diff --git a/docs/algorithms/kem_sike.md b/docs/algorithms/kem_sike.md
index 4bc45029c..6b6ade813 100644
--- a/docs/algorithms/kem_sike.md
+++ b/docs/algorithms/kem_sike.md
@@ -30,7 +30,7 @@ Implementation
 --------------
 
 - **Source of implementation:** https://github.com/Microsoft/PQCrypto-SIDH
-- **Implementation version:** v3.2 (https://github.com/microsoft/PQCrypto-SIDH/tree/v3.2)
+- **Implementation version:** v3.2 (https://github.com/microsoft/PQCrypto-SIDH/commit/ebd1c80a8ac35e9ca2ef9680291a8a43b95a3bfa)
 - **License:** MIT License
 - **Language:** C
 - **Constant-time:** Yes
diff --git a/src/kem/sike/P503/P503_internal.h b/src/kem/sike/P503/P503_internal.h
index a3802af48..ebaf11c02 100644
--- a/src/kem/sike/P503/P503_internal.h
+++ b/src/kem/sike/P503/P503_internal.h
@@ -84,7 +84,7 @@
 // SIDH's basic element definitions and point representations
 
 typedef digit_t felm_t[NWORDS_FIELD]; // Datatype for representing 503-bit field elements (512-bit max.)
-typedef digit_t dfelm_t[2 * NWORDS_FIELD]; // Datatype for representing double-precision 2x503-bit field elements (512-bit max.)
+typedef digit_t dfelm_t[2 * NWORDS_FIELD]; // Datatype for representing double-precision 2x503-bit field elements (2x512-bit max.)
 typedef felm_t f2elm_t[2]; // Datatype for representing quadratic extension field elements GF(p503^2)
 
 typedef struct {
diff --git a/src/kem/sike/compression/sidh_compressed.c b/src/kem/sike/compression/sidh_compressed.c
index 80efc0943..7fa72867d 100644
--- a/src/kem/sike/compression/sidh_compressed.c
+++ b/src/kem/sike/compression/sidh_compressed.c
@@ -4,6 +4,8 @@
 * Abstract: ephemeral supersingular isogeny Diffie-Hellman key exchange (SIDH) using compression
 **************************************************************************************************/
 
+#include 
+
 static void init_basis(digit_t *gen, f2elm_t XP, f2elm_t XQ, f2elm_t XR) { // Initialization of basis points
 
 fpcopy(gen, XP[0]);
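Review bot: The added `#include` directive carries no header name in this rendering; the `memcpy` calls this commit introduces into `FullIsogeny_A_dual`/`FullIsogeny_B_dual` below need `<string.h>`, so confirm the committed line reads `#include <string.h>`. The identical hunk at the top of sidh.c further down shows the same gap.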
@@ -474,6 +476,7 @@ static void FullIsogeny_A_dual(const unsigned char *PrivateKeyA, f2elm_t As[][5]
 point_proj_t R, pts[MAX_INT_POINTS_ALICE];
 f2elm_t XPA, XQA, XRA, coeff[5], A24 = {0}, C24 = {0}, A = {0};
 unsigned int i, row, m, index = 0, pts_index[MAX_INT_POINTS_ALICE], npts = 0, ii = 0;
+ digit_t SecretKeyA[NWORDS_ORDER] = {0};
 
 // Initialize basis points
 init_basis((digit_t *) A_gen, XPA, XQA, XRA);
@@ -486,7 +489,8 @@ static void FullIsogeny_A_dual(const unsigned char *PrivateKeyA, f2elm_t As[][5]
 fp2add(C24, C24, A24);
 
 // Retrieve kernel point
- LADDER3PT(XPA, XQA, XRA, (digit_t *) PrivateKeyA, ALICE, R, A);
+ memcpy((unsigned char*)SecretKeyA, PrivateKeyA, SECRETKEY_A_BYTES);
+ LADDER3PT(XPA, XQA, XRA, SecretKeyA, ALICE, R, A);
 
 #if (OALICE_BITS % 2 == 1)
 point_proj_t S;
@@ -848,6 +852,7 @@ static void FullIsogeny_B_dual(const unsigned char *PrivateKeyB, f2elm_t Ds[][2]
 point_proj_t R, Q3 = {0}, pts[MAX_INT_POINTS_BOB];
 f2elm_t XPB, XQB, XRB, coeff[3], A24plus = {0}, A24minus = {0};
 unsigned int i, row, m, index = 0, pts_index[MAX_INT_POINTS_BOB], npts = 0, ii = 0;
+ digit_t SecretKeyB[NWORDS_ORDER] = {0};
 
 // Initialize basis points
 init_basis((digit_t *) B_gen, XPB, XQB, XRB);
@@ -863,7 +868,8 @@ static void FullIsogeny_B_dual(const unsigned char *PrivateKeyB, f2elm_t Ds[][2]
 fp2add(A24minus, A24minus, A24plus);
 
 // Retrieve kernel point
- LADDER3PT(XPB, XQB, XRB, (digit_t *) PrivateKeyB, BOB, R, A);
+ memcpy((unsigned char*)SecretKeyB, PrivateKeyB, SECRETKEY_B_BYTES);
+ LADDER3PT(XPB, XQB, XRB, SecretKeyB, BOB, R, A);
 
 // Traverse tree
 index = 0;
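Review bot: `SecretKeyA` is a stack copy of the private key, and nothing in this hunk wipes it once `LADDER3PT` has consumed it; unless `FullIsogeny_A_dual` does so further down (its body ends outside the hunk), add `clear_words((void *) SecretKeyA, NWORDS_ORDER);` before the function returns, mirroring what the rewritten `mul3` in fpx.c does for its temporaries. `SecretKeyB` in `FullIsogeny_B_dual` below and the four matching hunks in sidh.c (`EphemeralKeyGeneration_A`/`_B`, `EphemeralSecretAgreement_A`/`_B`) need the same treatment. The `memcpy` is only safe if `SECRETKEY_A_BYTES` does not exceed `sizeof(SecretKeyA)`, which nothing here checks; a `_Static_assert(SECRETKEY_A_BYTES <= sizeof(SecretKeyA), "secret key does not fit NWORDS_ORDER digits");` after the declaration would pin that, if the build permits C11. The `(unsigned char*)` cast on memcpy's destination is redundant, since the parameter is `void *`.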
@@ -1046,8 +1052,7 @@ static void Compress_PKB_dual(digit_t *d0, digit_t *c0, digit_t *d1, digit_t *c1
 int EphemeralKeyGeneration_B(const unsigned char *PrivateKeyB, unsigned char *CompressedPKB) { // Bob's ephemeral public key generation using compression
 unsigned char qnr, ind;
 int D[DLEN_2];
- digit_t c0[NWORDS_ORDER] = {0}, d0[NWORDS_ORDER] = {0},
- c1[NWORDS_ORDER] = {0}, d1[NWORDS_ORDER] = {0};
+ digit_t c0[NWORDS_ORDER] = {0}, d0[NWORDS_ORDER] = {0}, c1[NWORDS_ORDER] = {0}, d1[NWORDS_ORDER] = {0};
 f2elm_t Ds[MAX_Bob][2], f[4], A = {0};
 point_full_proj_t Rs[2];
 point_t Pw, Qw;
diff --git a/src/kem/sike/ec_isogeny.c b/src/kem/sike/ec_isogeny.c
index 493e61f84..f6bf9f388 100644
--- a/src/kem/sike/ec_isogeny.c
+++ b/src/kem/sike/ec_isogeny.c
@@ -90,7 +90,7 @@ static void eval_4_isog(point_proj_t P, f2elm_t *coeff) { // Evaluates the isoge
 fp2mul_mont(t0, coeff[1], P->X); // X = (X+Z)*coeff[1]
 fp2mul_mont(t1, coeff[2], P->Z); // Z = (X-Z)*coeff[2]
 fp2mul_mont(t0, t1, t0); // t0 = (X+Z)*(X-Z)
- fp2mul_mont(t0, coeff[0], t0); // t0 = coeff[0]*(X+Z)*(X-Z)
+ fp2mul_mont(coeff[0], t0, t0); // t0 = coeff[0]*(X+Z)*(X-Z)
 fp2add(P->X, P->Z, t1); // t1 = (X-Z)*coeff[2] + (X+Z)*coeff[1]
 fp2sub(P->X, P->Z, P->Z); // Z = (X-Z)*coeff[2] - (X+Z)*coeff[1]
 fp2sqr_mont(t1, t1); // t1 = [(X-Z)*coeff[2] + (X+Z)*coeff[1]]^2
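Review bot: The swap to `fp2mul_mont(coeff[0], t0, t0)` changes only the operand order, and the same move of the coefficient or curve constant into the first position recurs in xTPL (`fp2mul_mont(A24plus, t3, t5)`), eval_3_isog and xDBLADD (`fp2mul_mont(A24, t2, Q->X)`) below, yet no hunk or comment states what precondition of `fp2mul_mont` on its first and second operand motivates it — presumably an input-range or aliasing requirement, but that is inferred, not visible here. Record the rule once at `fp2mul_mont`'s declaration, e.g. `// Operand-order precondition: <state the requirement on a and b that the implementation relies on>`, so a later tidy-up does not silently restore the old order. eval_4_isog's body starts and ends outside the hunk.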
@@ -115,17 +115,17 @@ static void xTPL(const point_proj_t P, point_proj_t Q, const f2elm_t A24minus, c
 fp2sqr_mont(t4, t1); // t1 = 4*X^2
 fp2sub(t1, t3, t1); // t1 = 4*X^2 - (X+Z)^2
 fp2sub(t1, t2, t1); // t1 = 4*X^2 - (X+Z)^2 - (X-Z)^2
- fp2mul_mont(t3, A24plus, t5); // t5 = A24plus*(X+Z)^2
- fp2mul_mont(t3, t5, t3); // t3 = A24plus*(X+Z)^3
+ fp2mul_mont(A24plus, t3, t5); // t5 = A24plus*(X+Z)^2
+ fp2mul_mont(t3, t5, t3); // t3 = A24plus*(X+Z)^4
 fp2mul_mont(A24minus, t2, t6); // t6 = A24minus*(X-Z)^2
- fp2mul_mont(t2, t6, t2); // t2 = A24minus*(X-Z)^3
- fp2sub(t2, t3, t3); // t3 = A24minus*(X-Z)^3 - coeff*(X+Z)^3
+ fp2mul_mont(t2, t6, t2); // t2 = A24minus*(X-Z)^4
+ fp2sub(t2, t3, t3); // t3 = A24minus*(X-Z)^4 - A24plus*(X+Z)^4
 fp2sub(t5, t6, t2); // t2 = A24plus*(X+Z)^2 - A24minus*(X-Z)^2
 fp2mul_mont(t1, t2, t1); // t1 = [4*X^2 - (X+Z)^2 - (X-Z)^2]*[A24plus*(X+Z)^2 - A24minus*(X-Z)^2]
- fp2add(t3, t1, t2); // t2 = [4*X^2 - (X+Z)^2 - (X-Z)^2]*[A24plus*(X+Z)^2 - A24minus*(X-Z)^2] + A24minus*(X-Z)^3 - coeff*(X+Z)^3
+ fp2add(t3, t1, t2); // t2 = [4*X^2 - (X+Z)^2 - (X-Z)^2]*[A24plus*(X+Z)^2 - A24minus*(X-Z)^2] + A24minus*(X-Z)^4 - A24plus*(X+Z)^4
 fp2sqr_mont(t2, t2); // t2 = t2^2
 fp2mul_mont(t4, t2, Q->X); // X3 = 2*X*t2
- fp2sub(t3, t1, t1); // t1 = A24minus*(X-Z)^3 - A24plus*(X+Z)^3 - [4*X^2 - (X+Z)^2 - (X-Z)^2]*[A24plus*(X+Z)^2 - A24minus*(X-Z)^2]
+ fp2sub(t3, t1, t1); // t1 = A24minus*(X-Z)^4 - A24plus*(X+Z)^4 - [4*X^2 - (X+Z)^2 - (X-Z)^2]*[A24plus*(X+Z)^2 - A24minus*(X-Z)^2]
 fp2sqr_mont(t1, t1); // t1 = t1^2
 fp2mul_mont(t0, t1, Q->Z); // Z3 = 2*Z*t1
 }
@@ -151,12 +151,10 @@ static void get_3_isog(const point_proj_t P, f2elm_t A24minus, f2elm_t A24plus,
 fp2sqr_mont(coeff[0], t0); // t0 = (X-Z)^2
 fp2add(P->X, P->Z, coeff[1]); // coeff1 = X+Z
 fp2sqr_mont(coeff[1], t1); // t1 = (X+Z)^2
- fp2add(t0, t1, t2); // t2 = (X+Z)^2 + (X-Z)^2
- fp2add(coeff[0], coeff[1], t3); // t3 = 2*X
+ fp2add(P->X, P->X, t3); // t3 = 2*X
 fp2sqr_mont(t3, t3); // t3 = 4*X^2
- fp2sub(t3, t2, t3); // t3 = 4*X^2 - (X+Z)^2 - (X-Z)^2
- fp2add(t1, t3, t2); // t2 = 4*X^2 - (X-Z)^2
- fp2add(t3, t0, t3); // t3 = 4*X^2 - (X+Z)^2
+ fp2sub(t3, t0, t2); // t2 = 4*X^2 - (X-Z)^2
+ fp2sub(t3, t1, t3); // t3 = 4*X^2 - (X+Z)^2
 fp2add(t0, t3, t4); // t4 = 4*X^2 - (X+Z)^2 + (X-Z)^2
 fp2add(t4, t4, t4); // t4 = 2(4*X^2 - (X+Z)^2 + (X-Z)^2)
 fp2add(t1, t4, t4); // t4 = 8*X^2 - (X+Z)^2 + 2*(X-Z)^2
@@ -175,8 +173,8 @@ static void eval_3_isog(point_proj_t Q, const f2elm_t *coeff) { // Computes the
 
 fp2add(Q->X, Q->Z, t0); // t0 = X+Z
 fp2sub(Q->X, Q->Z, t1); // t1 = X-Z
- fp2mul_mont(t0, coeff[0], t0); // t0 = coeff0*(X+Z)
- fp2mul_mont(t1, coeff[1], t1); // t1 = coeff1*(X-Z)
+ fp2mul_mont(coeff[0], t0, t0); // t0 = coeff0*(X+Z)
+ fp2mul_mont(coeff[1], t1, t1); // t1 = coeff1*(X-Z)
 fp2add(t0, t1, t2); // t2 = coeff0*(X+Z) + coeff1*(X-Z)
 fp2sub(t1, t0, t0); // t0 = coeff1*(X-Z) - coeff0*(X+Z)
 fp2sqr_mont(t2, t2); // t2 = [coeff0*(X+Z) + coeff1*(X-Z)]^2
@@ -253,14 +251,13 @@ static void xDBLADD(point_proj_t P, point_proj_t Q, const f2elm_t xPQ, const f2e
 fp2sub(P->X, P->Z, t1); // t1 = XP-ZP
 fp2sqr_mont(t0, P->X); // XP = (XP+ZP)^2
 fp2sub(Q->X, Q->Z, t2); // t2 = XQ-ZQ
- fp2correction(t2);
 fp2add(Q->X, Q->Z, Q->X); // XQ = XQ+ZQ
 fp2mul_mont(t0, t2, t0); // t0 = (XP+ZP)*(XQ-ZQ)
 fp2sqr_mont(t1, P->Z); // ZP = (XP-ZP)^2
 fp2mul_mont(t1, Q->X, t1); // t1 = (XP-ZP)*(XQ+ZQ)
 fp2sub(P->X, P->Z, t2); // t2 = (XP+ZP)^2-(XP-ZP)^2
 fp2mul_mont(P->X, P->Z, P->X); // XP = (XP+ZP)^2*(XP-ZP)^2
- fp2mul_mont(t2, A24, Q->X); // XQ = A24*[(XP+ZP)^2-(XP-ZP)^2]
+ fp2mul_mont(A24, t2, Q->X); // XQ = A24*[(XP+ZP)^2-(XP-ZP)^2]
 fp2sub(t0, t1, Q->Z); // ZQ = (XP+ZP)*(XQ-ZQ)-(XP-ZP)*(XQ+ZQ)
 fp2add(Q->X, P->Z, P->Z); // ZP = A24*[(XP+ZP)^2-(XP-ZP)^2]+(XP-ZP)^2
 fp2add(t0, t1, Q->X); // XQ = (XP+ZP)*(XQ-ZQ)+(XP-ZP)*(XQ+ZQ)
@@ -279,12 +276,12 @@ static void swap_points(point_proj_t P, point_proj_t Q, const digit_t option) {
 temp = option & (P->X[0][i] ^ Q->X[0][i]);
 P->X[0][i] = temp ^ P->X[0][i];
 Q->X[0][i] = temp ^ Q->X[0][i];
- temp = option & (P->Z[0][i] ^ Q->Z[0][i]);
- P->Z[0][i] = temp ^ P->Z[0][i];
- Q->Z[0][i] = temp ^ Q->Z[0][i];
 temp = option & (P->X[1][i] ^ Q->X[1][i]);
 P->X[1][i] = temp ^ P->X[1][i];
 Q->X[1][i] = temp ^ Q->X[1][i];
+ temp = option & (P->Z[0][i] ^ Q->Z[0][i]);
+ P->Z[0][i] = temp ^ P->Z[0][i];
+ Q->Z[0][i] = temp ^ Q->Z[0][i];
 temp = option & (P->Z[1][i] ^ Q->Z[1][i]);
 P->Z[1][i] = temp ^ P->Z[1][i];
 Q->Z[1][i] = temp ^ Q->Z[1][i];
diff --git a/src/kem/sike/fpx.c b/src/kem/sike/fpx.c
index 27f75ce2c..2589d5f19 100644
--- a/src/kem/sike/fpx.c
+++ b/src/kem/sike/fpx.c
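Review bot: With `fp2correction(t2)` gone, `t2 = XQ-ZQ` from `fp2sub` now feeds `fp2mul_mont(t0, t2, t0)` unreduced, and the surrounding comments describe values but not ranges, so a reader cannot tell why the reduction is no longer needed. Extend the comment on the `fp2sub(Q->X, Q->Z, t2)` line to state the range `fp2sub` leaves `t2` in and that `fp2mul_mont` accepts it, e.g. `// t2 = XQ-ZQ (range as produced by fp2sub; accepted by fp2mul_mont without correction)`, so the invariant stays visible. xDBLADD's body starts and ends outside the hunk.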
@@ -900,13 +900,14 @@ static __inline unsigned int is_felm_zero(const felm_t x) { // Is x = 0? return static void mul3(unsigned char *a) { // Computes a = 3*a // The input is assumed to be OBOB_BITS-2 bits long and stored in SECRETKEY_B_BYTES - unsigned char temp1[NWORDS_ORDER * RADIX / 8] = {0}; - - memcpy(temp1, a, SECRETKEY_B_BYTES); - mp_shiftl1((digit_t *) temp1, NWORDS_ORDER); // temp1 = 2*a - mp_add((digit_t *) a, (digit_t *) temp1, (digit_t *) a, NWORDS_ORDER); // a <- 2*a + a + digit_t temp1[NWORDS_ORDER] = {0}, temp2[NWORDS_ORDER] = {0}; + memcpy((unsigned char*)temp1, a, SECRETKEY_B_BYTES); + mp_add(temp1, temp1, temp2, NWORDS_ORDER); // temp2 = 2*a + mp_add(temp1, temp2, temp1, NWORDS_ORDER); // temp1 = 3*a + memcpy(a, (unsigned char*)temp1, SECRETKEY_B_BYTES); clear_words((void *) temp1, NWORDS_ORDER); + clear_words((void*) temp2, NWORDS_ORDER); } static unsigned int mod3(digit_t *a) { // Computes the input modulo 3
diff --git a/src/kem/sike/kem_sike.c b/src/kem/sike/kem_sike.c
index fff83f4a7..d8452da47 100644
--- a/src/kem/sike/kem_sike.c
+++ b/src/kem/sike/kem_sike.c
@@ -13,7 +13,7 @@ OQS_KEM *OQS_KEM_sike_p434_new() {
 return NULL;
 }
 kem->method_name = OQS_KEM_alg_sike_p434;
- kem->alg_version = "https://github.com/microsoft/PQCrypto-SIDH/tree/v3.2";
+ kem->alg_version = "https://github.com/microsoft/PQCrypto-SIDH/commit/ebd1c80a8ac35e9ca2ef9680291a8a43b95a3bfa";
 kem->claimed_nist_level = 1;
 kem->ind_cca = true;
 
@@ -53,7 +53,7 @@ OQS_KEM *OQS_KEM_sike_p434_compressed_new() {
 return NULL;
 }
 kem->method_name = OQS_KEM_alg_sike_p434_compressed;
- kem->alg_version = "https://github.com/microsoft/PQCrypto-SIDH/tree/v3.2";
+ kem->alg_version = "https://github.com/microsoft/PQCrypto-SIDH/commit/ebd1c80a8ac35e9ca2ef9680291a8a43b95a3bfa";
 kem->claimed_nist_level = 1;
 kem->ind_cca = true;
 
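Review bot: In the rewritten `mul3`, the final `memcpy(a, (unsigned char*)temp1, SECRETKEY_B_BYTES)` writes back only `SECRETKEY_B_BYTES` of `temp1`, so any part of `3*a` above that width is silently discarded; the header comment states the input bound but not that this bound is what keeps the result inside the copied bytes, so extend it, e.g. `// 3*a must still fit in SECRETKEY_B_BYTES; the OBOB_BITS-2 bound on a guarantees this` (check the bound against each parameter set). The added lines also mix `(void*)` with the `(void *)` of the adjacent original `clear_words` call and cast memcpy's `void *` arguments to `unsigned char*`, which is redundant; running the new lines through the project's formatter and dropping those casts would match the rest of the file.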
@@ -93,7 +93,7 @@ OQS_KEM *OQS_KEM_sike_p503_new() {
 return NULL;
 }
 kem->method_name = OQS_KEM_alg_sike_p503;
- kem->alg_version = "https://github.com/microsoft/PQCrypto-SIDH/tree/v3.2";
+ kem->alg_version = "https://github.com/microsoft/PQCrypto-SIDH/commit/ebd1c80a8ac35e9ca2ef9680291a8a43b95a3bfa";
 kem->claimed_nist_level = 2;
 kem->ind_cca = true;
 
@@ -133,7 +133,7 @@ OQS_KEM *OQS_KEM_sike_p503_compressed_new() {
 return NULL;
 }
 kem->method_name = OQS_KEM_alg_sike_p503_compressed;
- kem->alg_version = "https://github.com/microsoft/PQCrypto-SIDH/tree/v3.2";
+ kem->alg_version = "https://github.com/microsoft/PQCrypto-SIDH/commit/ebd1c80a8ac35e9ca2ef9680291a8a43b95a3bfa";
 kem->claimed_nist_level = 2;
 kem->ind_cca = true;
 
@@ -173,7 +173,7 @@ OQS_KEM *OQS_KEM_sike_p610_new() {
 return NULL;
 }
 kem->method_name = OQS_KEM_alg_sike_p610;
- kem->alg_version = "https://github.com/microsoft/PQCrypto-SIDH/tree/v3.2";
+ kem->alg_version = "https://github.com/microsoft/PQCrypto-SIDH/commit/ebd1c80a8ac35e9ca2ef9680291a8a43b95a3bfa";
 kem->claimed_nist_level = 3;
 kem->ind_cca = true;
 
@@ -213,7 +213,7 @@ OQS_KEM *OQS_KEM_sike_p610_compressed_new() {
 return NULL;
 }
 kem->method_name = OQS_KEM_alg_sike_p610_compressed;
- kem->alg_version = "https://github.com/microsoft/PQCrypto-SIDH/tree/v3.2";
+ kem->alg_version = "https://github.com/microsoft/PQCrypto-SIDH/commit/ebd1c80a8ac35e9ca2ef9680291a8a43b95a3bfa";
 kem->claimed_nist_level = 3;
 kem->ind_cca = true;
 
@@ -253,7 +253,7 @@ OQS_KEM *OQS_KEM_sike_p751_new() {
 return NULL;
 }
 kem->method_name = OQS_KEM_alg_sike_p751;
- kem->alg_version = "https://github.com/microsoft/PQCrypto-SIDH/tree/v3.2";
+ kem->alg_version = "https://github.com/microsoft/PQCrypto-SIDH/commit/ebd1c80a8ac35e9ca2ef9680291a8a43b95a3bfa";
 kem->claimed_nist_level = 5;
 kem->ind_cca = true;
 
@@ -293,7 +293,7 @@ OQS_KEM *OQS_KEM_sike_p751_compressed_new() {
 return NULL;
 }
 kem->method_name = OQS_KEM_alg_sike_p751_compressed;
- kem->alg_version = "https://github.com/microsoft/PQCrypto-SIDH/tree/v3.2";
+ kem->alg_version = "https://github.com/microsoft/PQCrypto-SIDH/commit/ebd1c80a8ac35e9ca2ef9680291a8a43b95a3bfa";
 kem->claimed_nist_level = 5;
 kem->ind_cca = true;
 
@@ -333,7 +333,7 @@ OQS_KEM *OQS_KEM_sidh_p434_new() {
 return NULL;
 }
 kem->method_name = OQS_KEM_alg_sidh_p434;
- kem->alg_version = "https://github.com/microsoft/PQCrypto-SIDH/tree/v3.2";
+ kem->alg_version = "https://github.com/microsoft/PQCrypto-SIDH/commit/ebd1c80a8ac35e9ca2ef9680291a8a43b95a3bfa";
 kem->claimed_nist_level = 1;
 kem->ind_cca = false;
 
@@ -413,7 +413,7 @@ OQS_KEM *OQS_KEM_sidh_p434_compressed_new() {
 return NULL;
 }
 kem->method_name = OQS_KEM_alg_sidh_p434_compressed;
- kem->alg_version = "https://github.com/microsoft/PQCrypto-SIDH/tree/v3.2";
+ kem->alg_version = "https://github.com/microsoft/PQCrypto-SIDH/commit/ebd1c80a8ac35e9ca2ef9680291a8a43b95a3bfa";
 kem->claimed_nist_level = 1;
 kem->ind_cca = false;
 
@@ -493,7 +493,7 @@ OQS_KEM *OQS_KEM_sidh_p503_new() {
 return NULL;
 }
 kem->method_name = OQS_KEM_alg_sidh_p503;
- kem->alg_version = "https://github.com/microsoft/PQCrypto-SIDH/tree/v3.2";
+ kem->alg_version = "https://github.com/microsoft/PQCrypto-SIDH/commit/ebd1c80a8ac35e9ca2ef9680291a8a43b95a3bfa";
 kem->claimed_nist_level = 2;
 kem->ind_cca = false;
 
@@ -573,7 +573,7 @@ OQS_KEM *OQS_KEM_sidh_p503_compressed_new() {
 return NULL;
 }
 kem->method_name = OQS_KEM_alg_sidh_p503_compressed;
- kem->alg_version = "https://github.com/microsoft/PQCrypto-SIDH/tree/v3.2";
+ kem->alg_version = "https://github.com/microsoft/PQCrypto-SIDH/commit/ebd1c80a8ac35e9ca2ef9680291a8a43b95a3bfa";
 kem->claimed_nist_level = 2;
 kem->ind_cca = false;
 
@@ -653,7 +653,7 @@ OQS_KEM *OQS_KEM_sidh_p610_new() {
 return NULL;
 }
 kem->method_name = OQS_KEM_alg_sidh_p610;
- kem->alg_version = "https://github.com/microsoft/PQCrypto-SIDH/tree/v3.2";
+ kem->alg_version = "https://github.com/microsoft/PQCrypto-SIDH/commit/ebd1c80a8ac35e9ca2ef9680291a8a43b95a3bfa";
 kem->claimed_nist_level = 3;
 kem->ind_cca = false;
 
@@ -733,7 +733,7 @@ OQS_KEM *OQS_KEM_sidh_p610_compressed_new() {
 return NULL;
 }
 kem->method_name = OQS_KEM_alg_sidh_p610_compressed;
- kem->alg_version = "https://github.com/microsoft/PQCrypto-SIDH/tree/v3.2";
+ kem->alg_version = "https://github.com/microsoft/PQCrypto-SIDH/commit/ebd1c80a8ac35e9ca2ef9680291a8a43b95a3bfa";
 kem->claimed_nist_level = 3;
 kem->ind_cca = false;
 
@@ -813,7 +813,7 @@ OQS_KEM *OQS_KEM_sidh_p751_new() {
 return NULL;
 }
 kem->method_name = OQS_KEM_alg_sidh_p751;
- kem->alg_version = "https://github.com/microsoft/PQCrypto-SIDH/tree/v3.2";
+ kem->alg_version = "https://github.com/microsoft/PQCrypto-SIDH/commit/ebd1c80a8ac35e9ca2ef9680291a8a43b95a3bfa";
 kem->claimed_nist_level = 5;
 kem->ind_cca = false;
 
@@ -893,7 +893,7 @@ OQS_KEM *OQS_KEM_sidh_p751_compressed_new() {
 return NULL;
 }
 kem->method_name = OQS_KEM_alg_sidh_p751_compressed;
- kem->alg_version = "https://github.com/microsoft/PQCrypto-SIDH/tree/v3.2";
+ kem->alg_version = "https://github.com/microsoft/PQCrypto-SIDH/commit/ebd1c80a8ac35e9ca2ef9680291a8a43b95a3bfa";
 kem->claimed_nist_level = 5;
 kem->ind_cca = false;
 
diff --git a/src/kem/sike/sidh.c b/src/kem/sike/sidh.c
index 47041b6d7..fcd0f7197 100644
--- a/src/kem/sike/sidh.c
+++ b/src/kem/sike/sidh.c
@@ -4,6 +4,8 @@
 * Abstract: ephemeral supersingular isogeny Diffie-Hellman key exchange (SIDH)
 *********************************************************************************************/
 
+#include 
+
 static void init_basis(digit_t *gen, f2elm_t XP, f2elm_t XQ, f2elm_t XR) { // Initialization of basis points
 
 fpcopy(gen, XP[0]);
@@ -32,6 +34,7 @@ int EphemeralKeyGeneration_A(const unsigned char *PrivateKeyA, unsigned char *Pu
 point_proj_t R, phiP = {0}, phiQ = {0}, phiR = {0}, pts[MAX_INT_POINTS_ALICE];
 f2elm_t XPA, XQA, XRA, coeff[3], A24plus = {0}, C24 = {0}, A = {0};
 unsigned int i, row, m, index = 0, pts_index[MAX_INT_POINTS_ALICE], npts = 0, ii = 0;
+ digit_t SecretKeyA[NWORDS_ORDER] = {0};
 
 // Initialize basis points
 init_basis((digit_t *) A_gen, XPA, XQA, XRA);
@@ -48,7 +51,8 @@ int EphemeralKeyGeneration_A(const unsigned char *PrivateKeyA, unsigned char *Pu
 fp2add(C24, C24, A24plus);
 
 // Retrieve kernel point
- LADDER3PT(XPA, XQA, XRA, (digit_t *) PrivateKeyA, ALICE, R, A);
+ memcpy((unsigned char*)SecretKeyA, PrivateKeyA, SECRETKEY_A_BYTES);
+ LADDER3PT(XPA, XQA, XRA, SecretKeyA, ALICE, R, A);
 
 #if (OALICE_BITS % 2 == 1)
 point_proj_t S;
@@ -111,6 +115,7 @@ int EphemeralKeyGeneration_B(const unsigned char *PrivateKeyB, unsigned char *Pu
 point_proj_t R, phiP = {0}, phiQ = {0}, phiR = {0}, pts[MAX_INT_POINTS_BOB];
 f2elm_t XPB, XQB, XRB, coeff[3], A24plus = {0}, A24minus = {0}, A = {0};
 unsigned int i, row, m, index = 0, pts_index[MAX_INT_POINTS_BOB], npts = 0, ii = 0;
+ digit_t SecretKeyB[NWORDS_ORDER] = {0};
 
 // Initialize basis points
 init_basis((digit_t *) B_gen, XPB, XQB, XRB);
@@ -127,7 +132,8 @@ int EphemeralKeyGeneration_B(const unsigned char *PrivateKeyB, unsigned char *Pu
 fp2add(A24minus, A24minus, A24plus);
 
 // Retrieve kernel point
- LADDER3PT(XPB, XQB, XRB, (digit_t *) PrivateKeyB, BOB, R, A);
+ memcpy((unsigned char*)SecretKeyB, PrivateKeyB, SECRETKEY_B_BYTES);
+ LADDER3PT(XPB, XQB, XRB, SecretKeyB, BOB, R, A);
 
 // Traverse tree
 index = 0;
@@ -182,6 +188,7 @@ int EphemeralSecretAgreement_A(const unsigned char *PrivateKeyA, const unsigned
 f2elm_t coeff[3], PKB[3], jinv;
 f2elm_t A24plus = {0}, C24 = {0}, A = {0};
 unsigned int i, row, m, index = 0, pts_index[MAX_INT_POINTS_ALICE], npts = 0, ii = 0;
+ digit_t SecretKeyA[NWORDS_ORDER] = {0};
 
 // Initialize images of Bob's basis
 fp2_decode(PublicKeyB, PKB[0]);
@@ -195,7 +202,8 @@ int EphemeralSecretAgreement_A(const unsigned char *PrivateKeyA, const unsigned
 fpadd(C24[0], C24[0], C24[0]);
 
 // Retrieve kernel point
- LADDER3PT(PKB[0], PKB[1], PKB[2], (digit_t *) PrivateKeyA, ALICE, R, A);
+ memcpy((unsigned char*)SecretKeyA, PrivateKeyA, SECRETKEY_A_BYTES);
+ LADDER3PT(PKB[0], PKB[1], PKB[2], SecretKeyA, ALICE, R, A);
 
 #if (OALICE_BITS % 2 == 1)
 point_proj_t S;
@@ -247,6 +255,7 @@ int EphemeralSecretAgreement_B(const unsigned char *PrivateKeyB, const unsigned
 f2elm_t coeff[3], PKB[3], jinv;
 f2elm_t A24plus = {0}, A24minus = {0}, A = {0};
 unsigned int i, row, m, index = 0, pts_index[MAX_INT_POINTS_BOB], npts = 0, ii = 0;
+ digit_t SecretKeyB[NWORDS_ORDER] = {0};
 
 // Initialize images of Alice's basis
 fp2_decode(PublicKeyA, PKB[0]);
@@ -260,7 +269,8 @@ int EphemeralSecretAgreement_B(const unsigned char *PrivateKeyB, const unsigned
 fp2sub(A, A24minus, A24minus);
 
 // Retrieve kernel point
- LADDER3PT(PKB[0], PKB[1], PKB[2], (digit_t *) PrivateKeyB, BOB, R, A);
+ memcpy((unsigned char*)SecretKeyB, PrivateKeyB, SECRETKEY_B_BYTES);
+ LADDER3PT(PKB[0], PKB[1], PKB[2], SecretKeyB, BOB, R, A);
 
 // Traverse tree
 index = 0;