sharpetronics/liboqs
1
0
Fork 0
mirror of https://github.com/open-quantum-safe/liboqs.git synced 2025-11-22 00:09:23 -05:00
Code Issues Projects Releases Wiki Activity

make prettyprint

Browse Source
This commit is contained in:
Christian Paquin 2018-01-08 20:47:58 -05:00
parent 1695d0fbe4
commit 980d78d66a
14 changed files with 1315 additions and 1416 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/kex_sidh_msr/P503/P503.c
View File

@ -7,7 +7,6 @@
#include "P503_api.h"
#include "P503_internal.h"
// Encoding of field elements, elements over Z_order, elements over GF(p^2) and elliptic curve points:
// --------------------------------------------------------------------------------------------------
// Elements over GF(p) and Z_order are encoded with the least significant octet (and digit) located at the leftmost position (i.e., little endian format).
@ -65,7 +64,6 @@ static const uint64_t Montgomery_rprime[NWORDS64_ORDER] = { 0x49C8A87190C0697D,
// Value order_Bob/3 mod p503
static const uint64_t Border_div3[NWORDS_ORDER] = {0xEB5CFCD82C28A2B9, 0x4CFF3B5F9FDFCE96, 0xB07B3A7CDF4DBC02, 0x055DE9C5756D2D32};
// Fixed parameters for isogeny tree computation
static const unsigned int strat_Alice[MAX_Alice - 1] = {
61, 32, 16, 8, 4, 2, 1, 1, 2, 1, 1, 4, 2, 1, 1, 2, 1, 1, 8, 4, 2, 1, 1, 2, 1, 1,

5
src/kex_sidh_msr/P503/P503_api.h
View File

@ -9,7 +9,6 @@
#include <oqs/rand.h>
/*********************** Key encapsulation mechanism API ***********************/
#define CRYPTO_SECRETKEYBYTES 434 // MSG_BYTES + SECRETKEY_B_BYTES + CRYPTO_PUBLICKEYBYTES bytes
@ -38,7 +37,6 @@ int crypto_kem_enc_SIKEp503(unsigned char *ct, unsigned char *ss, const unsigned
// Outputs: shared secret ss (CRYPTO_BYTES = 16 bytes)
int crypto_kem_dec_SIKEp503(unsigned char *ss, const unsigned char *ct, const unsigned char *sk, OQS_RAND *rand);
// Encoding of keys for KEM-based isogeny system "SIKEp503" (wire format):
// ----------------------------------------------------------------------
// Elements over GF(p503) are encoded in 63 octets in little endian format (i.e., the least significant octet is located in the lowest memory address).
@ -50,7 +48,6 @@ int crypto_kem_dec_SIKEp503(unsigned char *ss, const unsigned char *ct, const un
// Ciphertexts ct consist of the concatenation of a public key value and a 24-byte value. In the SIKE API, ct is encoded in 378 + 24 = 402 octets.
// Shared keys ss consist of a value of 16 octets.
/*********************** Ephemeral key exchange API ***********************/
#define SIDH_SECRETKEYBYTES 32
@ -94,7 +91,6 @@ int EphemeralSecretAgreement_A_SIDHp503(const unsigned char* PrivateKeyA, const
// Output: a shared secret SharedSecretB that consists of one element in GF(p503^2) encoded in 126 bytes.
int EphemeralSecretAgreement_B_SIDHp503(const unsigned char *PrivateKeyB, const unsigned char *PublicKeyA, unsigned char *SharedSecretB);
// Encoding of keys for KEX-based isogeny system "SIDHp503" (wire format):
// ----------------------------------------------------------------------
// Elements over GF(p503) are encoded in 63 octets in little endian format (i.e., the least significant octet is located in the lowest memory address).
@ -105,5 +101,4 @@ int EphemeralSecretAgreement_B_SIDHp503(const unsigned char* PrivateKeyB, const
// Public keys PublicKeyA and PublicKeyB consist of 3 elements in GF(p503^2). In the SIDH API, they are encoded in 378 octets.
// Shared keys SharedSecretA and SharedSecretB consist of one element in GF(p503^2). In the SIDH API, they are encoded in 126 octets.
#endif

11
src/kex_sidh_msr/P503/P503_internal.h
View File

@ -9,7 +9,6 @@
#include "../config.h"
#if (TARGET == TARGET_AMD64)
#define NWORDS_FIELD 8 // Number of words of a 503-bit field element
#define p503_ZERO_WORDS 3 // Number of "0" digits in the least significant part of p503 + 1
@ -24,7 +23,6 @@
#define p503_ZERO_WORDS 3
#endif
// Basic constants
#define NBITS_FIELD 503
@ -56,18 +54,18 @@
#define SECRETKEY_B_BYTES (OBOB_BITS + 7) / 8
#define FP2_ENCODED_BYTES 2 * ((NBITS_FIELD + 7) / 8)
// SIDH's basic element definitions and point representations
typedef digit_t felm_t[NWORDS_FIELD]; // Datatype for representing 503-bit field elements (512-bit max.)
typedef digit_t dfelm_t[2 * NWORDS_FIELD]; // Datatype for representing double-precision 2x503-bit field elements (512-bit max.)
typedef felm_t f2elm_t[2]; // Datatype for representing quadratic extension field elements GF(p503^2)
typedef struct { f2elm_t X; f2elm_t Z; } point_proj; // Point representation in projective XZ Montgomery coordinates.
typedef struct {
f2elm_t X;
f2elm_t Z;
} point_proj; // Point representation in projective XZ Montgomery coordinates.
typedef point_proj point_proj_t[1];
/**************** Function prototypes ****************/
/************* Multiprecision functions **************/
@ -244,5 +242,4 @@ static void inv_3_way(f2elm_t z1, f2elm_t z2, f2elm_t z3);
// Given the x-coordinates of P, Q, and R, returns the value A corresponding to the Montgomery curve E_A: y^2=x^3+A*x^2+x such that R=Q-P on E_A.
static void get_A(const f2elm_t xP, const f2elm_t xQ, const f2elm_t xR, f2elm_t A);
#endif

1
src/kex_sidh_msr/P751/P751.c
View File

@ -64,7 +64,6 @@ static const uint64_t Montgomery_rprime[NWORDS64_ORDER] = { 0x48062A91D3AB563D,
// Value order_Bob/3 mod p751
static const uint64_t Border_div3[NWORDS_ORDER] = {0xEDCD718A828384F9, 0x733B35BFD4427A14, 0xF88229CF94D7CF38, 0x63C56C990C7C2AD6, 0xB858A87E8F4222C7, 0x0254C9C6B525EAF5};
// Fixed parameters for isogeny tree computation
static const unsigned int strat_Alice[MAX_Alice - 1] = {
80, 48, 27, 15, 8, 4, 2, 1, 1, 2, 1, 1, 4, 2, 1, 1, 2, 1, 1, 7, 4, 2, 1, 1, 2, 1,

5
src/kex_sidh_msr/P751/P751_api.h
View File

@ -9,7 +9,6 @@
#include <oqs/rand.h>
/*********************** Key encapsulation mechanism API ***********************/
#define CRYPTO_SECRETKEYBYTES 644 // MSG_BYTES + SECRETKEY_B_BYTES + CRYPTO_PUBLICKEYBYTES bytes
@ -38,7 +37,6 @@ int crypto_kem_enc_SIKEp751(unsigned char *ct, unsigned char *ss, const unsigned
// Outputs: shared secret ss (CRYPTO_BYTES = 24 bytes)
int crypto_kem_dec_SIKEp751(unsigned char *ss, const unsigned char *ct, const unsigned char *sk, OQS_RAND *rand);
// Encoding of keys for KEM-based isogeny system "SIKEp751" (wire format):
// ----------------------------------------------------------------------
// Elements over GF(p751) are encoded in 94 octets in little endian format (i.e., the least significant octet is located in the lowest memory address).
@ -50,7 +48,6 @@ int crypto_kem_dec_SIKEp751(unsigned char *ss, const unsigned char *ct, const un
// Ciphertexts ct consist of the concatenation of a public key value and a 32-byte value. In the SIKE API, ct is encoded in 564 + 32 = 596 octets.
// Shared keys ss consist of a value of 24 octets.
/*********************** Ephemeral key exchange API ***********************/
#define SIDH_SECRETKEYBYTES 48
@ -94,7 +91,6 @@ int EphemeralSecretAgreement_A_SIDHp751(const unsigned char* PrivateKeyA, const
// Output: a shared secret SharedSecretB that consists of one element in GF(p751^2) encoded in 188 bytes.
int EphemeralSecretAgreement_B_SIDHp751(const unsigned char *PrivateKeyB, const unsigned char *PublicKeyA, unsigned char *SharedSecretB);
// Encoding of keys for KEX-based isogeny system "SIDHp751" (wire format):
// ----------------------------------------------------------------------
// Elements over GF(p751) are encoded in 94 octets in little endian format (i.e., the least significant octet is located in the lowest memory address).
@ -105,5 +101,4 @@ int EphemeralSecretAgreement_B_SIDHp751(const unsigned char* PrivateKeyB, const
// Public keys PublicKeyA and PublicKeyB consist of 3 elements in GF(p751^2). In the SIDH API, they are encoded in 564 octets.
// Shared keys SharedSecretA and SharedSecretB consist of one element in GF(p751^2). In the SIDH API, they are encoded in 188 octets.
#endif

33
src/kex_sidh_msr/P751/generic/fp_generic.c
View File

@ -6,15 +6,12 @@
#include "../P751_internal.h"
// Global constants
extern const uint64_t p751[NWORDS_FIELD];
extern const uint64_t p751p1[NWORDS_FIELD];
extern const uint64_t p751x2[NWORDS_FIELD];
__inline void oqs_kex_sidh_msr_fpadd751(const digit_t* a, const digit_t* b, digit_t* c)
{ // Modular addition, c = a+b mod p751.
__inline void oqs_kex_sidh_msr_fpadd751(const digit_t *a, const digit_t *b, digit_t *c) { // Modular addition, c = a+b mod p751.
// Inputs: a, b in [0, 2*p751-1]
// Output: c in [0, 2*p751-1]
unsigned int i, carry = 0;
@ -36,9 +33,7 @@ __inline void oqs_kex_sidh_msr_fpadd751(const digit_t* a, const digit_t* b, digi
}
}
__inline void oqs_kex_sidh_msr_fpsub751(const digit_t* a, const digit_t* b, digit_t* c)
{ // Modular subtraction, c = a-b mod p751.
__inline void oqs_kex_sidh_msr_fpsub751(const digit_t *a, const digit_t *b, digit_t *c) { // Modular subtraction, c = a-b mod p751.
// Inputs: a, b in [0, 2*p751-1]
// Output: c in [0, 2*p751-1]
unsigned int i, borrow = 0;
@ -55,9 +50,7 @@ __inline void oqs_kex_sidh_msr_fpsub751(const digit_t* a, const digit_t* b, digi
}
}
__inline void oqs_kex_sidh_msr_fpneg751(digit_t* a)
{ // Modular negation, a = -a mod p751.
__inline void oqs_kex_sidh_msr_fpneg751(digit_t *a) { // Modular negation, a = -a mod p751.
// Input/output: a in [0, 2*p751-1]
unsigned int i, borrow = 0;
@ -66,9 +59,7 @@ __inline void oqs_kex_sidh_msr_fpneg751(digit_t* a)
}
}
void fpdiv2_751(const digit_t* a, digit_t* c)
{ // Modular division by two, c = a/2 mod p751.
void fpdiv2_751(const digit_t *a, digit_t *c) { // Modular division by two, c = a/2 mod p751.
// Input : a in [0, 2*p751-1]
// Output: c in [0, 2*p751-1]
unsigned int i, carry = 0;
@ -82,9 +73,7 @@ void fpdiv2_751(const digit_t* a, digit_t* c)
mp_shiftr1(c, NWORDS_FIELD);
}
void fpcorrection751(digit_t* a)
{ // Modular correction to reduce field element a in [0, 2*p751-1] to [0, p751-1].
void fpcorrection751(digit_t *a) { // Modular correction to reduce field element a in [0, 2*p751-1] to [0, p751-1].
unsigned int i, borrow = 0;
digit_t mask;
@ -99,9 +88,7 @@ void fpcorrection751(digit_t* a)
}
}
void digit_x_digit(const digit_t a, const digit_t b, digit_t* c)
{ // Digit multiplication, digit * digit -> 2-digit result
void digit_x_digit(const digit_t a, const digit_t b, digit_t *c) { // Digit multiplication, digit * digit -> 2-digit result
register digit_t al, ah, bl, bh, temp;
digit_t albl, albh, ahbl, ahbh, res1, res2, res3, carry;
digit_t mask_low = (digit_t)(-1) >> (sizeof(digit_t) * 4), mask_high = (digit_t)(-1) << (sizeof(digit_t) * 4);
@ -133,9 +120,7 @@ void digit_x_digit(const digit_t a, const digit_t b, digit_t* c)
c[1] ^= (ahbh & mask_high) + carry; // C11
}
void mp_mul(const digit_t* a, const digit_t* b, digit_t* c, const unsigned int nwords)
{ // Multiprecision comba multiply, c = a*b, where lng(a) = lng(b) = nwords.
void mp_mul(const digit_t *a, const digit_t *b, digit_t *c, const unsigned int nwords) { // Multiprecision comba multiply, c = a*b, where lng(a) = lng(b) = nwords.
unsigned int i, j;
digit_t t = 0, u = 0, v = 0, UV[2];
unsigned int carry = 0;
@ -168,9 +153,7 @@ void mp_mul(const digit_t* a, const digit_t* b, digit_t* c, const unsigned int n
c[2 * nwords - 1] = v;
}
void rdc_mont(const digit_t* ma, digit_t* mc)
{ // Efficient Montgomery reduction using comba and exploiting the special form of the prime p751.
void rdc_mont(const digit_t *ma, digit_t *mc) { // Efficient Montgomery reduction using comba and exploiting the special form of the prime p751.
// mc = ma*R^-1 mod p751x2, where R = 2^768.
// If ma < 2^768*p751, the output mc is in the range [0, 2*p751-1].
// ma is assumed to be in Montgomery representation.

96
src/kex_sidh_msr/sha3/fips202.c
View File

@ -18,9 +18,7 @@
#define NROUNDS 24
#define ROL(a, offset) ((a << offset) ^ (a >> (64 - offset)))
static uint64_t load64(const unsigned char *x)
{
static uint64_t load64(const unsigned char *x) {
unsigned long long r = 0, i;
for (i = 0; i < 8; ++i) {
@ -29,9 +27,7 @@ static uint64_t load64(const unsigned char *x)
return r;
}
static void store64(uint8_t *x, uint64_t u)
{
static void store64(uint8_t *x, uint64_t u) {
unsigned int i;
for (i = 0; i < 8; ++i) {
@ -40,7 +36,6 @@ static void store64(uint8_t *x, uint64_t u)
}
}
static const uint64_t KeccakF_RoundConstants[NROUNDS] =
{
(uint64_t) 0x0000000000000001ULL,
@ -66,12 +61,9 @@ static const uint64_t KeccakF_RoundConstants[NROUNDS] =
(uint64_t) 0x8000000080008081ULL,
(uint64_t) 0x8000000000008080ULL,
(uint64_t) 0x0000000080000001ULL,
(uint64_t)0x8000000080008008ULL
};
(uint64_t) 0x8000000080008008ULL};
void KeccakF1600_StatePermute(uint64_t * state)
{
void KeccakF1600_StatePermute(uint64_t *state) {
int round;
uint64_t Aba, Abe, Abi, Abo, Abu;
@ -114,8 +106,7 @@ void KeccakF1600_StatePermute(uint64_t * state)
Aso = state[23];
Asu = state[24];
for( round = 0; round < NROUNDS; round += 2 )
{
for (round = 0; round < NROUNDS; round += 2) {
// prepareTheta
BCa = Aba ^ Aga ^ Aka ^ Ama ^ Asa;
BCe = Abe ^ Age ^ Ake ^ Ame ^ Ase;
@ -340,14 +331,11 @@ void KeccakF1600_StatePermute(uint64_t * state)
#include <string.h>
#define MIN(a, b) ((a) < (b) ? (a) : (b))
static void keccak_absorb(uint64_t *s, unsigned int r, const unsigned char *m, unsigned long long int mlen, unsigned char p)
{
static void keccak_absorb(uint64_t *s, unsigned int r, const unsigned char *m, unsigned long long int mlen, unsigned char p) {
unsigned long long i;
unsigned char t[200];
while (mlen >= r)
{
while (mlen >= r) {
for (i = 0; i < r / 8; ++i)
s[i] ^= load64(m + 8 * i);
@ -366,16 +354,12 @@ static void keccak_absorb(uint64_t *s, unsigned int r, const unsigned char *m, u
s[i] ^= load64(t + 8 * i);
}
static void keccak_squeezeblocks(unsigned char *h, unsigned long long int nblocks, uint64_t *s, unsigned int r)
{
static void keccak_squeezeblocks(unsigned char *h, unsigned long long int nblocks, uint64_t *s, unsigned int r) {
unsigned int i;
while(nblocks > 0)
{
while (nblocks > 0) {
KeccakF1600_StatePermute(s);
for (i = 0; i < (r>>3); i++)
{
for (i = 0; i < (r >> 3); i++) {
store64(h + 8 * i, s[i]);
}
h += r;
@ -383,23 +367,17 @@ static void keccak_squeezeblocks(unsigned char *h, unsigned long long int nblock
}
}
/********** SHAKE128 ***********/
void shake128_absorb(uint64_t *s, const unsigned char *input, unsigned int inputByteLen)
{
void shake128_absorb(uint64_t *s, const unsigned char *input, unsigned int inputByteLen) {
keccak_absorb(s, SHAKE128_RATE, input, inputByteLen, 0x1F);
}
void shake128_squeezeblocks(unsigned char *output, unsigned long long nblocks, uint64_t *s)
{
void shake128_squeezeblocks(unsigned char *output, unsigned long long nblocks, uint64_t *s) {
keccak_squeezeblocks(output, nblocks, s, SHAKE128_RATE);
}
void shake128(unsigned char *output, unsigned long long outlen, const unsigned char *input, unsigned long long inlen)
{
void shake128(unsigned char *output, unsigned long long outlen, const unsigned char *input, unsigned long long inlen) {
uint64_t s[25] = {0};
unsigned char t[SHAKE128_RATE];
unsigned long long nblocks = outlen / SHAKE128_RATE;
@ -414,19 +392,16 @@ void shake128(unsigned char *output, unsigned long long outlen, const unsigned c
output += nblocks * SHAKE128_RATE;
outlen -= nblocks * SHAKE128_RATE;
if (outlen)
{
if (outlen) {
keccak_squeezeblocks(t, 1, s, SHAKE128_RATE);
for (i = 0; i < outlen; i++)
output[i] = t[i];
}
}
/********** cSHAKE128 ***********/
void cshake128_simple_absorb(uint64_t s[25], uint16_t cstm, const unsigned char *in, unsigned long long inlen)
{
void cshake128_simple_absorb(uint64_t s[25], uint16_t cstm, const unsigned char *in, unsigned long long inlen) {
unsigned char *sep = (unsigned char *) s;
unsigned int i;
@ -449,15 +424,11 @@ void cshake128_simple_absorb(uint64_t s[25], uint16_t cstm, const unsigned char
keccak_absorb(s, SHAKE128_RATE, in, inlen, 0x04);
}
void cshake128_simple_squeezeblocks(unsigned char *output, unsigned long long nblocks, uint64_t *s)
{
void cshake128_simple_squeezeblocks(unsigned char *output, unsigned long long nblocks, uint64_t *s) {
keccak_squeezeblocks(output, nblocks, s, SHAKE128_RATE);
}
void cshake128_simple(unsigned char *output, unsigned long long outlen, uint16_t cstm, const unsigned char *in, unsigned long long inlen)
{
void cshake128_simple(unsigned char *output, unsigned long long outlen, uint16_t cstm, const unsigned char *in, unsigned long long inlen) {
uint64_t s[25];
unsigned char t[SHAKE128_RATE];
unsigned int i;
@ -468,31 +439,24 @@ void cshake128_simple(unsigned char *output, unsigned long long outlen, uint16_t
keccak_squeezeblocks(output, outlen / SHAKE128_RATE, s, SHAKE128_RATE);
output += (outlen / SHAKE128_RATE) * SHAKE128_RATE;
if (outlen%SHAKE128_RATE)
{
if (outlen % SHAKE128_RATE) {
keccak_squeezeblocks(t, 1, s, SHAKE128_RATE);
for (i = 0; i < outlen % SHAKE128_RATE; i++)
output[i] = t[i];
}
}
/********** SHAKE256 ***********/
void shake256_absorb(uint64_t *s, const unsigned char *input, unsigned int inputByteLen)
{
void shake256_absorb(uint64_t *s, const unsigned char *input, unsigned int inputByteLen) {
keccak_absorb(s, SHAKE256_RATE, input, inputByteLen, 0x1F);
}
void shake256_squeezeblocks(unsigned char *output, unsigned long long nblocks, uint64_t *s)
{
void shake256_squeezeblocks(unsigned char *output, unsigned long long nblocks, uint64_t *s) {
keccak_squeezeblocks(output, nblocks, s, SHAKE256_RATE);
}
void shake256(unsigned char *output, unsigned long long outlen, const unsigned char *input, unsigned long long inlen)
{
void shake256(unsigned char *output, unsigned long long outlen, const unsigned char *input, unsigned long long inlen) {
uint64_t s[25];
unsigned char t[SHAKE256_RATE];
unsigned long long nblocks = outlen / SHAKE256_RATE;
@ -510,19 +474,16 @@ void shake256(unsigned char *output, unsigned long long outlen, const unsigned c
output += nblocks * SHAKE256_RATE;
outlen -= nblocks * SHAKE256_RATE;
if (outlen)
{
if (outlen) {
keccak_squeezeblocks(t, 1, s, SHAKE256_RATE);
for (i = 0; i < outlen; i++)
output[i] = t[i];
}
}
/********** cSHAKE256 ***********/
void cshake256_simple_absorb(uint64_t s[25], uint16_t cstm, const unsigned char *in, unsigned long long inlen)
{
void cshake256_simple_absorb(uint64_t s[25], uint16_t cstm, const unsigned char *in, unsigned long long inlen) {
unsigned char *sep = (unsigned char *) s;
unsigned int i;
@ -545,15 +506,11 @@ void cshake256_simple_absorb(uint64_t s[25], uint16_t cstm, const unsigned char
keccak_absorb(s, SHAKE256_RATE, in, inlen, 0x04);
}
void cshake256_simple_squeezeblocks(unsigned char *output, unsigned long long nblocks, uint64_t *s)
{
void cshake256_simple_squeezeblocks(unsigned char *output, unsigned long long nblocks, uint64_t *s) {
keccak_squeezeblocks(output, nblocks, s, SHAKE256_RATE);
}
void cshake256_simple(unsigned char *output, unsigned long long outlen, uint16_t cstm, const unsigned char *in, unsigned long long inlen)
{
void cshake256_simple(unsigned char *output, unsigned long long outlen, uint16_t cstm, const unsigned char *in, unsigned long long inlen) {
uint64_t s[25];
unsigned char t[SHAKE256_RATE];
unsigned int i;
@ -564,8 +521,7 @@ void cshake256_simple(unsigned char *output, unsigned long long outlen, uint16_t
keccak_squeezeblocks(output, outlen / SHAKE256_RATE, s, SHAKE256_RATE);
output += (outlen / SHAKE256_RATE) * SHAKE256_RATE;
if(outlen%SHAKE256_RATE)
{
if (outlen % SHAKE256_RATE) {
keccak_squeezeblocks(t, 1, s, SHAKE256_RATE);
for (i = 0; i < outlen % SHAKE256_RATE; i++)
output[i] = t[i];

2
src/kex_sidh_msr/sha3/fips202.h
View File

@ -3,7 +3,6 @@
#include <stdint.h>
#define SHAKE128_RATE 168
#define SHAKE256_RATE 136
@ -23,5 +22,4 @@ void cshake256_simple_absorb(uint64_t *s, uint16_t cstm, const unsigned char *in
void cshake256_simple_squeezeblocks(unsigned char *output, unsigned long long nblocks, uint64_t *s);
void cshake256_simple(unsigned char *output, unsigned long long outlen, uint16_t cstm, const unsigned char *in, unsigned long long inlen);
#endif

42
src/kex_sidh_msr/sidh.c
View File

@ -4,8 +4,7 @@
* Abstract: ephemeral supersingular isogeny Diffie-Hellman key exchange (SIDH)
*********************************************************************************************/
static void clear_words(void* mem, digit_t nwords)
{ // Clear digits from memory. "nwords" indicates the number of digits to be zeroed.
static void clear_words(void *mem, digit_t nwords) { // Clear digits from memory. "nwords" indicates the number of digits to be zeroed.
// This function uses the volatile type qualifier to inform the compiler not to optimize out the memory clearing.
unsigned int i;
volatile digit_t *v = mem;
@ -15,9 +14,7 @@ static void clear_words(void* mem, digit_t nwords)
}
}
static void init_basis(digit_t *gen, f2elm_t XP, f2elm_t XQ, f2elm_t XR)
{ // Initialization of basis points
static void init_basis(digit_t *gen, f2elm_t XP, f2elm_t XQ, f2elm_t XR) { // Initialization of basis points
fpcopy(gen, XP[0]);
fpcopy(gen + NWORDS_FIELD, XP[1]);
@ -27,9 +24,7 @@ static void init_basis(digit_t *gen, f2elm_t XP, f2elm_t XQ, f2elm_t XR)
fpcopy(gen + 4 * NWORDS_FIELD, XR[1]);
}
static void fp2_encode(const f2elm_t x, unsigned char *enc)
{ // Conversion of GF(p^2) element from Montgomery to standard representation, and encoding by removing leading 0 bytes
static void fp2_encode(const f2elm_t x, unsigned char *enc) { // Conversion of GF(p^2) element from Montgomery to standard representation, and encoding by removing leading 0 bytes
unsigned int i;
f2elm_t t;
@ -40,12 +35,11 @@ static void fp2_encode(const f2elm_t x, unsigned char *enc)
}
}
static void fp2_decode(const unsigned char *enc, f2elm_t x)
{ // Parse byte sequence back into GF(p^2) element, and conversion to Montgomery representation
static void fp2_decode(const unsigned char *enc, f2elm_t x) { // Parse byte sequence back into GF(p^2) element, and conversion to Montgomery representation
unsigned int i;
for (i = 0; i < 2*(MAXBITS_FIELD / 8); i++) ((unsigned char *)x)[i] = 0;
for (i = 0; i < 2 * (MAXBITS_FIELD / 8); i++)
((unsigned char *) x)[i] = 0;
for (i = 0; i < FP2_ENCODED_BYTES / 2; i++) {
((unsigned char *) x)[i] = enc[i];
((unsigned char *) x)[i + MAXBITS_FIELD / 8] = enc[i + FP2_ENCODED_BYTES / 2];
@ -53,9 +47,7 @@ static void fp2_decode(const unsigned char *enc, f2elm_t x)
to_fp2mont(x, x);
}
void random_mod_order_A(unsigned char* random_digits, OQS_RAND* rand)
{ // Generation of Alice's secret key
void random_mod_order_A(unsigned char *random_digits, OQS_RAND *rand) { // Generation of Alice's secret key
// Outputs random value in [0, 2^eA - 1]
unsigned long long nbytes = NBITS_TO_NBYTES(OALICE_BITS);
@ -64,9 +56,7 @@ void random_mod_order_A(unsigned char* random_digits, OQS_RAND* rand)
random_digits[nbytes - 1] &= MASK_ALICE; // Masking last byte
}
void random_mod_order_B(unsigned char* random_digits, OQS_RAND* rand)
{ // Generation of Bob's secret key
void random_mod_order_B(unsigned char *random_digits, OQS_RAND *rand) { // Generation of Bob's secret key
// Outputs random value in [0, 2^Floor(Log(2, oB)) - 1]
unsigned long long nbytes = NBITS_TO_NBYTES(OBOB_BITS - 1);
@ -75,9 +65,7 @@ void random_mod_order_B(unsigned char* random_digits, OQS_RAND* rand)
random_digits[nbytes - 1] &= MASK_BOB; // Masking last byte
}
int EphemeralKeyGeneration_A(const unsigned char* PrivateKeyA, unsigned char* PublicKeyA, OQS_RAND *rand)
{ // Alice's ephemeral public key generation
int EphemeralKeyGeneration_A(const unsigned char *PrivateKeyA, unsigned char *PublicKeyA, OQS_RAND *rand) { // Alice's ephemeral public key generation
// Input: a private key PrivateKeyA in the range [0, 2^eA - 1].
// Output: the public key PublicKeyA consisting of 3 elements in GF(p^2) which are encoded by removing leading 0 bytes.
point_proj_t R, phiP = {0}, phiQ = {0}, phiR = {0}, pts[MAX_INT_POINTS_ALICE];
@ -142,9 +130,7 @@ int EphemeralKeyGeneration_A(const unsigned char* PrivateKeyA, unsigned char* Pu
return 0;
}
int EphemeralKeyGeneration_B(const unsigned char* PrivateKeyB, unsigned char* PublicKeyB, OQS_RAND *rand)
{ // Bob's ephemeral public key generation
int EphemeralKeyGeneration_B(const unsigned char *PrivateKeyB, unsigned char *PublicKeyB, OQS_RAND *rand) { // Bob's ephemeral public key generation
// Input: a private key PrivateKeyB in the range [0, 2^Floor(Log(2,oB)) - 1].
// Output: the public key PublicKeyB consisting of 3 elements in GF(p^2) which are encoded by removing leading 0 bytes.
point_proj_t R, phiP = {0}, phiQ = {0}, phiR = {0}, pts[MAX_INT_POINTS_BOB];
@ -211,9 +197,7 @@ int EphemeralKeyGeneration_B(const unsigned char* PrivateKeyB, unsigned char* Pu
return 0;
}
int EphemeralSecretAgreement_A(const unsigned char* PrivateKeyA, const unsigned char* PublicKeyB, unsigned char* SharedSecretA)
{ // Alice's ephemeral shared secret computation
int EphemeralSecretAgreement_A(const unsigned char *PrivateKeyA, const unsigned char *PublicKeyB, unsigned char *SharedSecretA) { // Alice's ephemeral shared secret computation
// It produces a shared secret key SharedSecretA using her secret key PrivateKeyA and Bob's public key PublicKeyB
// Inputs: Alice's PrivateKeyA is an integer in the range [0, oA-1].
// Bob's PublicKeyB consists of 3 elements in GF(p^2) encoded by removing leading 0 bytes.
@ -270,9 +254,7 @@ int EphemeralSecretAgreement_A(const unsigned char* PrivateKeyA, const unsigned
return 0;
}
int EphemeralSecretAgreement_B(const unsigned char* PrivateKeyB, const unsigned char* PublicKeyA, unsigned char* SharedSecretB)
{ // Bob's ephemeral shared secret computation
int EphemeralSecretAgreement_B(const unsigned char *PrivateKeyB, const unsigned char *PublicKeyA, unsigned char *SharedSecretB) { // Bob's ephemeral shared secret computation
// It produces a shared secret key SharedSecretB using his secret key PrivateKeyB and Alice's public key PublicKeyA
// Inputs: Bob's PrivateKeyB is an integer in the range [0, 2^Floor(Log(2,oB)) - 1].
// Alice's PublicKeyA consists of 3 elements in GF(p^2) encoded by removing leading 0 bytes.

18
src/kex_sidh_msr/sike.c
View File

@ -7,9 +7,7 @@
#include <string.h>
#include "sha3/fips202.h"
int crypto_kem_keypair(unsigned char *pk, unsigned char *sk, OQS_RAND *rand)
{ // SIKE's key generation
int crypto_kem_keypair(unsigned char *pk, unsigned char *sk, OQS_RAND *rand) { // SIKE's key generation
// Outputs: secret key sk (CRYPTO_SECRETKEYBYTES = MSG_BYTES + SECRETKEY_B_BYTES + CRYPTO_PUBLICKEYBYTES bytes)
// public key pk (CRYPTO_PUBLICKEYBYTES bytes)
@ -26,9 +24,7 @@ int crypto_kem_keypair(unsigned char *pk, unsigned char *sk, OQS_RAND *rand)
return 0;
}
int crypto_kem_enc(unsigned char *ct, unsigned char *ss, const unsigned char *pk, OQS_RAND *rand)
{ // SIKE's encapsulation
int crypto_kem_enc(unsigned char *ct, unsigned char *ss, const unsigned char *pk, OQS_RAND *rand) { // SIKE's encapsulation
// Input: public key pk (CRYPTO_PUBLICKEYBYTES bytes)
// Outputs: shared secret ss (CRYPTO_BYTES bytes)
// ciphertext message ct (CRYPTO_CIPHERTEXTBYTES = CRYPTO_PUBLICKEYBYTES + MSG_BYTES bytes)
@ -51,7 +47,8 @@ int crypto_kem_enc(unsigned char *ct, unsigned char *ss, const unsigned char *pk
EphemeralKeyGeneration_A(ephemeralsk, ct, rand);
EphemeralSecretAgreement_A(ephemeralsk, pk, jinvariant);
cshake256_simple(h, MSG_BYTES, P, jinvariant, FP2_ENCODED_BYTES);
for (i = 0; i < MSG_BYTES; i++) ct[i + CRYPTO_PUBLICKEYBYTES] = temp[i] ^ h[i];
for (i = 0; i < MSG_BYTES; i++)
ct[i + CRYPTO_PUBLICKEYBYTES] = temp[i] ^ h[i];
// Generate shared secret ss <- H(m||ct)
memcpy(&temp[MSG_BYTES], ct, CRYPTO_CIPHERTEXTBYTES);
@ -60,9 +57,7 @@ int crypto_kem_enc(unsigned char *ct, unsigned char *ss, const unsigned char *pk
return 0;
}
int crypto_kem_dec(unsigned char *ss, const unsigned char *ct, const unsigned char *sk, OQS_RAND *rand)
{ // SIKE's decapsulation
int crypto_kem_dec(unsigned char *ss, const unsigned char *ct, const unsigned char *sk, OQS_RAND *rand) { // SIKE's decapsulation
// Input: secret key sk (CRYPTO_SECRETKEYBYTES = MSG_BYTES + SECRETKEY_B_BYTES + CRYPTO_PUBLICKEYBYTES bytes)
// ciphertext message ct (CRYPTO_CIPHERTEXTBYTES = CRYPTO_PUBLICKEYBYTES + MSG_BYTES bytes)
// Outputs: shared secret ss (CRYPTO_BYTES bytes)
@ -79,7 +74,8 @@ int crypto_kem_dec(unsigned char *ss, const unsigned char *ct, const unsigned ch
// Decrypt
EphemeralSecretAgreement_B(sk + MSG_BYTES, ct, jinvariant_);
cshake256_simple(h_, MSG_BYTES, P, jinvariant_, FP2_ENCODED_BYTES);
for (i = 0; i < MSG_BYTES; i++) temp[i] = ct[i + CRYPTO_PUBLICKEYBYTES] ^ h_[i];
for (i = 0; i < MSG_BYTES; i++)
temp[i] = ct[i + CRYPTO_PUBLICKEYBYTES] ^ h_[i];
// Generate ephemeralsk_ <- G(m||pk) mod oA
memcpy(&temp[MSG_BYTES], &sk[MSG_BYTES + SECRETKEY_B_BYTES], CRYPTO_PUBLICKEYBYTES);