Botan 3.7.1
Crypto and TLS for C&
cmce_matrix.cpp
Go to the documentation of this file.
1/*
2 * Classic McEliece Matrix Logic
3 * Based on the public domain reference implementation by the designers
4 * (https://classic.mceliece.org/impl.html - released in Oct 2022 for NISTPQC-R4)
5 *
6 *
7 * (C) 2023 Jack Lloyd
8 * 2023,2024 Fabian Albert, Amos Treiber - Rohde & Schwarz Cybersecurity
9 *
10 * Botan is released under the Simplified BSD License (see license.txt)
11 **/
12
13#include <botan/internal/cmce_matrix.h>
14
15#include <botan/strong_type.h>
16
17namespace Botan {
18
19namespace {
20
21// Strong types for matrix used internally by Classic_McEliece_Matrix
22using CmceMatrixRow = Strong<secure_bitvector, struct CmceMatrixRow_>;
23using CmceMatrix = Strong<std::vector<CmceMatrixRow>, struct CmceMatrix_>;
24
25} // Anonymous namespace
26
27namespace {
28
29CT::Mask<uint64_t> bit_at_mask(uint64_t val, size_t pos) {
30 return CT::Mask<uint64_t>::expand((static_cast<uint64_t>(1) << pos) & val);
31}
32
33/// Swaps bit i with bit j in val
34void swap_bits(uint64_t& val, size_t i, size_t j) {
35 uint64_t bit_i = (val >> i) & CT::value_barrier<uint64_t>(1);
36 uint64_t bit_j = (val >> j) & CT::value_barrier<uint64_t>(1);
37 uint64_t xor_sum = bit_i ^ bit_j;
38 val ^= (xor_sum << i);
39 val ^= (xor_sum << j);
40}
41
42size_t count_lsb_zeros(uint64_t n) {
43 size_t res = 0;
44 auto found_only_zeros = Botan::CT::Mask<uint64_t>::set();
45 for(size_t bit_pos = 0; bit_pos < sizeof(uint64_t) * 8; ++bit_pos) {
46 auto bit_set_mask = bit_at_mask(n, bit_pos);
47 found_only_zeros &= ~bit_set_mask;
48 res += static_cast<size_t>(found_only_zeros.if_set_return(1));
49 }
50
51 return res;
52}
53
54CmceMatrix init_matrix_with_alphas(const Classic_McEliece_Parameters& params,
55 const Classic_McEliece_Field_Ordering& field_ordering,
56 const Classic_McEliece_Minimal_Polynomial& g) {
57 auto alphas = field_ordering.alphas(params.n());
58 std::vector<Classic_McEliece_GF> inv_g_of_alpha;
59 inv_g_of_alpha.reserve(params.n());
60 for(const auto& alpha : alphas) {
61 inv_g_of_alpha.push_back(g(alpha).inv());
62 }
63 CmceMatrix mat(std::vector<CmceMatrixRow>(params.pk_no_rows(), CmceMatrixRow(params.n())));
64
65 for(size_t i = 0; i < params.t(); ++i) {
66 for(size_t j = 0; j < params.n(); ++j) {
67 for(size_t alpha_i_j_bit = 0; alpha_i_j_bit < params.m(); ++alpha_i_j_bit) {
68 mat[i * params.m() + alpha_i_j_bit][j] = (uint16_t(1) << alpha_i_j_bit) & inv_g_of_alpha[j].elem().get();
69 }
70 }
71 // Update for the next i so that:
72 // inv_g_of_alpha[j] = h_i_j = alpha_j^i/g(alpha_j)
73 for(size_t j = 0; j < params.n(); ++j) {
74 inv_g_of_alpha.at(j) *= alphas.at(j);
75 }
76 }
77
78 return mat;
79}
80
81std::optional<CmceColumnSelection> move_columns(CmceMatrix& mat, const Classic_McEliece_Parameters& params) {
82 BOTAN_ASSERT(mat.size() == params.pk_no_rows(), "Matrix has incorrect number of rows");
83 BOTAN_ASSERT(mat.get().at(0).size() == params.n(), "Matrix has incorrect number of columns");
84 static_assert(Classic_McEliece_Parameters::nu() == 64, "nu needs to be 64");
85
86 const size_t pos_offset = params.pk_no_rows() - Classic_McEliece_Parameters::mu();
87
88 // Get the area of the matrix that needs to be (potentially) swapped.
89 // Its the sub m*t x nu matrix at column m*t - mu. For const time reasons,
90 // the sub-matrix is represented as an array of uint64_ts, where the 1st
91 // bit is the least significant bit
92 std::vector<uint64_t> matrix_swap_area;
93 matrix_swap_area.reserve(params.pk_no_rows());
94 for(size_t i = 0; i < params.pk_no_rows(); ++i) {
95 matrix_swap_area.push_back(mat[i].subvector<uint64_t>(pos_offset));
96 }
97
98 // To find which columns need to be swapped to allow for a systematic matrix form, we need to
99 // investigate how a gauss algorithm affects the last mu rows of the swap area.
100 std::array<uint64_t, Classic_McEliece_Parameters::mu()> sub_mat;
101
102 // Extract the bottom mu x nu matrix at offset pos_offset
103 for(size_t i = 0; i < Classic_McEliece_Parameters::mu(); i++) {
104 sub_mat[i] = matrix_swap_area[pos_offset + i];
105 }
106
107 std::array<size_t, Classic_McEliece_Parameters::mu()> pivot_indices = {0}; // ctz_list
108
109 // Identify the pivot indices, i.e., the indices of the leading ones for all rows
110 // when transforming the matrix into semi-systematic form. This algorithm is a modified
111 // Gauss algorithm.
112 for(size_t row_idx = 0; row_idx < Classic_McEliece_Parameters::mu(); ++row_idx) {
113 // Identify pivots (index of first 1) by OR-ing all subsequent rows into row_acc
114 auto row_acc = sub_mat.at(row_idx);
115 for(size_t next_row = row_idx + 1; next_row < Classic_McEliece_Parameters::mu(); ++next_row) {
116 row_acc |= sub_mat.at(next_row);
117 }
118
119 auto semi_systematic_form_failed = CT::Mask<uint64_t>::is_zero(row_acc);
120 if(semi_systematic_form_failed.as_choice().as_bool()) {
121 // If the current row and all subsequent rows are zero
122 // we cannot create a semi-systematic matrix
123 return std::nullopt;
124 }
125
126 // Using the row accumulator we can predict the index of the pivot
127 // bit for the current row, i.e., the first index where we can set
128 // the bit to one row by adding any subsequent row
129 size_t current_pivot_idx = count_lsb_zeros(row_acc);
130 pivot_indices.at(row_idx) = current_pivot_idx;
131
132 // Add subsequent rows to the current row, until the pivot
133 // bit is set.
134 for(size_t next_row = row_idx + 1; next_row < Classic_McEliece_Parameters::mu(); ++next_row) {
135 // Add next row if the pivot bit is still zero
136 auto add_next_row_mask = ~bit_at_mask(sub_mat.at(row_idx), current_pivot_idx);
137 sub_mat.at(row_idx) ^= add_next_row_mask.if_set_return(sub_mat.at(next_row));
138 }
139
140 // Add the (new) current row to all subsequent rows, where the leading
141 // bit of the current bit is one. Therefore, the column of the leading
142 // bit becomes zero.
143 // Note: In normal gauss, we would also add the current row to rows
144 // above the current one. However, here we only need to identify
145 // the columns to swap. Therefore, we can ignore the upper rows.
146 for(size_t next_row = row_idx + 1; next_row < Classic_McEliece_Parameters::mu(); ++next_row) {
147 // Add the current row to next_row if the pivot bit of next_row is set
148 auto add_to_next_row_mask = bit_at_mask(sub_mat.at(next_row), current_pivot_idx);
149 sub_mat.at(next_row) ^= add_to_next_row_mask.if_set_return(sub_mat.at(row_idx));
150 }
151 }
152
153 // Create pivot bitvector from the pivot index vector
154 CmceColumnSelection pivots(Classic_McEliece_Parameters::nu());
155 for(auto pivot_idx : pivot_indices) {
156 for(size_t i = 0; i < Classic_McEliece_Parameters::nu(); ++i) {
157 auto mask_is_at_current_idx = Botan::CT::Mask<size_t>::is_equal(i, pivot_idx);
158 pivots.at(i) = mask_is_at_current_idx.select(1, pivots.at(i).as<size_t>());
159 }
160 }
161
162 // Swap the rows so the matrix can be transformed into systematic form
163 for(size_t mat_row = 0; mat_row < params.pk_no_rows(); ++mat_row) {
164 for(size_t col = 0; col < Classic_McEliece_Parameters::mu(); ++col) {
165 swap_bits(matrix_swap_area.at(mat_row), col, pivot_indices.at(col));
166 }
167 }
168
169 // Reinsert the swapped columns into the matrix
170 for(size_t row = 0; row < params.pk_no_rows(); ++row) {
171 mat[row].subvector_replace(pos_offset, matrix_swap_area[row]);
172 }
173
174 return pivots;
175}
176
177std::optional<CmceColumnSelection> apply_gauss(const Classic_McEliece_Parameters& params, CmceMatrix& mat) {
178 BOTAN_ASSERT(mat.size() == params.pk_no_rows(), "Matrix has incorrect number of rows");
179 BOTAN_ASSERT(mat.get().at(0).size() == params.n(), "Matrix has incorrect number of columns");
180 // Initialized for systematic form instances
181 // Is overridden for semi systematic instances
182 auto pivots = CmceColumnSelection({0xFF, 0xFF, 0xFF, 0xFF, 0, 0, 0, 0});
183
184 // Gaussian Elimination
185 for(size_t diag_pos = 0; diag_pos < params.pk_no_rows(); ++diag_pos) {
186 if(params.is_f() && diag_pos == params.pk_no_rows() - params.mu()) {
187 auto ret_pivots = move_columns(mat, params);
188 bool move_columns_failed = !ret_pivots.has_value();
189 CT::unpoison(move_columns_failed);
190 if(move_columns_failed) {
191 return std::nullopt;
192 } else {
193 pivots = std::move(ret_pivots.value());
194 }
195 }
196
197 // Iterates over all rows next_row under row diag_pos. If the bit at column
198 // diag_pos differs between row diag_pos and row next_row, row next_row is added to row diag_pos.
199 // This achieves that the respective bit at the diagonal becomes 1
200 // (if mat is systematic)
201 for(size_t next_row = diag_pos + 1; next_row < params.pk_no_rows(); ++next_row) {
202 mat[diag_pos].get().ct_conditional_xor(!mat[diag_pos].at(diag_pos).as_choice(), mat[next_row].get());
203 }
204
205 // If the current bit on the diagonal is not set at this point
206 // the matrix is not systematic. We abort the computation in this case.
207 bool diag_bit_zero = !mat[diag_pos].at(diag_pos);
208 CT::unpoison(diag_bit_zero);
209 if(diag_bit_zero) {
210 return std::nullopt;
211 }
212
213 // Now the new row is added to all other rows, where the
214 // bit in the column of the current postion on the diagonal
215 // is still one
216 for(size_t row = 0; row < params.pk_no_rows(); ++row) {
217 if(row != diag_pos) {
218 mat[row].get().ct_conditional_xor(mat[row].at(diag_pos).as_choice(), mat[diag_pos].get());
219 }
220 }
221 }
222
223 return pivots;
224}
225
226std::vector<uint8_t> extract_pk_bytes_from_matrix(const Classic_McEliece_Parameters& params, const CmceMatrix& mat) {
227 // Store T of the matrix (I_mt|T) as a linear vector to represent the
228 // public key as defined in McEliece ISO 9.2.7
229 std::vector<uint8_t> big_t(params.pk_size_bytes());
230 auto big_t_stuffer = BufferStuffer(big_t);
231
232 for(size_t row = 0; row < params.pk_no_rows(); ++row) {
233 mat[row].subvector(params.pk_no_rows()).to_bytes(big_t_stuffer.next(params.pk_row_size_bytes()));
234 }
235
236 BOTAN_ASSERT_NOMSG(big_t_stuffer.full());
237
238 return big_t;
239}
240
241} // namespace
242
243std::optional<std::pair<Classic_McEliece_Matrix, CmceColumnSelection>> Classic_McEliece_Matrix::create_matrix(
244 const Classic_McEliece_Parameters& params,
245 const Classic_McEliece_Field_Ordering& field_ordering,
246 const Classic_McEliece_Minimal_Polynomial& g) {
247 auto mat = init_matrix_with_alphas(params, field_ordering, g);
248 auto pivots = apply_gauss(params, mat);
249
250 auto gauss_failed = !pivots.has_value();
251 CT::unpoison(gauss_failed);
252 if(gauss_failed) {
253 return std::nullopt;
254 }
255
256 auto pk_mat_bytes = extract_pk_bytes_from_matrix(params, mat);
257 return std::make_pair(Classic_McEliece_Matrix(params, std::move(pk_mat_bytes)), pivots.value());
258}
259
260std::optional<std::pair<Classic_McEliece_Matrix, CmceColumnSelection>>
261Classic_McEliece_Matrix::create_matrix_and_apply_pivots(const Classic_McEliece_Parameters& params,
262 Classic_McEliece_Field_Ordering& field_ordering,
263 const Classic_McEliece_Minimal_Polynomial& g) {
264 auto pk_matrix_and_pivots = create_matrix(params, field_ordering, g);
265
266 bool matrix_creation_failed = !pk_matrix_and_pivots.has_value();
267 CT::unpoison(matrix_creation_failed);
268 if(matrix_creation_failed) {
269 return std::nullopt;
270 }
271
272 auto& [_, pivots] = pk_matrix_and_pivots.value();
273
274 if(params.is_f()) {
275 field_ordering.permute_with_pivots(params, pivots);
276 }
277
278 return pk_matrix_and_pivots;
279}
280
281CmceCodeWord Classic_McEliece_Matrix::mul(const Classic_McEliece_Parameters& params, const CmceErrorVector& e) const {
282 auto s = e.subvector<CmceCodeWord>(0, params.pk_no_rows());
283 auto e_T = e.subvector(params.pk_no_rows());
284 auto pk_slicer = BufferSlicer(m_mat_bytes);
285
286 for(size_t i = 0; i < params.pk_no_rows(); ++i) {
287 auto pk_current_bytes = pk_slicer.take(params.pk_row_size_bytes());
288 auto row = secure_bitvector(pk_current_bytes, params.n() - params.pk_no_rows());
289 row &= e_T;
290 s[i] ^= row.has_odd_hamming_weight().as_bool();
291 }
292
293 BOTAN_ASSERT_NOMSG(pk_slicer.empty());
294 return s;
295}
296} // namespace Botan
BOTAN_ASSERT_NOMSG
#define BOTAN_ASSERT_NOMSG(expr)
Definition assert.h:59
BOTAN_ASSERT
#define BOTAN_ASSERT(expr, assertion_made)
Definition assert.h:50
Botan::CT::Mask::set
static constexpr Mask< T > set()
Definition ct_utils.h:398
Botan::CT::Mask::is_equal
static constexpr Mask< T > is_equal(T x, T y)
Definition ct_utils.h:453
Botan::Classic_McEliece_Field_Ordering
Represents a field ordering for the Classic McEliece cryptosystem.
Definition cmce_field_ordering.h:25
Botan::Classic_McEliece_Field_Ordering::permute_with_pivots
void permute_with_pivots(const Classic_McEliece_Parameters &params, const CmceColumnSelection &pivots)
Permute the field ordering with the given pivots.
Definition cmce_field_ordering.cpp:316
Botan::Classic_McEliece_Matrix::create_matrix
static std::optional< std::pair< Classic_McEliece_Matrix, CmceColumnSelection > > create_matrix(const Classic_McEliece_Parameters &params, const Classic_McEliece_Field_Ordering &field_ordering, const Classic_McEliece_Minimal_Polynomial &g)
Create the matrix H for a Classic McEliece instance given its parameters, field ordering and minimal ...
Definition cmce_matrix.cpp:243
Botan::Classic_McEliece_Matrix::mul
CmceCodeWord mul(const Classic_McEliece_Parameters &params, const CmceErrorVector &e) const
Multiply the Classic McEliece matrix H with a bitvector e.
Definition cmce_matrix.cpp:281
Botan::Classic_McEliece_Matrix::create_matrix_and_apply_pivots
static std::optional< std::pair< Classic_McEliece_Matrix, CmceColumnSelection > > create_matrix_and_apply_pivots(const Classic_McEliece_Parameters &params, Classic_McEliece_Field_Ordering &field_ordering, const Classic_McEliece_Minimal_Polynomial &g)
Create the matrix H for a Classic McEliece instance given its parameters, field ordering and minimal ...
Definition cmce_matrix.cpp:261
Botan::Classic_McEliece_Matrix::Classic_McEliece_Matrix
Classic_McEliece_Matrix(const Classic_McEliece_Parameters &params, std::vector< uint8_t > mat_bytes)
Create a Classic_McEliece_Matrix from bytes.
Definition cmce_matrix.h:84
Botan::Classic_McEliece_Minimal_Polynomial
Representation of a minimal polynomial in GF(q)[y].
Definition cmce_poly.h:81
Botan::Classic_McEliece_Parameters
Definition cmce_parameters.h:29
Botan::Classic_McEliece_Parameters::pk_no_rows
size_t pk_no_rows() const
The number of rows in the public key's matrix.
Definition cmce_parameters.h:191
Botan::Classic_McEliece_Parameters::pk_row_size_bytes
size_t pk_row_size_bytes() const
The number of bytes for each row in the public key's matrix.
Definition cmce_parameters.h:205
Botan::Classic_McEliece_Parameters::n
size_t n() const
The code length of the Classic McEliece instance.
Definition cmce_parameters.h:100
Botan::Classic_McEliece_Parameters::is_f
bool is_f() const
Definition cmce_parameters.h:72
Botan::detail::Strong_Adapter< T >::subvector
auto subvector(size_type pos, std::optional< size_type > length=std::nullopt) const
Definition bitvector.h:1383
Botan::CT::unpoison
constexpr void unpoison(const T *p, size_t n)
Definition ct_utils.h:64
Botan::secure_bitvector
bitvector_base< secure_allocator > secure_bitvector
Definition bitvector.h:1297
Botan::CmceColumnSelection
Strong< secure_bitvector, struct CmceColumnSelection_ > CmceColumnSelection
Represents c of private key.
Definition cmce_types.h:46
Botan::swap_bits
constexpr void swap_bits(T &x, T &y, T mask, size_t shift)
Definition bit_ops.h:197
Generated by doxygen 1.12.0