Integrated recent changes in SIKE lib (from Nov 26th, 33a4bf commit), including a security patch.

This commit is contained in:
Christian Paquin 2019-12-06 12:57:42 -05:00
parent b4b262281c
commit bc448e43b2
7 changed files with 63 additions and 50 deletions


@ -30,7 +30,7 @@ Implementation
--------------
- **Source of implementation:** https://github.com/Microsoft/PQCrypto-SIDH
- **Implementation version:** v3.2 (https://github.com/microsoft/PQCrypto-SIDH/tree/v3.2)
- **Implementation version:** v3.2 (https://github.com/microsoft/PQCrypto-SIDH/commit/ebd1c80a8ac35e9ca2ef9680291a8a43b95a3bfa)
- **License:** MIT License
- **Language:** C
- **Constant-time:** Yes


@ -84,7 +84,7 @@
// SIDH's basic element definitions and point representations
typedef digit_t felm_t[NWORDS_FIELD]; // Datatype for representing 503-bit field elements (512-bit max.)
typedef digit_t dfelm_t[2 * NWORDS_FIELD]; // Datatype for representing double-precision 2x503-bit field elements (512-bit max.)
typedef digit_t dfelm_t[2 * NWORDS_FIELD]; // Datatype for representing double-precision 2x503-bit field elements (2x512-bit max.)
typedef felm_t f2elm_t[2]; // Datatype for representing quadratic extension field elements GF(p503^2)
typedef struct {


@ -4,6 +4,8 @@
* Abstract: ephemeral supersingular isogeny Diffie-Hellman key exchange (SIDH) using compression
**************************************************************************************************/
#include <string.h>
static void init_basis(digit_t *gen, f2elm_t XP, f2elm_t XQ, f2elm_t XR) { // Initialization of basis points
fpcopy(gen, XP[0]);
@ -474,6 +476,7 @@ static void FullIsogeny_A_dual(const unsigned char *PrivateKeyA, f2elm_t As[][5]
point_proj_t R, pts[MAX_INT_POINTS_ALICE];
f2elm_t XPA, XQA, XRA, coeff[5], A24 = {0}, C24 = {0}, A = {0};
unsigned int i, row, m, index = 0, pts_index[MAX_INT_POINTS_ALICE], npts = 0, ii = 0;
digit_t SecretKeyA[NWORDS_ORDER] = {0};
// Initialize basis points
init_basis((digit_t *) A_gen, XPA, XQA, XRA);
@ -486,7 +489,8 @@ static void FullIsogeny_A_dual(const unsigned char *PrivateKeyA, f2elm_t As[][5]
fp2add(C24, C24, A24);
// Retrieve kernel point
LADDER3PT(XPA, XQA, XRA, (digit_t *) PrivateKeyA, ALICE, R, A);
memcpy((unsigned char*)SecretKeyA, PrivateKeyA, SECRETKEY_A_BYTES);
LADDER3PT(XPA, XQA, XRA, SecretKeyA, ALICE, R, A);
#if (OALICE_BITS % 2 == 1)
point_proj_t S;
@ -848,6 +852,7 @@ static void FullIsogeny_B_dual(const unsigned char *PrivateKeyB, f2elm_t Ds[][2]
point_proj_t R, Q3 = {0}, pts[MAX_INT_POINTS_BOB];
f2elm_t XPB, XQB, XRB, coeff[3], A24plus = {0}, A24minus = {0};
unsigned int i, row, m, index = 0, pts_index[MAX_INT_POINTS_BOB], npts = 0, ii = 0;
digit_t SecretKeyB[NWORDS_ORDER] = {0};
// Initialize basis points
init_basis((digit_t *) B_gen, XPB, XQB, XRB);
@ -863,7 +868,8 @@ static void FullIsogeny_B_dual(const unsigned char *PrivateKeyB, f2elm_t Ds[][2]
fp2add(A24minus, A24minus, A24plus);
// Retrieve kernel point
LADDER3PT(XPB, XQB, XRB, (digit_t *) PrivateKeyB, BOB, R, A);
memcpy((unsigned char*)SecretKeyB, PrivateKeyB, SECRETKEY_B_BYTES);
LADDER3PT(XPB, XQB, XRB, SecretKeyB, BOB, R, A);
// Traverse tree
index = 0;
@ -1046,8 +1052,7 @@ static void Compress_PKB_dual(digit_t *d0, digit_t *c0, digit_t *d1, digit_t *c1
int EphemeralKeyGeneration_B(const unsigned char *PrivateKeyB, unsigned char *CompressedPKB) { // Bob's ephemeral public key generation using compression
unsigned char qnr, ind;
int D[DLEN_2];
digit_t c0[NWORDS_ORDER] = {0}, d0[NWORDS_ORDER] = {0},
c1[NWORDS_ORDER] = {0}, d1[NWORDS_ORDER] = {0};
digit_t c0[NWORDS_ORDER] = {0}, d0[NWORDS_ORDER] = {0}, c1[NWORDS_ORDER] = {0}, d1[NWORDS_ORDER] = {0};
f2elm_t Ds[MAX_Bob][2], f[4], A = {0};
point_full_proj_t Rs[2];
point_t Pw, Qw;
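Review bot: SecretKeyA, the stack copy of the private key that now feeds LADDER3PT in FullIsogeny_A_dual, is never cleared within the hunk, and SecretKeyB in FullIsogeny_B_dual has the same gap; both functions continue outside the hunk, so if their tails do not already wipe the copy, add `clear_words((void *) SecretKeyA, NWORDS_ORDER);` (and the B counterpart) before returning, the way mul3 in fpx.c clears its temporaries. The memcpy also relies on SECRETKEY_A_BYTES not exceeding `sizeof SecretKeyA`; a `_Static_assert(SECRETKEY_A_BYTES <= NWORDS_ORDER * sizeof(digit_t), "secret key must fit in NWORDS_ORDER digits");` next to the declaration would pin that, if the build allows C11. A one-line comment at the memcpy recording why the `(digit_t *) PrivateKeyA` cast was replaced would also help, e.g. `// copy into a zero-padded digit_t buffer: the caller's key is only SECRETKEY_A_BYTES long` (presumably the padding bytes were previously read from past the caller's buffer — confirm). The same copy-then-ladder pattern is repeated in the four sidh.c hunks (EphemeralKeyGeneration_A/B, EphemeralSecretAgreement_A/B) and this note applies there as well.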


@ -90,7 +90,7 @@ static void eval_4_isog(point_proj_t P, f2elm_t *coeff) { // Evaluates the isoge
fp2mul_mont(t0, coeff[1], P->X); // X = (X+Z)*coeff[1]
fp2mul_mont(t1, coeff[2], P->Z); // Z = (X-Z)*coeff[2]
fp2mul_mont(t0, t1, t0); // t0 = (X+Z)*(X-Z)
fp2mul_mont(t0, coeff[0], t0); // t0 = coeff[0]*(X+Z)*(X-Z)
fp2mul_mont(coeff[0], t0, t0); // t0 = coeff[0]*(X+Z)*(X-Z)
fp2add(P->X, P->Z, t1); // t1 = (X-Z)*coeff[2] + (X+Z)*coeff[1]
fp2sub(P->X, P->Z, P->Z); // Z = (X-Z)*coeff[2] - (X+Z)*coeff[1]
fp2sqr_mont(t1, t1); // t1 = [(X-Z)*coeff[2] + (X+Z)*coeff[1]]^2
@ -115,17 +115,17 @@ static void xTPL(const point_proj_t P, point_proj_t Q, const f2elm_t A24minus, c
fp2sqr_mont(t4, t1); // t1 = 4*X^2
fp2sub(t1, t3, t1); // t1 = 4*X^2 - (X+Z)^2
fp2sub(t1, t2, t1); // t1 = 4*X^2 - (X+Z)^2 - (X-Z)^2
fp2mul_mont(t3, A24plus, t5); // t5 = A24plus*(X+Z)^2
fp2mul_mont(t3, t5, t3); // t3 = A24plus*(X+Z)^3
fp2mul_mont(A24plus, t3, t5); // t5 = A24plus*(X+Z)^2
fp2mul_mont(t3, t5, t3); // t3 = A24plus*(X+Z)^4
fp2mul_mont(A24minus, t2, t6); // t6 = A24minus*(X-Z)^2
fp2mul_mont(t2, t6, t2); // t2 = A24minus*(X-Z)^3
fp2sub(t2, t3, t3); // t3 = A24minus*(X-Z)^3 - coeff*(X+Z)^3
fp2mul_mont(t2, t6, t2); // t2 = A24minus*(X-Z)^4
fp2sub(t2, t3, t3); // t3 = A24minus*(X-Z)^4 - A24plus*(X+Z)^4
fp2sub(t5, t6, t2); // t2 = A24plus*(X+Z)^2 - A24minus*(X-Z)^2
fp2mul_mont(t1, t2, t1); // t1 = [4*X^2 - (X+Z)^2 - (X-Z)^2]*[A24plus*(X+Z)^2 - A24minus*(X-Z)^2]
fp2add(t3, t1, t2); // t2 = [4*X^2 - (X+Z)^2 - (X-Z)^2]*[A24plus*(X+Z)^2 - A24minus*(X-Z)^2] + A24minus*(X-Z)^3 - coeff*(X+Z)^3
fp2add(t3, t1, t2); // t2 = [4*X^2 - (X+Z)^2 - (X-Z)^2]*[A24plus*(X+Z)^2 - A24minus*(X-Z)^2] + A24minus*(X-Z)^4 - A24plus*(X+Z)^4
fp2sqr_mont(t2, t2); // t2 = t2^2
fp2mul_mont(t4, t2, Q->X); // X3 = 2*X*t2
fp2sub(t3, t1, t1); // t1 = A24minus*(X-Z)^3 - A24plus*(X+Z)^3 - [4*X^2 - (X+Z)^2 - (X-Z)^2]*[A24plus*(X+Z)^2 - A24minus*(X-Z)^2]
fp2sub(t3, t1, t1); // t1 = A24minus*(X-Z)^4 - A24plus*(X+Z)^4 - [4*X^2 - (X+Z)^2 - (X-Z)^2]*[A24plus*(X+Z)^2 - A24minus*(X-Z)^2]
fp2sqr_mont(t1, t1); // t1 = t1^2
fp2mul_mont(t0, t1, Q->Z); // Z3 = 2*Z*t1
}
@ -151,12 +151,10 @@ static void get_3_isog(const point_proj_t P, f2elm_t A24minus, f2elm_t A24plus,
fp2sqr_mont(coeff[0], t0); // t0 = (X-Z)^2
fp2add(P->X, P->Z, coeff[1]); // coeff1 = X+Z
fp2sqr_mont(coeff[1], t1); // t1 = (X+Z)^2
fp2add(t0, t1, t2); // t2 = (X+Z)^2 + (X-Z)^2
fp2add(coeff[0], coeff[1], t3); // t3 = 2*X
fp2add(P->X, P->X, t3); // t3 = 2*X
fp2sqr_mont(t3, t3); // t3 = 4*X^2
fp2sub(t3, t2, t3); // t3 = 4*X^2 - (X+Z)^2 - (X-Z)^2
fp2add(t1, t3, t2); // t2 = 4*X^2 - (X-Z)^2
fp2add(t3, t0, t3); // t3 = 4*X^2 - (X+Z)^2
fp2sub(t3, t0, t2); // t2 = 4*X^2 - (X-Z)^2
fp2sub(t3, t1, t3); // t3 = 4*X^2 - (X+Z)^2
fp2add(t0, t3, t4); // t4 = 4*X^2 - (X+Z)^2 + (X-Z)^2
fp2add(t4, t4, t4); // t4 = 2(4*X^2 - (X+Z)^2 + (X-Z)^2)
fp2add(t1, t4, t4); // t4 = 8*X^2 - (X+Z)^2 + 2*(X-Z)^2
@ -175,8 +173,8 @@ static void eval_3_isog(point_proj_t Q, const f2elm_t *coeff) { // Computes the
fp2add(Q->X, Q->Z, t0); // t0 = X+Z
fp2sub(Q->X, Q->Z, t1); // t1 = X-Z
fp2mul_mont(t0, coeff[0], t0); // t0 = coeff0*(X+Z)
fp2mul_mont(t1, coeff[1], t1); // t1 = coeff1*(X-Z)
fp2mul_mont(coeff[0], t0, t0); // t0 = coeff0*(X+Z)
fp2mul_mont(coeff[1], t1, t1); // t1 = coeff1*(X-Z)
fp2add(t0, t1, t2); // t2 = coeff0*(X+Z) + coeff1*(X-Z)
fp2sub(t1, t0, t0); // t0 = coeff1*(X-Z) - coeff0*(X+Z)
fp2sqr_mont(t2, t2); // t2 = [coeff0*(X+Z) + coeff1*(X-Z)]^2
@ -253,14 +251,13 @@ static void xDBLADD(point_proj_t P, point_proj_t Q, const f2elm_t xPQ, const f2e
fp2sub(P->X, P->Z, t1); // t1 = XP-ZP
fp2sqr_mont(t0, P->X); // XP = (XP+ZP)^2
fp2sub(Q->X, Q->Z, t2); // t2 = XQ-ZQ
fp2correction(t2);
fp2add(Q->X, Q->Z, Q->X); // XQ = XQ+ZQ
fp2mul_mont(t0, t2, t0); // t0 = (XP+ZP)*(XQ-ZQ)
fp2sqr_mont(t1, P->Z); // ZP = (XP-ZP)^2
fp2mul_mont(t1, Q->X, t1); // t1 = (XP-ZP)*(XQ+ZQ)
fp2sub(P->X, P->Z, t2); // t2 = (XP+ZP)^2-(XP-ZP)^2
fp2mul_mont(P->X, P->Z, P->X); // XP = (XP+ZP)^2*(XP-ZP)^2
fp2mul_mont(t2, A24, Q->X); // XQ = A24*[(XP+ZP)^2-(XP-ZP)^2]
fp2mul_mont(A24, t2, Q->X); // XQ = A24*[(XP+ZP)^2-(XP-ZP)^2]
fp2sub(t0, t1, Q->Z); // ZQ = (XP+ZP)*(XQ-ZQ)-(XP-ZP)*(XQ+ZQ)
fp2add(Q->X, P->Z, P->Z); // ZP = A24*[(XP+ZP)^2-(XP-ZP)^2]+(XP-ZP)^2
fp2add(t0, t1, Q->X); // XQ = (XP+ZP)*(XQ-ZQ)+(XP-ZP)*(XQ+ZQ)
@ -279,12 +276,12 @@ static void swap_points(point_proj_t P, point_proj_t Q, const digit_t option) {
temp = option & (P->X[0][i] ^ Q->X[0][i]);
P->X[0][i] = temp ^ P->X[0][i];
Q->X[0][i] = temp ^ Q->X[0][i];
temp = option & (P->Z[0][i] ^ Q->Z[0][i]);
P->Z[0][i] = temp ^ P->Z[0][i];
Q->Z[0][i] = temp ^ Q->Z[0][i];
temp = option & (P->X[1][i] ^ Q->X[1][i]);
P->X[1][i] = temp ^ P->X[1][i];
Q->X[1][i] = temp ^ Q->X[1][i];
temp = option & (P->Z[0][i] ^ Q->Z[0][i]);
P->Z[0][i] = temp ^ P->Z[0][i];
Q->Z[0][i] = temp ^ Q->Z[0][i];
temp = option & (P->Z[1][i] ^ Q->Z[1][i]);
P->Z[1][i] = temp ^ P->Z[1][i];
Q->Z[1][i] = temp ^ Q->Z[1][i];
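Review bot: The `fp2correction(t2);` that followed `fp2sub(Q->X, Q->Z, t2)` in xDBLADD is dropped without a comment, so t2 now reaches `fp2mul_mont(t0, t2, t0)` in whatever range fp2sub leaves it; nothing in the hunk shows fp2mul_mont's accepted input range (it is defined elsewhere), so a short note such as `// t2 may be unreduced here; fp2mul_mont accepts it as-is` (with the actual bound, if known) should record why the correction is no longer needed. The same hunk, together with those in eval_4_isog, xTPL and eval_3_isog, consistently moves the curve constant or isogeny coefficient into the first operand of fp2mul_mont; if that is an operand-range convention rather than cosmetics, it belongs in a comment on fp2mul_mont so a later edit does not undo it. The xDBLADD function starts before the hunk, so the earlier reductions applied to P and Q are not visible here.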


@ -900,13 +900,14 @@ static __inline unsigned int is_felm_zero(const felm_t x) { // Is x = 0? return
static void mul3(unsigned char *a) { // Computes a = 3*a
// The input is assumed to be OBOB_BITS-2 bits long and stored in SECRETKEY_B_BYTES
unsigned char temp1[NWORDS_ORDER * RADIX / 8] = {0};
memcpy(temp1, a, SECRETKEY_B_BYTES);
mp_shiftl1((digit_t *) temp1, NWORDS_ORDER); // temp1 = 2*a
mp_add((digit_t *) a, (digit_t *) temp1, (digit_t *) a, NWORDS_ORDER); // a <- 2*a + a
digit_t temp1[NWORDS_ORDER] = {0}, temp2[NWORDS_ORDER] = {0};
memcpy((unsigned char*)temp1, a, SECRETKEY_B_BYTES);
mp_add(temp1, temp1, temp2, NWORDS_ORDER); // temp2 = 2*a
mp_add(temp1, temp2, temp1, NWORDS_ORDER); // temp1 = 3*a
memcpy(a, (unsigned char*)temp1, SECRETKEY_B_BYTES);
clear_words((void *) temp1, NWORDS_ORDER);
clear_words((void*) temp2, NWORDS_ORDER);
}
static unsigned int mod3(digit_t *a) { // Computes the input modulo 3
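Review bot: mul3 discards the value returned by both `mp_add` calls (presumably a carry) and copies only SECRETKEY_B_BYTES of temp1 back into a, so it is correct only under the assumption stated in the leading comment that the input is OBOB_BITS-2 bits long, which keeps 3*a below 2^OBOB_BITS; nothing enforces that, so the comment should spell out the consequence, e.g. `// 3*a < 2^OBOB_BITS, so no carry leaves the NWORDS_ORDER words and the result fits back in SECRETKEY_B_BYTES`. Whether SECRETKEY_B_BYTES and NWORDS_ORDER*RADIX actually cover OBOB_BITS bits is not visible in this file; confirm against the parameter headers. Clearing temp1 and temp2 with clear_words is the right call, since both hold multiples of the secret scalar.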


@ -13,7 +13,7 @@ OQS_KEM *OQS_KEM_sike_p434_new() {
return NULL;
}
kem->method_name = OQS_KEM_alg_sike_p434;
kem->alg_version = "https://github.com/microsoft/PQCrypto-SIDH/tree/v3.2";
kem->alg_version = "https://github.com/microsoft/PQCrypto-SIDH/commit/ebd1c80a8ac35e9ca2ef9680291a8a43b95a3bfa";
kem->claimed_nist_level = 1;
kem->ind_cca = true;
@ -53,7 +53,7 @@ OQS_KEM *OQS_KEM_sike_p434_compressed_new() {
return NULL;
}
kem->method_name = OQS_KEM_alg_sike_p434_compressed;
kem->alg_version = "https://github.com/microsoft/PQCrypto-SIDH/tree/v3.2";
kem->alg_version = "https://github.com/microsoft/PQCrypto-SIDH/commit/ebd1c80a8ac35e9ca2ef9680291a8a43b95a3bfa";
kem->claimed_nist_level = 1;
kem->ind_cca = true;
@ -93,7 +93,7 @@ OQS_KEM *OQS_KEM_sike_p503_new() {
return NULL;
}
kem->method_name = OQS_KEM_alg_sike_p503;
kem->alg_version = "https://github.com/microsoft/PQCrypto-SIDH/tree/v3.2";
kem->alg_version = "https://github.com/microsoft/PQCrypto-SIDH/commit/ebd1c80a8ac35e9ca2ef9680291a8a43b95a3bfa";
kem->claimed_nist_level = 2;
kem->ind_cca = true;
@ -133,7 +133,7 @@ OQS_KEM *OQS_KEM_sike_p503_compressed_new() {
return NULL;
}
kem->method_name = OQS_KEM_alg_sike_p503_compressed;
kem->alg_version = "https://github.com/microsoft/PQCrypto-SIDH/tree/v3.2";
kem->alg_version = "https://github.com/microsoft/PQCrypto-SIDH/commit/ebd1c80a8ac35e9ca2ef9680291a8a43b95a3bfa";
kem->claimed_nist_level = 2;
kem->ind_cca = true;
@ -173,7 +173,7 @@ OQS_KEM *OQS_KEM_sike_p610_new() {
return NULL;
}
kem->method_name = OQS_KEM_alg_sike_p610;
kem->alg_version = "https://github.com/microsoft/PQCrypto-SIDH/tree/v3.2";
kem->alg_version = "https://github.com/microsoft/PQCrypto-SIDH/commit/ebd1c80a8ac35e9ca2ef9680291a8a43b95a3bfa";
kem->claimed_nist_level = 3;
kem->ind_cca = true;
@ -213,7 +213,7 @@ OQS_KEM *OQS_KEM_sike_p610_compressed_new() {
return NULL;
}
kem->method_name = OQS_KEM_alg_sike_p610_compressed;
kem->alg_version = "https://github.com/microsoft/PQCrypto-SIDH/tree/v3.2";
kem->alg_version = "https://github.com/microsoft/PQCrypto-SIDH/commit/ebd1c80a8ac35e9ca2ef9680291a8a43b95a3bfa";
kem->claimed_nist_level = 3;
kem->ind_cca = true;
@ -253,7 +253,7 @@ OQS_KEM *OQS_KEM_sike_p751_new() {
return NULL;
}
kem->method_name = OQS_KEM_alg_sike_p751;
kem->alg_version = "https://github.com/microsoft/PQCrypto-SIDH/tree/v3.2";
kem->alg_version = "https://github.com/microsoft/PQCrypto-SIDH/commit/ebd1c80a8ac35e9ca2ef9680291a8a43b95a3bfa";
kem->claimed_nist_level = 5;
kem->ind_cca = true;
@ -293,7 +293,7 @@ OQS_KEM *OQS_KEM_sike_p751_compressed_new() {
return NULL;
}
kem->method_name = OQS_KEM_alg_sike_p751_compressed;
kem->alg_version = "https://github.com/microsoft/PQCrypto-SIDH/tree/v3.2";
kem->alg_version = "https://github.com/microsoft/PQCrypto-SIDH/commit/ebd1c80a8ac35e9ca2ef9680291a8a43b95a3bfa";
kem->claimed_nist_level = 5;
kem->ind_cca = true;
@ -333,7 +333,7 @@ OQS_KEM *OQS_KEM_sidh_p434_new() {
return NULL;
}
kem->method_name = OQS_KEM_alg_sidh_p434;
kem->alg_version = "https://github.com/microsoft/PQCrypto-SIDH/tree/v3.2";
kem->alg_version = "https://github.com/microsoft/PQCrypto-SIDH/commit/ebd1c80a8ac35e9ca2ef9680291a8a43b95a3bfa";
kem->claimed_nist_level = 1;
kem->ind_cca = false;
@ -413,7 +413,7 @@ OQS_KEM *OQS_KEM_sidh_p434_compressed_new() {
return NULL;
}
kem->method_name = OQS_KEM_alg_sidh_p434_compressed;
kem->alg_version = "https://github.com/microsoft/PQCrypto-SIDH/tree/v3.2";
kem->alg_version = "https://github.com/microsoft/PQCrypto-SIDH/commit/ebd1c80a8ac35e9ca2ef9680291a8a43b95a3bfa";
kem->claimed_nist_level = 1;
kem->ind_cca = false;
@ -493,7 +493,7 @@ OQS_KEM *OQS_KEM_sidh_p503_new() {
return NULL;
}
kem->method_name = OQS_KEM_alg_sidh_p503;
kem->alg_version = "https://github.com/microsoft/PQCrypto-SIDH/tree/v3.2";
kem->alg_version = "https://github.com/microsoft/PQCrypto-SIDH/commit/ebd1c80a8ac35e9ca2ef9680291a8a43b95a3bfa";
kem->claimed_nist_level = 2;
kem->ind_cca = false;
@ -573,7 +573,7 @@ OQS_KEM *OQS_KEM_sidh_p503_compressed_new() {
return NULL;
}
kem->method_name = OQS_KEM_alg_sidh_p503_compressed;
kem->alg_version = "https://github.com/microsoft/PQCrypto-SIDH/tree/v3.2";
kem->alg_version = "https://github.com/microsoft/PQCrypto-SIDH/commit/ebd1c80a8ac35e9ca2ef9680291a8a43b95a3bfa";
kem->claimed_nist_level = 2;
kem->ind_cca = false;
@ -653,7 +653,7 @@ OQS_KEM *OQS_KEM_sidh_p610_new() {
return NULL;
}
kem->method_name = OQS_KEM_alg_sidh_p610;
kem->alg_version = "https://github.com/microsoft/PQCrypto-SIDH/tree/v3.2";
kem->alg_version = "https://github.com/microsoft/PQCrypto-SIDH/commit/ebd1c80a8ac35e9ca2ef9680291a8a43b95a3bfa";
kem->claimed_nist_level = 3;
kem->ind_cca = false;
@ -733,7 +733,7 @@ OQS_KEM *OQS_KEM_sidh_p610_compressed_new() {
return NULL;
}
kem->method_name = OQS_KEM_alg_sidh_p610_compressed;
kem->alg_version = "https://github.com/microsoft/PQCrypto-SIDH/tree/v3.2";
kem->alg_version = "https://github.com/microsoft/PQCrypto-SIDH/commit/ebd1c80a8ac35e9ca2ef9680291a8a43b95a3bfa";
kem->claimed_nist_level = 3;
kem->ind_cca = false;
@ -813,7 +813,7 @@ OQS_KEM *OQS_KEM_sidh_p751_new() {
return NULL;
}
kem->method_name = OQS_KEM_alg_sidh_p751;
kem->alg_version = "https://github.com/microsoft/PQCrypto-SIDH/tree/v3.2";
kem->alg_version = "https://github.com/microsoft/PQCrypto-SIDH/commit/ebd1c80a8ac35e9ca2ef9680291a8a43b95a3bfa";
kem->claimed_nist_level = 5;
kem->ind_cca = false;
@ -893,7 +893,7 @@ OQS_KEM *OQS_KEM_sidh_p751_compressed_new() {
return NULL;
}
kem->method_name = OQS_KEM_alg_sidh_p751_compressed;
kem->alg_version = "https://github.com/microsoft/PQCrypto-SIDH/tree/v3.2";
kem->alg_version = "https://github.com/microsoft/PQCrypto-SIDH/commit/ebd1c80a8ac35e9ca2ef9680291a8a43b95a3bfa";
kem->claimed_nist_level = 5;
kem->ind_cca = false;


@ -4,6 +4,8 @@
* Abstract: ephemeral supersingular isogeny Diffie-Hellman key exchange (SIDH)
*********************************************************************************************/
#include <string.h>
static void init_basis(digit_t *gen, f2elm_t XP, f2elm_t XQ, f2elm_t XR) { // Initialization of basis points
fpcopy(gen, XP[0]);
@ -32,6 +34,7 @@ int EphemeralKeyGeneration_A(const unsigned char *PrivateKeyA, unsigned char *Pu
point_proj_t R, phiP = {0}, phiQ = {0}, phiR = {0}, pts[MAX_INT_POINTS_ALICE];
f2elm_t XPA, XQA, XRA, coeff[3], A24plus = {0}, C24 = {0}, A = {0};
unsigned int i, row, m, index = 0, pts_index[MAX_INT_POINTS_ALICE], npts = 0, ii = 0;
digit_t SecretKeyA[NWORDS_ORDER] = {0};
// Initialize basis points
init_basis((digit_t *) A_gen, XPA, XQA, XRA);
@ -48,7 +51,8 @@ int EphemeralKeyGeneration_A(const unsigned char *PrivateKeyA, unsigned char *Pu
fp2add(C24, C24, A24plus);
// Retrieve kernel point
LADDER3PT(XPA, XQA, XRA, (digit_t *) PrivateKeyA, ALICE, R, A);
memcpy((unsigned char*)SecretKeyA, PrivateKeyA, SECRETKEY_A_BYTES);
LADDER3PT(XPA, XQA, XRA, SecretKeyA, ALICE, R, A);
#if (OALICE_BITS % 2 == 1)
point_proj_t S;
@ -111,6 +115,7 @@ int EphemeralKeyGeneration_B(const unsigned char *PrivateKeyB, unsigned char *Pu
point_proj_t R, phiP = {0}, phiQ = {0}, phiR = {0}, pts[MAX_INT_POINTS_BOB];
f2elm_t XPB, XQB, XRB, coeff[3], A24plus = {0}, A24minus = {0}, A = {0};
unsigned int i, row, m, index = 0, pts_index[MAX_INT_POINTS_BOB], npts = 0, ii = 0;
digit_t SecretKeyB[NWORDS_ORDER] = {0};
// Initialize basis points
init_basis((digit_t *) B_gen, XPB, XQB, XRB);
@ -127,7 +132,8 @@ int EphemeralKeyGeneration_B(const unsigned char *PrivateKeyB, unsigned char *Pu
fp2add(A24minus, A24minus, A24plus);
// Retrieve kernel point
LADDER3PT(XPB, XQB, XRB, (digit_t *) PrivateKeyB, BOB, R, A);
memcpy((unsigned char*)SecretKeyB, PrivateKeyB, SECRETKEY_B_BYTES);
LADDER3PT(XPB, XQB, XRB, SecretKeyB, BOB, R, A);
// Traverse tree
index = 0;
@ -182,6 +188,7 @@ int EphemeralSecretAgreement_A(const unsigned char *PrivateKeyA, const unsigned
f2elm_t coeff[3], PKB[3], jinv;
f2elm_t A24plus = {0}, C24 = {0}, A = {0};
unsigned int i, row, m, index = 0, pts_index[MAX_INT_POINTS_ALICE], npts = 0, ii = 0;
digit_t SecretKeyA[NWORDS_ORDER] = {0};
// Initialize images of Bob's basis
fp2_decode(PublicKeyB, PKB[0]);
@ -195,7 +202,8 @@ int EphemeralSecretAgreement_A(const unsigned char *PrivateKeyA, const unsigned
fpadd(C24[0], C24[0], C24[0]);
// Retrieve kernel point
LADDER3PT(PKB[0], PKB[1], PKB[2], (digit_t *) PrivateKeyA, ALICE, R, A);
memcpy((unsigned char*)SecretKeyA, PrivateKeyA, SECRETKEY_A_BYTES);
LADDER3PT(PKB[0], PKB[1], PKB[2], SecretKeyA, ALICE, R, A);
#if (OALICE_BITS % 2 == 1)
point_proj_t S;
@ -247,6 +255,7 @@ int EphemeralSecretAgreement_B(const unsigned char *PrivateKeyB, const unsigned
f2elm_t coeff[3], PKB[3], jinv;
f2elm_t A24plus = {0}, A24minus = {0}, A = {0};
unsigned int i, row, m, index = 0, pts_index[MAX_INT_POINTS_BOB], npts = 0, ii = 0;
digit_t SecretKeyB[NWORDS_ORDER] = {0};
// Initialize images of Alice's basis
fp2_decode(PublicKeyA, PKB[0]);
@ -260,7 +269,8 @@ int EphemeralSecretAgreement_B(const unsigned char *PrivateKeyB, const unsigned
fp2sub(A, A24minus, A24minus);
// Retrieve kernel point
LADDER3PT(PKB[0], PKB[1], PKB[2], (digit_t *) PrivateKeyB, BOB, R, A);
memcpy((unsigned char*)SecretKeyB, PrivateKeyB, SECRETKEY_B_BYTES);
LADDER3PT(PKB[0], PKB[1], PKB[2], SecretKeyB, BOB, R, A);
// Traverse tree
index = 0;