kris
/
pqcrypto
mirror of https://github.com/henrydcase/pqc.git
1
1
Fork 0
Code Issues 1 Releases 2 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
532 Commits
9 Branches
132 MiB
Tree: cc551546bf
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'cc551546bf'
${ noResults }
pqcrypto/crypto_kem/ntruhps4096821/clean/owcpa.c

owcpa.c 6.1 KiB
Raw Normal View History

Add ntruhps4096821
5 years ago
 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174 
  1. #include "owcpa.h"

  2. #include "poly.h"

  3. #include "sample.h"

  4. 

  5. static int owcpa_check_r(const poly *r) {

  6.     /* Check that r is in message space. */

  7.     /* Note: Assumes that r has coefficients in {0, 1, ..., q-1} */

  8.     int i;

  9.     uint64_t t = 0;

  10.     uint16_t c;

  11.     for (i = 0; i < NTRU_N; i++) {

  12.         c = MODQ(r->coeffs[i] + 1);

  13.         t |= c & (NTRU_Q - 4); /* 0 if c is in {0,1,2,3} */

  14.         t |= (c + 1) & 0x4;   /* 0 if c is in {0,1,2} */

  15.     }

  16.     t |= r->coeffs[NTRU_N - 1]; /* Coefficient n-1 must be zero */

  17.     t = (~t + 1); // two's complement

  18.     t >>= 63;

  19.     return (int) t;

  20. }

  21. 

  22. static int owcpa_check_m(const poly *m) {

  23.     /* Check that m is in message space. */

  24.     /* Note: Assumes that m has coefficients in {0,1,2}. */

  25.     int i;

  26.     uint64_t t = 0;

  27.     uint16_t p1 = 0;

  28.     uint16_t m1 = 0;

  29.     for (i = 0; i < NTRU_N; i++) {

  30.         p1 += m->coeffs[i] & 0x01;

  31.         m1 += (m->coeffs[i] & 0x02) >> 1;

  32.     }

  33.     /* Need p1 = m1 and p1 + m1 = NTRU_WEIGHT */

  34.     t |= p1 ^ m1;

  35.     t |= (p1 + m1) ^ NTRU_WEIGHT;

  36.     t = (~t + 1); // two's complement

  37.     t >>= 63;

  38.     return (int) t;

  39. }

  40. 

  41. void PQCLEAN_NTRUHPS4096821_CLEAN_owcpa_samplemsg(unsigned char msg[NTRU_OWCPA_MSGBYTES],

  42.         const unsigned char seed[NTRU_SAMPLE_RM_BYTES]) {

  43.     poly r, m;

  44. 

  45.     PQCLEAN_NTRUHPS4096821_CLEAN_sample_rm(&r, &m, seed);

  46. 

  47.     PQCLEAN_NTRUHPS4096821_CLEAN_poly_S3_tobytes(msg, &r);

  48.     PQCLEAN_NTRUHPS4096821_CLEAN_poly_S3_tobytes(msg + NTRU_PACK_TRINARY_BYTES, &m);

  49. }

  50. 

  51. void PQCLEAN_NTRUHPS4096821_CLEAN_owcpa_keypair(unsigned char *pk,

  52.         unsigned char *sk,

  53.         const unsigned char seed[NTRU_SAMPLE_FG_BYTES]) {

  54.     int i;

  55. 

  56.     poly x1, x2, x3, x4, x5;

  57. 

  58.     poly *f = &x1, *invf_mod3 = &x2;

  59.     poly *g = &x3, *G = &x2;

  60.     poly *Gf = &x3, *invGf = &x4, *tmp = &x5;

  61.     poly *invh = &x3, *h = &x3;

  62. 

  63.     PQCLEAN_NTRUHPS4096821_CLEAN_sample_fg(f, g, seed);

  64. 

  65.     PQCLEAN_NTRUHPS4096821_CLEAN_poly_S3_inv(invf_mod3, f);

  66.     PQCLEAN_NTRUHPS4096821_CLEAN_poly_S3_tobytes(sk, f);

  67.     PQCLEAN_NTRUHPS4096821_CLEAN_poly_S3_tobytes(sk + NTRU_PACK_TRINARY_BYTES, invf_mod3);

  68. 

  69.     /* Lift coeffs of f and g from Z_p to Z_q */

  70.     PQCLEAN_NTRUHPS4096821_CLEAN_poly_Z3_to_Zq(f);

  71.     PQCLEAN_NTRUHPS4096821_CLEAN_poly_Z3_to_Zq(g);

  72. 

  73.     /* G = 3*g */

  74.     for (i = 0; i < NTRU_N; i++) {

  75.         G->coeffs[i] = MODQ(3 * g->coeffs[i]);

  76.     }

  77. 

  78.     PQCLEAN_NTRUHPS4096821_CLEAN_poly_Rq_mul(Gf, G, f);

  79. 

  80.     PQCLEAN_NTRUHPS4096821_CLEAN_poly_Rq_inv(invGf, Gf);

  81. 

  82.     PQCLEAN_NTRUHPS4096821_CLEAN_poly_Rq_mul(tmp, invGf, f);

  83.     PQCLEAN_NTRUHPS4096821_CLEAN_poly_Sq_mul(invh, tmp, f);

  84.     PQCLEAN_NTRUHPS4096821_CLEAN_poly_Sq_tobytes(sk + 2 * NTRU_PACK_TRINARY_BYTES, invh);

  85. 

  86.     PQCLEAN_NTRUHPS4096821_CLEAN_poly_Rq_mul(tmp, invGf, G);

  87.     PQCLEAN_NTRUHPS4096821_CLEAN_poly_Rq_mul(h, tmp, G);

  88.     PQCLEAN_NTRUHPS4096821_CLEAN_poly_Rq_sum_zero_tobytes(pk, h);

  89. }

  90. 

  91. 

  92. void PQCLEAN_NTRUHPS4096821_CLEAN_owcpa_enc(unsigned char *c,

  93.         const unsigned char *rm,

  94.         const unsigned char *pk) {

  95.     int i;

  96.     poly x1, x2, x3;

  97.     poly *h = &x1, *liftm = &x1;

  98.     poly *r = &x2, *m = &x2;

  99.     poly *ct = &x3;

  100. 

  101.     PQCLEAN_NTRUHPS4096821_CLEAN_poly_Rq_sum_zero_frombytes(h, pk);

  102. 

  103.     PQCLEAN_NTRUHPS4096821_CLEAN_poly_S3_frombytes(r, rm);

  104.     PQCLEAN_NTRUHPS4096821_CLEAN_poly_Z3_to_Zq(r);

  105. 

  106.     PQCLEAN_NTRUHPS4096821_CLEAN_poly_Rq_mul(ct, r, h);

  107. 

  108.     PQCLEAN_NTRUHPS4096821_CLEAN_poly_S3_frombytes(m, rm + NTRU_PACK_TRINARY_BYTES);

  109.     PQCLEAN_NTRUHPS4096821_CLEAN_poly_lift(liftm, m);

  110.     for (i = 0; i < NTRU_N; i++) {

  111.         ct->coeffs[i] = MODQ(ct->coeffs[i] + liftm->coeffs[i]);

  112.     }

  113. 

  114.     PQCLEAN_NTRUHPS4096821_CLEAN_poly_Rq_sum_zero_tobytes(c, ct);

  115. }

  116. 

  117. int PQCLEAN_NTRUHPS4096821_CLEAN_owcpa_dec(unsigned char *rm,

  118.         const unsigned char *ciphertext,

  119.         const unsigned char *secretkey) {

  120.     int i;

  121.     int fail;

  122.     poly x1, x2, x3, x4;

  123. 

  124.     poly *c = &x1, *f = &x2, *cf = &x3;

  125.     poly *mf = &x2, *finv3 = &x3, *m = &x4;

  126.     poly *liftm = &x2, *invh = &x3, *r = &x4;

  127.     poly *b = &x1;

  128. 

  129.     PQCLEAN_NTRUHPS4096821_CLEAN_poly_Rq_sum_zero_frombytes(c, ciphertext);

  130.     PQCLEAN_NTRUHPS4096821_CLEAN_poly_S3_frombytes(f, secretkey);

  131.     PQCLEAN_NTRUHPS4096821_CLEAN_poly_Z3_to_Zq(f);

  132. 

  133.     PQCLEAN_NTRUHPS4096821_CLEAN_poly_Rq_mul(cf, c, f);

  134.     PQCLEAN_NTRUHPS4096821_CLEAN_poly_Rq_to_S3(mf, cf);

  135. 

  136.     PQCLEAN_NTRUHPS4096821_CLEAN_poly_S3_frombytes(finv3, secretkey + NTRU_PACK_TRINARY_BYTES);

  137.     PQCLEAN_NTRUHPS4096821_CLEAN_poly_S3_mul(m, mf, finv3);

  138.     PQCLEAN_NTRUHPS4096821_CLEAN_poly_S3_tobytes(rm + NTRU_PACK_TRINARY_BYTES, m);

  139. 

  140.     /* NOTE: For the IND-CCA2 KEM we must ensure that c = Enc(h, (r,m)).       */

  141.     /* We can avoid re-computing r*h + Lift(m) as long as we check that        */

  142.     /* r (defined as b/h mod (q, Phi_n)) and m are in the message space.       */

  143.     /* (m can take any value in S3 in NTRU_HRSS) */

  144.     fail = 0;

  145.     fail |= owcpa_check_m(m);

  146. 

  147.     /* b = c - Lift(m) mod (q, x^n - 1) */

  148.     PQCLEAN_NTRUHPS4096821_CLEAN_poly_lift(liftm, m);

  149.     for (i = 0; i < NTRU_N; i++) {

  150.         b->coeffs[i] = MODQ(c->coeffs[i] - liftm->coeffs[i]);

  151.     }

  152. 

  153.     /* r = b / h mod (q, Phi_n) */

  154.     PQCLEAN_NTRUHPS4096821_CLEAN_poly_Sq_frombytes(invh, secretkey + 2 * NTRU_PACK_TRINARY_BYTES);

  155.     PQCLEAN_NTRUHPS4096821_CLEAN_poly_Sq_mul(r, b, invh);

  156. 

  157.     /* NOTE: Our definition of r as b/h mod (q, Phi_n) follows Figure 4 of     */

  158.     /*   [Sch18] https://eprint.iacr.org/2018/1174/20181203:032458.            */

  159.     /* This differs from Figure 10 of Saito--Xagawa--Yamakawa                  */

  160.     /*   [SXY17] https://eprint.iacr.org/2017/1005/20180516:055500             */

  161.     /* where r gets a final reduction modulo p.                                */

  162.     /* We need this change to use Proposition 1 of [Sch18].                    */

  163. 

  164.     /* Proposition 1 of [Sch18] shows that re-encryption with (r,m) yields c.  */

  165.     /* if and only if fail==0 after the following call to owcpa_check_r        */

  166.     /* The procedure given in Fig. 8 of [Sch18] can be skipped because we have */

  167.     /* c(1) = 0 due to the use of poly_Rq_sum_zero_{to,from}bytes.             */

  168.     fail |= owcpa_check_r(r);

  169. 

  170.     PQCLEAN_NTRUHPS4096821_CLEAN_poly_trinary_Zq_to_Z3(r);

  171.     PQCLEAN_NTRUHPS4096821_CLEAN_poly_S3_tobytes(rm, r);

  172. 

  173.     return fail;

  174. }