From deb62ad63c170abb6059e493cdc13eac2dde11f9 Mon Sep 17 00:00:00 2001 From: dkostic Date: Thu, 25 Apr 2024 15:47:22 -0700 Subject: [PATCH 1/4] Implement derand API for Kyber keygen
---
 .../pqcrystals_kyber_ref_common/indcpa.c | 12 +++---
 .../pqcrystals_kyber_ref_common/indcpa.h | 7 ++--
 .../kyber/pqcrystals_kyber_ref_common/kem.c | 39 +++++++++++++++----
 .../kyber/pqcrystals_kyber_ref_common/kem.h | 3 ++
 4 files changed, 46 insertions(+), 15 deletions(-)
diff --git a/crypto/kyber/pqcrystals_kyber_ref_common/indcpa.c b/crypto/kyber/pqcrystals_kyber_ref_common/indcpa.c
index c406cef20f..07befaf6c4 100644
--- a/crypto/kyber/pqcrystals_kyber_ref_common/indcpa.c
+++ b/crypto/kyber/pqcrystals_kyber_ref_common/indcpa.c
@@ -200,10 +200,13 @@ void gen_matrix(polyvec *a, const uint8_t seed[KYBER_SYMBYTES], int transposed)
 * Arguments: - uint8_t *pk: pointer to output public key
 * (of length KYBER_INDCPA_PUBLICKEYBYTES bytes)
 * - uint8_t *sk: pointer to output private key
- (of length KYBER_INDCPA_SECRETKEYBYTES bytes)
+* (of length KYBER_INDCPA_SECRETKEYBYTES bytes)
+* - const uint8_t *coins: pointer to input randomness
+* (of length KYBER_SYMBYTES bytes)
 **************************************************/
-void indcpa_keypair(uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES],
- uint8_t sk[KYBER_INDCPA_SECRETKEYBYTES])
+void indcpa_keypair_derand(uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES],
+ uint8_t sk[KYBER_INDCPA_SECRETKEYBYTES],
+ const uint8_t coins[KYBER_SYMBYTES])
 {
 unsigned int i;
 uint8_t buf[2*KYBER_SYMBYTES];
@@ -212,8 +215,7 @@ void indcpa_keypair(uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES],
 uint8_t nonce = 0;
 polyvec a[KYBER_K], e, pkpv, skpv;
- pq_custom_randombytes(buf, KYBER_SYMBYTES);
- hash_g(buf, buf, KYBER_SYMBYTES);
+ hash_g(buf, coins, KYBER_SYMBYTES);
 gen_a(a, publicseed);
diff --git a/crypto/kyber/pqcrystals_kyber_ref_common/indcpa.h b/crypto/kyber/pqcrystals_kyber_ref_common/indcpa.h
index 57bd5ead3a..de808e26ed 100644 
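Review bot: The new `coins` documentation in the first hunk states only its length, but `hash_g(buf, coins, KYBER_SYMBYTES)` in the second hunk derives the public seed handed to `gen_a(a, publicseed)` (and presumably the noise seed in the rest of `buf`) from it, so anyone holding `coins` can recompute the whole key pair. I would extend the comment to `* - const uint8_t *coins: pointer to input randomness (of length KYBER_SYMBYTES bytes); must be uniformly random and treated as secret-key material, since pk and sk are derived deterministically from it`. Note also that the removed `hash_g(buf, buf, …)` overwrote the raw seed in place, whereas the caller's `coins` buffer now outlives this call untouched, so clearing it is the caller's responsibility and is worth stating. The body of `indcpa_keypair_derand` continues past the end of the second hunk.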
--- a/crypto/kyber/pqcrystals_kyber_ref_common/indcpa.h
+++ b/crypto/kyber/pqcrystals_kyber_ref_common/indcpa.h
@@ -7,9 +7,10 @@
 #define gen_matrix KYBER_NAMESPACE(gen_matrix)
 void gen_matrix(polyvec *a, const uint8_t seed[KYBER_SYMBYTES], int transposed);
-#define indcpa_keypair KYBER_NAMESPACE(indcpa_keypair)
-void indcpa_keypair(uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES],
- uint8_t sk[KYBER_INDCPA_SECRETKEYBYTES]);
+#define indcpa_keypair_derand KYBER_NAMESPACE(indcpa_keypair_derand)
+void indcpa_keypair_derand(uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES],
+ uint8_t sk[KYBER_INDCPA_SECRETKEYBYTES],
+ const uint8_t coins[KYBER_SYMBYTES]);
 #define indcpa_enc KYBER_NAMESPACE(indcpa_enc)
 void indcpa_enc(uint8_t c[KYBER_INDCPA_BYTES],
diff --git a/crypto/kyber/pqcrystals_kyber_ref_common/kem.c b/crypto/kyber/pqcrystals_kyber_ref_common/kem.c
index 1e19e0add7..f9e5c3d71a 100644
--- a/crypto/kyber/pqcrystals_kyber_ref_common/kem.c
+++ b/crypto/kyber/pqcrystals_kyber_ref_common/kem.c
@@ -1,12 +1,40 @@ #include "kem.h" #include #include +#include #include "indcpa.h" #include "params.h" #include "symmetric.h" #include "verify.h" #include "../../rand_extra/pq_custom_randombytes.h" +/************************************************* +* Name: crypto_kem_keypair_derand +* +* Description: Generates public and private key +* for CCA-secure Kyber key encapsulation mechanism +* +* Arguments: - uint8_t *pk: pointer to output public key +* (an already allocated array of KYBER_PUBLICKEYBYTES bytes) +* - uint8_t *sk: pointer to output private key +* (an already allocated array of KYBER_SECRETKEYBYTES bytes) +* - uint8_t *coins: pointer to input randomness +* (an already allocated array filled with 2*KYBER_SYMBYTES random bytes) +** +* Returns 0 (success) +**************************************************/ +int crypto_kem_keypair_derand(uint8_t *pk, + uint8_t *sk, + const uint8_t *coins) +{ + indcpa_keypair_derand(pk, sk, coins); + memcpy(sk+KYBER_INDCPA_SECRETKEYBYTES, pk, KYBER_PUBLICKEYBYTES); + hash_h(sk+KYBER_SECRETKEYBYTES-2*KYBER_SYMBYTES, pk, KYBER_PUBLICKEYBYTES); + /* Value z for pseudo-random output on reject */ + memcpy(sk+KYBER_SECRETKEYBYTES-KYBER_SYMBYTES, coins+KYBER_SYMBYTES, KYBER_SYMBYTES); + return 0; +} + /************************************************* * Name: crypto_kem_keypair * @@ -23,13 +51,10 @@ int crypto_kem_keypair(uint8_t *pk, uint8_t *sk) { - size_t i; - indcpa_keypair(pk, sk); - for(i=0;i Date: Thu, 25 Apr 2024 16:11:20 -0700 Subject: [PATCH 2/4] Implement derand API for Kyber encaps --- .../kyber/pqcrystals_kyber_ref_common/kem.c | 39 ++++++++++++++++--- .../kyber/pqcrystals_kyber_ref_common/kem.h | 3 ++ 2 files changed, 36 insertions(+), 6 deletions(-) diff --git a/crypto/kyber/pqcrystals_kyber_ref_common/kem.c b/crypto/kyber/pqcrystals_kyber_ref_common/kem.c index f9e5c3d71a..95b58b332a 100644 --- a/crypto/kyber/pqcrystals_kyber_ref_common/kem.c +++ b/crypto/kyber/pqcrystals_kyber_ref_common/kem.c 
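Review bot: The argument block for `crypto_kem_keypair_derand` understates what `coins` is: the first `KYBER_SYMBYTES` bytes seed `indcpa_keypair_derand`, and the second half is copied verbatim into `sk` as the implicit-rejection value `z` by the `memcpy(sk+KYBER_SECRETKEYBYTES-KYBER_SYMBYTES, coins+KYBER_SYMBYTES, KYBER_SYMBYTES)` line, so the entire buffer is secret-key material rather than just "input randomness". I would change the line to `* - const uint8_t *coins: pointer to 2*KYBER_SYMBYTES uniformly random, secret bytes (first half seeds the key pair, second half is stored in sk as z)`, which also restores the `const` the comment drops relative to the signature. The stray `**` line before `* Returns 0 (success)` looks like a typo for `*`. The second hunk of this file, covering `crypto_kem_keypair`, is cut off at the end of this chunk and is not reviewed here.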
@@ -59,7 +59,7 @@ int crypto_kem_keypair(uint8_t *pk,
 }
 /*************************************************
-* Name: crypto_kem_enc
+* Name: crypto_kem_enc_derand
 *
 * Description: Generates cipher text and shared
 * secret for given public key
@@ -70,20 +70,22 @@ int crypto_kem_keypair(uint8_t *pk,
 * (an already allocated array of KYBER_SSBYTES bytes)
 * - const uint8_t *pk: pointer to input public key
 * (an already allocated array of KYBER_PUBLICKEYBYTES bytes)
+* - const uint8_t *coins: pointer to input randomness
+* (an already allocated array filled with KYBER_SYMBYTES random bytes)
 *
 * Returns 0 (success)
 **************************************************/
-int crypto_kem_enc(uint8_t *ct,
- uint8_t *ss,
- const uint8_t *pk)
+int crypto_kem_enc_derand(uint8_t *ct,
+ uint8_t *ss,
+ const uint8_t *pk,
+ const uint8_t *coins)
 {
 uint8_t buf[2*KYBER_SYMBYTES];
 /* Will contain key, coins */
 uint8_t kr[2*KYBER_SYMBYTES];
- pq_custom_randombytes(buf, KYBER_SYMBYTES);
 /* Don't release system RNG output */
- hash_h(buf, buf, KYBER_SYMBYTES);
+ hash_h(buf, coins, KYBER_SYMBYTES);
 /* Multitarget countermeasure for coins + contributory KEM */
 hash_h(buf+KYBER_SYMBYTES, pk, KYBER_PUBLICKEYBYTES);
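Review bot: The `coins` comment on `crypto_kem_enc_derand` says only that the buffer holds `KYBER_SYMBYTES` random bytes, but `hash_h(buf, coins, KYBER_SYMBYTES)` writes it straight into `buf`, which the existing comment says will contain the key, so calling this twice with the same `coins` and `pk` reproduces the same ciphertext and shared secret. I would say so in the header: `* (KYBER_SYMBYTES bytes; must be fresh, uniformly random and kept secret for each encapsulation, since the shared secret is derived from them)`. If the `/* Don't release system RNG output */` line survives as context above the new `hash_h(buf, coins, …)` call, it is now stale because the input is caller-supplied rather than RNG output, and should be reworded or dropped. The function body continues past the end of the hunk.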
@@ -99,6 +101,31 @@ int crypto_kem_enc(uint8_t *ct,
 return 0;
 }
+/*************************************************
+* Name: crypto_kem_enc
+*
+* Description: Generates cipher text and shared
+* secret for given public key
+*
+* Arguments: - uint8_t *ct: pointer to output cipher text
+* (an already allocated array of KYBER_CIPHERTEXTBYTES bytes)
+* - uint8_t *ss: pointer to output shared secret
+* (an already allocated array of KYBER_SSBYTES bytes)
+* - const uint8_t *pk: pointer to input public key
+* (an already allocated array of KYBER_PUBLICKEYBYTES bytes)
+*
+* Returns 0 (success)
+**************************************************/
+int crypto_kem_enc(uint8_t *ct,
+ uint8_t *ss,
+ const uint8_t *pk)
+{
+ uint8_t coins[KYBER_SYMBYTES];
+ pq_custom_randombytes(coins, KYBER_SYMBYTES);
+ crypto_kem_enc_derand(ct, ss, pk, coins);
+ return 0;
+}
+
 /*************************************************
 * Name: crypto_kem_dec
 *
diff --git a/crypto/kyber/pqcrystals_kyber_ref_common/kem.h b/crypto/kyber/pqcrystals_kyber_ref_common/kem.h
index 6cdfd4e42f..519db06fa8 100644
--- a/crypto/kyber/pqcrystals_kyber_ref_common/kem.h
+++ b/crypto/kyber/pqcrystals_kyber_ref_common/kem.h
@@ -35,6 +35,9 @@ int crypto_kem_keypair_derand(uint8_t *pk, uint8_t *sk, const uint8_t *coins);
 #define crypto_kem_keypair KYBER_NAMESPACE(keypair)
 int crypto_kem_keypair(uint8_t *pk, uint8_t *sk);
+#define crypto_kem_enc_derand KYBER_NAMESPACE(enc_derand)
+int crypto_kem_enc_derand(uint8_t *ct, uint8_t *ss, const uint8_t *pk, const uint8_t *coins);
+
 #define crypto_kem_enc KYBER_NAMESPACE(enc)
 int crypto_kem_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
From 3e88a86e6fc0334bf3d5551a2b55cf959d1c231c Mon Sep 17 00:00:00 2001 From: dkostic Date: Fri, 26 Apr 2024 07:45:54 -0700 Subject: [PATCH 3/4] addressing CR
---
 crypto/kyber/pqcrystals_kyber_ref_common/kem.c | 4 ++--
 crypto/kyber/pqcrystals_kyber_ref_common/kem.h | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
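Review bot: The new `crypto_kem_enc` leaves the raw message in `coins` on the stack after `crypto_kem_enc_derand` returns; the code it replaces hashed the RNG output in place (`hash_h(buf, buf, …)` among the removed lines of the previous hunk), so the unhashed value did not previously survive the call. Since the shared secret is derived from this value, I would wipe it before returning: `crypto_kem_enc_derand(ct, ss, pk, coins);` `OPENSSL_cleanse(coins, sizeof(coins));` `return 0;` — substituting whatever zeroization helper this tree uses if `OPENSSL_cleanse` and its header are not already reachable from kem.c. The comment block above the function could also mention that the randomness is drawn internally via `pq_custom_randombytes` and never exposed to the caller, which is the property the derand variant gives up.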
diff --git a/crypto/kyber/pqcrystals_kyber_ref_common/kem.c b/crypto/kyber/pqcrystals_kyber_ref_common/kem.c
index 95b58b332a..217a4c9cff 100644
--- a/crypto/kyber/pqcrystals_kyber_ref_common/kem.c
+++ b/crypto/kyber/pqcrystals_kyber_ref_common/kem.c
@@ -31,7 +31,7 @@ int crypto_kem_keypair_derand(uint8_t *pk,
 memcpy(sk+KYBER_INDCPA_SECRETKEYBYTES, pk, KYBER_PUBLICKEYBYTES);
 hash_h(sk+KYBER_SECRETKEYBYTES-2*KYBER_SYMBYTES, pk, KYBER_PUBLICKEYBYTES);
 /* Value z for pseudo-random output on reject */
- memcpy(sk+KYBER_SECRETKEYBYTES-KYBER_SYMBYTES, coins+KYBER_SYMBYTES, KYBER_SYMBYTES);
+ memcpy(sk + KYBER_SECRETKEYBYTES - KYBER_SYMBYTES, coins + KYBER_SYMBYTES, KYBER_SYMBYTES);
 return 0;
 }
@@ -78,7 +78,7 @@ int crypto_kem_keypair(uint8_t *pk,
 int crypto_kem_enc_derand(uint8_t *ct,
 uint8_t *ss,
 const uint8_t *pk,
- const uint8_t *coins)
+ const uint8_t coins[KYBER_SYMBYTES])
 {
 uint8_t buf[2*KYBER_SYMBYTES];
 /* Will contain key, coins */
diff --git a/crypto/kyber/pqcrystals_kyber_ref_common/kem.h b/crypto/kyber/pqcrystals_kyber_ref_common/kem.h
index 519db06fa8..4896548b2b 100644
--- a/crypto/kyber/pqcrystals_kyber_ref_common/kem.h
+++ b/crypto/kyber/pqcrystals_kyber_ref_common/kem.h
@@ -30,13 +30,13 @@
 #endif
 #define crypto_kem_keypair_derand KYBER_NAMESPACE(keypair_derand)
-int crypto_kem_keypair_derand(uint8_t *pk, uint8_t *sk, const uint8_t *coins);
+int crypto_kem_keypair_derand(uint8_t *pk, uint8_t *sk, const uint8_t coins[KYBER_SYMBYTES]);
 #define crypto_kem_keypair KYBER_NAMESPACE(keypair)
 int crypto_kem_keypair(uint8_t *pk, uint8_t *sk);
 #define crypto_kem_enc_derand KYBER_NAMESPACE(enc_derand)
-int crypto_kem_enc_derand(uint8_t *ct, uint8_t *ss, const uint8_t *pk, const uint8_t *coins);
+int crypto_kem_enc_derand(uint8_t *ct, uint8_t *ss, const uint8_t *pk, const uint8_t coins[KYBER_SYMBYTES]);
 #define crypto_kem_enc KYBER_NAMESPACE(enc)
 int crypto_kem_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
From 9f0fe407d017382fbcdeca20daefcc2e1718ca46 Mon Sep 17 00:00:00 2001 From: dkostic Date: Fri, 26 Apr 2024 10:07:52 -0700 Subject: [PATCH 4/4] forgot to git add
---
 crypto/kyber/pqcrystals_kyber_ref_common/kem.c | 4 ++--
 crypto/kyber/pqcrystals_kyber_ref_common/kem.h | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/crypto/kyber/pqcrystals_kyber_ref_common/kem.c b/crypto/kyber/pqcrystals_kyber_ref_common/kem.c
index 217a4c9cff..d07cf46fac 100644
--- a/crypto/kyber/pqcrystals_kyber_ref_common/kem.c
+++ b/crypto/kyber/pqcrystals_kyber_ref_common/kem.c
@@ -25,7 +25,7 @@
 **************************************************/
 int crypto_kem_keypair_derand(uint8_t *pk,
 uint8_t *sk,
- const uint8_t *coins)
+ const uint8_t coins[2*KYBER_SYMBYTES])
 {
 indcpa_keypair_derand(pk, sk, coins);
 memcpy(sk+KYBER_INDCPA_SECRETKEYBYTES, pk, KYBER_PUBLICKEYBYTES);
@@ -53,7 +53,7 @@ int crypto_kem_keypair(uint8_t *pk,
 {
 uint8_t coins[2*KYBER_SYMBYTES];
 pq_custom_randombytes(coins, KYBER_SYMBYTES);
- pq_custom_randombytes(coins+KYBER_SYMBYTES, KYBER_SYMBYTES);
+ pq_custom_randombytes(coins + KYBER_SYMBYTES, KYBER_SYMBYTES);
 crypto_kem_keypair_derand(pk, sk, coins);
 return 0;
 }
diff --git a/crypto/kyber/pqcrystals_kyber_ref_common/kem.h b/crypto/kyber/pqcrystals_kyber_ref_common/kem.h
index 4896548b2b..5d09eca05d 100644
--- a/crypto/kyber/pqcrystals_kyber_ref_common/kem.h
+++ b/crypto/kyber/pqcrystals_kyber_ref_common/kem.h
@@ -30,7 +30,7 @@
 #endif
 #define crypto_kem_keypair_derand KYBER_NAMESPACE(keypair_derand)
-int crypto_kem_keypair_derand(uint8_t *pk, uint8_t *sk, const uint8_t coins[KYBER_SYMBYTES]);
+int crypto_kem_keypair_derand(uint8_t *pk, uint8_t *sk, const uint8_t coins[2*KYBER_SYMBYTES]);
 #define crypto_kem_keypair KYBER_NAMESPACE(keypair)
 int crypto_kem_keypair(uint8_t *pk, uint8_t *sk);
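Review bot: In the second kem.c hunk `crypto_kem_keypair` fills `coins` with the key seed and the implicit-rejection value and never clears it after `crypto_kem_keypair_derand` returns, so both secrets stay on the stack; before this series the seed was overwritten in place by the `hash_g(buf, buf, …)` call that patch 1 removed from `indcpa_keypair`. Because the first half alone lets anyone regenerate the entire key pair, I would add `OPENSSL_cleanse(coins, sizeof(coins));` immediately after the `crypto_kem_keypair_derand(pk, sk, coins);` line, substituting whatever zeroization helper is reachable from kem.c if that one is not. The function's signature line is outside the hunk.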
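Review bot: The `coins[2*KYBER_SYMBYTES]` bound on the `crypto_kem_keypair_derand` prototype in kem.h decays to a plain pointer, so nothing is enforced at the call site, and a caller that sized its buffer to the `KYBER_SYMBYTES` this line advertised in the previous revision would be overread by the `coins + KYBER_SYMBYTES` copy in kem.c. I would add a one-line comment above the prototype, `/* coins: exactly 2*KYBER_SYMBYTES secret random bytes (key seed || z); the array bound is documentation only and is not checked */`, and, if this file is compiled as C99 or later, consider `const uint8_t coins[static 2*KYBER_SYMBYTES]` so compilers can at least diagnose a null argument.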