Add domain separation to NewHope

NewHope announced a new version of their specification that adds
explicit domain separation. This is a port of
https://github.com/newhopecrypto/newhope/commit/607a9d3

crypto_kem/newhope1024cca/clean/cpapke.c

@@ -101,8 +101,9 @@ void PQCLEAN_NEWHOPE1024CCA_CLEAN_cpapke_keypair(unsigned char *pk,
     unsigned char *publicseed = z;
     unsigned char *noiseseed = z + NEWHOPE_SYMBYTES;
 
-    randombytes(z, NEWHOPE_SYMBYTES);
-    shake256(z, 2 * NEWHOPE_SYMBYTES, z, NEWHOPE_SYMBYTES);
+    z[0] = 0x01;
+    randombytes(z + 1, NEWHOPE_SYMBYTES);
+    shake256(z, 2 * NEWHOPE_SYMBYTES, z, NEWHOPE_SYMBYTES + 1);
 
     gen_a(&ahat, publicseed);
 

crypto_kem/newhope1024cca/clean/kem.c

@@ -52,16 +52,18 @@ int PQCLEAN_NEWHOPE1024CCA_CLEAN_crypto_kem_keypair(unsigned char *pk, unsigned
 **************************************************/
 int PQCLEAN_NEWHOPE1024CCA_CLEAN_crypto_kem_enc(unsigned char *ct, unsigned char *ss, const unsigned char *pk) {
     unsigned char k_coins_d[3 * NEWHOPE_SYMBYTES];                                              /* Will contain key, coins, qrom-hash */
-    unsigned char buf[2 * NEWHOPE_SYMBYTES];
+    unsigned char buf[2 * NEWHOPE_SYMBYTES + 1];
     int i;
 
-    randombytes(buf, NEWHOPE_SYMBYTES);
+    buf[0] = 0x04;
+    randombytes(buf + 1, NEWHOPE_SYMBYTES);
 
-    shake256(buf, NEWHOPE_SYMBYTES, buf, NEWHOPE_SYMBYTES);                                     /* Don't release system RNG output */
-    shake256(buf + NEWHOPE_SYMBYTES, NEWHOPE_SYMBYTES, pk, NEWHOPE_CCAKEM_PUBLICKEYBYTES);      /* Multitarget countermeasure for coins + contributory KEM */
-    shake256(k_coins_d, 3 * NEWHOPE_SYMBYTES, buf, 2 * NEWHOPE_SYMBYTES);
+    shake256(buf + 1, NEWHOPE_SYMBYTES, buf, NEWHOPE_SYMBYTES + 1);                             /* Don't release system RNG output */
+    shake256(buf + 1 + NEWHOPE_SYMBYTES, NEWHOPE_SYMBYTES, pk, NEWHOPE_CCAKEM_PUBLICKEYBYTES);  /* Multitarget countermeasure for coins + contributory KEM */
+    buf[0] = 0x08;
+    shake256(k_coins_d, 3 * NEWHOPE_SYMBYTES, buf, 2 * NEWHOPE_SYMBYTES + 1);
 
-    PQCLEAN_NEWHOPE1024CCA_CLEAN_cpapke_enc(ct, buf, pk, k_coins_d + NEWHOPE_SYMBYTES);                                      /* coins are in k_coins_d+NEWHOPE_SYMBYTES */
+    PQCLEAN_NEWHOPE1024CCA_CLEAN_cpapke_enc(ct, buf + 1, pk, k_coins_d + NEWHOPE_SYMBYTES);     /* coins are in k_coins_d+NEWHOPE_SYMBYTES */
 
     for (i = 0; i < NEWHOPE_SYMBYTES; i++) {
         ct[i + NEWHOPE_CPAPKE_CIPHERTEXTBYTES] = k_coins_d[i + 2 * NEWHOPE_SYMBYTES];    /* copy Targhi-Unruh hash into ct */
@@ -89,18 +91,19 @@ int PQCLEAN_NEWHOPE1024CCA_CLEAN_crypto_kem_enc(unsigned char *ct, unsigned char
 int PQCLEAN_NEWHOPE1024CCA_CLEAN_crypto_kem_dec(unsigned char *ss, const unsigned char *ct, const unsigned char *sk) {
     int i, fail;
     unsigned char ct_cmp[NEWHOPE_CCAKEM_CIPHERTEXTBYTES];
-    unsigned char buf[2 * NEWHOPE_SYMBYTES];
+    unsigned char buf[2 * NEWHOPE_SYMBYTES + 1];
     unsigned char k_coins_d[3 * NEWHOPE_SYMBYTES];                                              /* Will contain key, coins, qrom-hash */
     const unsigned char *pk = sk + NEWHOPE_CPAPKE_SECRETKEYBYTES;
 
-    PQCLEAN_NEWHOPE1024CCA_CLEAN_cpapke_dec(buf, ct, sk);
+    buf[0] = 0x08;
+    PQCLEAN_NEWHOPE1024CCA_CLEAN_cpapke_dec(buf + 1, ct, sk);
 
     for (i = 0; i < NEWHOPE_SYMBYTES; i++) {                                                    /* Use hash of pk stored in sk */
-        buf[NEWHOPE_SYMBYTES + i] = sk[NEWHOPE_CCAKEM_SECRETKEYBYTES - 2 * NEWHOPE_SYMBYTES + i];
+        buf[1 + NEWHOPE_SYMBYTES + i] = sk[NEWHOPE_CCAKEM_SECRETKEYBYTES - 2 * NEWHOPE_SYMBYTES + i];
     }
-    shake256(k_coins_d, 3 * NEWHOPE_SYMBYTES, buf, 2 * NEWHOPE_SYMBYTES);
+    shake256(k_coins_d, 3 * NEWHOPE_SYMBYTES, buf, 2 * NEWHOPE_SYMBYTES + 1);
 
-    PQCLEAN_NEWHOPE1024CCA_CLEAN_cpapke_enc(ct_cmp, buf, pk, k_coins_d + NEWHOPE_SYMBYTES);                                  /* coins are in k_coins_d+NEWHOPE_SYMBYTES */
+    PQCLEAN_NEWHOPE1024CCA_CLEAN_cpapke_enc(ct_cmp, buf + 1, pk, k_coins_d + NEWHOPE_SYMBYTES); /* coins are in k_coins_d+NEWHOPE_SYMBYTES */
 
     for (i = 0; i < NEWHOPE_SYMBYTES; i++) {
         ct_cmp[i + NEWHOPE_CPAPKE_CIPHERTEXTBYTES] = k_coins_d[i + 2 * NEWHOPE_SYMBYTES];

crypto_kem/newhope1024cpa/clean/cpapke.c

@@ -101,8 +101,9 @@ void PQCLEAN_NEWHOPE1024CPA_CLEAN_cpapke_keypair(unsigned char *pk,
     unsigned char *publicseed = z;
     unsigned char *noiseseed = z + NEWHOPE_SYMBYTES;
 
-    randombytes(z, NEWHOPE_SYMBYTES);
-    shake256(z, 2 * NEWHOPE_SYMBYTES, z, NEWHOPE_SYMBYTES);
+    z[0] = 0x01;
+    randombytes(z + 1, NEWHOPE_SYMBYTES);
+    shake256(z, 2 * NEWHOPE_SYMBYTES, z, NEWHOPE_SYMBYTES + 1);
 
     gen_a(&ahat, publicseed);
 

crypto_kem/newhope1024cpa/clean/kem.c

@@ -39,9 +39,10 @@ int PQCLEAN_NEWHOPE1024CPA_CLEAN_crypto_kem_keypair(unsigned char *pk, unsigned
 int PQCLEAN_NEWHOPE1024CPA_CLEAN_crypto_kem_enc(unsigned char *ct, unsigned char *ss, const unsigned char *pk) {
     unsigned char buf[2 * NEWHOPE_SYMBYTES];
 
-    randombytes(buf, NEWHOPE_SYMBYTES);
+    buf[0] = 0x02;
+    randombytes(buf + 1, NEWHOPE_SYMBYTES);
 
-    shake256(buf, 2 * NEWHOPE_SYMBYTES, buf, NEWHOPE_SYMBYTES);                    /* Don't release system RNG output */
+    shake256(buf, 2 * NEWHOPE_SYMBYTES, buf, NEWHOPE_SYMBYTES + 1);                    /* Don't release system RNG output */
 
     PQCLEAN_NEWHOPE1024CPA_CLEAN_cpapke_enc(ct, buf, pk, buf + NEWHOPE_SYMBYTES);                               /* coins are in buf+NEWHOPE_SYMBYTES */
 

crypto_kem/newhope512cca/clean/cpapke.c

@@ -101,8 +101,9 @@ void PQCLEAN_NEWHOPE512CCA_CLEAN_cpapke_keypair(unsigned char *pk,
     unsigned char *publicseed = z;
     unsigned char *noiseseed = z + NEWHOPE_SYMBYTES;
 
-    randombytes(z, NEWHOPE_SYMBYTES);
-    shake256(z, 2 * NEWHOPE_SYMBYTES, z, NEWHOPE_SYMBYTES);
+    z[0] = 0x01;
+    randombytes(z + 1, NEWHOPE_SYMBYTES);
+    shake256(z, 2 * NEWHOPE_SYMBYTES, z, NEWHOPE_SYMBYTES + 1);
 
     gen_a(&ahat, publicseed);
 

crypto_kem/newhope512cca/clean/kem.c

@@ -52,16 +52,18 @@ int PQCLEAN_NEWHOPE512CCA_CLEAN_crypto_kem_keypair(unsigned char *pk, unsigned c
 **************************************************/
 int PQCLEAN_NEWHOPE512CCA_CLEAN_crypto_kem_enc(unsigned char *ct, unsigned char *ss, const unsigned char *pk) {
     unsigned char k_coins_d[3 * NEWHOPE_SYMBYTES];                                              /* Will contain key, coins, qrom-hash */
-    unsigned char buf[2 * NEWHOPE_SYMBYTES];
+    unsigned char buf[2 * NEWHOPE_SYMBYTES + 1];
     int i;
 
-    randombytes(buf, NEWHOPE_SYMBYTES);
+    buf[0] = 0x04;
+    randombytes(buf + 1, NEWHOPE_SYMBYTES);
 
-    shake256(buf, NEWHOPE_SYMBYTES, buf, NEWHOPE_SYMBYTES);                                     /* Don't release system RNG output */
-    shake256(buf + NEWHOPE_SYMBYTES, NEWHOPE_SYMBYTES, pk, NEWHOPE_CCAKEM_PUBLICKEYBYTES);      /* Multitarget countermeasure for coins + contributory KEM */
-    shake256(k_coins_d, 3 * NEWHOPE_SYMBYTES, buf, 2 * NEWHOPE_SYMBYTES);
+    shake256(buf + 1, NEWHOPE_SYMBYTES, buf, NEWHOPE_SYMBYTES + 1);                             /* Don't release system RNG output */
+    shake256(buf + 1 + NEWHOPE_SYMBYTES, NEWHOPE_SYMBYTES, pk, NEWHOPE_CCAKEM_PUBLICKEYBYTES);  /* Multitarget countermeasure for coins + contributory KEM */
+    buf[0] = 0x08;
+    shake256(k_coins_d, 3 * NEWHOPE_SYMBYTES, buf, 2 * NEWHOPE_SYMBYTES + 1);
 
-    PQCLEAN_NEWHOPE512CCA_CLEAN_cpapke_enc(ct, buf, pk, k_coins_d + NEWHOPE_SYMBYTES);                                      /* coins are in k_coins_d+NEWHOPE_SYMBYTES */
+    PQCLEAN_NEWHOPE512CCA_CLEAN_cpapke_enc(ct, buf + 1, pk, k_coins_d + NEWHOPE_SYMBYTES);      /* coins are in k_coins_d+NEWHOPE_SYMBYTES */
 
     for (i = 0; i < NEWHOPE_SYMBYTES; i++) {
         ct[i + NEWHOPE_CPAPKE_CIPHERTEXTBYTES] = k_coins_d[i + 2 * NEWHOPE_SYMBYTES];    /* copy Targhi-Unruh hash into ct */
@@ -89,18 +91,19 @@ int PQCLEAN_NEWHOPE512CCA_CLEAN_crypto_kem_enc(unsigned char *ct, unsigned char
 int PQCLEAN_NEWHOPE512CCA_CLEAN_crypto_kem_dec(unsigned char *ss, const unsigned char *ct, const unsigned char *sk) {
     int i, fail;
     unsigned char ct_cmp[NEWHOPE_CCAKEM_CIPHERTEXTBYTES];
-    unsigned char buf[2 * NEWHOPE_SYMBYTES];
+    unsigned char buf[2 * NEWHOPE_SYMBYTES + 1];
     unsigned char k_coins_d[3 * NEWHOPE_SYMBYTES];                                              /* Will contain key, coins, qrom-hash */
     const unsigned char *pk = sk + NEWHOPE_CPAPKE_SECRETKEYBYTES;
 
-    PQCLEAN_NEWHOPE512CCA_CLEAN_cpapke_dec(buf, ct, sk);
+    buf[0] = 0x08;
+    PQCLEAN_NEWHOPE512CCA_CLEAN_cpapke_dec(buf + 1, ct, sk);
 
     for (i = 0; i < NEWHOPE_SYMBYTES; i++) {                                                    /* Use hash of pk stored in sk */
-        buf[NEWHOPE_SYMBYTES + i] = sk[NEWHOPE_CCAKEM_SECRETKEYBYTES - 2 * NEWHOPE_SYMBYTES + i];
+        buf[1 + NEWHOPE_SYMBYTES + i] = sk[NEWHOPE_CCAKEM_SECRETKEYBYTES - 2 * NEWHOPE_SYMBYTES + i];
     }
-    shake256(k_coins_d, 3 * NEWHOPE_SYMBYTES, buf, 2 * NEWHOPE_SYMBYTES);
+    shake256(k_coins_d, 3 * NEWHOPE_SYMBYTES, buf, 2 * NEWHOPE_SYMBYTES + 1);
 
-    PQCLEAN_NEWHOPE512CCA_CLEAN_cpapke_enc(ct_cmp, buf, pk, k_coins_d + NEWHOPE_SYMBYTES);                                  /* coins are in k_coins_d+NEWHOPE_SYMBYTES */
+    PQCLEAN_NEWHOPE512CCA_CLEAN_cpapke_enc(ct_cmp, buf + 1, pk, k_coins_d + NEWHOPE_SYMBYTES);  /* coins are in k_coins_d+NEWHOPE_SYMBYTES */
 
     for (i = 0; i < NEWHOPE_SYMBYTES; i++) {
         ct_cmp[i + NEWHOPE_CPAPKE_CIPHERTEXTBYTES] = k_coins_d[i + 2 * NEWHOPE_SYMBYTES];

crypto_kem/newhope512cpa/clean/cpapke.c

@@ -101,8 +101,9 @@ void PQCLEAN_NEWHOPE512CPA_CLEAN_cpapke_keypair(unsigned char *pk,
     unsigned char *publicseed = z;
     unsigned char *noiseseed = z + NEWHOPE_SYMBYTES;
 
-    randombytes(z, NEWHOPE_SYMBYTES);
-    shake256(z, 2 * NEWHOPE_SYMBYTES, z, NEWHOPE_SYMBYTES);
+    z[0] = 0x01;
+    randombytes(z + 1, NEWHOPE_SYMBYTES);
+    shake256(z, 2 * NEWHOPE_SYMBYTES, z, NEWHOPE_SYMBYTES + 1);
 
     gen_a(&ahat, publicseed);
 

crypto_kem/newhope512cpa/clean/kem.c

@@ -39,9 +39,10 @@ int PQCLEAN_NEWHOPE512CPA_CLEAN_crypto_kem_keypair(unsigned char *pk, unsigned c
 int PQCLEAN_NEWHOPE512CPA_CLEAN_crypto_kem_enc(unsigned char *ct, unsigned char *ss, const unsigned char *pk) {
     unsigned char buf[2 * NEWHOPE_SYMBYTES];
 
-    randombytes(buf, NEWHOPE_SYMBYTES);
+    buf[0] = 0x02;
+    randombytes(buf + 1, NEWHOPE_SYMBYTES);
 
-    shake256(buf, 2 * NEWHOPE_SYMBYTES, buf, NEWHOPE_SYMBYTES);                    /* Don't release system RNG output */
+    shake256(buf, 2 * NEWHOPE_SYMBYTES, buf, NEWHOPE_SYMBYTES + 1);                    /* Don't release system RNG output */
 
     PQCLEAN_NEWHOPE512CPA_CLEAN_cpapke_enc(ct, buf, pk, buf + NEWHOPE_SYMBYTES);                               /* coins are in buf+NEWHOPE_SYMBYTES */