1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
|
/********************************************************************************************
* SIDH: an efficient supersingular isogeny cryptography library
*
* Abstract: supersingular isogeny key encapsulation (SIKE) protocol
*********************************************************************************************/
#include <string.h>
#include "../s2n_pq_random.h"
#include "fips202.h"
#include "utils/s2n_safety.h"
#include "tls/s2n_kem.h"
#include "pq-crypto/s2n_pq.h"
int SIKE_P434_r2_crypto_kem_keypair(unsigned char *pk, unsigned char *sk) {
// SIKE's key generation
// Outputs: secret key sk (CRYPTO_SECRETKEYBYTES = MSG_BYTES + SECRETKEY_B_BYTES + CRYPTO_PUBLICKEYBYTES bytes)
// public key pk (CRYPTO_PUBLICKEYBYTES bytes)
ENSURE_POSIX(s2n_pq_is_enabled(), S2N_ERR_PQ_DISABLED);
digit_t _sk[(SECRETKEY_B_BYTES / sizeof(digit_t)) + 1];
// Generate lower portion of secret key sk <- s||SK
GUARD_AS_POSIX(s2n_get_random_bytes(sk, MSG_BYTES));
GUARD(random_mod_order_B((unsigned char *)_sk));
// Generate public key pk
EphemeralKeyGeneration_B(_sk, pk);
memcpy(sk + MSG_BYTES, _sk, SECRETKEY_B_BYTES);
// Append public key pk to secret key sk
memcpy(&sk[MSG_BYTES + SECRETKEY_B_BYTES], pk, CRYPTO_PUBLICKEYBYTES);
return 0;
}
int SIKE_P434_r2_crypto_kem_enc(unsigned char *ct, unsigned char *ss, const unsigned char *pk) {
// SIKE's encapsulation
// Input: public key pk (CRYPTO_PUBLICKEYBYTES bytes)
// Outputs: shared secret ss (CRYPTO_BYTES bytes)
// ciphertext message ct (CRYPTO_CIPHERTEXTBYTES = CRYPTO_PUBLICKEYBYTES + MSG_BYTES bytes)
ENSURE_POSIX(s2n_pq_is_enabled(), S2N_ERR_PQ_DISABLED);
union {
unsigned char b[SECRETKEY_A_BYTES];
digit_t d[SECRETKEY_A_BYTES/sizeof(digit_t)];
} ephemeralsk;
unsigned char jinvariant[FP2_ENCODED_BYTES];
unsigned char h[MSG_BYTES];
unsigned char temp[CRYPTO_CIPHERTEXTBYTES + MSG_BYTES];
// Generate ephemeralsk <- G(m||pk) mod oA
GUARD_AS_POSIX(s2n_get_random_bytes(temp, MSG_BYTES));
memcpy(&temp[MSG_BYTES], pk, CRYPTO_PUBLICKEYBYTES);
shake256(ephemeralsk.b, SECRETKEY_A_BYTES, temp, CRYPTO_PUBLICKEYBYTES + MSG_BYTES);
/* ephemeralsk is a union; the memory set here through .b will get accessed through the .d member later */
/* cppcheck-suppress unreadVariable */
/* cppcheck-suppress unmatchedSuppression */
ephemeralsk.b[SECRETKEY_A_BYTES - 1] &= MASK_ALICE;
// Encrypt
EphemeralKeyGeneration_A(ephemeralsk.d, ct);
EphemeralSecretAgreement_A(ephemeralsk.d, pk, jinvariant);
shake256(h, MSG_BYTES, jinvariant, FP2_ENCODED_BYTES);
for (int i = 0; i < MSG_BYTES; i++) {
ct[i + CRYPTO_PUBLICKEYBYTES] = temp[i] ^ h[i];
}
// Generate shared secret ss <- H(m||ct)
memcpy(&temp[MSG_BYTES], ct, CRYPTO_CIPHERTEXTBYTES);
shake256(ss, CRYPTO_BYTES, temp, CRYPTO_CIPHERTEXTBYTES + MSG_BYTES);
return 0;
}
int SIKE_P434_r2_crypto_kem_dec(unsigned char *ss, const unsigned char *ct, const unsigned char *sk) {
// SIKE's decapsulation
// Input: secret key sk (CRYPTO_SECRETKEYBYTES = MSG_BYTES + SECRETKEY_B_BYTES + CRYPTO_PUBLICKEYBYTES bytes)
// ciphertext message ct (CRYPTO_CIPHERTEXTBYTES = CRYPTO_PUBLICKEYBYTES + MSG_BYTES bytes)
// Outputs: shared secret ss (CRYPTO_BYTES bytes)
ENSURE_POSIX(s2n_pq_is_enabled(), S2N_ERR_PQ_DISABLED);
union {
unsigned char b[SECRETKEY_A_BYTES];
digit_t d[SECRETKEY_A_BYTES/sizeof(digit_t)];
} ephemeralsk_;
unsigned char jinvariant_[FP2_ENCODED_BYTES];
unsigned char h_[MSG_BYTES];
unsigned char c0_[CRYPTO_PUBLICKEYBYTES];
unsigned char temp[CRYPTO_CIPHERTEXTBYTES + MSG_BYTES];
digit_t _sk[(SECRETKEY_B_BYTES / sizeof(digit_t)) + 1];
memcpy(_sk, sk + MSG_BYTES, SECRETKEY_B_BYTES);
// Decrypt
EphemeralSecretAgreement_B(_sk, ct, jinvariant_);
shake256(h_, MSG_BYTES, jinvariant_, FP2_ENCODED_BYTES);
for (int i = 0; i < MSG_BYTES; i++) {
temp[i] = ct[i + CRYPTO_PUBLICKEYBYTES] ^ h_[i];
}
// Generate ephemeralsk_ <- G(m||pk) mod oA
memcpy(&temp[MSG_BYTES], &sk[MSG_BYTES + SECRETKEY_B_BYTES], CRYPTO_PUBLICKEYBYTES);
shake256(ephemeralsk_.b, SECRETKEY_A_BYTES, temp, CRYPTO_PUBLICKEYBYTES + MSG_BYTES);
/* ephemeralsk_ is a union; the memory set here through .b will get accessed through the .d member later */
/* cppcheck-suppress unreadVariable */
/* cppcheck-suppress uninitvar */
/* cppcheck-suppress unmatchedSuppression */
ephemeralsk_.b[SECRETKEY_A_BYTES - 1] &= MASK_ALICE;
// Generate shared secret ss <- H(m||ct) or output ss <- H(s||ct)
EphemeralKeyGeneration_A(ephemeralsk_.d, c0_);
if (memcmp(c0_, ct, CRYPTO_PUBLICKEYBYTES) != 0) {
memcpy(temp, sk, MSG_BYTES);
}
memcpy(&temp[MSG_BYTES], ct, CRYPTO_CIPHERTEXTBYTES);
shake256(ss, CRYPTO_BYTES, temp, CRYPTO_CIPHERTEXTBYTES + MSG_BYTES);
return 0;
}
|
