kris
/
pqcrypto
ミラー元 https://github.com/henrydcase/pqc.git
1
1
フォーク 0
コード 課題 1 リリース 2 Wiki アクティビティ
選択できるのは25トピックまでです。 トピックは、先頭が英数字で、英数字とダッシュ('-')を使用した35文字以内のものにしてください。
834 コミット
9 ブランチ
76 MiB
 
 
 
ツリー: cf5107b69f
ブランチ タグ
${ item.name }
ブランチ ${ searchTerm } を作成
'cf5107b69f' から
${ noResults }
pqcrypto/crypto_kem/ledakemlt12/leaktime/kem.c

158 行
6.2 KiB
Raw Blame 履歴 

  1. #include "api.h"

  2. #include "niederreiter.h"

  3. #include "randombytes.h"

  4. #include "rng.h"

  5. #include "utils.h"

  6. 

  7. #include <string.h>

  8. 

  9. 

  10. #define pack_ct(sk_bytes, ct) PQCLEAN_LEDAKEMLT12_LEAKTIME_gf2x_tobytes(sk_bytes, ct);

  11. #define unpack_ct(ct, ct_bytes) PQCLEAN_LEDAKEMLT12_LEAKTIME_gf2x_frombytes(ct, ct_bytes)

  12. 

  13. static void pack_pk(uint8_t *pk_bytes, publicKeyNiederreiter_t *pk) {

  14.     for (size_t i = 0; i < N0 - 1; i++) {

  15.         PQCLEAN_LEDAKEMLT12_LEAKTIME_gf2x_tobytes(pk_bytes + i * NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_B,

  16.                 pk->Mtr + i * NUM_DIGITS_GF2X_ELEMENT);

  17.     }

  18. }

  19. 

  20. static void unpack_pk(publicKeyNiederreiter_t *pk, const uint8_t *pk_bytes) {

  21.     for (size_t i = 0; i < N0 - 1; i++) {

  22.         PQCLEAN_LEDAKEMLT12_LEAKTIME_gf2x_frombytes(pk->Mtr + i * NUM_DIGITS_GF2X_ELEMENT,

  23.                 pk_bytes + i * NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_B);

  24.     }

  25. }

  26. 

  27. static void pack_error(uint8_t *error_bytes, DIGIT *error_digits) {

  28.     size_t i;

  29.     for (i = 0; i < N0; i++) {

  30.         PQCLEAN_LEDAKEMLT12_LEAKTIME_gf2x_tobytes(error_bytes + i * NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_B,

  31.                 error_digits + i * NUM_DIGITS_GF2X_ELEMENT);

  32.     }

  33. }

  34. 

  35. /* IND-CCA2 Keygen */

  36. int PQCLEAN_LEDAKEMLT12_LEAKTIME_crypto_kem_keypair(uint8_t *pk, uint8_t *sk) {

  37.     publicKeyNiederreiter_t niederreiter_pk;

  38. 

  39.     PQCLEAN_LEDAKEMLT12_LEAKTIME_niederreiter_keygen(&niederreiter_pk, (privateKeyNiederreiter_t *) sk);

  40. 

  41.     pack_pk(pk, &niederreiter_pk);

  42. 

  43.     return 0;

  44. }

  45. 

  46. /* IND-CCA2 Encapsulation */

  47. int PQCLEAN_LEDAKEMLT12_LEAKTIME_crypto_kem_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk) {

  48.     publicKeyNiederreiter_t niederreiter_pk;

  49.     DIGIT syndrome[NUM_DIGITS_GF2X_ELEMENT];

  50.     AES_XOF_struct hashedAndTruncatedSeed_expander;

  51.     POSITION_T errorPos[NUM_ERRORS_T];

  52.     DIGIT error_vector[N0 * NUM_DIGITS_GF2X_ELEMENT];

  53.     uint8_t error_bytes[N0 * NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_B];

  54.     uint8_t seed[TRNG_BYTE_LENGTH];

  55.     uint8_t ss_input[2 * TRNG_BYTE_LENGTH] = {0};

  56.     uint8_t hashedSeed[HASH_BYTE_LENGTH];

  57.     uint8_t hashedAndTruncatedSeed[TRNG_BYTE_LENGTH] = {0};

  58.     uint8_t hashedErrorVector[HASH_BYTE_LENGTH];

  59.     uint8_t hashedAndTruncatedErrorVector[TRNG_BYTE_LENGTH] = {0};

  60.     uint8_t maskedSeed[TRNG_BYTE_LENGTH];

  61. 

  62.     unpack_pk(&niederreiter_pk, pk);

  63. 

  64.     randombytes(seed, TRNG_BYTE_LENGTH);

  65.     memcpy(ss_input, seed, TRNG_BYTE_LENGTH);

  66. 

  67.     HASH_FUNCTION(ss, ss_input, 2 * TRNG_BYTE_LENGTH);

  68.     HASH_FUNCTION(hashedSeed, seed, TRNG_BYTE_LENGTH);

  69. 

  70.     memcpy(hashedAndTruncatedSeed, hashedSeed, TRNG_BYTE_LENGTH);

  71. 

  72.     memset(&hashedAndTruncatedSeed_expander, 0x00, sizeof(AES_XOF_struct));

  73.     PQCLEAN_LEDAKEMLT12_LEAKTIME_seedexpander_from_trng(&hashedAndTruncatedSeed_expander, hashedAndTruncatedSeed);

  74.     PQCLEAN_LEDAKEMLT12_LEAKTIME_rand_error_pos(errorPos, &hashedAndTruncatedSeed_expander);

  75.     PQCLEAN_LEDAKEMLT12_LEAKTIME_expand_error(error_vector, errorPos);

  76. 

  77.     pack_error(error_bytes, error_vector);

  78.     HASH_FUNCTION(hashedErrorVector, error_bytes, (N0 * NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_B));

  79. 

  80.     memcpy(hashedAndTruncatedErrorVector, hashedErrorVector, TRNG_BYTE_LENGTH);

  81. 

  82.     for (size_t i = 0; i < TRNG_BYTE_LENGTH; ++i) {

  83.         maskedSeed[i] = seed[i] ^ hashedAndTruncatedErrorVector[i];

  84.     }

  85. 

  86.     PQCLEAN_LEDAKEMLT12_LEAKTIME_niederreiter_encrypt(syndrome,

  87.             (const publicKeyNiederreiter_t *) &niederreiter_pk, error_vector);

  88. 

  89.     pack_ct(ct, syndrome);

  90.     memcpy(ct + (NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_B), maskedSeed, TRNG_BYTE_LENGTH);

  91. 

  92.     return 0;

  93. }

  94. 

  95. 

  96. /* IND-CCA2 Decapsulation  */

  97. int PQCLEAN_LEDAKEMLT12_LEAKTIME_crypto_kem_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk) {

  98.     DIGIT syndrome[NUM_DIGITS_GF2X_ELEMENT];

  99.     AES_XOF_struct hashedAndTruncatedSeed_expander;

  100.     POSITION_T reconstructed_errorPos[NUM_ERRORS_T];

  101.     DIGIT reconstructed_error_vector[N0 * NUM_DIGITS_GF2X_ELEMENT];

  102.     DIGIT decoded_error_vector[N0 * NUM_DIGITS_GF2X_ELEMENT];

  103.     uint8_t decoded_error_bytes[N0 * NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_B];

  104.     uint8_t hashedErrorVector[HASH_BYTE_LENGTH];

  105.     uint8_t hashedAndTruncatedErrorVector[TRNG_BYTE_LENGTH] = {0};

  106.     uint8_t decoded_seed[TRNG_BYTE_LENGTH];

  107.     uint8_t hashed_decoded_seed[HASH_BYTE_LENGTH];

  108.     uint8_t hashedAndTruncated_decoded_seed[TRNG_BYTE_LENGTH] = {0};

  109.     uint8_t ss_input[2 * TRNG_BYTE_LENGTH], tail[TRNG_BYTE_LENGTH] = {0};

  110.     int decode_ok, decrypt_ok, equal;

  111. 

  112.     unpack_ct(syndrome, ct);

  113. 

  114.     decode_ok = PQCLEAN_LEDAKEMLT12_LEAKTIME_niederreiter_decrypt(decoded_error_vector,

  115.                 (const privateKeyNiederreiter_t *)sk, syndrome);

  116. 

  117.     pack_error(decoded_error_bytes, decoded_error_vector);

  118.     HASH_FUNCTION(hashedErrorVector, decoded_error_bytes, N0 * NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_B);

  119. 

  120.     memcpy(hashedAndTruncatedErrorVector, hashedErrorVector, TRNG_BYTE_LENGTH);

  121. 

  122.     for (size_t i = 0; i < TRNG_BYTE_LENGTH; ++i) {

  123.         decoded_seed[i] = ct[(NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_B) + i] ^

  124.                           hashedAndTruncatedErrorVector[i];

  125.     }

  126. 

  127.     HASH_FUNCTION(hashed_decoded_seed, decoded_seed, TRNG_BYTE_LENGTH);

  128. 

  129.     memcpy(hashedAndTruncated_decoded_seed, hashed_decoded_seed, TRNG_BYTE_LENGTH);

  130. 

  131.     memset(&hashedAndTruncatedSeed_expander, 0x00, sizeof(AES_XOF_struct));

  132.     PQCLEAN_LEDAKEMLT12_LEAKTIME_seedexpander_from_trng(&hashedAndTruncatedSeed_expander,

  133.             hashed_decoded_seed);

  134. 

  135.     PQCLEAN_LEDAKEMLT12_LEAKTIME_rand_error_pos(reconstructed_errorPos, &hashedAndTruncatedSeed_expander);

  136. 

  137.     PQCLEAN_LEDAKEMLT12_LEAKTIME_expand_error(reconstructed_error_vector, reconstructed_errorPos);

  138. 

  139.     equal = PQCLEAN_LEDAKEMLT12_LEAKTIME_gf2x_verify(decoded_error_vector,

  140.             reconstructed_error_vector, N0 * NUM_DIGITS_GF2X_ELEMENT);

  141.     // equal == 0, if the reconstructed error vector match !!!

  142. 

  143.     decrypt_ok = (decode_ok == 1 && equal == 0);

  144. 

  145.     memcpy(ss_input, decoded_seed, TRNG_BYTE_LENGTH);

  146.     memcpy(ss_input + sizeof(decoded_seed), tail, TRNG_BYTE_LENGTH);

  147. 

  148.     // Overwrite on failure

  149.     PQCLEAN_LEDAKEMLT12_LEAKTIME_cmov(ss_input + sizeof(decoded_seed),

  150.                                       ((const privateKeyNiederreiter_t *) sk)->decryption_failure_secret,

  151.                                       TRNG_BYTE_LENGTH,

  152.                                       !decrypt_ok);

  153. 

  154.     HASH_FUNCTION(ss, ss_input, 2 * TRNG_BYTE_LENGTH);

  155. 

  156.     return 0;

  157. }