2019-01-15 15:03:38 +00:00
|
|
|
#include "api.h"
|
|
|
|
#include "fips202.h"
|
2019-01-15 15:34:01 +00:00
|
|
|
#include "indcpa.h"
|
2019-01-15 15:03:38 +00:00
|
|
|
#include "params.h"
|
2019-01-15 15:34:01 +00:00
|
|
|
#include "randombytes.h"
|
2019-01-15 15:03:38 +00:00
|
|
|
#include "verify.h"
|
|
|
|
|
|
|
|
/*************************************************
|
2019-01-15 15:34:01 +00:00
|
|
|
* Name: crypto_kem_keypair
|
|
|
|
*
|
|
|
|
* Description: Generates public and private key
|
|
|
|
* for CCA-secure Kyber key encapsulation mechanism
|
|
|
|
*
|
|
|
|
* Arguments: - unsigned char *pk: pointer to output public key (an already
|
|
|
|
*allocated array of CRYPTO_PUBLICKEYBYTES bytes)
|
|
|
|
* - unsigned char *sk: pointer to output private key (an already
|
|
|
|
*allocated array of CRYPTO_SECRETKEYBYTES bytes)
|
|
|
|
*
|
|
|
|
* Returns 0 (success)
|
|
|
|
**************************************************/
|
|
|
|
int crypto_kem_keypair(unsigned char *pk, unsigned char *sk) {
|
2019-01-15 15:03:38 +00:00
|
|
|
size_t i;
|
|
|
|
indcpa_keypair(pk, sk);
|
2019-01-16 07:18:33 +00:00
|
|
|
for (i = 0; i < KYBER_INDCPA_PUBLICKEYBYTES; i++) {
|
2019-01-15 15:34:01 +00:00
|
|
|
sk[i + KYBER_INDCPA_SECRETKEYBYTES] = pk[i];
|
2019-01-16 07:18:33 +00:00
|
|
|
}
|
2019-01-15 15:34:01 +00:00
|
|
|
sha3_256(sk + KYBER_SECRETKEYBYTES - 2 * KYBER_SYMBYTES, pk,
|
|
|
|
KYBER_PUBLICKEYBYTES);
|
|
|
|
randombytes(sk + KYBER_SECRETKEYBYTES - KYBER_SYMBYTES,
|
|
|
|
KYBER_SYMBYTES); /* Value z for pseudo-random output on reject */
|
2019-01-15 15:03:38 +00:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
/*************************************************
|
2019-01-15 15:34:01 +00:00
|
|
|
* Name: crypto_kem_enc
|
|
|
|
*
|
|
|
|
* Description: Generates cipher text and shared
|
|
|
|
* secret for given public key
|
|
|
|
*
|
|
|
|
* Arguments: - unsigned char *ct: pointer to output cipher text (an
|
|
|
|
*already allocated array of CRYPTO_CIPHERTEXTBYTES bytes)
|
|
|
|
* - unsigned char *ss: pointer to output shared secret (an
|
|
|
|
*already allocated array of CRYPTO_BYTES bytes)
|
|
|
|
* - const unsigned char *pk: pointer to input public key (an
|
|
|
|
*already allocated array of CRYPTO_PUBLICKEYBYTES bytes)
|
|
|
|
*
|
|
|
|
* Returns 0 (success)
|
|
|
|
**************************************************/
|
|
|
|
int crypto_kem_enc(unsigned char *ct, unsigned char *ss,
|
|
|
|
const unsigned char *pk) {
|
|
|
|
unsigned char kr[2 * KYBER_SYMBYTES]; /* Will contain key, coins */
|
|
|
|
unsigned char buf[2 * KYBER_SYMBYTES];
|
2019-01-15 15:03:38 +00:00
|
|
|
|
|
|
|
randombytes(buf, KYBER_SYMBYTES);
|
2019-01-15 15:34:01 +00:00
|
|
|
sha3_256(buf, buf, KYBER_SYMBYTES); /* Don't release system RNG output */
|
2019-01-15 15:03:38 +00:00
|
|
|
|
2019-01-15 15:34:01 +00:00
|
|
|
sha3_256(buf + KYBER_SYMBYTES, pk,
|
|
|
|
KYBER_PUBLICKEYBYTES); /* Multitarget countermeasure for coins +
|
|
|
|
contributory KEM */
|
|
|
|
sha3_512(kr, buf, 2 * KYBER_SYMBYTES);
|
2019-01-15 15:03:38 +00:00
|
|
|
|
2019-01-15 15:34:01 +00:00
|
|
|
indcpa_enc(ct, buf, pk,
|
|
|
|
kr + KYBER_SYMBYTES); /* coins are in kr+KYBER_SYMBYTES */
|
2019-01-15 15:03:38 +00:00
|
|
|
|
2019-01-15 15:34:01 +00:00
|
|
|
sha3_256(kr + KYBER_SYMBYTES, ct,
|
|
|
|
KYBER_CIPHERTEXTBYTES); /* overwrite coins in kr with H(c) */
|
|
|
|
sha3_256(ss, kr,
|
|
|
|
2 * KYBER_SYMBYTES); /* hash concatenation of pre-k and H(c) to k */
|
2019-01-15 15:03:38 +00:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
/*************************************************
|
2019-01-15 15:34:01 +00:00
|
|
|
* Name: crypto_kem_dec
|
|
|
|
*
|
|
|
|
* Description: Generates shared secret for given
|
|
|
|
* cipher text and private key
|
|
|
|
*
|
|
|
|
* Arguments: - unsigned char *ss: pointer to output shared secret (an
|
|
|
|
*already allocated array of CRYPTO_BYTES bytes)
|
|
|
|
* - const unsigned char *ct: pointer to input cipher text (an
|
|
|
|
*already allocated array of CRYPTO_CIPHERTEXTBYTES bytes)
|
|
|
|
* - const unsigned char *sk: pointer to input private key (an
|
|
|
|
*already allocated array of CRYPTO_SECRETKEYBYTES bytes)
|
|
|
|
*
|
|
|
|
* Returns 0.
|
|
|
|
*
|
|
|
|
* On failure, ss will contain a pseudo-random value.
|
|
|
|
**************************************************/
|
|
|
|
int crypto_kem_dec(unsigned char *ss, const unsigned char *ct,
|
|
|
|
const unsigned char *sk) {
|
|
|
|
size_t i;
|
2019-01-15 15:03:38 +00:00
|
|
|
int fail;
|
|
|
|
unsigned char cmp[KYBER_CIPHERTEXTBYTES];
|
2019-01-15 15:34:01 +00:00
|
|
|
unsigned char buf[2 * KYBER_SYMBYTES];
|
|
|
|
unsigned char kr[2 * KYBER_SYMBYTES]; /* Will contain key, coins, qrom-hash */
|
|
|
|
const unsigned char *pk = sk + KYBER_INDCPA_SECRETKEYBYTES;
|
2019-01-15 15:03:38 +00:00
|
|
|
|
|
|
|
indcpa_dec(buf, ct, sk);
|
|
|
|
|
2019-01-15 15:34:01 +00:00
|
|
|
for (i = 0; i < KYBER_SYMBYTES;
|
2019-01-16 07:18:33 +00:00
|
|
|
i++) { /* Multitarget countermeasure for coins + contributory KEM */
|
2019-01-15 15:34:01 +00:00
|
|
|
buf[KYBER_SYMBYTES + i] = sk[KYBER_SECRETKEYBYTES - 2 * KYBER_SYMBYTES +
|
|
|
|
i]; /* Save hash by storing H(pk) in sk */
|
2019-01-16 07:18:33 +00:00
|
|
|
}
|
2019-01-15 15:34:01 +00:00
|
|
|
sha3_512(kr, buf, 2 * KYBER_SYMBYTES);
|
|
|
|
|
|
|
|
indcpa_enc(cmp, buf, pk,
|
|
|
|
kr + KYBER_SYMBYTES); /* coins are in kr+KYBER_SYMBYTES */
|
2019-01-15 15:03:38 +00:00
|
|
|
|
|
|
|
fail = verify(ct, cmp, KYBER_CIPHERTEXTBYTES);
|
|
|
|
|
2019-01-15 15:34:01 +00:00
|
|
|
sha3_256(kr + KYBER_SYMBYTES, ct,
|
|
|
|
KYBER_CIPHERTEXTBYTES); /* overwrite coins in kr with H(c) */
|
2019-01-15 15:03:38 +00:00
|
|
|
|
2019-01-15 15:34:01 +00:00
|
|
|
cmov(kr, sk + KYBER_SECRETKEYBYTES - KYBER_SYMBYTES, KYBER_SYMBYTES,
|
|
|
|
fail); /* Overwrite pre-k with z on re-encryption failure */
|
2019-01-15 15:03:38 +00:00
|
|
|
|
2019-01-15 15:34:01 +00:00
|
|
|
sha3_256(ss, kr,
|
|
|
|
2 * KYBER_SYMBYTES); /* hash concatenation of pre-k and H(c) to k */
|
2019-01-15 15:03:38 +00:00
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|