Botan::Classic_McEliece_PrivateKeyInternal Class Reference

Representation of a Classic McEliece private key. More...

#include <cmce_keys_internal.h>

Public Member Functions
constexpr void	_const_time_poison () const
constexpr void	_const_time_unpoison () const
const CmceColumnSelection &	c () const
	The column selection pivot vector c as defined in Classic McEliece ISO Section 9.2.11.
bool	check_key () const
	Checks the private key for consistency with the first component delta, i.e., recomputes s as a hash of delta and checks equivalence with sk.s, checks the weight of c, and checks the control bits. It also recomputes beta based on delta and recomputes g based on beta, checking that g is equal to the value sk.s.
	Classic_McEliece_PrivateKeyInternal (const Classic_McEliece_Parameters &params, CmceKeyGenSeed delta, CmceColumnSelection c, Classic_McEliece_Minimal_Polynomial g, Classic_McEliece_Field_Ordering alpha, CmceRejectionSeed s)
	Construct a Classic McEliece private key.
const CmceKeyGenSeed &	delta () const
	The seed delta that was used to create the private key.
const Classic_McEliece_Field_Ordering &	field_ordering () const
	The field ordering alpha.
const Classic_McEliece_Minimal_Polynomial &	g () const
	The minimal polynomial g.
const Classic_McEliece_Parameters &	params () const
	The Classic McEliece parameters.
const CmceRejectionSeed &	s () const
	The seed s for implicit rejection on decryption failure.
secure_vector< uint8_t >	serialize () const
	Serializes the Classic McEliece private key as defined in Classic McEliece ISO Section 9.2.12.

Static Public Member Functions
static Classic_McEliece_PrivateKeyInternal	from_bytes (const Classic_McEliece_Parameters &params, std::span< const uint8_t > sk_bytes)
	Parses a Classic McEliece private key from a byte sequence.

Detailed Description

Representation of a Classic McEliece private key.

This class represents a Classic McEliece private key. It is used internally by the Classic McEliece private key class and contains the following data (see Classic McEliece ISO Section 9.2.12):

• The Classic McEliece parameters
• The seed delta
• The column selection pivot vector c
• The minimal polynomial g
• The field ordering alpha
• The seed s for implicit rejection

Definition at line 89 of file cmce_keys_internal.h.

Constructor & Destructor Documentation

Classic_McEliece_PrivateKeyInternal()

Botan::Classic_McEliece_PrivateKeyInternal::Classic_McEliece_PrivateKeyInternal ( const Classic_McEliece_Parameters & params, CmceKeyGenSeed delta, CmceColumnSelection c, Classic_McEliece_Minimal_Polynomial g, Classic_McEliece_Field_Ordering alpha, CmceRejectionSeed s )

inline

Construct a Classic McEliece private key.

Parameters

params	The Classic McEliece parameters
delta	The seed delta
c	The column selection pivot vector c
g	The minimal polynomial g
alpha	The field ordering alpha
s	The seed s for implicit rejection

Definition at line 101 of file cmce_keys_internal.h.

                                                               :
            m_params(params),
            m_delta(std::move(delta)),
            m_c(std::move(c)),
            m_g(std::move(g)),
            m_field_ordering(std::move(alpha)),
            m_s(std::move(s)) {}

Referenced by from_bytes().

Member Function Documentation

_const_time_poison()

void Botan::Classic_McEliece_PrivateKeyInternal::_const_time_poison ( ) const

inlineconstexpr

Definition at line 173 of file cmce_keys_internal.h.

{ CT::poison_all(m_delta, m_c, m_g, m_field_ordering, m_s); }

_const_time_unpoison()

void Botan::Classic_McEliece_PrivateKeyInternal::_const_time_unpoison ( ) const

inlineconstexpr

Definition at line 175 of file cmce_keys_internal.h.

{ CT::unpoison_all(m_delta, m_c, m_g, m_field_ordering, m_s); }

c()

const CmceColumnSelection & Botan::Classic_McEliece_PrivateKeyInternal::c ( ) const

inline

The column selection pivot vector c as defined in Classic McEliece ISO Section 9.2.11.

Definition at line 141 of file cmce_keys_internal.h.

{ return m_c; }

Referenced by check_key(), and from_bytes().

check_key()

bool Botan::Classic_McEliece_PrivateKeyInternal::check_key

(

)

const

Checks the private key for consistency with the first component delta, i.e., recomputes s as a hash of delta and checks equivalence with sk.s, checks the weight of c, and checks the control bits. It also recomputes beta based on delta and recomputes g based on beta, checking that g is equal to the value sk.s.

See NIST Impl. guide 6.3 Double-Checks on Private Keys.

Definition at line 100 of file cmce_keys_internal.cpp.

                                                          {
   auto prg = m_params.prg(m_delta);
 
   const auto s = prg->output<CmceRejectionSeed>(m_params.n() / 8);
   const auto ordering_bits = prg->output<CmceOrderingBits>((m_params.sigma2() * m_params.q()) / 8);
   const auto irreducible_bits = prg->output<CmceIrreducibleBits>((m_params.sigma1() * m_params.t()) / 8);
 
   // Recomputing s as hash of delta
   auto ret = CT::Mask<size_t>::expand(CT::is_equal<uint8_t>(s.data(), m_s.data(), m_params.n() / 8));
 
   // Checking weight of c
   ret &= CT::Mask<size_t>::is_equal(c().hamming_weight(), 32);
 
   if(auto g = m_params.poly_ring().compute_minimal_polynomial(irreducible_bits)) {
      for(size_t i = 0; i < g->degree() - 1; ++i) {
         ret &= CT::Mask<size_t>::expand(GF_Mask::is_equal(g->coef_at(i), m_g.coef_at(i)).elem_mask());
      }
   } else {
      ret = CT::Mask<size_t>::cleared();
   }
 
   // Check alpha control bits
   if(auto field_ord_from_seed = Classic_McEliece_Field_Ordering::create_field_ordering(m_params, ordering_bits)) {
      field_ord_from_seed->permute_with_pivots(m_params, c());
      ret &= CT::Mask<size_t>::expand(field_ord_from_seed->ct_is_equal(field_ordering()));
   } else {
      ret = CT::Mask<size_t>::cleared();
   }
 
   return ret.as_bool();
}

References c(), Botan::CT::Mask< T >::cleared(), Botan::Classic_McEliece_Polynomial::coef_at(), Botan::Classic_McEliece_Polynomial_Ring::compute_minimal_polynomial(), Botan::Classic_McEliece_Field_Ordering::create_field_ordering(), Botan::Classic_McEliece_Polynomial::degree(), Botan::GF_Mask::elem_mask(), Botan::CT::Mask< T >::expand(), field_ordering(), g(), Botan::CT::is_equal(), Botan::CT::Mask< T >::is_equal(), Botan::GF_Mask::is_equal(), Botan::Classic_McEliece_Parameters::n(), Botan::Classic_McEliece_Parameters::poly_ring(), Botan::Classic_McEliece_Parameters::prg(), Botan::Classic_McEliece_Parameters::q(), s(), Botan::Classic_McEliece_Parameters::sigma1(), Botan::Classic_McEliece_Parameters::sigma2(), and Botan::Classic_McEliece_Parameters::t().

delta()

const CmceKeyGenSeed & Botan::Classic_McEliece_PrivateKeyInternal::delta ( ) const

inline

The seed delta that was used to create the private key.

Definition at line 136 of file cmce_keys_internal.h.

{ return m_delta; }

Referenced by from_bytes().

field_ordering()

const Classic_McEliece_Field_Ordering & Botan::Classic_McEliece_PrivateKeyInternal::field_ordering ( ) const

inline

The field ordering alpha.

Definition at line 151 of file cmce_keys_internal.h.

{ return m_field_ordering; }

Referenced by check_key(), Botan::Classic_McEliece_PublicKeyInternal::create_from_private_key(), and from_bytes().

from_bytes()

Classic_McEliece_PrivateKeyInternal Botan::Classic_McEliece_PrivateKeyInternal::from_bytes ( const Classic_McEliece_Parameters & params, std::span< const uint8_t > sk_bytes )

static

Parses a Classic McEliece private key from a byte sequence.

It also creates the field ordering from the control bits in sk_bytes.

Parameters

params	The Classic McEliece parameters
sk_bytes	The secret key byte sequence

Returns

the Classic McEliece private key

Definition at line 65 of file cmce_keys_internal.cpp.

                                                                               {
   BOTAN_ASSERT(sk_bytes.size() == params.sk_size_bytes(), "Valid private key size");
   BufferSlicer sk_slicer(sk_bytes);
 
   auto delta = sk_slicer.copy<CmceKeyGenSeed>(params.seed_len());
   auto c = CmceColumnSelection(sk_slicer.take(params.sk_c_bytes()));
   auto g = Classic_McEliece_Minimal_Polynomial::from_bytes(sk_slicer.take(params.sk_poly_g_bytes()), params.poly_f());
   auto field_ordering = Classic_McEliece_Field_Ordering::create_from_control_bits(
      params, secure_bitvector(sk_slicer.take(params.sk_alpha_control_bytes())));
   auto s = sk_slicer.copy<CmceRejectionSeed>(params.sk_s_bytes());
   BOTAN_ASSERT_NOMSG(sk_slicer.empty());
 
   return Classic_McEliece_PrivateKeyInternal(
      params, std::move(delta), std::move(c), std::move(g), std::move(field_ordering), std::move(s));
}

References BOTAN_ASSERT, BOTAN_ASSERT_NOMSG, c(), Classic_McEliece_PrivateKeyInternal(), Botan::BufferSlicer::copy(), Botan::Classic_McEliece_Field_Ordering::create_from_control_bits(), delta(), Botan::BufferSlicer::empty(), field_ordering(), Botan::Classic_McEliece_Minimal_Polynomial::from_bytes(), g(), params(), Botan::Classic_McEliece_Parameters::poly_f(), s(), Botan::Classic_McEliece_Parameters::seed_len(), Botan::Classic_McEliece_Parameters::sk_alpha_control_bytes(), Botan::Classic_McEliece_Parameters::sk_c_bytes(), Botan::Classic_McEliece_Parameters::sk_poly_g_bytes(), Botan::Classic_McEliece_Parameters::sk_s_bytes(), Botan::Classic_McEliece_Parameters::sk_size_bytes(), and Botan::BufferSlicer::take().

Referenced by Botan::Classic_McEliece_PrivateKey::Classic_McEliece_PrivateKey().

g()

const Classic_McEliece_Minimal_Polynomial & Botan::Classic_McEliece_PrivateKeyInternal::g ( ) const

inline

The minimal polynomial g.

Definition at line 146 of file cmce_keys_internal.h.

{ return m_g; }

Referenced by check_key(), Botan::Classic_McEliece_PublicKeyInternal::create_from_private_key(), and from_bytes().

params()

const Classic_McEliece_Parameters & Botan::Classic_McEliece_PrivateKeyInternal::params ( ) const

inline

The Classic McEliece parameters.

Definition at line 161 of file cmce_keys_internal.h.

{ return m_params; }

Referenced by Botan::Classic_McEliece_PublicKeyInternal::create_from_private_key(), and from_bytes().

s()

const CmceRejectionSeed & Botan::Classic_McEliece_PrivateKeyInternal::s ( ) const

inline

The seed s for implicit rejection on decryption failure.

Definition at line 156 of file cmce_keys_internal.h.

{ return m_s; }

Referenced by check_key(), and from_bytes().

serialize()

secure_vector< uint8_t > Botan::Classic_McEliece_PrivateKeyInternal::serialize

(

)

const

Serializes the Classic McEliece private key as defined in Classic McEliece ISO Section 9.2.12.

Returns

the serialized Classic McEliece private key

Definition at line 82 of file cmce_keys_internal.cpp.

                                                                            {
   auto control_bits = m_field_ordering.alphas_control_bits();
 
   /* NIST Impl. guide 6.1 Control-Bit Gen:
    *     As low-cost protection against faults in the control-bit computation, implementors are advised
    *     to check after the computation that applying the Benes network produces pi, and to
    *     restart key generation if this test fails; applying the Benes network is very fast.
    *
    * Here, we just assert that applying the Benes network produces pi.
    */
   BOTAN_ASSERT(Classic_McEliece_Field_Ordering::create_from_control_bits(m_params, control_bits)
                   .ct_is_equal(m_field_ordering)
                   .as_bool(),
                "Control Bit Computation Check");
 
   return concat(m_delta.get(), m_c.get().to_bytes(), m_g.serialize(), control_bits.to_bytes(), m_s);
}

References Botan::Classic_McEliece_Field_Ordering::alphas_control_bits(), BOTAN_ASSERT, Botan::concat(), Botan::Classic_McEliece_Field_Ordering::create_from_control_bits(), Botan::detail::Strong_Base< T >::get(), Botan::Classic_McEliece_Minimal_Polynomial::serialize(), and Botan::bitvector_base< AllocatorT >::to_bytes().

---

The documentation for this class was generated from the following files:

• src/lib/pubkey/classic_mceliece/cmce_keys_internal.h
• src/lib/pubkey/classic_mceliece/cmce_keys_internal.cpp