2019-06-10 19:42:31 +01:00
|
|
|
#include "api.h"
|
|
|
|
|
#include "niederreiter.h"
|
|
|
|
|
#include "randombytes.h"
|
|
|
|
|
#include "rng.h"
|
2019-08-21 20:27:53 +01:00
|
|
|
#include "utils.h"
|
2019-06-10 19:42:31 +01:00
|
|
|
|
|
|
|
|
#include <string.h>
|
|
|
|
|
|
2019-08-21 13:28:31 +01:00
|
|
|
/*
|
2019-06-12 14:33:20 +01:00
|
|
|
static void pack_pk(uint8_t *pk_bytes, publicKeyNiederreiter_t *pk) {
|
|
|
|
|
size_t i;
|
|
|
|
|
for (i = 0; i < N0 - 1; i++) {
|
2019-06-16 16:01:29 +01:00
|
|
|
PQCLEAN_LEDAKEMLT52_LEAKTIME_gf2x_tobytes(pk_bytes + i * NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_B,
|
|
|
|
|
pk->Mtr + i * NUM_DIGITS_GF2X_ELEMENT);
|
2019-06-12 14:33:20 +01:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2019-06-14 13:23:58 +01:00
|
|
|
static void unpack_pk(publicKeyNiederreiter_t *pk, const uint8_t *pk_bytes) {
|
2019-06-12 14:33:20 +01:00
|
|
|
size_t i;
|
|
|
|
|
for (i = 0; i < N0 - 1; i++) {
|
2019-06-16 16:01:29 +01:00
|
|
|
PQCLEAN_LEDAKEMLT52_LEAKTIME_gf2x_frombytes(pk->Mtr + i * NUM_DIGITS_GF2X_ELEMENT,
|
2019-06-12 14:33:20 +01:00
|
|
|
pk_bytes + i * NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_B);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void pack_ct(uint8_t *sk_bytes, DIGIT *ct) {
|
2019-06-16 16:01:29 +01:00
|
|
|
PQCLEAN_LEDAKEMLT52_LEAKTIME_gf2x_tobytes(sk_bytes, ct);
|
2019-06-12 14:33:20 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void unpack_ct(DIGIT *ct, const uint8_t *ct_bytes) {
|
2019-06-16 16:01:29 +01:00
|
|
|
PQCLEAN_LEDAKEMLT52_LEAKTIME_gf2x_frombytes(ct, ct_bytes);
|
2019-06-12 14:33:20 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void pack_error(uint8_t *error_bytes, DIGIT *error_digits) {
|
|
|
|
|
size_t i;
|
|
|
|
|
for (i = 0; i < N0; i++) {
|
2019-06-16 16:01:29 +01:00
|
|
|
PQCLEAN_LEDAKEMLT52_LEAKTIME_gf2x_tobytes(error_bytes + i * NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_B,
|
|
|
|
|
error_digits + i * NUM_DIGITS_GF2X_ELEMENT);
|
2019-06-12 14:33:20 +01:00
|
|
|
}
|
|
|
|
|
}
|
2019-08-21 13:28:31 +01:00
|
|
|
*/
|
2019-06-12 14:33:20 +01:00
|
|
|
|
2019-08-21 13:28:31 +01:00
|
|
|
/* IND-CCA2 Keygen */
|
|
|
|
|
int PQCLEAN_LEDAKEMLT52_LEAKTIME_crypto_kem_keypair(uint8_t *pk, uint8_t *sk) {
|
2019-06-10 19:42:31 +01:00
|
|
|
|
2019-08-21 13:28:31 +01:00
|
|
|
PQCLEAN_LEDAKEMLT52_LEAKTIME_niederreiter_keygen((publicKeyNiederreiter_t *) pk,
|
|
|
|
|
(privateKeyNiederreiter_t *) sk);
|
2019-06-10 19:42:31 +01:00
|
|
|
|
2019-06-12 14:33:20 +01:00
|
|
|
return 0;
|
2019-06-10 19:42:31 +01:00
|
|
|
}
|
|
|
|
|
|
2019-08-21 13:28:31 +01:00
|
|
|
/* IND-CCA2 Encapsulation */
|
|
|
|
|
int PQCLEAN_LEDAKEMLT52_LEAKTIME_crypto_kem_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk) {
|
|
|
|
|
AES_XOF_struct hashedAndTruncatedSeed_expander;
|
|
|
|
|
POSITION_T errorPos[NUM_ERRORS_T];
|
2019-06-10 19:42:31 +01:00
|
|
|
DIGIT error_vector[N0 * NUM_DIGITS_GF2X_ELEMENT];
|
2019-08-21 13:28:31 +01:00
|
|
|
uint8_t seed[TRNG_BYTE_LENGTH];
|
|
|
|
|
uint8_t ss_input[2 * TRNG_BYTE_LENGTH] = {0};
|
|
|
|
|
uint8_t hashedSeed[HASH_BYTE_LENGTH];
|
|
|
|
|
uint8_t hashedAndTruncatedSeed[TRNG_BYTE_LENGTH] = {0};
|
|
|
|
|
uint8_t hashedErrorVector[HASH_BYTE_LENGTH];
|
|
|
|
|
uint8_t hashedAndTruncatedErrorVector[TRNG_BYTE_LENGTH] = {0};
|
|
|
|
|
uint8_t maskedSeed[TRNG_BYTE_LENGTH];
|
|
|
|
|
|
|
|
|
|
randombytes(seed, TRNG_BYTE_LENGTH);
|
|
|
|
|
memcpy(ss_input, seed, TRNG_BYTE_LENGTH);
|
|
|
|
|
HASH_FUNCTION(ss, ss_input, 2 * TRNG_BYTE_LENGTH);
|
|
|
|
|
HASH_FUNCTION(hashedSeed, seed, TRNG_BYTE_LENGTH);
|
|
|
|
|
|
|
|
|
|
memcpy(hashedAndTruncatedSeed, hashedSeed, TRNG_BYTE_LENGTH);
|
2019-06-10 19:42:31 +01:00
|
|
|
|
2019-08-21 13:28:31 +01:00
|
|
|
memset(&hashedAndTruncatedSeed_expander, 0x00, sizeof(AES_XOF_struct));
|
|
|
|
|
PQCLEAN_LEDAKEMLT52_LEAKTIME_seedexpander_from_trng(&hashedAndTruncatedSeed_expander, hashedAndTruncatedSeed);
|
|
|
|
|
PQCLEAN_LEDAKEMLT52_LEAKTIME_rand_error_pos(errorPos, &hashedAndTruncatedSeed_expander);
|
|
|
|
|
PQCLEAN_LEDAKEMLT52_LEAKTIME_expand_error(error_vector, errorPos);
|
2019-06-12 14:33:20 +01:00
|
|
|
|
2019-08-21 13:28:31 +01:00
|
|
|
HASH_FUNCTION(hashedErrorVector, (const uint8_t *) error_vector, (N0 * NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_B));
|
2019-06-12 14:33:20 +01:00
|
|
|
|
2019-08-21 13:28:31 +01:00
|
|
|
memcpy(hashedAndTruncatedErrorVector, hashedErrorVector, TRNG_BYTE_LENGTH);
|
|
|
|
|
|
|
|
|
|
for (int i = 0; i < TRNG_BYTE_LENGTH; ++i) {
|
|
|
|
|
maskedSeed[i] = seed[i] ^ hashedAndTruncatedErrorVector[i];
|
|
|
|
|
}
|
2019-06-10 19:42:31 +01:00
|
|
|
|
2019-08-21 13:28:31 +01:00
|
|
|
PQCLEAN_LEDAKEMLT52_LEAKTIME_niederreiter_encrypt((DIGIT *) ct, (const publicKeyNiederreiter_t *)pk, error_vector);
|
|
|
|
|
|
|
|
|
|
memcpy(ct + (NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_B), maskedSeed, TRNG_BYTE_LENGTH);
|
2019-06-10 19:42:31 +01:00
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
2019-08-21 13:28:31 +01:00
|
|
|
/* INDCCA2 Decapsulation */
|
|
|
|
|
int PQCLEAN_LEDAKEMLT52_LEAKTIME_crypto_kem_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk) {
|
|
|
|
|
AES_XOF_struct hashedAndTruncatedSeed_expander;
|
|
|
|
|
POSITION_T reconstructed_errorPos[NUM_ERRORS_T];
|
|
|
|
|
DIGIT reconstructed_error_vector[N0 * NUM_DIGITS_GF2X_ELEMENT];
|
2019-06-10 19:42:31 +01:00
|
|
|
DIGIT decoded_error_vector[N0 * NUM_DIGITS_GF2X_ELEMENT];
|
2019-08-21 13:28:31 +01:00
|
|
|
uint8_t hashedErrorVector[HASH_BYTE_LENGTH];
|
|
|
|
|
uint8_t hashedAndTruncatedErrorVector[TRNG_BYTE_LENGTH] = {0};
|
|
|
|
|
uint8_t decoded_seed[TRNG_BYTE_LENGTH];
|
|
|
|
|
uint8_t hashed_decoded_seed[HASH_BYTE_LENGTH];
|
|
|
|
|
uint8_t hashedAndTruncated_decoded_seed[TRNG_BYTE_LENGTH] = {0};
|
|
|
|
|
uint8_t ss_input[2 * TRNG_BYTE_LENGTH], tail[TRNG_BYTE_LENGTH] = {0};
|
|
|
|
|
|
|
|
|
|
int decode_ok = PQCLEAN_LEDAKEMLT52_LEAKTIME_niederreiter_decrypt(decoded_error_vector,
|
|
|
|
|
(const privateKeyNiederreiter_t *)sk,
|
|
|
|
|
(DIGIT *)ct);
|
|
|
|
|
|
|
|
|
|
HASH_FUNCTION(hashedErrorVector,
|
|
|
|
|
(const uint8_t *) decoded_error_vector,
|
|
|
|
|
(N0 * NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_B));
|
|
|
|
|
|
|
|
|
|
memcpy(hashedAndTruncatedErrorVector, hashedErrorVector, TRNG_BYTE_LENGTH);
|
|
|
|
|
|
|
|
|
|
for (int i = 0; i < TRNG_BYTE_LENGTH; ++i) {
|
|
|
|
|
decoded_seed[i] = ct[(NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_B) + i] ^
|
|
|
|
|
hashedAndTruncatedErrorVector[i];
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
HASH_FUNCTION(hashed_decoded_seed, decoded_seed, TRNG_BYTE_LENGTH);
|
|
|
|
|
|
|
|
|
|
memcpy(hashedAndTruncated_decoded_seed, hashed_decoded_seed, TRNG_BYTE_LENGTH);
|
|
|
|
|
|
|
|
|
|
memset(&hashedAndTruncatedSeed_expander, 0x00, sizeof(AES_XOF_struct));
|
|
|
|
|
PQCLEAN_LEDAKEMLT52_LEAKTIME_seedexpander_from_trng(&hashedAndTruncatedSeed_expander,
|
|
|
|
|
hashed_decoded_seed);
|
|
|
|
|
|
|
|
|
|
PQCLEAN_LEDAKEMLT52_LEAKTIME_rand_error_pos(reconstructed_errorPos, &hashedAndTruncatedSeed_expander);
|
|
|
|
|
|
|
|
|
|
PQCLEAN_LEDAKEMLT52_LEAKTIME_expand_error(reconstructed_error_vector, reconstructed_errorPos);
|
|
|
|
|
|
2019-08-21 20:27:53 +01:00
|
|
|
int equal = PQCLEAN_LEDAKEMLT52_LEAKTIME_gf2x_verify(decoded_error_vector, reconstructed_error_vector, N0 * NUM_DIGITS_GF2X_ELEMENT);
|
|
|
|
|
// equal == 0, if the reconstructed error vector match !!!
|
2019-08-21 13:28:31 +01:00
|
|
|
|
2019-08-21 20:27:53 +01:00
|
|
|
int decryptOk = (decode_ok == 1 && equal == 0);
|
2019-08-21 13:28:31 +01:00
|
|
|
|
|
|
|
|
memcpy(ss_input, decoded_seed, TRNG_BYTE_LENGTH);
|
2019-08-21 20:27:53 +01:00
|
|
|
memcpy(ss_input + sizeof(decoded_seed), tail, TRNG_BYTE_LENGTH);
|
2019-08-21 13:28:31 +01:00
|
|
|
|
2019-08-21 20:27:53 +01:00
|
|
|
// Overwrite on failure
|
|
|
|
|
PQCLEAN_LEDAKEMLT52_LEAKTIME_cmov(ss_input + sizeof(decoded_seed),
|
|
|
|
|
((const privateKeyNiederreiter_t *) sk)->decryption_failure_secret,
|
|
|
|
|
TRNG_BYTE_LENGTH,
|
|
|
|
|
!decryptOk);
|
2019-06-10 19:42:31 +01:00
|
|
|
|
2019-08-21 13:28:31 +01:00
|
|
|
HASH_FUNCTION(ss, ss_input, 2 * TRNG_BYTE_LENGTH);
|
2019-06-10 19:42:31 +01:00
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
