Henry Case 2018-08-22 13:57:32 +01:00
commit 2f4912c8fd
3 changed files with 436 additions and 0 deletions

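--- a/msr/include/P751_api.h
+++ b/msr/include/P751_api.h
@@ -0,0 +1,107 @@
+/********************************************************************************************
+* SIDH: an efficient supersingular isogeny cryptography library
+*
+* Abstract: API header file for P751
+*********************************************************************************************/
+#ifndef __P751_API_H__
+#define __P751_API_H__
+/*********************** Key encapsulation mechanism API ***********************/
+#define CRYPTO_SECRETKEYBYTES 644 // MSG_BYTES + SECRETKEY_B_BYTES + CRYPTO_PUBLICKEYBYTES bytes
+#define CRYPTO_PUBLICKEYBYTES 564
+#define CRYPTO_BYTES 24
+#define CRYPTO_CIPHERTEXTBYTES 596 // CRYPTO_PUBLICKEYBYTES + MSG_BYTES bytes
+// Algorithm name
+#define CRYPTO_ALGNAME "SIKEp751"
+// SIKE's key generation
+// It produces a private key sk and computes the public key pk.
+// Outputs: secret key sk (CRYPTO_SECRETKEYBYTES = 644 bytes)
+// public key pk (CRYPTO_PUBLICKEYBYTES = 564 bytes)
+int crypto_kem_keypair_SIKEp751(unsigned char *pk, unsigned char *sk);
+// SIKE's encapsulation
+// Input: public key pk (CRYPTO_PUBLICKEYBYTES = 564 bytes)
+// Outputs: shared secret ss (CRYPTO_BYTES = 24 bytes)
+// ciphertext message ct (CRYPTO_CIPHERTEXTBYTES = 596 bytes)
+int crypto_kem_enc_SIKEp751(unsigned char *ct, unsigned char *ss, const unsigned char *pk);
+// SIKE's decapsulation
+// Input: secret key sk (CRYPTO_SECRETKEYBYTES = 644 bytes)
+// ciphertext message ct (CRYPTO_CIPHERTEXTBYTES = 596 bytes)
+// Outputs: shared secret ss (CRYPTO_BYTES = 24 bytes)
+int crypto_kem_dec_SIKEp751(unsigned char *ss, const unsigned char *ct, const unsigned char *sk);
+// Encoding of keys for KEM-based isogeny system "SIKEp751" (wire format):
+// ----------------------------------------------------------------------
+// Elements over GF(p751) are encoded in 94 octets in little endian format (i.e., the least significant octet is located in the lowest memory address).
+// Elements (a+b*i) over GF(p751^2), where a and b are defined over GF(p751), are encoded as {a, b}, with a in the lowest memory portion.
+//
+// Private keys sk consist of the concatenation of a 32-byte random value, a value in the range [0, 2^378-1] and the public key pk. In the SIKE API,
+// private keys are encoded in 644 octets in little endian format.
+// Public keys pk consist of 3 elements in GF(p751^2). In the SIKE API, pk is encoded in 564 octets.
+// Ciphertexts ct consist of the concatenation of a public key value and a 32-byte value. In the SIKE API, ct is encoded in 564 + 32 = 596 octets.
+// Shared keys ss consist of a value of 24 octets.
+/*********************** Ephemeral key exchange API ***********************/
+#define SIDH_SECRETKEYBYTES 48
+#define SIDH_PUBLICKEYBYTES 564
+#define SIDH_BYTES 188
+// SECURITY NOTE: SIDH supports ephemeral Diffie-Hellman key exchange. It is NOT secure to use it with static keys.
+// See "On the Security of Supersingular Isogeny Cryptosystems", S.D. Galbraith, C. Petit, B. Shani and Y.B. Ti, in ASIACRYPT 2016, 2016.
+// Extended version available at: http://eprint.iacr.org/2016/859
+// Generation of Alice's secret key
+// Outputs random value in [0, 2^372 - 1] to be used as Alice's private key
+void random_mod_order_A_SIDHp751(unsigned char* random_digits);
+// Generation of Bob's secret key
+// Outputs random value in [0, 2^Floor(Log(2,3^239)) - 1] to be used as Bob's private key
+void random_mod_order_B_SIDHp751(unsigned char* random_digits);
+// Alice's ephemeral public key generation
+// Input: a private key PrivateKeyA in the range [0, 2^372 - 1], stored in 47 bytes.
+// Output: the public key PublicKeyA consisting of 3 GF(p751^2) elements encoded in 564 bytes.
+int EphemeralKeyGeneration_A_SIDHp751(const unsigned char* PrivateKeyA, unsigned char* PublicKeyA);
+// Bob's ephemeral key-pair generation
+// It produces a private key PrivateKeyB and computes the public key PublicKeyB.
+// The private key is an integer in the range [0, 2^Floor(Log(2,3^239)) - 1], stored in 48 bytes.
+// The public key consists of 3 GF(p751^2) elements encoded in 564 bytes.
+int EphemeralKeyGeneration_B_SIDHp751(const unsigned char* PrivateKeyB, unsigned char* PublicKeyB);
+// Alice's ephemeral shared secret computation
+// It produces a shared secret key SharedSecretA using her secret key PrivateKeyA and Bob's public key PublicKeyB
+// Inputs: Alice's PrivateKeyA is an integer in the range [0, 2^372 - 1], stored in 47 bytes.
+// Bob's PublicKeyB consists of 3 GF(p751^2) elements encoded in 564 bytes.
+// Output: a shared secret SharedSecretA that consists of one element in GF(p751^2) encoded in 188 bytes.
+int EphemeralSecretAgreement_A_SIDHp751(const unsigned char* PrivateKeyA, const unsigned char* PublicKeyB, unsigned char* SharedSecretA);
+// Bob's ephemeral shared secret computation
+// It produces a shared secret key SharedSecretB using his secret key PrivateKeyB and Alice's public key PublicKeyA
+// Inputs: Bob's PrivateKeyB is an integer in the range [0, 2^Floor(Log(2,3^239)) - 1], stored in 48 bytes.
+// Alice's PublicKeyA consists of 3 GF(p751^2) elements encoded in 564 bytes.
+// Output: a shared secret SharedSecretB that consists of one element in GF(p751^2) encoded in 188 bytes.
+int EphemeralSecretAgreement_B_SIDHp751(const unsigned char* PrivateKeyB, const unsigned char* PublicKeyA, unsigned char* SharedSecretB);
+// Encoding of keys for KEX-based isogeny system "SIDHp751" (wire format):
+// ----------------------------------------------------------------------
+// Elements over GF(p751) are encoded in 94 octets in little endian format (i.e., the least significant octet is located in the lowest memory address).
+// Elements (a+b*i) over GF(p751^2), where a and b are defined over GF(p751), are encoded as {a, b}, with a in the lowest memory portion.
+//
+// Private keys PrivateKeyA and PrivateKeyB can have values in the range [0, 2^372-1] and [0, 2^378-1], resp. In the SIDH API, private keys are encoded
+// in 48 octets in little endian format.
+// Public keys PublicKeyA and PublicKeyB consist of 3 elements in GF(p751^2). In the SIDH API, they are encoded in 564 octets.
+// Shared keys SharedSecretA and SharedSecretB consist of one element in GF(p751^2). In the SIDH API, they are encoded in 188 octets.
+#endif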

msr/lib/libsidh751.a Normal file


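--- a/src/runner.go
+++ b/src/runner.go
@@ -0,0 +1,329 @@
+package main
+/*
+#cgo CFLAGS: -I../msr/include
+#cgo LDFLAGS: -L../msr/lib -lsidh751
+#include <P751_api.h>
+*/
+import "C"
+import "fmt"
+import rand "crypto/rand"
+import sidh "github.com/henrydcase/nobs/dh/sidh"
+import sike "github.com/henrydcase/nobs/kem/sike"
+import "unsafe"
+const (
+CSKsz = 644
+GSKsz = 80 // 80 because MSR concatenates public key to the secret key
+PKsz = 564
+CTsz = 596
+SSsz = 24
+)
+// Helpers for byte convertion
+func convBytesGoToC(goBytes []byte, cBytes []C.uchar) {
+for i,v:=range(goBytes) {
+cBytes[i] = C.uchar(v)
+}
+}
+func convBytesCToGo(cBytes []C.uchar, goBytes []byte) {
+goBytes=C.GoBytes(unsafe.Pointer(&cBytes[0]), GSKsz)
+}
+// Helpers for key generation
+func keygenMsr() (*sidh.PublicKey, *sidh.PrivateKey) {
+var prvKey = sidh.NewPrivateKey(sidh.FP_751, sidh.KeyVariant_SIKE)
+var pubKey = sidh.NewPublicKey(sidh.FP_751, sidh.KeyVariant_SIKE)
+var msrPK [PKsz]C.uchar
+var msrSK [CSKsz]C.uchar
+if C.crypto_kem_keypair_SIKEp751(&msrPK[0], &msrSK[0]) != 0 {
+panic(0)
+}
+if prvKey.Import(C.GoBytes(unsafe.Pointer(&msrSK[0]), GSKsz)) != nil {
+panic(0)
+}
+if pubKey.Import(C.GoBytes(unsafe.Pointer(&msrPK[0]), PKsz)) != nil {
+panic(0)
+}
+return pubKey, prvKey
+}
+func keygenCf() (*sidh.PublicKey, *sidh.PrivateKey) {
+var prvKey = sidh.NewPrivateKey(sidh.FP_751, sidh.KeyVariant_SIKE)
+err := prvKey.Generate(rand.Reader)
+if err!=nil {
+fmt.Errorf("ERR: Generate private key for CF failed")
+}
+pubKey, _ := sidh.GeneratePublicKey(prvKey)
+return pubKey,prvKey
+}
+// MSR keygen
+// MSR Encapsulate
+// CF Decapsulate
+func test_msrK_msrE_cfD() {
+var msrCipherText [CTsz]C.uchar
+var ss2 [SSsz]C.uchar
+var msrSK [CSKsz]C.uchar
+pubKey, prvKey := keygenMsr()
+ctext, ss1, err := sike.Encapsulate(rand.Reader, pubKey)
+if err != nil {
+panic(0)
+}
+for i,_:=range(ctext) {
+msrCipherText[i] = C.uchar(ctext[i])
+}
+convBytesGoToC(prvKey.Export(), msrSK[:])
+convBytesGoToC(pubKey.Export(), msrSK[80:])
+if C.crypto_kem_dec_SIKEp751(&msrSK[0], &msrCipherText[0], &ss2[0]) != 0 {
+panic(0)
+}
+for _,i:=range(ss2) {
+if byte(ss2[i]) != ss1[i] {
+fmt.Printf("LEN=%d %X\n", len(ss2), ss2)
+// fmt.Printf("LEN=%d %X\n", len(ss1), ss1)
+fmt.Println("ERR: shared secrets differ")
+break
+}
+}
+}
+// CF keygen
+// CF Encapsulate
+// MSR Decapsulate
+func test_cfK_cfE_msrD() {
+// C variables
+var cSS [SSsz]C.uchar
+var cCT [CTsz]C.uchar
+var cPK [PKsz]C.uchar
+var cSK [CSKsz]C.uchar
+pubKey, prvKey := keygenCf()
+convBytesGoToC(pubKey.Export(), cPK[:])
+gCT, gSS, err := sike.Encapsulate(rand.Reader, pubKey)
+if err != nil {
+panic("err: SIKE CF encapsulation")
+}
+convBytesGoToC(gCT[:], cCT[:])
+convBytesGoToC(prvKey.Export(), cSK[:])
+convBytesGoToC(pubKey.Export(), cSK[80:])
+if C.crypto_kem_dec_SIKEp751(&cSS[0], &cCT[0], &cSK[0]) != 0 {
+panic("Decapsulation failed")
+}
+for i,_:=range(gSS) {
+if gSS[i] != byte(cSS[i]) {
+fmt.Printf("LEN=%d %X\n", len(gSS), gSS)
+fmt.Printf("LEN=%d %X\n", len(cSS), cSS)
+fmt.Println("ERR: shared secrets differ")
+break
+}
+}
+}
+// CF keygen
+// MSR Encapsulate
+// CF Decapsulate
+func test_cfK_msrE_cfD() {
+// C variables
+var cSS [SSsz]C.uchar
+var cCT [CTsz]C.uchar
+var cPK [PKsz]C.uchar
+// GO variables
+var gCT [CTsz]byte
+pubKey, prvKey := keygenCf()
+convBytesGoToC(pubKey.Export(), cPK[:])
+C.crypto_kem_enc_SIKEp751(&cCT[0], &cSS[0], &cPK[0])
+convBytesCToGo(cCT[:], gCT[:])
+gSS, err := sike.Decapsulate(prvKey, pubKey, gCT[:])
+if err != nil {
+panic("Decapsulation failed")
+}
+for i,_:=range(gSS) {
+if gSS[i] != byte(cSS[i]) {
+fmt.Printf("LEN=%d %X\n", len(gSS), gSS)
+fmt.Printf("LEN=%d %X\n", len(cSS), cSS)
+fmt.Printf("LEN=%d %X\n", len(gCT), gCT)
+fmt.Println("ERR: shared secrets differ")
+break
+}
+}
+}
+func test_cfK_msrK_msrD() {
+// C variables
+var cSS [SSsz]C.uchar
+var cSS2 [SSsz]C.uchar
+var cCT [CTsz]C.uchar
+var cPK [PKsz]C.uchar
+var cSK [CSKsz]C.uchar
+// GO variables
+pubKey, prvKey := keygenCf()
+convBytesGoToC(pubKey.Export(), cPK[:])
+C.crypto_kem_enc_SIKEp751(&cCT[0], &cSS[0], &cPK[0])
+convBytesGoToC(prvKey.Export(), cSK[:])
+convBytesGoToC(pubKey.Export(), cSK[80:])
+C.crypto_kem_dec_SIKEp751(&cSS2[0], &cCT[0], &cSK[0])
+for i,_:=range(cSS) {
+if cSS[i] != cSS2[i] {//gSS[i] != byte(cSS[i]) {
+fmt.Printf("LEN=%d %X\n", len(cSS2), cSS2)
+fmt.Printf("LEN=%d %X\n", len(cSS), cSS)
+fmt.Println("ERR: shared secrets differ")
+break
+}
+}
+}
+// MSR keygen
+// CF Encapsulate
+// MSR Decapsulate
+func test_msrK_cfE_msrD() {
+var cCT [CTsz]C.uchar
+var cSS [SSsz]C.uchar
+var cSK [CSKsz]C.uchar
+pubKey, prvKey := keygenMsr()
+gCT, gSS, err := sike.Encapsulate(rand.Reader, pubKey)
+if err != nil {
+panic(0)
+}
+convBytesGoToC(gCT, cCT[:])
+convBytesGoToC(prvKey.Export(), cSK[:])
+convBytesGoToC(pubKey.Export(), cSK[80:])
+if C.crypto_kem_dec_SIKEp751(&cSS[0], &cCT[0], &cSK[0]) != 0 {
+panic(0)
+}
+for i:=0; i<SSsz; i++ {
+if byte(cSS[i]) != gSS[i] {
+fmt.Println("ERR: shared secrets differ")
+break
+}
+}
+}
+// MSR keygen
+// MSR Encapsulate
+// CF Decapsulate
+func test_msrK_msrK_cfD() {
+// C variables
+var cSS [SSsz]C.uchar
+var cCT [CTsz]C.uchar
+var cPK [PKsz]C.uchar
+var cSK [CSKsz]C.uchar
+var gCT [CTsz]byte
+// GO variables
+pubKey, prvKey := keygenMsr()
+convBytesGoToC(prvKey.Export(), cSK[:])
+convBytesGoToC(pubKey.Export(), cSK[80:])
+convBytesGoToC(pubKey.Export(), cPK[:])
+C.crypto_kem_enc_SIKEp751(&cCT[0], &cSS[0], &cPK[0])
+convBytesCToGo(cCT[:], gCT[:])
+gSS, err := sike.Decapsulate(prvKey, pubKey, gCT[:])
+if err!=nil {
+panic(0)
+}
+for i,_:=range(cSS) {
+if byte(cSS[i]) != gSS[i] {
+fmt.Printf("LEN=%d %X\n", len(gSS), gSS)
+fmt.Printf("LEN=%d %X\n", len(cSS), cSS)
+fmt.Println("ERR: shared secrets differ")
+break
+}
+}
+}
+// MSR keygen
+// CF Encapsulate
+// CF Decapsulate
+func test_msrK_cfE_cfD() {
+pubKey, prvKey := keygenMsr()
+gCT, gSS1, err := sike.Encapsulate(rand.Reader, pubKey)
+if err != nil {
+panic("err: SIKE CF encapsulation")
+}
+gSS2, err := sike.Decapsulate(prvKey, pubKey, gCT)
+if err!=nil || len(gSS1) != len(gSS2) {
+panic("Decapsulation failed")
+}
+for i,_:=range(gSS1) {
+if gSS1[i] != gSS2[i] {
+fmt.Printf("LEN=%d %X\n", len(gSS1), gSS1)
+fmt.Printf("LEN=%d %X\n", len(gSS2), gSS2)
+fmt.Println("ERR: shared secrets differ")
+break
+}
+}
+}
+// For CGO testing really
+// ----------------------
+func test_msrK_msrK_msrD() {
+// C variables
+var cSS [SSsz]C.uchar
+var cSS2 [SSsz]C.uchar
+var cCT [CTsz]C.uchar
+var cPK [PKsz]C.uchar
+var cSK [CSKsz]C.uchar
+// GO variables
+pubKey, prvKey := keygenMsr()
+convBytesGoToC(prvKey.Export(), cSK[:])
+convBytesGoToC(pubKey.Export(), cSK[80:])
+convBytesGoToC(pubKey.Export(), cPK[:])
+C.crypto_kem_enc_SIKEp751(&cCT[0], &cSS[0], &cPK[0])
+C.crypto_kem_dec_SIKEp751(&cSS2[0], &cCT[0], &cSK[0])
+for i,_:=range(cSS) {
+if cSS[i] != cSS2[i] {
+fmt.Printf("LEN=%d %X\n", len(cSS2), cSS2)
+fmt.Printf("LEN=%d %X\n", len(cSS), cSS)
+fmt.Println("ERR: shared secrets differ")
+break
+}
+}
+}
+func debug() {
+// fmt.Println("MSR+MSR+MSR")
+// test_msrK_msrK_msrD()
+// fmt.Println("CF+MSR+CF")
+// test_cfK_msrE_cfD()
+// fmt.Println("MSR+CF+MSR")
+// test_msrK_cfE_msrD()
+// fmt.Println("MSR+MSR+CF")
+// test_msrK_msrK_cfD()
+// fmt.Println("MSR+CF+CF")
+// test_msrK_cfE_cfD()
+fmt.Println("CF+CF+MSR")
+test_cfK_cfE_msrD()
+fmt.Println("CF+MSR+MSR")
+test_cfK_msrK_msrD()
+}
+func main() {
+for i:=0; i<1000; i++ {
+debug()
+}
+}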
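Review bot: The decapsulation call in test_msrK_msrE_cfD passes its arguments in the wrong order: the header declares `crypto_kem_dec_SIKEp751(ss, ct, sk)`, but the call is `C.crypto_kem_dec_SIKEp751(&msrSK[0], &msrCipherText[0], &ss2[0])`, so the 24-byte `ss2` array is read as a 644-byte secret key (620 bytes past its end) and the shared secret is written over the key buffer; it should be `if C.crypto_kem_dec_SIKEp751(&ss2[0], &msrCipherText[0], &msrSK[0]) != 0 {`. convBytesCToGo fails just as silently: it rebinds its local `goBytes` slice header instead of writing into the caller's array and sizes the copy by GSKsz rather than the ciphertext, so test_cfK_msrE_cfD and test_msrK_msrK_cfD decapsulate a still-zero `gCT`; `for i, v := range cBytes { goBytes[i] = byte(v) }` fixes both problems. The comparison loop `for _,i:=range(ss2)` indexes by element value rather than position and should be `for i := range ss2`. The return codes of crypto_kem_enc_SIKEp751/crypto_kem_dec_SIKEp751 are dropped in test_cfK_msrE_cfD, test_cfK_msrK_msrD, test_msrK_msrK_cfD and test_msrK_msrK_msrD, and keygenCf discards the `fmt.Errorf` result, so a failed C call or key generation surfaces only as "shared secrets differ" downstream; check each result as keygenMsr already does.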