pqc/crypto_kem/ledakemlt12/leaktime/niederreiter.c

193 lines
7.6 KiB
C
Raw Normal View History

2019-06-10 17:57:26 +01:00
#include "H_Q_matrices_generation.h"
#include "bf_decoding.h"
#include "dfr_test.h"
#include "gf2x_arith_mod_xPplusOne.h"
#include "niederreiter.h"
#include "qc_ldpc_parameters.h"
2019-08-21 13:28:31 +01:00
#include "randombytes.h"
2019-06-10 17:57:26 +01:00
#include "rng.h"
#include <string.h>
2019-08-21 13:28:31 +01:00
void PQCLEAN_LEDAKEMLT12_LEAKTIME_niederreiter_keygen(publicKeyNiederreiter_t *pk, privateKeyNiederreiter_t *sk) {
2019-06-10 17:57:26 +01:00
2019-08-21 13:28:31 +01:00
AES_XOF_struct keys_expander;
POSITION_T HPosOnes[N0][DV];
POSITION_T QPosOnes[N0][M];
2019-06-10 17:57:26 +01:00
POSITION_T LPosOnes[N0][DV * M];
POSITION_T auxPosOnes[DV * M];
unsigned char processedQOnes[N0];
2019-08-21 13:28:31 +01:00
DIGIT Ln0dense[NUM_DIGITS_GF2X_ELEMENT] = {0};
DIGIT Ln0Inv[NUM_DIGITS_GF2X_ELEMENT] = {0};
int is_L_full;
2019-08-23 11:41:58 +01:00
int isDFRok = 0;
2019-08-21 13:28:31 +01:00
memset(&keys_expander, 0x00, sizeof(AES_XOF_struct));
randombytes(sk->prng_seed, TRNG_BYTE_LENGTH);
PQCLEAN_LEDAKEMLT12_LEAKTIME_seedexpander_from_trng(&keys_expander, sk->prng_seed);
2019-08-21 13:28:31 +01:00
sk->rejections = (uint8_t) 0;
2019-06-10 17:57:26 +01:00
do {
2019-08-21 13:28:31 +01:00
PQCLEAN_LEDAKEMLT12_LEAKTIME_generateHPosOnes(HPosOnes, &keys_expander);
PQCLEAN_LEDAKEMLT12_LEAKTIME_generateQPosOnes(QPosOnes, &keys_expander);
2019-06-10 17:57:26 +01:00
for (int i = 0; i < N0; i++) {
for (int j = 0; j < DV * M; j++) {
LPosOnes[i][j] = INVALID_POS_VALUE;
}
}
memset(processedQOnes, 0x00, sizeof(processedQOnes));
2019-06-10 17:57:26 +01:00
for (int colQ = 0; colQ < N0; colQ++) {
for (int i = 0; i < N0; i++) {
2019-06-16 16:01:29 +01:00
PQCLEAN_LEDAKEMLT12_LEAKTIME_gf2x_mod_mul_sparse(DV * M, auxPosOnes,
2019-06-10 17:57:26 +01:00
DV, HPosOnes[i],
qBlockWeights[i][colQ], QPosOnes[i] + processedQOnes[i]);
2019-06-16 16:01:29 +01:00
PQCLEAN_LEDAKEMLT12_LEAKTIME_gf2x_mod_add_sparse(DV * M, LPosOnes[colQ],
2019-06-10 17:57:26 +01:00
DV * M, LPosOnes[colQ],
DV * M, auxPosOnes);
processedQOnes[i] += qBlockWeights[i][colQ];
}
}
is_L_full = 1;
2019-08-24 14:48:38 +01:00
for (size_t i = 0; i < N0; i++) {
2019-06-10 17:57:26 +01:00
is_L_full = is_L_full && (LPosOnes[i][DV * M - 1] != INVALID_POS_VALUE);
}
sk->rejections = sk->rejections + 1;
if (is_L_full) {
2019-08-21 13:28:31 +01:00
isDFRok = PQCLEAN_LEDAKEMLT12_LEAKTIME_DFR_test(LPosOnes, &(sk->secondIterThreshold));
2019-06-10 17:57:26 +01:00
}
2019-08-21 13:28:31 +01:00
} while (!is_L_full || !isDFRok);
2019-06-10 17:57:26 +01:00
sk->rejections = sk->rejections - 1;
2019-08-21 13:28:31 +01:00
PQCLEAN_LEDAKEMLT12_LEAKTIME_seedexpander(&keys_expander,
sk->decryption_failure_secret,
(unsigned long)TRNG_BYTE_LENGTH);
2019-08-24 14:48:38 +01:00
for (size_t j = 0; j < DV * M; j++) {
2019-06-10 17:57:26 +01:00
if (LPosOnes[N0 - 1][j] != INVALID_POS_VALUE) {
2019-06-16 16:01:29 +01:00
PQCLEAN_LEDAKEMLT12_LEAKTIME_gf2x_set_coeff(Ln0dense, LPosOnes[N0 - 1][j], 1);
2019-06-10 17:57:26 +01:00
}
}
2019-06-16 16:01:29 +01:00
PQCLEAN_LEDAKEMLT12_LEAKTIME_gf2x_mod_inverse(Ln0Inv, Ln0dense);
2019-08-24 14:48:38 +01:00
for (size_t i = 0; i < N0 - 1; i++) {
2019-06-16 16:01:29 +01:00
PQCLEAN_LEDAKEMLT12_LEAKTIME_gf2x_mod_mul_dense_to_sparse(pk->Mtr + i * NUM_DIGITS_GF2X_ELEMENT,
2019-06-10 17:57:26 +01:00
Ln0Inv,
LPosOnes[i],
DV * M);
}
2019-08-24 14:48:38 +01:00
for (size_t i = 0; i < N0 - 1; i++) {
2019-06-16 16:01:29 +01:00
PQCLEAN_LEDAKEMLT12_LEAKTIME_gf2x_transpose_in_place(pk->Mtr + i * NUM_DIGITS_GF2X_ELEMENT);
2019-06-10 17:57:26 +01:00
}
}
2019-08-21 13:28:31 +01:00
void PQCLEAN_LEDAKEMLT12_LEAKTIME_niederreiter_encrypt(DIGIT syndrome[],
const publicKeyNiederreiter_t *pk,
const DIGIT err[]) {
2019-06-10 17:57:26 +01:00
DIGIT saux[NUM_DIGITS_GF2X_ELEMENT];
memset(syndrome, 0x00, NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_B);
2019-08-21 13:28:31 +01:00
for (size_t i = 0; i < N0 - 1; i++) {
2019-06-16 16:01:29 +01:00
PQCLEAN_LEDAKEMLT12_LEAKTIME_gf2x_mod_mul(saux,
pk->Mtr + i * NUM_DIGITS_GF2X_ELEMENT,
err + i * NUM_DIGITS_GF2X_ELEMENT);
PQCLEAN_LEDAKEMLT12_LEAKTIME_gf2x_mod_add(syndrome, syndrome, saux);
2019-08-21 13:28:31 +01:00
}
2019-06-16 16:01:29 +01:00
PQCLEAN_LEDAKEMLT12_LEAKTIME_gf2x_mod_add(syndrome, syndrome, err + (N0 - 1)*NUM_DIGITS_GF2X_ELEMENT);
2019-06-10 17:57:26 +01:00
}
2019-06-16 16:01:29 +01:00
int PQCLEAN_LEDAKEMLT12_LEAKTIME_niederreiter_decrypt(DIGIT *err, const privateKeyNiederreiter_t *sk, const DIGIT *syndrome) {
2019-06-10 17:57:26 +01:00
AES_XOF_struct niederreiter_decrypt_expander;
POSITION_T HPosOnes[N0][DV];
POSITION_T QPosOnes[N0][M];
POSITION_T LPosOnes[N0][DV * M];
2019-08-21 13:28:31 +01:00
POSITION_T auxPosOnes[DV * M];
POSITION_T HtrPosOnes[N0][DV];
POSITION_T QtrPosOnes[N0][M];
POSITION_T auxSparse[DV * M];
POSITION_T Ln0trSparse[DV * M];
DIGIT err_computed[N0 * NUM_DIGITS_GF2X_ELEMENT] = {0};
DIGIT err_mockup[N0 * NUM_DIGITS_GF2X_ELEMENT];
DIGIT privateSyndrome[NUM_DIGITS_GF2X_ELEMENT];
2019-08-24 14:48:38 +01:00
uint8_t processedQOnes[N0];
int rejections = sk->rejections;
2019-08-24 14:48:38 +01:00
int decrypt_ok = 0;
int err_weight;
2019-06-16 16:01:29 +01:00
PQCLEAN_LEDAKEMLT12_LEAKTIME_seedexpander_from_trng(&niederreiter_decrypt_expander, sk->prng_seed);
2019-06-10 17:57:26 +01:00
do {
2019-08-21 13:28:31 +01:00
PQCLEAN_LEDAKEMLT12_LEAKTIME_generateHPosOnes(HPosOnes, &niederreiter_decrypt_expander);
PQCLEAN_LEDAKEMLT12_LEAKTIME_generateQPosOnes(QPosOnes, &niederreiter_decrypt_expander);
2019-08-24 14:48:38 +01:00
for (size_t i = 0; i < N0; i++) {
for (size_t j = 0; j < DV * M; j++) {
2019-06-10 17:57:26 +01:00
LPosOnes[i][j] = INVALID_POS_VALUE;
}
}
memset(processedQOnes, 0x00, sizeof(processedQOnes));
2019-08-24 14:48:38 +01:00
for (size_t colQ = 0; colQ < N0; colQ++) {
for (size_t i = 0; i < N0; i++) {
2019-06-16 16:01:29 +01:00
PQCLEAN_LEDAKEMLT12_LEAKTIME_gf2x_mod_mul_sparse(DV * M, auxPosOnes,
2019-06-10 17:57:26 +01:00
DV, HPosOnes[i],
qBlockWeights[i][colQ], QPosOnes[i] + processedQOnes[i]);
2019-06-16 16:01:29 +01:00
PQCLEAN_LEDAKEMLT12_LEAKTIME_gf2x_mod_add_sparse(DV * M, LPosOnes[colQ],
2019-06-10 17:57:26 +01:00
DV * M, LPosOnes[colQ],
DV * M, auxPosOnes);
processedQOnes[i] += qBlockWeights[i][colQ];
}
}
rejections--;
} while (rejections >= 0);
2019-08-21 13:28:31 +01:00
PQCLEAN_LEDAKEMLT12_LEAKTIME_transposeHPosOnes(HtrPosOnes, HPosOnes);
PQCLEAN_LEDAKEMLT12_LEAKTIME_transposeQPosOnes(QtrPosOnes, QPosOnes);
2019-06-10 17:57:26 +01:00
2019-08-24 14:48:38 +01:00
for (size_t i = 0; i < DV * M; i++) {
2019-06-10 17:57:26 +01:00
Ln0trSparse[i] = INVALID_POS_VALUE;
auxSparse[i] = INVALID_POS_VALUE;
}
2019-08-24 14:48:38 +01:00
for (size_t i = 0; i < N0; i++) {
2019-06-16 16:01:29 +01:00
PQCLEAN_LEDAKEMLT12_LEAKTIME_gf2x_mod_mul_sparse(DV * M, auxSparse,
2019-06-10 17:57:26 +01:00
DV, HPosOnes[i],
2019-08-24 14:48:38 +01:00
qBlockWeights[i][N0 - 1], &QPosOnes[i][M - qBlockWeights[i][N0 - 1]]);
2019-06-16 16:01:29 +01:00
PQCLEAN_LEDAKEMLT12_LEAKTIME_gf2x_mod_add_sparse(DV * M, Ln0trSparse,
2019-06-10 17:57:26 +01:00
DV * M, Ln0trSparse,
DV * M, auxSparse);
}
2019-06-16 16:01:29 +01:00
PQCLEAN_LEDAKEMLT12_LEAKTIME_gf2x_transpose_in_place_sparse(DV * M, Ln0trSparse);
2019-06-10 17:57:26 +01:00
2019-08-21 13:28:31 +01:00
PQCLEAN_LEDAKEMLT12_LEAKTIME_gf2x_mod_mul_dense_to_sparse(privateSyndrome,
syndrome,
Ln0trSparse,
DV * M);
2019-06-10 17:57:26 +01:00
2019-08-24 14:48:38 +01:00
decrypt_ok = PQCLEAN_LEDAKEMLT12_LEAKTIME_bf_decoding(err_computed,
(const POSITION_T (*)[DV]) HtrPosOnes,
(const POSITION_T (*)[M]) QtrPosOnes,
privateSyndrome, sk->secondIterThreshold);
2019-06-10 17:57:26 +01:00
2019-08-24 14:48:38 +01:00
err_weight = 0;
for (size_t i = 0 ; i < N0; i++) {
2019-08-21 13:28:31 +01:00
err_weight += PQCLEAN_LEDAKEMLT12_LEAKTIME_population_count(err_computed + (NUM_DIGITS_GF2X_ELEMENT * i));
2019-06-10 17:57:26 +01:00
}
2019-08-24 14:48:38 +01:00
decrypt_ok = decrypt_ok && (err_weight == NUM_ERRORS_T);
2019-06-10 17:57:26 +01:00
2019-08-21 13:28:31 +01:00
/* prepare mockup error vector in case a decoding failure occurs */
memcpy(err_mockup, syndrome, NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_B);
memcpy(err_mockup + NUM_DIGITS_GF2X_ELEMENT, sk->decryption_failure_secret, TRNG_BYTE_LENGTH);
memset(((unsigned char *) err_mockup) + (NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_B) + TRNG_BYTE_LENGTH, 0x00,
(N0 - 1)*NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_B - TRNG_BYTE_LENGTH);
memcpy(err, err_computed, N0 * NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_B);
2019-08-24 14:48:38 +01:00
// Overwrite on decryption failure
2019-08-24 14:48:38 +01:00
PQCLEAN_LEDAKEMLT12_LEAKTIME_gf2x_cmov(err, err_mockup, N0 * NUM_DIGITS_GF2X_ELEMENT, !decrypt_ok);
2019-06-10 17:57:26 +01:00
2019-08-24 14:48:38 +01:00
return decrypt_ok;
2019-06-10 17:57:26 +01:00
}