Botan 3.4.0
Crypto and TLS for C&
dilithium_symmetric_primitives.h
Go to the documentation of this file.
1/*
2* Asymmetric primitives for dilithium
3* (C) 2022-2023 Jack Lloyd
4* (C) 2022-2023 Michael Boric, René Meusel - Rohde & Schwarz Cybersecurity
5* (C) 2022 Manuel Glaser - Rohde & Schwarz Cybersecurity
6*
7* Botan is released under the Simplified BSD License (see license.txt)
8*/
9
10#ifndef BOTAN_DILITHIUM_ASYM_PRIMITIVES_H_
11#define BOTAN_DILITHIUM_ASYM_PRIMITIVES_H_
12
13#include <botan/dilithium.h>
14
15#include <botan/xof.h>
16#include <botan/internal/shake.h>
17
18#include <memory>
19#include <span>
20#include <vector>
21
22namespace Botan {
23
24/**
25* Adapter class that uses polymorphy to distinguish
26* Dilithium "common" from Dilithium "AES" modes.
27*/
28class Dilithium_Symmetric_Primitives {
29 public:
30 enum class XofType { k128, k256 };
31
32 public:
33 static std::unique_ptr<Dilithium_Symmetric_Primitives> create(DilithiumMode mode);
34
35 virtual ~Dilithium_Symmetric_Primitives() = default;
36
37 // H is same for all modes
38 secure_vector<uint8_t> H(std::span<const uint8_t> seed, size_t out_len) const {
39 return SHAKE_256(out_len * 8).process(seed.data(), seed.size());
40 }
41
42 // CRH is same for all modes
43 secure_vector<uint8_t> CRH(std::span<const uint8_t> in, size_t out_len) const {
44 return SHAKE_256(out_len * 8).process(in.data(), in.size());
45 }
46
47 // ExpandMatrix always uses the 256 version of the XOF
48 secure_vector<uint8_t> ExpandMask(std::span<const uint8_t> seed, uint16_t nonce, size_t out_len) const {
49 return XOF(XofType::k256, seed, nonce)->output(out_len);
50 }
51
52 // Mode dependent function
53 virtual std::unique_ptr<Botan::XOF> XOF(XofType type, std::span<const uint8_t> seed, uint16_t nonce) const = 0;
54};
55
56enum DilithiumEta : uint32_t { Eta2 = 2, Eta4 = 4 };
57
58// Constants and mode dependent values
59class DilithiumModeConstants {
60 public:
61 static constexpr int32_t SEEDBYTES = 32;
62 static constexpr int32_t CRHBYTES = 64;
63 static constexpr int32_t N = 256;
64 static constexpr int32_t Q = 8380417;
65 static constexpr int32_t D = 13;
66 static constexpr int32_t ROOT_OF_UNITY = 1753;
67 static constexpr int32_t POLYT1_PACKEDBYTES = 320;
68 static constexpr int32_t POLYT0_PACKEDBYTES = 416;
69 static constexpr int32_t SHAKE128_RATE = 168;
70 static constexpr int32_t SHAKE256_RATE = 136;
71 static constexpr int32_t SHA3_256_RATE = 136;
72 static constexpr int32_t SHA3_512_RATE = 72;
73 static constexpr int32_t AES256CTR_BLOCKBYTES = 64;
74 static constexpr int32_t QINV = 58728449;
75 static constexpr int32_t ZETAS[DilithiumModeConstants::N] = {
76 0, 25847, -2608894, -518909, 237124, -777960, -876248, 466468, 1826347, 2353451, -359251,
77 -2091905, 3119733, -2884855, 3111497, 2680103, 2725464, 1024112, -1079900, 3585928, -549488, -1119584,
78 2619752, -2108549, -2118186, -3859737, -1399561, -3277672, 1757237, -19422, 4010497, 280005, 2706023,
79 95776, 3077325, 3530437, -1661693, -3592148, -2537516, 3915439, -3861115, -3043716, 3574422, -2867647,
80 3539968, -300467, 2348700, -539299, -1699267, -1643818, 3505694, -3821735, 3507263, -2140649, -1600420,
81 3699596, 811944, 531354, 954230, 3881043, 3900724, -2556880, 2071892, -2797779, -3930395, -1528703,
82 -3677745, -3041255, -1452451, 3475950, 2176455, -1585221, -1257611, 1939314, -4083598, -1000202, -3190144,
83 -3157330, -3632928, 126922, 3412210, -983419, 2147896, 2715295, -2967645, -3693493, -411027, -2477047,
84 -671102, -1228525, -22981, -1308169, -381987, 1349076, 1852771, -1430430, -3343383, 264944, 508951,
85 3097992, 44288, -1100098, 904516, 3958618, -3724342, -8578, 1653064, -3249728, 2389356, -210977,
86 759969, -1316856, 189548, -3553272, 3159746, -1851402, -2409325, -177440, 1315589, 1341330, 1285669,
87 -1584928, -812732, -1439742, -3019102, -3881060, -3628969, 3839961, 2091667, 3407706, 2316500, 3817976,
88 -3342478, 2244091, -2446433, -3562462, 266997, 2434439, -1235728, 3513181, -3520352, -3759364, -1197226,
89 -3193378, 900702, 1859098, 909542, 819034, 495491, -1613174, -43260, -522500, -655327, -3122442,
90 2031748, 3207046, -3556995, -525098, -768622, -3595838, 342297, 286988, -2437823, 4108315, 3437287,
91 -3342277, 1735879, 203044, 2842341, 2691481, -2590150, 1265009, 4055324, 1247620, 2486353, 1595974,
92 -3767016, 1250494, 2635921, -3548272, -2994039, 1869119, 1903435, -1050970, -1333058, 1237275, -3318210,
93 -1430225, -451100, 1312455, 3306115, -1962642, -1279661, 1917081, -2546312, -1374803, 1500165, 777191,
94 2235880, 3406031, -542412, -2831860, -1671176, -1846953, -2584293, -3724270, 594136, -3776993, -2013608,
95 2432395, 2454455, -164721, 1957272, 3369112, 185531, -1207385, -3183426, 162844, 1616392, 3014001,
96 810149, 1652634, -3694233, -1799107, -3038916, 3523897, 3866901, 269760, 2213111, -975884, 1717735,
97 472078, -426683, 1723600, -1803090, 1910376, -1667432, -1104333, -260646, -3833893, -2939036, -2235985,
98 -420899, -2286327, 183443, -976891, 1612842, -3545687, -554416, 3919660, -48306, -1362209, 3937738,
99 1400424, -846154, 1976782};
100 static constexpr int32_t kSerializedPolynomialByteLength = DilithiumModeConstants::N / 2 * 3;
101
102 DilithiumModeConstants(DilithiumMode dimension);
103
104 DilithiumModeConstants(const DilithiumModeConstants& other) : DilithiumModeConstants(other.m_mode) {}
105
106 DilithiumModeConstants(DilithiumModeConstants&& other) = default;
107 DilithiumModeConstants& operator=(const DilithiumModeConstants& other) = delete;
108 DilithiumModeConstants& operator=(DilithiumModeConstants&& other) = default;
109
110 // Getter
111 uint8_t k() const { return m_k; }
112
113 uint8_t l() const { return m_l; }
114
115 DilithiumEta eta() const { return m_eta; }
116
117 size_t tau() const { return m_tau; }
118
119 size_t poly_uniform_gamma1_nblocks() const { return m_poly_uniform_gamma1_nblocks; }
120
121 size_t stream256_blockbytes() const { return m_stream256_blockbytes; }
122
123 size_t stream128_blockbytes() const { return m_stream128_blockbytes; }
124
125 size_t polyw1_packedbytes() const { return m_polyw1_packedbytes; }
126
127 size_t omega() const { return m_omega; }
128
129 size_t polyz_packedbytes() const { return m_polyz_packedbytes; }
130
131 size_t gamma2() const { return m_gamma2; }
132
133 size_t gamma1() const { return m_gamma1; }
134
135 size_t beta() const { return m_beta; }
136
137 size_t poly_uniform_eta_nblocks() const { return m_poly_uniform_eta_nblocks; }
138
139 size_t poly_uniform_nblocks() const { return m_poly_uniform_nblocks; }
140
141 size_t polyeta_packedbytes() const { return m_polyeta_packedbytes; }
142
143 size_t public_key_bytes() const { return m_public_key_bytes; }
144
145 size_t crypto_bytes() const { return m_crypto_bytes; }
146
147 OID oid() const { return m_mode.object_identifier(); }
148
149 DilithiumMode mode() const { return m_mode; }
150
151 size_t private_key_bytes() const { return m_private_key_bytes; }
152
153 size_t nist_security_strength() const { return m_nist_security_strength; }
154
155 // Wrapper
156 decltype(auto) H(std::span<const uint8_t> seed, size_t out_len) const {
157 return m_symmetric_primitives->H(seed, out_len);
158 }
159
160 secure_vector<uint8_t> CRH(const std::span<const uint8_t> in) const {
161 return m_symmetric_primitives->CRH(in, DilithiumModeConstants::CRHBYTES);
162 }
163
164 std::unique_ptr<Botan::XOF> XOF_128(std::span<const uint8_t> seed, uint16_t nonce) const {
165 return this->m_symmetric_primitives->XOF(Dilithium_Symmetric_Primitives::XofType::k128, seed, nonce);
166 }
167
168 std::unique_ptr<Botan::XOF> XOF_256(std::span<const uint8_t> seed, uint16_t nonce) const {
169 return this->m_symmetric_primitives->XOF(Dilithium_Symmetric_Primitives::XofType::k256, seed, nonce);
170 }
171
172 secure_vector<uint8_t> ExpandMask(const secure_vector<uint8_t>& seed, uint16_t nonce) const {
173 return this->m_symmetric_primitives->ExpandMask(
174 seed, nonce, poly_uniform_gamma1_nblocks() * stream256_blockbytes());
175 }
176
177 private:
178 DilithiumMode m_mode;
179
180 uint16_t m_nist_security_strength;
181
182 // generated matrix dimension is m_k x m_l
183 uint8_t m_k;
184 uint8_t m_l;
185 DilithiumEta m_eta;
186 int32_t m_tau;
187 int32_t m_beta;
188 int32_t m_gamma1;
189 int32_t m_gamma2;
190 int32_t m_omega;
191 int32_t m_stream128_blockbytes;
192 int32_t m_stream256_blockbytes;
193 int32_t m_poly_uniform_nblocks;
194 int32_t m_poly_uniform_eta_nblocks;
195 int32_t m_poly_uniform_gamma1_nblocks;
196 int32_t m_polyvech_packedbytes;
197 int32_t m_polyz_packedbytes;
198 int32_t m_polyw1_packedbytes;
199 int32_t m_polyeta_packedbytes;
200 int32_t m_private_key_bytes;
201 int32_t m_public_key_bytes;
202 int32_t m_crypto_bytes;
203
204 // Mode dependent primitives
205 std::unique_ptr<Dilithium_Symmetric_Primitives> m_symmetric_primitives;
206};
207} // namespace Botan
208
209#endif
Botan::Buffered_Computation::process
T process(const uint8_t in[], size_t length)
Definition buf_comp.h:105
Botan::DilithiumModeConstants::operator=
DilithiumModeConstants & operator=(const DilithiumModeConstants &other)=delete
Botan::DilithiumModeConstants::kSerializedPolynomialByteLength
static constexpr int32_t kSerializedPolynomialByteLength
Definition dilithium_symmetric_primitives.h:100
Botan::DilithiumModeConstants::CRH
secure_vector< uint8_t > CRH(const std::span< const uint8_t > in) const
Definition dilithium_symmetric_primitives.h:160
Botan::DilithiumModeConstants::XOF_128
std::unique_ptr< Botan::XOF > XOF_128(std::span< const uint8_t > seed, uint16_t nonce) const
Definition dilithium_symmetric_primitives.h:164
Botan::DilithiumModeConstants::XOF_256
std::unique_ptr< Botan::XOF > XOF_256(std::span< const uint8_t > seed, uint16_t nonce) const
Definition dilithium_symmetric_primitives.h:168
Botan::DilithiumModeConstants::operator=
DilithiumModeConstants & operator=(DilithiumModeConstants &&other)=default
Botan::DilithiumModeConstants::DilithiumModeConstants
DilithiumModeConstants(const DilithiumModeConstants &other)
Definition dilithium_symmetric_primitives.h:104
Botan::DilithiumModeConstants::ExpandMask
secure_vector< uint8_t > ExpandMask(const secure_vector< uint8_t > &seed, uint16_t nonce) const
Definition dilithium_symmetric_primitives.h:172
Botan::DilithiumModeConstants::ZETAS
static constexpr int32_t ZETAS[DilithiumModeConstants::N]
Definition dilithium_symmetric_primitives.h:75
Botan::DilithiumModeConstants::H
decltype(auto) H(std::span< const uint8_t > seed, size_t out_len) const
Definition dilithium_symmetric_primitives.h:156
Botan::DilithiumModeConstants::DilithiumModeConstants
DilithiumModeConstants(DilithiumModeConstants &&other)=default
Botan::DilithiumMode::object_identifier
OID object_identifier() const
Definition dilithium.cpp:92
Botan::Dilithium_Symmetric_Primitives
Definition dilithium_symmetric_primitives.h:28
Botan::Dilithium_Symmetric_Primitives::CRH
secure_vector< uint8_t > CRH(std::span< const uint8_t > in, size_t out_len) const
Definition dilithium_symmetric_primitives.h:43
Botan::Dilithium_Symmetric_Primitives::XOF
virtual std::unique_ptr< Botan::XOF > XOF(XofType type, std::span< const uint8_t > seed, uint16_t nonce) const =0
Botan::Dilithium_Symmetric_Primitives::ExpandMask
secure_vector< uint8_t > ExpandMask(std::span< const uint8_t > seed, uint16_t nonce, size_t out_len) const
Definition dilithium_symmetric_primitives.h:48
Botan::Dilithium_Symmetric_Primitives::H
secure_vector< uint8_t > H(std::span< const uint8_t > seed, size_t out_len) const
Definition dilithium_symmetric_primitives.h:38
Botan::Dilithium_Symmetric_Primitives::XofType
XofType
Definition dilithium_symmetric_primitives.h:30
Botan::Dilithium_Symmetric_Primitives::XofType::k128
@ k128
Botan::Dilithium_Symmetric_Primitives::XofType::k256
@ k256
Botan::Dilithium_Symmetric_Primitives::create
static std::unique_ptr< Dilithium_Symmetric_Primitives > create(DilithiumMode mode)
Definition dilithium_symmetric_primitives.cpp:22
Botan::Dilithium_Symmetric_Primitives::~Dilithium_Symmetric_Primitives
virtual ~Dilithium_Symmetric_Primitives()=default
Botan::SHAKE_256
Definition shake.h:52
Botan::secure_vector
std::vector< T, secure_allocator< T > > secure_vector
Definition secmem.h:61
Generated by doxygen 1.10.0