/src/botan/src/lib/pubkey/mce/mceliece_key.cpp
1 | | /* |
2 | | * (C) Copyright Projet SECRET, INRIA, Rocquencourt |
3 | | * (C) Bhaskar Biswas and Nicolas Sendrier |
4 | | * |
5 | | * (C) 2014 cryptosource GmbH |
6 | | * (C) 2014 Falko Strenzke fstrenzke@cryptosource.de |
7 | | * (C) 2015 Jack Lloyd |
8 | | * |
9 | | * Botan is released under the Simplified BSD License (see license.txt) |
10 | | * |
11 | | */ |
12 | | |
13 | | #include <botan/mceliece.h> |
14 | | |
15 | | #include <botan/ber_dec.h> |
16 | | #include <botan/der_enc.h> |
17 | | #include <botan/rng.h> |
18 | | #include <botan/internal/bit_ops.h> |
19 | | #include <botan/internal/code_based_util.h> |
20 | | #include <botan/internal/loadstor.h> |
21 | | #include <botan/internal/mce_internal.h> |
22 | | #include <botan/internal/pk_ops_impl.h> |
23 | | #include <botan/internal/polyn_gf2m.h> |
24 | | #include <botan/internal/stl_util.h> |
25 | | |
26 | | namespace Botan { |
27 | | |
// Special members are defined out of line (not in the header); presumably the
// member types such as polyn_gf2m are only forward-declared there — TODO confirm.
// Moves are noexcept so containers of keys move instead of copying on growth.
McEliece_PrivateKey::McEliece_PrivateKey(const McEliece_PrivateKey&) = default;
McEliece_PrivateKey::McEliece_PrivateKey(McEliece_PrivateKey&&) noexcept = default;
McEliece_PrivateKey& McEliece_PrivateKey::operator=(const McEliece_PrivateKey&) = default;
McEliece_PrivateKey& McEliece_PrivateKey::operator=(McEliece_PrivateKey&&) noexcept = default;
McEliece_PrivateKey::~McEliece_PrivateKey() = default;
33 | | |
/**
* Construct a private key from already-generated components.
*
* @param goppa_polyn the Goppa polynomial g; its degree becomes t of the public key
* @param parity_check_matrix_coeffs the parity check matrix H as 32-bit words
* @param square_root_matrix the per-entry polynomials stored in m_sqrtmod
*        (presumably square roots modulo g — see the decoder below)
* @param inverse_support the inverse support L^-1; its size is the code length n
* @param public_matrix the public matrix, handed to the McEliece_PublicKey base
*
* m_codimension is m*t with m = ceil(log2(n)), the same formula the DER decoder
* and get_message_word_bit_length() use. m_dimension reads m_codimension in its
* initializer, which is only correct if the header declares m_codimension first
* (not visible here).
*/
McEliece_PrivateKey::McEliece_PrivateKey(const polyn_gf2m& goppa_polyn,
                                         const std::vector<uint32_t>& parity_check_matrix_coeffs,
                                         const std::vector<polyn_gf2m>& square_root_matrix,
                                         const std::vector<gf2m>& inverse_support,
                                         const std::vector<uint8_t>& public_matrix) :
      McEliece_PublicKey(public_matrix, goppa_polyn.get_degree(), inverse_support.size()),
      m_g{goppa_polyn},
      m_sqrtmod(square_root_matrix),
      m_Linv(inverse_support),
      m_coeffs(parity_check_matrix_coeffs),
      m_codimension(static_cast<size_t>(ceil_log2(inverse_support.size())) * goppa_polyn.get_degree()),
      m_dimension(inverse_support.size() - m_codimension) {}
46 | | |
/**
* Generate a fresh McEliece private key.
*
* @param rng randomness source for key generation
* @param code_length the code length n
* @param t the number of correctable errors (degree of the Goppa polynomial)
*
* The field extension degree m is ceil(log2(n)); the generated key is then
* move-assigned into *this.
*/
McEliece_PrivateKey::McEliece_PrivateKey(RandomNumberGenerator& rng, size_t code_length, size_t t) {
   const uint32_t extension_degree = ceil_log2(code_length);
   auto generated = generate_mceliece_key(rng, extension_degree, code_length, t);
   *this = std::move(generated);
}
51 | | |
/// The Goppa polynomial g. Both constructors store exactly one polynomial in
/// m_g, so element 0 is the whole of it.
const polyn_gf2m& McEliece_PrivateKey::get_goppa_polyn() const {
   return m_g[0];
}
55 | | |
/**
* Length in bits of a plaintext (message) word: k = n - m*t with
* m = ceil(log2(n)). This is the same codimension formula the private key
* decoder uses, so the two stay consistent.
*/
size_t McEliece_PublicKey::get_message_word_bit_length() const {
   return m_code_length - ceil_log2(m_code_length) * m_t;
}
60 | | |
/**
* Draw a uniformly random message word of get_message_word_bit_length() bits.
*
* @param rng randomness source
* @return the word packed into ceil(k/8) bytes; any bits of the final byte
*         beyond k are cleared so the value is a valid k-bit word
*/
secure_vector<uint8_t> McEliece_PublicKey::random_plaintext_element(RandomNumberGenerator& rng) const {
   const size_t word_bits = get_message_word_bit_length();

   secure_vector<uint8_t> word((word_bits + 7) / 8);
   rng.randomize(word.data(), word.size());

   // Clear the padding bits of the last byte (there is one only if k is not a
   // multiple of 8; trailing != 0 also guarantees word is non-empty).
   const size_t trailing = word_bits % 8;
   if(trailing != 0) {
      word.back() &= static_cast<uint8_t>((1u << trailing) - 1);
   }

   return word;
}
75 | | |
/// AlgorithmIdentifier with the McEliece OID and absent parameters; n and t
/// travel inside the key bits (see public_key_bits()), not in the parameters.
AlgorithmIdentifier McEliece_PublicKey::algorithm_identifier() const {
   return AlgorithmIdentifier(object_identifier(), AlgorithmIdentifier::USE_EMPTY_PARAM);
}
79 | | |
/// A copy of the bare public matrix, without the DER framing that
/// public_key_bits() adds.
std::vector<uint8_t> McEliece_PublicKey::raw_public_key_bits() const {
   return m_public_matrix;
}
83 | | |
/**
* DER-encode the public key as
*   SEQUENCE { SEQUENCE { n INTEGER, t INTEGER }, public_matrix OCTET STRING }
* which is exactly what the McEliece_PublicKey(std::span) constructor parses.
*/
std::vector<uint8_t> McEliece_PublicKey::public_key_bits() const {
   std::vector<uint8_t> encoded;
   DER_Encoder der(encoded);

   der.start_sequence();
   der.start_sequence().encode(get_code_length()).encode(get_t()).end_cons();
   der.encode(m_public_matrix, ASN1_Type::OctetString);
   der.end_cons();

   return encoded;
}
96 | | |
/// The key's nominal size, reported as the code length n.
size_t McEliece_PublicKey::key_length() const {
   return m_code_length;
}
100 | | |
/// Security estimate, delegated to mceliece_work_factor(n, t).
size_t McEliece_PublicKey::estimated_strength() const {
   return mceliece_work_factor(m_code_length, m_t);
}
104 | | |
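/**
* Decode a public key from its DER encoding
*   SEQUENCE { SEQUENCE { n INTEGER, t INTEGER }, public_matrix OCTET STRING }
* (the inverse of public_key_bits()).
*
* @param key_bits the DER encoding; treated as untrusted input
* @throws Decoding_Error if the structure does not parse, if n or t is zero,
*         or if m*t >= n (no message bits), mirroring the checks the private
*         key decoder performs on the same parameters
*/
McEliece_PublicKey::McEliece_PublicKey(std::span<const uint8_t> key_bits) {
   size_t n = 0;
   size_t t = 0;

   BER_Decoder dec(key_bits);
   dec.start_sequence()
      .start_sequence()
      .decode(n)
      .decode(t)
      .end_cons()
      .decode(m_public_matrix, ASN1_Type::OctetString)
      .end_cons();

   // Reject degenerate parameters before they reach derived sizes:
   // get_message_word_bit_length() computes n - ceil_log2(n)*t, which wraps
   // when that difference is not positive and would then drive the size of
   // random_plaintext_element()'s allocation.
   if(n == 0 || t == 0) {
      throw Decoding_Error("invalid McEliece parameters");
   }
   if(ceil_log2(n) * t >= n) {
      throw Decoding_Error("invalid McEliece parameters");
   }

   m_t = t;
   m_code_length = n;

   // NOTE(review): the length of m_public_matrix is not validated against n
   // and t here; whether mceliece_encrypt relies on a consistent size is not
   // visible in this file — confirm before relying on it.
}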
119 | | |
/**
* DER-encode the private key:
*   SEQUENCE {
*     SEQUENCE { n INTEGER, t INTEGER },
*     public_matrix OCTET STRING,
*     g OCTET STRING,
*     SEQUENCE OF OCTET STRING,      -- one entry per m_sqrtmod polynomial
*     inverse_support OCTET STRING,  -- each gf2m as two big-endian bytes
*     parity_check OCTET STRING      -- each uint32_t as four big-endian bytes
*   }
* This is the layout McEliece_PrivateKey(std::span) decodes.
*/
secure_vector<uint8_t> McEliece_PrivateKey::private_key_bits() const {
   DER_Encoder der;

   der.start_sequence();
   der.start_sequence().encode(get_code_length()).encode(get_t()).end_cons();
   der.encode(m_public_matrix, ASN1_Type::OctetString);
   der.encode(m_g[0].encode(), ASN1_Type::OctetString);  // g as octet string

   der.start_sequence();
   for(const polyn_gf2m& sqrt_poly : m_sqrtmod) {
      der.encode(sqrt_poly.encode(), ASN1_Type::OctetString);
   }
   der.end_cons();

   // get_byte<0> is the most significant byte, so entries are big-endian
   secure_vector<uint8_t> support_bytes;
   support_bytes.reserve(2 * m_Linv.size());
   for(const gf2m element : m_Linv) {
      support_bytes.push_back(get_byte<0>(element));
      support_bytes.push_back(get_byte<1>(element));
   }
   der.encode(support_bytes, ASN1_Type::OctetString);

   secure_vector<uint8_t> h_bytes;
   h_bytes.reserve(4 * m_coeffs.size());
   for(const uint32_t coef : m_coeffs) {
      h_bytes.push_back(get_byte<0>(coef));
      h_bytes.push_back(get_byte<1>(coef));
      h_bytes.push_back(get_byte<2>(coef));
      h_bytes.push_back(get_byte<3>(coef));
   }
   der.encode(h_bytes, ASN1_Type::OctetString);

   der.end_cons();
   return der.get_contents();
}
152 | | |
/**
* Consistency check: encrypt a random message word with the public half and
* verify the private half recovers both the word and the error vector.
*
* @param rng randomness for the plaintext and the error vector
* @return true iff the round trip reproduces the plaintext and the errors
*
* The second parameter (strong check) is accepted for interface compatibility
* and does not change what is tested.
*/
bool McEliece_PrivateKey::check_key(RandomNumberGenerator& rng, bool /*unused*/) const {
   const secure_vector<uint8_t> message = this->random_plaintext_element(rng);

   secure_vector<uint8_t> ciphertext;
   secure_vector<uint8_t> injected_errors;
   mceliece_encrypt(ciphertext, injected_errors, message, *this, rng);

   secure_vector<uint8_t> recovered_message;
   secure_vector<uint8_t> recovered_errors;
   mceliece_decrypt(recovered_message, recovered_errors, ciphertext, *this);

   return injected_errors == recovered_errors && message == recovered_message;
}
170 | | |
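/**
* Decode a private key from its DER encoding (the inverse of private_key_bits()):
*   SEQUENCE {
*     SEQUENCE { n INTEGER, t INTEGER },
*     public_matrix OCTET STRING,
*     g OCTET STRING,
*     SEQUENCE OF OCTET STRING,      -- t/2 square-root polynomials, t*2 bytes each
*     inverse_support OCTET STRING,  -- n big-endian uint16 values
*     parity_check OCTET STRING      -- big-endian uint32 words
*   }
*
* @param key_bits the DER encoding; treated as untrusted input, so every
*        length that drives an allocation is validated first
* @throws Decoding_Error on any structural or length inconsistency
*/
McEliece_PrivateKey::McEliece_PrivateKey(std::span<const uint8_t> key_bits) {
   size_t n = 0;
   size_t t = 0;
   secure_vector<uint8_t> enc_g;

   BER_Decoder dec_base(key_bits);
   BER_Decoder dec = dec_base.start_sequence()
                        .start_sequence()
                        .decode(n)
                        .decode(t)
                        .end_cons()
                        .decode(m_public_matrix, ASN1_Type::OctetString)
                        .decode(enc_g, ASN1_Type::OctetString);

   if(t == 0 || n == 0) {
      throw Decoding_Error("invalid McEliece parameters");
   }

   const uint32_t ext_deg = ceil_log2(n);
   m_code_length = n;
   m_t = t;
   m_codimension = ext_deg * t;

   // k = n - m*t is the message length; a key with k <= 0 carries no message
   // and would make m_dimension wrap, so treat it as malformed here rather
   // than propagate an absurd size into later code.
   if(m_codimension >= n) {
      throw Decoding_Error("invalid McEliece parameters");
   }
   m_dimension = n - m_codimension;

   auto sp_field = std::make_shared<GF2m_Field>(ext_deg);
   m_g = {polyn_gf2m(enc_g, sp_field)};

   // Compare as size_t: casting t to int truncated oversized values, so a
   // key could pass this check with a t far larger than the decoded
   // polynomial, and t then sizes the (t/2) x (2*t) byte allocations below.
   const int g_degree = m_g[0].get_degree();
   if(g_degree < 0 || static_cast<size_t>(g_degree) != t) {
      throw Decoding_Error("degree of decoded Goppa polynomial is incorrect");
   }

   BER_Decoder dec2 = dec.start_sequence();
   m_sqrtmod.reserve(t / 2);
   for(size_t i = 0; i < t / 2; i++) {
      secure_vector<uint8_t> sqrt_enc;
      dec2.decode(sqrt_enc, ASN1_Type::OctetString);
      // each coefficient is a gf2m, two bytes; odd lengths cannot be valid
      if(sqrt_enc.size() % 2 != 0) {
         throw Decoding_Error("length of square root polynomial entry is odd");
      }
      if(sqrt_enc.size() > t * 2) {
         throw Decoding_Error("length of square root polynomial entry is too large");
      }
      // right-pad with zero coefficients so every entry has exactly t*2 bytes
      sqrt_enc.resize(t * 2, 0);
      m_sqrtmod.push_back(polyn_gf2m(sqrt_enc, sp_field));
   }

   secure_vector<uint8_t> enc_support;
   BER_Decoder dec3 = dec2.end_cons().decode(enc_support, ASN1_Type::OctetString);
   if(enc_support.size() % 2) {
      throw Decoding_Error("encoded support has odd length");
   }
   if(enc_support.size() / 2 != n) {
      throw Decoding_Error("encoded support has length different from code length");
   }
   m_Linv.reserve(n);
   for(size_t i = 0; i < enc_support.size(); i += 2) {
      // make_uint16 avoids the promoted-int shifts of the hand-rolled form
      m_Linv.push_back(make_uint16(enc_support[i], enc_support[i + 1]));
   }

   secure_vector<uint8_t> enc_H;
   dec3.decode(enc_H, ASN1_Type::OctetString).end_cons();
   if(enc_H.size() % 4) {
      throw Decoding_Error("encoded parity check matrix has length which is not a multiple of four");
   }
   if(enc_H.size() / 4 != bit_size_to_32bit_size(m_codimension) * m_code_length) {
      throw Decoding_Error("encoded parity check matrix has wrong length");
   }
   m_coeffs.reserve(enc_H.size() / 4);
   for(size_t i = 0; i < enc_H.size(); i += 4) {
      // (enc_H[i] << 24) on a promoted int overflowed for bytes >= 0x80;
      // make_uint32 assembles the big-endian word without that hazard
      m_coeffs.push_back(make_uint32(enc_H[i], enc_H[i + 1], enc_H[i + 2], enc_H[i + 3]));
   }
}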
238 | | |
/**
* Field-by-field equality: the public part first, then every private member.
* The comparison short-circuits on the first difference, so it is not
* constant-time; presumably only used by tests and key round-trip checks —
* confirm before using it on secret data in a timing-sensitive path.
*/
bool McEliece_PrivateKey::operator==(const McEliece_PrivateKey& other) const {
   const McEliece_PublicKey& this_public = *this;
   const McEliece_PublicKey& other_public = other;
   if(this_public != other_public) {
      return false;
   }

   return m_g == other.m_g && m_sqrtmod == other.m_sqrtmod && m_Linv == other.m_Linv && m_coeffs == other.m_coeffs &&
          m_codimension == other.m_codimension && m_dimension == other.m_dimension;
}
263 | | |
/// The public half of this key, built in the (matrix, t, n) argument order of
/// the McEliece_PublicKey constructor also used by the component-wise
/// private-key constructor above.
std::unique_ptr<Public_Key> McEliece_PrivateKey::public_key() const {
   return std::make_unique<McEliece_PublicKey>(get_public_matrix(), get_t(), get_code_length());
}
267 | | |
/// Equality of the public key material and parameters (matrix, t, n). All of
/// this is public data, so a short-circuiting comparison is fine here.
bool McEliece_PublicKey::operator==(const McEliece_PublicKey& other) const {
   return m_public_matrix == other.m_public_matrix && m_t == other.m_t && m_code_length == other.m_code_length;
}
280 | | |
281 | | namespace { |
282 | | |
/*
* KEM encapsulation for McEliece. The encapsulated key is the McEliece
* ciphertext; the raw shared secret handed to the base-class KDF is the random
* message word followed by the error vector. Holds a reference to the public
* key, which must outlive this object.
*/
class MCE_KEM_Encryptor final : public PK_Ops::KEM_Encryption_with_KDF {
   public:
      MCE_KEM_Encryptor(const McEliece_PublicKey& key, std::string_view kdf) :
            KEM_Encryption_with_KDF(kdf), m_key(key) {}

   private:
      // number of bytes needed to hold the given number of bits
      static size_t bytes_for_bits(size_t bits) { return (bits + 7) / 8; }

      // one bit per code position, rounded up to whole bytes
      size_t encapsulated_key_length() const override { return bytes_for_bits(m_key.get_code_length()); }

      // message word bytes plus error vector bytes (the latter equals the ciphertext size)
      size_t raw_kem_shared_key_length() const override {
         const size_t message_bytes = bytes_for_bits(m_key.get_message_word_bit_length());
         return message_bytes + encapsulated_key_length();
      }

      void raw_kem_encrypt(std::span<uint8_t> out_encapsulated_key,
                           std::span<uint8_t> raw_shared_key,
                           RandomNumberGenerator& rng) override {
         const secure_vector<uint8_t> message = m_key.random_plaintext_element(rng);

         secure_vector<uint8_t> ciphertext;
         secure_vector<uint8_t> error_mask;
         mceliece_encrypt(ciphertext, error_mask, message, m_key, rng);

         // TODO: Perhaps avoid the copies below
         BOTAN_ASSERT_NOMSG(ciphertext.size() == out_encapsulated_key.size());
         std::copy(ciphertext.cbegin(), ciphertext.cend(), out_encapsulated_key.begin());

         BOTAN_ASSERT_NOMSG(message.size() + error_mask.size() == raw_shared_key.size());
         BufferStuffer stuffer(raw_shared_key);
         stuffer.append(message);
         stuffer.append(error_mask);
      }

      const McEliece_PublicKey& m_key;
};
317 | | |
/*
* KEM decapsulation for McEliece: decrypts the ciphertext and hands the
* recovered message word followed by the error vector to the base-class KDF,
* matching the layout MCE_KEM_Encryptor produces. Holds a reference to the
* private key, which must outlive this object.
*/
class MCE_KEM_Decryptor final : public PK_Ops::KEM_Decryption_with_KDF {
   public:
      MCE_KEM_Decryptor(const McEliece_PrivateKey& key, std::string_view kdf) :
            KEM_Decryption_with_KDF(kdf), m_key(key) {}

   private:
      // number of bytes needed to hold the given number of bits
      static size_t bytes_for_bits(size_t bits) { return (bits + 7) / 8; }

      // one bit per code position, rounded up to whole bytes
      size_t encapsulated_key_length() const override { return bytes_for_bits(m_key.get_code_length()); }

      // message word bytes plus error vector bytes (the latter equals the ciphertext size)
      size_t raw_kem_shared_key_length() const override {
         const size_t message_bytes = bytes_for_bits(m_key.get_message_word_bit_length());
         return message_bytes + encapsulated_key_length();
      }

      void raw_kem_decrypt(std::span<uint8_t> out_shared_key, std::span<const uint8_t> encapsulated_key) override {
         // NOTE(review): the encapsulated key length is not checked here;
         // presumably the caller or base class validates it against
         // encapsulated_key_length() — confirm.
         secure_vector<uint8_t> message;
         secure_vector<uint8_t> error_mask;
         mceliece_decrypt(message, error_mask, encapsulated_key.data(), encapsulated_key.size(), m_key);

         // TODO: perhaps avoid the copies below
         BOTAN_ASSERT_NOMSG(message.size() + error_mask.size() == out_shared_key.size());
         BufferStuffer stuffer(out_shared_key);
         stuffer.append(message);
         stuffer.append(error_mask);
      }

      const McEliece_PrivateKey& m_key;
};
345 | | |
346 | | } // namespace |
347 | | |
/// A fresh private key with the same (n, t) parameters as this public key.
std::unique_ptr<Private_Key> McEliece_PublicKey::generate_another(RandomNumberGenerator& rng) const {
   return std::make_unique<McEliece_PrivateKey>(rng, get_code_length(), get_t());
}
351 | | |
/**
* Create the KEM encapsulation operation.
*
* @param params the KDF name forwarded to the operation
* @param provider only "base" (or an empty string) is implemented
* @throws Provider_Not_Found for any other provider name
*/
std::unique_ptr<PK_Ops::KEM_Encryption> McEliece_PublicKey::create_kem_encryption_op(std::string_view params,
                                                                                     std::string_view provider) const {
   const bool base_provider = provider.empty() || provider == "base";
   if(!base_provider) {
      throw Provider_Not_Found(algo_name(), provider);
   }
   return std::make_unique<MCE_KEM_Encryptor>(*this, params);
}
359 | | |
/**
* Create the KEM decapsulation operation.
*
* @param params the KDF name forwarded to the operation
* @param provider only "base" (or an empty string) is implemented
* @throws Provider_Not_Found for any other provider name
*
* The rng parameter is unused: decapsulation here is deterministic.
*/
std::unique_ptr<PK_Ops::KEM_Decryption> McEliece_PrivateKey::create_kem_decryption_op(RandomNumberGenerator& /*rng*/,
                                                                                      std::string_view params,
                                                                                      std::string_view provider) const {
   const bool base_provider = provider.empty() || provider == "base";
   if(!base_provider) {
      throw Provider_Not_Found(algo_name(), provider);
   }
   return std::make_unique<MCE_KEM_Decryptor>(*this, params);
}
368 | | |
369 | | } // namespace Botan |