From 4883f2ce893128a7b2dbb0b6d546389271cd13b4 Mon Sep 17 00:00:00 2001 From: Ko- Date: Fri, 29 May 2020 16:41:41 +0200 Subject: [PATCH] Add domain separation to NewHope NewHope announced a new version of their specification that adds explicit domain separation. This is a port of https://github.com/newhopecrypto/newhope/commit/607a9d3 --- crypto_kem/newhope1024cca/clean/cpapke.c | 5 +++-- crypto_kem/newhope1024cca/clean/kem.c | 25 +++++++++++++----------- crypto_kem/newhope1024cpa/clean/cpapke.c | 5 +++-- crypto_kem/newhope1024cpa/clean/kem.c | 5 +++-- crypto_kem/newhope512cca/clean/cpapke.c | 5 +++-- crypto_kem/newhope512cca/clean/kem.c | 25 +++++++++++++----------- crypto_kem/newhope512cpa/clean/cpapke.c | 5 +++-- crypto_kem/newhope512cpa/clean/kem.c | 5 +++-- 8 files changed, 46 insertions(+), 34 deletions(-) diff --git a/crypto_kem/newhope1024cca/clean/cpapke.c b/crypto_kem/newhope1024cca/clean/cpapke.c index 09986223..11644c74 100644 --- a/crypto_kem/newhope1024cca/clean/cpapke.c +++ b/crypto_kem/newhope1024cca/clean/cpapke.c @@ -101,8 +101,9 @@ void PQCLEAN_NEWHOPE1024CCA_CLEAN_cpapke_keypair(unsigned char *pk, unsigned char *publicseed = z; unsigned char *noiseseed = z + NEWHOPE_SYMBYTES; - randombytes(z, NEWHOPE_SYMBYTES); - shake256(z, 2 * NEWHOPE_SYMBYTES, z, NEWHOPE_SYMBYTES); + z[0] = 0x01; + randombytes(z + 1, NEWHOPE_SYMBYTES); + shake256(z, 2 * NEWHOPE_SYMBYTES, z, NEWHOPE_SYMBYTES + 1); gen_a(&ahat, publicseed); diff --git a/crypto_kem/newhope1024cca/clean/kem.c b/crypto_kem/newhope1024cca/clean/kem.c index 2ac276c6..163d56f0 100644 --- a/crypto_kem/newhope1024cca/clean/kem.c +++ b/crypto_kem/newhope1024cca/clean/kem.c @@ -52,16 +52,18 @@ int PQCLEAN_NEWHOPE1024CCA_CLEAN_crypto_kem_keypair(unsigned char *pk, unsigned **************************************************/ int PQCLEAN_NEWHOPE1024CCA_CLEAN_crypto_kem_enc(unsigned char *ct, unsigned char *ss, const unsigned char *pk) { unsigned char k_coins_d[3 * NEWHOPE_SYMBYTES]; /* Will contain key, coins, qrom-hash */ - unsigned char buf[2 * NEWHOPE_SYMBYTES]; + unsigned char buf[2 * NEWHOPE_SYMBYTES + 1]; int i; - randombytes(buf, NEWHOPE_SYMBYTES); + buf[0] = 0x04; + randombytes(buf + 1, NEWHOPE_SYMBYTES); - shake256(buf, NEWHOPE_SYMBYTES, buf, NEWHOPE_SYMBYTES); /* Don't release system RNG output */ - shake256(buf + NEWHOPE_SYMBYTES, NEWHOPE_SYMBYTES, pk, NEWHOPE_CCAKEM_PUBLICKEYBYTES); /* Multitarget countermeasure for coins + contributory KEM */ - shake256(k_coins_d, 3 * NEWHOPE_SYMBYTES, buf, 2 * NEWHOPE_SYMBYTES); + shake256(buf + 1, NEWHOPE_SYMBYTES, buf, NEWHOPE_SYMBYTES + 1); /* Don't release system RNG output */ + shake256(buf + 1 + NEWHOPE_SYMBYTES, NEWHOPE_SYMBYTES, pk, NEWHOPE_CCAKEM_PUBLICKEYBYTES); /* Multitarget countermeasure for coins + contributory KEM */ + buf[0] = 0x08; + shake256(k_coins_d, 3 * NEWHOPE_SYMBYTES, buf, 2 * NEWHOPE_SYMBYTES + 1); - PQCLEAN_NEWHOPE1024CCA_CLEAN_cpapke_enc(ct, buf, pk, k_coins_d + NEWHOPE_SYMBYTES); /* coins are in k_coins_d+NEWHOPE_SYMBYTES */ + PQCLEAN_NEWHOPE1024CCA_CLEAN_cpapke_enc(ct, buf + 1, pk, k_coins_d + NEWHOPE_SYMBYTES); /* coins are in k_coins_d+NEWHOPE_SYMBYTES */ for (i = 0; i < NEWHOPE_SYMBYTES; i++) { ct[i + NEWHOPE_CPAPKE_CIPHERTEXTBYTES] = k_coins_d[i + 2 * NEWHOPE_SYMBYTES]; /* copy Targhi-Unruh hash into ct */ @@ -89,18 +91,19 @@ int PQCLEAN_NEWHOPE1024CCA_CLEAN_crypto_kem_enc(unsigned char *ct, unsigned char int PQCLEAN_NEWHOPE1024CCA_CLEAN_crypto_kem_dec(unsigned char *ss, const unsigned char *ct, const unsigned char *sk) { int i, fail; unsigned char ct_cmp[NEWHOPE_CCAKEM_CIPHERTEXTBYTES]; - unsigned char buf[2 * NEWHOPE_SYMBYTES]; + unsigned char buf[2 * NEWHOPE_SYMBYTES + 1]; unsigned char k_coins_d[3 * NEWHOPE_SYMBYTES]; /* Will contain key, coins, qrom-hash */ const unsigned char *pk = sk + NEWHOPE_CPAPKE_SECRETKEYBYTES; - PQCLEAN_NEWHOPE1024CCA_CLEAN_cpapke_dec(buf, ct, sk); + buf[0] = 0x08; + PQCLEAN_NEWHOPE1024CCA_CLEAN_cpapke_dec(buf + 1, ct, sk); for (i = 0; i < NEWHOPE_SYMBYTES; i++) { /* Use hash of pk stored in sk */ - buf[NEWHOPE_SYMBYTES + i] = sk[NEWHOPE_CCAKEM_SECRETKEYBYTES - 2 * NEWHOPE_SYMBYTES + i]; + buf[1 + NEWHOPE_SYMBYTES + i] = sk[NEWHOPE_CCAKEM_SECRETKEYBYTES - 2 * NEWHOPE_SYMBYTES + i]; } - shake256(k_coins_d, 3 * NEWHOPE_SYMBYTES, buf, 2 * NEWHOPE_SYMBYTES); + shake256(k_coins_d, 3 * NEWHOPE_SYMBYTES, buf, 2 * NEWHOPE_SYMBYTES + 1); - PQCLEAN_NEWHOPE1024CCA_CLEAN_cpapke_enc(ct_cmp, buf, pk, k_coins_d + NEWHOPE_SYMBYTES); /* coins are in k_coins_d+NEWHOPE_SYMBYTES */ + PQCLEAN_NEWHOPE1024CCA_CLEAN_cpapke_enc(ct_cmp, buf + 1, pk, k_coins_d + NEWHOPE_SYMBYTES); /* coins are in k_coins_d+NEWHOPE_SYMBYTES */ for (i = 0; i < NEWHOPE_SYMBYTES; i++) { ct_cmp[i + NEWHOPE_CPAPKE_CIPHERTEXTBYTES] = k_coins_d[i + 2 * NEWHOPE_SYMBYTES]; diff --git a/crypto_kem/newhope1024cpa/clean/cpapke.c b/crypto_kem/newhope1024cpa/clean/cpapke.c index ec5a5b07..fa11ebe7 100644 --- a/crypto_kem/newhope1024cpa/clean/cpapke.c +++ b/crypto_kem/newhope1024cpa/clean/cpapke.c @@ -101,8 +101,9 @@ void PQCLEAN_NEWHOPE1024CPA_CLEAN_cpapke_keypair(unsigned char *pk, unsigned char *publicseed = z; unsigned char *noiseseed = z + NEWHOPE_SYMBYTES; - randombytes(z, NEWHOPE_SYMBYTES); - shake256(z, 2 * NEWHOPE_SYMBYTES, z, NEWHOPE_SYMBYTES); + z[0] = 0x01; + randombytes(z + 1, NEWHOPE_SYMBYTES); + shake256(z, 2 * NEWHOPE_SYMBYTES, z, NEWHOPE_SYMBYTES + 1); gen_a(&ahat, publicseed); diff --git a/crypto_kem/newhope1024cpa/clean/kem.c b/crypto_kem/newhope1024cpa/clean/kem.c index 54f5a2f3..d1f41113 100644 --- a/crypto_kem/newhope1024cpa/clean/kem.c +++ b/crypto_kem/newhope1024cpa/clean/kem.c @@ -39,9 +39,10 @@ int PQCLEAN_NEWHOPE1024CPA_CLEAN_crypto_kem_keypair(unsigned char *pk, unsigned int PQCLEAN_NEWHOPE1024CPA_CLEAN_crypto_kem_enc(unsigned char *ct, unsigned char *ss, const unsigned char *pk) { unsigned char buf[2 * NEWHOPE_SYMBYTES]; - randombytes(buf, NEWHOPE_SYMBYTES); + buf[0] = 0x02; + randombytes(buf + 1, NEWHOPE_SYMBYTES); - shake256(buf, 2 * NEWHOPE_SYMBYTES, buf, NEWHOPE_SYMBYTES); /* Don't release system RNG output */ + shake256(buf, 2 * NEWHOPE_SYMBYTES, buf, NEWHOPE_SYMBYTES + 1); /* Don't release system RNG output */ PQCLEAN_NEWHOPE1024CPA_CLEAN_cpapke_enc(ct, buf, pk, buf + NEWHOPE_SYMBYTES); /* coins are in buf+NEWHOPE_SYMBYTES */ diff --git a/crypto_kem/newhope512cca/clean/cpapke.c b/crypto_kem/newhope512cca/clean/cpapke.c index f965a213..4328e6de 100644 --- a/crypto_kem/newhope512cca/clean/cpapke.c +++ b/crypto_kem/newhope512cca/clean/cpapke.c @@ -101,8 +101,9 @@ void PQCLEAN_NEWHOPE512CCA_CLEAN_cpapke_keypair(unsigned char *pk, unsigned char *publicseed = z; unsigned char *noiseseed = z + NEWHOPE_SYMBYTES; - randombytes(z, NEWHOPE_SYMBYTES); - shake256(z, 2 * NEWHOPE_SYMBYTES, z, NEWHOPE_SYMBYTES); + z[0] = 0x01; + randombytes(z + 1, NEWHOPE_SYMBYTES); + shake256(z, 2 * NEWHOPE_SYMBYTES, z, NEWHOPE_SYMBYTES + 1); gen_a(&ahat, publicseed); diff --git a/crypto_kem/newhope512cca/clean/kem.c b/crypto_kem/newhope512cca/clean/kem.c index a9d5da8c..ac674d7b 100644 --- a/crypto_kem/newhope512cca/clean/kem.c +++ b/crypto_kem/newhope512cca/clean/kem.c @@ -52,16 +52,18 @@ int PQCLEAN_NEWHOPE512CCA_CLEAN_crypto_kem_keypair(unsigned char *pk, unsigned c **************************************************/ int PQCLEAN_NEWHOPE512CCA_CLEAN_crypto_kem_enc(unsigned char *ct, unsigned char *ss, const unsigned char *pk) { unsigned char k_coins_d[3 * NEWHOPE_SYMBYTES]; /* Will contain key, coins, qrom-hash */ - unsigned char buf[2 * NEWHOPE_SYMBYTES]; + unsigned char buf[2 * NEWHOPE_SYMBYTES + 1]; int i; - randombytes(buf, NEWHOPE_SYMBYTES); + buf[0] = 0x04; + randombytes(buf + 1, NEWHOPE_SYMBYTES); - shake256(buf, NEWHOPE_SYMBYTES, buf, NEWHOPE_SYMBYTES); /* Don't release system RNG output */ - shake256(buf + NEWHOPE_SYMBYTES, NEWHOPE_SYMBYTES, pk, NEWHOPE_CCAKEM_PUBLICKEYBYTES); /* Multitarget countermeasure for coins + contributory KEM */ - shake256(k_coins_d, 3 * NEWHOPE_SYMBYTES, buf, 2 * NEWHOPE_SYMBYTES); + shake256(buf + 1, NEWHOPE_SYMBYTES, buf, NEWHOPE_SYMBYTES + 1); /* Don't release system RNG output */ + shake256(buf + 1 + NEWHOPE_SYMBYTES, NEWHOPE_SYMBYTES, pk, NEWHOPE_CCAKEM_PUBLICKEYBYTES); /* Multitarget countermeasure for coins + contributory KEM */ + buf[0] = 0x08; + shake256(k_coins_d, 3 * NEWHOPE_SYMBYTES, buf, 2 * NEWHOPE_SYMBYTES + 1); - PQCLEAN_NEWHOPE512CCA_CLEAN_cpapke_enc(ct, buf, pk, k_coins_d + NEWHOPE_SYMBYTES); /* coins are in k_coins_d+NEWHOPE_SYMBYTES */ + PQCLEAN_NEWHOPE512CCA_CLEAN_cpapke_enc(ct, buf + 1, pk, k_coins_d + NEWHOPE_SYMBYTES); /* coins are in k_coins_d+NEWHOPE_SYMBYTES */ for (i = 0; i < NEWHOPE_SYMBYTES; i++) { ct[i + NEWHOPE_CPAPKE_CIPHERTEXTBYTES] = k_coins_d[i + 2 * NEWHOPE_SYMBYTES]; /* copy Targhi-Unruh hash into ct */ @@ -89,18 +91,19 @@ int PQCLEAN_NEWHOPE512CCA_CLEAN_crypto_kem_enc(unsigned char *ct, unsigned char int PQCLEAN_NEWHOPE512CCA_CLEAN_crypto_kem_dec(unsigned char *ss, const unsigned char *ct, const unsigned char *sk) { int i, fail; unsigned char ct_cmp[NEWHOPE_CCAKEM_CIPHERTEXTBYTES]; - unsigned char buf[2 * NEWHOPE_SYMBYTES]; + unsigned char buf[2 * NEWHOPE_SYMBYTES + 1]; unsigned char k_coins_d[3 * NEWHOPE_SYMBYTES]; /* Will contain key, coins, qrom-hash */ const unsigned char *pk = sk + NEWHOPE_CPAPKE_SECRETKEYBYTES; - PQCLEAN_NEWHOPE512CCA_CLEAN_cpapke_dec(buf, ct, sk); + buf[0] = 0x08; + PQCLEAN_NEWHOPE512CCA_CLEAN_cpapke_dec(buf + 1, ct, sk); for (i = 0; i < NEWHOPE_SYMBYTES; i++) { /* Use hash of pk stored in sk */ - buf[NEWHOPE_SYMBYTES + i] = sk[NEWHOPE_CCAKEM_SECRETKEYBYTES - 2 * NEWHOPE_SYMBYTES + i]; + buf[1 + NEWHOPE_SYMBYTES + i] = sk[NEWHOPE_CCAKEM_SECRETKEYBYTES - 2 * NEWHOPE_SYMBYTES + i]; } - shake256(k_coins_d, 3 * NEWHOPE_SYMBYTES, buf, 2 * NEWHOPE_SYMBYTES); + shake256(k_coins_d, 3 * NEWHOPE_SYMBYTES, buf, 2 * NEWHOPE_SYMBYTES + 1); - PQCLEAN_NEWHOPE512CCA_CLEAN_cpapke_enc(ct_cmp, buf, pk, k_coins_d + NEWHOPE_SYMBYTES); /* coins are in k_coins_d+NEWHOPE_SYMBYTES */ + PQCLEAN_NEWHOPE512CCA_CLEAN_cpapke_enc(ct_cmp, buf + 1, pk, k_coins_d + NEWHOPE_SYMBYTES); /* coins are in k_coins_d+NEWHOPE_SYMBYTES */ for (i = 0; i < NEWHOPE_SYMBYTES; i++) { ct_cmp[i + NEWHOPE_CPAPKE_CIPHERTEXTBYTES] = k_coins_d[i + 2 * NEWHOPE_SYMBYTES]; diff --git a/crypto_kem/newhope512cpa/clean/cpapke.c b/crypto_kem/newhope512cpa/clean/cpapke.c index dbcc3434..c53b657a 100644 --- a/crypto_kem/newhope512cpa/clean/cpapke.c +++ b/crypto_kem/newhope512cpa/clean/cpapke.c @@ -101,8 +101,9 @@ void PQCLEAN_NEWHOPE512CPA_CLEAN_cpapke_keypair(unsigned char *pk, unsigned char *publicseed = z; unsigned char *noiseseed = z + NEWHOPE_SYMBYTES; - randombytes(z, NEWHOPE_SYMBYTES); - shake256(z, 2 * NEWHOPE_SYMBYTES, z, NEWHOPE_SYMBYTES); + z[0] = 0x01; + randombytes(z + 1, NEWHOPE_SYMBYTES); + shake256(z, 2 * NEWHOPE_SYMBYTES, z, NEWHOPE_SYMBYTES + 1); gen_a(&ahat, publicseed); diff --git a/crypto_kem/newhope512cpa/clean/kem.c b/crypto_kem/newhope512cpa/clean/kem.c index 95fbd4ff..ae3f9d4b 100644 --- a/crypto_kem/newhope512cpa/clean/kem.c +++ b/crypto_kem/newhope512cpa/clean/kem.c @@ -39,9 +39,10 @@ int PQCLEAN_NEWHOPE512CPA_CLEAN_crypto_kem_keypair(unsigned char *pk, unsigned c int PQCLEAN_NEWHOPE512CPA_CLEAN_crypto_kem_enc(unsigned char *ct, unsigned char *ss, const unsigned char *pk) { unsigned char buf[2 * NEWHOPE_SYMBYTES]; - randombytes(buf, NEWHOPE_SYMBYTES); + buf[0] = 0x02; + randombytes(buf + 1, NEWHOPE_SYMBYTES); - shake256(buf, 2 * NEWHOPE_SYMBYTES, buf, NEWHOPE_SYMBYTES); /* Don't release system RNG output */ + shake256(buf, 2 * NEWHOPE_SYMBYTES, buf, NEWHOPE_SYMBYTES + 1); /* Don't release system RNG output */ PQCLEAN_NEWHOPE512CPA_CLEAN_cpapke_enc(ct, buf, pk, buf + NEWHOPE_SYMBYTES); /* coins are in buf+NEWHOPE_SYMBYTES */