package sidh import ( "crypto/subtle" "errors" "io" "github.com/cloudflare/circl/dh/sidh/internal/common" "github.com/cloudflare/circl/internal/sha3" ) // SIKE KEM interface. // // Deprecated: not cryptographically secure. type KEM struct { allocated bool rng io.Reader msg []byte secretBytes []byte params *common.SidhParams shake sha3.State } // NewSike434 instantiates SIKE/p434 KEM. // // Deprecated: not cryptographically secure. func NewSike434(rng io.Reader) *KEM { var c KEM c.Allocate(Fp434, rng) return &c } // NewSike503 instantiates SIKE/p503 KEM. // // Deprecated: not cryptographically secure. func NewSike503(rng io.Reader) *KEM { var c KEM c.Allocate(Fp503, rng) return &c } // NewSike751 instantiates SIKE/p751 KEM. // // Deprecated: not cryptographically secure. func NewSike751(rng io.Reader) *KEM { var c KEM c.Allocate(Fp751, rng) return &c } // Allocate allocates KEM object for multiple SIKE operations. The rng // must be cryptographically secure PRNG. func (c *KEM) Allocate(id uint8, rng io.Reader) { c.rng = rng c.params = common.Params(id) c.msg = make([]byte, c.params.MsgLen) c.secretBytes = make([]byte, c.params.A.SecretByteLen) c.shake = sha3.NewShake256() c.allocated = true } // Encapsulate receives the public key and generates SIKE ciphertext and shared secret. // The generated ciphertext is used for authentication. // Error is returned in case PRNG fails. Function panics in case wrongly formatted // input was provided. func (c *KEM) Encapsulate(ciphertext, secret []byte, pub *PublicKey) error { if !c.allocated { panic("KEM unallocated") } if KeyVariantSike != pub.keyVariant { panic("Wrong type of public key") } if len(secret) < c.SharedSecretSize() { panic("shared secret buffer to small") } if len(ciphertext) < c.CiphertextSize() { panic("ciphertext buffer to small") } // Generate ephemeral value _, err := io.ReadFull(c.rng, c.msg[:]) if err != nil { return err } var buf [3 * common.MaxSharedSecretBsz]byte skA := PrivateKey{ key: key{ params: c.params, keyVariant: KeyVariantSidhA, }, Scalar: c.secretBytes, } pkA := NewPublicKey(c.params.ID, KeyVariantSidhA) pub.Export(buf[:]) c.shake.Reset() _, _ = c.shake.Write(c.msg) _, _ = c.shake.Write(buf[:3*c.params.SharedSecretSize]) _, _ = c.shake.Read(skA.Scalar) // Ensure bitlength is not bigger then to 2^e2-1 skA.Scalar[len(skA.Scalar)-1] &= (1 << (c.params.A.SecretBitLen % 8)) - 1 skA.GeneratePublicKey(pkA) c.generateCiphertext(ciphertext, &skA, pkA, pub, c.msg[:]) // K = H(msg||(c0||c1)) c.shake.Reset() _, _ = c.shake.Write(c.msg) _, _ = c.shake.Write(ciphertext) _, _ = c.shake.Read(secret[:c.SharedSecretSize()]) return nil } // Decapsulate given the keypair and ciphertext as inputs, Decapsulate outputs a shared // secret if plaintext verifies correctly, otherwise function outputs random value. // Decapsulation may panic in case input is wrongly formatted, in particular, size of // the 'ciphertext' must be exactly equal to c.CiphertextSize(). func (c *KEM) Decapsulate(secret []byte, prv *PrivateKey, pub *PublicKey, ciphertext []byte) error { if !c.allocated { panic("KEM unallocated") } if KeyVariantSike != pub.keyVariant { panic("Wrong type of public key") } if pub.keyVariant != prv.keyVariant { panic("Public and private key are of different type") } if len(secret) < c.SharedSecretSize() { panic("shared secret buffer to small") } if len(ciphertext) != c.CiphertextSize() { panic("ciphertext buffer to small") } var m [common.MaxMsgBsz]byte var r [common.MaxSidhPrivateKeyBsz]byte var pkBytes [3 * common.MaxSharedSecretBsz]byte skA := PrivateKey{ key: key{ params: c.params, keyVariant: KeyVariantSidhA, }, Scalar: c.secretBytes, } pkA := NewPublicKey(c.params.ID, KeyVariantSidhA) c1Len, err := c.decrypt(m[:], prv, ciphertext) if err != nil { return err } // r' = G(m'||pub) pub.Export(pkBytes[:]) c.shake.Reset() _, _ = c.shake.Write(m[:c1Len]) _, _ = c.shake.Write(pkBytes[:3*c.params.SharedSecretSize]) _, _ = c.shake.Read(r[:c.params.A.SecretByteLen]) // Ensure bitlength is not bigger than 2^e2-1 r[c.params.A.SecretByteLen-1] &= (1 << (c.params.A.SecretBitLen % 8)) - 1 err = skA.Import(r[:c.params.A.SecretByteLen]) if err != nil { return err } skA.GeneratePublicKey(pkA) pkA.Export(pkBytes[:]) // S is chosen at random when generating a key and unknown to other party. It is // important that S is unpredictable to the other party. Without this check, would // be possible to recover a secret, by providing series of invalid ciphertexts. // // See more details in "On the security of supersingular isogeny cryptosystems" // (S. Galbraith, et al., 2016, ePrint #859). mask := subtle.ConstantTimeCompare(pkBytes[:c.params.PublicKeySize], ciphertext[:pub.params.PublicKeySize]) common.Cpick(mask, m[:c1Len], m[:c1Len], prv.S) c.shake.Reset() _, _ = c.shake.Write(m[:c1Len]) _, _ = c.shake.Write(ciphertext) _, _ = c.shake.Read(secret[:c.SharedSecretSize()]) return nil } // Resets internal state of KEM. Function should be used // after Allocate and between subsequent calls to Encapsulate // and/or Decapsulate. func (c *KEM) Reset() { for i := range c.msg { c.msg[i] = 0 } for i := range c.secretBytes { c.secretBytes[i] = 0 } } // Returns size of resulting ciphertext. func (c *KEM) CiphertextSize() int { return c.params.CiphertextSize } // Returns size of resulting shared secret. func (c *KEM) SharedSecretSize() int { return c.params.KemSize } // PublicKeySize returns size of the public key in bytes. func (c *KEM) PublicKeySize() int { return c.params.PublicKeySize } // Size returns size of the private key in bytes. func (c *KEM) PrivateKeySize() int { return int(c.params.B.SecretByteLen) + c.params.MsgLen } func (c *KEM) generateCiphertext(ctext []byte, skA *PrivateKey, pkA, pkB *PublicKey, ptext []byte) { var n [common.MaxMsgBsz]byte var j [common.MaxSharedSecretBsz]byte ptextLen := skA.params.MsgLen skA.DeriveSecret(j[:], pkB) c.shake.Reset() _, _ = c.shake.Write(j[:skA.params.SharedSecretSize]) _, _ = c.shake.Read(n[:ptextLen]) for i := range ptext { n[i] ^= ptext[i] } pkA.Export(ctext) copy(ctext[pkA.Size():], n[:ptextLen]) } // encrypt uses SIKE public key to encrypt plaintext. Requires cryptographically secure // PRNG. Returns ciphertext in case encryption succeeds. Returns error in case PRNG fails // or wrongly formated input was provided. func (c *KEM) encrypt(ctext []byte, rng io.Reader, pub *PublicKey, ptext []byte) error { ptextLen := len(ptext) // c1 must be security level + 64 bits (see [SIKE] 1.4 and 4.3.3) if ptextLen != pub.params.KemSize { return errors.New("unsupported message length") } skA := NewPrivateKey(pub.params.ID, KeyVariantSidhA) pkA := NewPublicKey(pub.params.ID, KeyVariantSidhA) err := skA.Generate(rng) if err != nil { return err } skA.GeneratePublicKey(pkA) c.generateCiphertext(ctext, skA, pkA, pub, ptext) return nil } // decrypt uses SIKE private key to decrypt ciphertext. Returns plaintext in case // decryption succeeds or error in case unexpected input was provided. // Constant time. func (c *KEM) decrypt(n []byte, prv *PrivateKey, ctext []byte) (int, error) { var c1Len int var j [common.MaxSharedSecretBsz]byte pkLen := prv.params.PublicKeySize // ctext is a concatenation of (ciphertext = pubkey_A || c1) // it must be security level + 64 bits (see [SIKE] 1.4 and 4.3.3) // Lengths has been already checked by Decapsulate() c1Len = len(ctext) - pkLen c0 := NewPublicKey(prv.params.ID, KeyVariantSidhA) err := c0.Import(ctext[:pkLen]) prv.DeriveSecret(j[:], c0) c.shake.Reset() _, _ = c.shake.Write(j[:prv.params.SharedSecretSize]) _, _ = c.shake.Read(n[:c1Len]) for i := range n[:c1Len] { n[i] ^= ctext[pkLen+i] } return c1Len, err }