof(Ln0dense));
|
2019-06-10 17:57:26 +01:00
|
|
|
for (int j = 0; j < DV * M; j++) {
|
|
|
|
|
if (LPosOnes[N0 - 1][j] != INVALID_POS_VALUE) {
|
2019-06-16 16:01:29 +01:00
|
|
|
PQCLEAN_LEDAKEMLT32_LEAKTIME_gf2x_set_coeff(Ln0dense, LPosOnes[N0 - 1][j], 1);
|
2019-06-10 17:57:26 +01:00
|
|
|
}
|
|
|
|
|
}
|
2019-06-11 13:21:49 +01:00
|
|
|
|
|
|
|
|
memset(Ln0Inv, 0x00, sizeof(Ln0Inv));
|
2019-06-16 16:01:29 +01:00
|
|
|
PQCLEAN_LEDAKEMLT32_LEAKTIME_gf2x_mod_inverse(Ln0Inv, Ln0dense);
|
2019-06-10 17:57:26 +01:00
|
|
|
for (int i = 0; i < N0 - 1; i++) {
|
2019-06-16 16:01:29 +01:00
|
|
|
PQCLEAN_LEDAKEMLT32_LEAKTIME_gf2x_mod_mul_dense_to_sparse(pk->Mtr + i * NUM_DIGITS_GF2X_ELEMENT,
|
2019-06-10 17:57:26 +01:00
|
|
|
Ln0Inv,
|
|
|
|
|
LPosOnes[i],
|
|
|
|
|
DV * M);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
for (int i = 0; i < N0 - 1; i++) {
|
2019-06-16 16:01:29 +01:00
|
|
|
PQCLEAN_LEDAKEMLT32_LEAKTIME_gf2x_transpose_in_place(pk->Mtr + i * NUM_DIGITS_GF2X_ELEMENT);
|
2019-06-10 17:57:26 +01:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
2019-06-16 16:01:29 +01:00
|
|
|
void PQCLEAN_LEDAKEMLT32_LEAKTIME_niederreiter_encrypt(DIGIT *syndrome, const publicKeyNiederreiter_t *pk, const DIGIT *err) {
|
2019-06-10 17:57:26 +01:00
|
|
|
int i;
|
|
|
|
|
DIGIT saux[NUM_DIGITS_GF2X_ELEMENT];
|
|
|
|
|
|
|
|
|
|
memset(syndrome, 0x00, NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_B);
|
|
|
|
|
for (i = 0; i < N0 - 1; i++) {
|
2019-06-16 16:01:29 +01:00
|
|
|
PQCLEAN_LEDAKEMLT32_LEAKTIME_gf2x_mod_mul(saux,
|
|
|
|
|
pk->Mtr + i * NUM_DIGITS_GF2X_ELEMENT,
|
|
|
|
|
err + i * NUM_DIGITS_GF2X_ELEMENT);
|
|
|
|
|
PQCLEAN_LEDAKEMLT32_LEAKTIME_gf2x_mod_add(syndrome, syndrome, saux);
|
2019-06-11 13:21:49 +01:00
|
|
|
}
|
2019-06-16 16:01:29 +01:00
|
|
|
PQCLEAN_LEDAKEMLT32_LEAKTIME_gf2x_mod_add(syndrome, syndrome, err + (N0 - 1)*NUM_DIGITS_GF2X_ELEMENT);
|
2019-06-10 17:57:26 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
2019-06-16 16:01:29 +01:00
|
|
|
int PQCLEAN_LEDAKEMLT32_LEAKTIME_niederreiter_decrypt(DIGIT *err, const privateKeyNiederreiter_t *sk, const DIGIT *syndrome) {
|
2019-06-10 17:57:26 +01:00
|
|
|
AES_XOF_struct niederreiter_decrypt_expander;
|
|
|
|
|
POSITION_T HPosOnes[N0][DV];
|
|
|
|
|
POSITION_T HtrPosOnes[N0][DV];
|
|
|
|
|
POSITION_T QPosOnes[N0][M];
|
2019-06-11 13:21:49 +01:00
|
|
|
POSITION_T QtrPosOnes[N0][M];
|
|
|
|
|
POSITION_T auxPosOnes[DV * M];
|
2019-06-10 17:57:26 +01:00
|
|
|
POSITION_T LPosOnes[N0][DV * M];
|
2019-06-11 13:21:49 +01:00
|
|
|
POSITION_T auxSparse[DV * M];
|
|
|
|
|
POSITION_T Ln0trSparse[DV * M];
|
|
|
|
|
unsigned char processedQOnes[N0];
|
|
|
|
|
unsigned transposed_ones_idx[N0];
|
|
|
|
|
DIGIT privateSyndrome[NUM_DIGITS_GF2X_ELEMENT];
|
|
|
|
|
DIGIT mockup_error_vector[N0 * NUM_DIGITS_GF2X_ELEMENT];
|
|
|
|
|
int rejections = sk->rejections;
|
|
|
|
|
int currQoneIdx, endQblockIdx;
|
|
|
|
|
int decryptOk, err_weight;
|
|
|
|
|
|
2019-06-16 16:01:29 +01:00
|
|
|
PQCLEAN_LEDAKEMLT32_LEAKTIME_seedexpander_from_trng(&niederreiter_decrypt_expander, sk->prng_seed);
|
2019-06-11 13:21:49 +01:00
|
|
|
|
2019-06-10 17:57:26 +01:00
|
|
|
do {
|
2019-06-16 16:01:29 +01:00
|
|
|
PQCLEAN_LEDAKEMLT32_LEAKTIME_generateHPosOnes_HtrPosOnes(HPosOnes, HtrPosOnes, &niederreiter_decrypt_expander);
|
|
|
|
|
PQCLEAN_LEDAKEMLT32_LEAKTIME_generateQsparse(QPosOnes, &niederreiter_decrypt_expander);
|
2019-06-10 17:57:26 +01:00
|
|
|
for (int i = 0; i < N0; i++) {
|
|
|
|
|
for (int j = 0; j < DV * M; j++) {
|
|
|
|
|
LPosOnes[i][j] = INVALID_POS_VALUE;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2019-06-11 13:21:49 +01:00
|
|
|
memset(processedQOnes, 0x00, sizeof(processedQOnes));
|
2019-06-10 17:57:26 +01:00
|
|
|
for (int colQ = 0; colQ < N0; colQ++) {
|
|
|
|
|
for (int i = 0; i < N0; i++) {
|
2019-06-16 16:01:29 +01:00
|
|
|
PQCLEAN_LEDAKEMLT32_LEAKTIME_gf2x_mod_mul_sparse(DV * M, auxPosOnes,
|
2019-06-10 17:57:26 +01:00
|
|
|
DV, HPosOnes[i],
|
|
|
|
|
qBlockWeights[i][colQ], QPosOnes[i] + processedQOnes[i]);
|
2019-06-16 16:01:29 +01:00
|
|
|
PQCLEAN_LEDAKEMLT32_LEAKTIME_gf2x_mod_add_sparse(DV * M, LPosOnes[colQ],
|
2019-06-10 17:57:26 +01:00
|
|
|
DV * M, LPosOnes[colQ],
|
|
|
|
|
DV * M, auxPosOnes);
|
|
|
|
|
processedQOnes[i] += qBlockWeights[i][colQ];
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
rejections--;
|
|
|
|
|
} while (rejections >= 0);
|
|
|
|
|
|
2019-06-11 13:21:49 +01:00
|
|
|
memset(transposed_ones_idx, 0x00, sizeof(transposed_ones_idx));
|
2019-06-10 17:57:26 +01:00
|
|
|
for (unsigned source_row_idx = 0; source_row_idx < N0 ; source_row_idx++) {
|
2019-06-11 13:21:49 +01:00
|
|
|
currQoneIdx = 0; // position in the column of QtrPosOnes[][...]
|
|
|
|
|
endQblockIdx = 0;
|
2019-06-10 17:57:26 +01:00
|
|
|
for (int blockIdx = 0; blockIdx < N0; blockIdx++) {
|
|
|
|
|
endQblockIdx += qBlockWeights[source_row_idx][blockIdx];
|
|
|
|
|
for (; currQoneIdx < endQblockIdx; currQoneIdx++) {
|
|
|
|
|
QtrPosOnes[blockIdx][transposed_ones_idx[blockIdx]] = (P -
|
|
|
|
|
QPosOnes[source_row_idx][currQoneIdx]) % P;
|
|
|
|
|
transposed_ones_idx[blockIdx]++;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
for (int i = 0; i < DV * M; i++) {
|
|
|
|
|
Ln0trSparse[i] = INVALID_POS_VALUE;
|
|
|
|
|
auxSparse[i] = INVALID_POS_VALUE;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
for (int i = 0; i < N0; i++) {
|
2019-06-16 16:01:29 +01:00
|
|
|
PQCLEAN_LEDAKEMLT32_LEAKTIME_gf2x_mod_mul_sparse(DV * M, auxSparse,
|
2019-06-10 17:57:26 +01:00
|
|
|
DV, HPosOnes[i],
|
|
|
|
|
qBlockWeights[i][N0 - 1], &QPosOnes[i][ M - qBlockWeights[i][N0 - 1]]);
|
2019-06-16 16:01:29 +01:00
|
|
|
PQCLEAN_LEDAKEMLT32_LEAKTIME_gf2x_mod_add_sparse(DV * M, Ln0trSparse,
|
2019-06-10 17:57:26 +01:00
|
|
|
DV * M, Ln0trSparse,
|
|
|
|
|
DV * M, auxSparse);
|
|
|
|
|
}
|
|
|
|
|
|
2019-06-16 16:01:29 +01:00
|
|
|
PQCLEAN_LEDAKEMLT32_LEAKTIME_gf2x_transpose_in_place_sparse(DV * M, Ln0trSparse);
|
|
|
|
|
PQCLEAN_LEDAKEMLT32_LEAKTIME_gf2x_mod_mul_dense_to_sparse(privateSyndrome, syndrome, Ln0trSparse, DV * M);
|
2019-06-10 17:57:26 +01:00
|
|
|
|
|
|
|
|
/* prepare mockup error vector in case a decoding failure occurs */
|
|
|
|
|
memset(mockup_error_vector, 0x00, N0 * NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_B);
|
|
|
|
|
memcpy(mockup_error_vector, syndrome, NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_B);
|
2019-06-16 16:01:29 +01:00
|
|
|
PQCLEAN_LEDAKEMLT32_LEAKTIME_seedexpander(&niederreiter_decrypt_expander,
|
|
|
|
|
((unsigned char *) mockup_error_vector) + (NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_B),
|
|
|
|
|
TRNG_BYTE_LENGTH);
|
2019-06-10 17:57:26 +01:00
|
|
|
|
|
|
|
|
memset(err, 0x00, N0 * NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_B);
|
2019-06-16 16:01:29 +01:00
|
|
|
decryptOk = PQCLEAN_LEDAKEMLT32_LEAKTIME_bf_decoding(err, (const POSITION_T (*)[DV]) HtrPosOnes,
|
2019-06-14 13:23:58 +01:00
|
|
|
(const POSITION_T (*)[M]) QtrPosOnes, privateSyndrome, sk->threshold);
|
2019-06-10 17:57:26 +01:00
|
|
|
|
2019-06-11 13:21:49 +01:00
|
|
|
err_weight = 0;
|
2019-06-10 17:57:26 +01:00
|
|
|
for (int i = 0 ; i < N0; i++) {
|
2019-06-16 16:01:29 +01:00
|
|
|
err_weight += PQCLEAN_LEDAKEMLT32_LEAKTIME_population_count(err + (NUM_DIGITS_GF2X_ELEMENT * i));
|
2019-06-10 17:57:26 +01:00
|
|
|
}
|
|
|
|
|
decryptOk = decryptOk && (err_weight == NUM_ERRORS_T);
|
|
|
|
|
|
|
|
|
|
if (!decryptOk) { // TODO: not constant time, replace with cmov?
|
|
|
|
|
memcpy(err, mockup_error_vector, N0 * NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_B);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return decryptOk;
|
|
|
|
|
}
|
