doxygen/goppa__code_8cpp_source.html

/*

 * (C) Copyright Projet SECRET, INRIA, Rocquencourt

 * (C) Bhaskar Biswas and  Nicolas Sendrier

 *

 * (C) 2014 cryptosource GmbH

 * (C) 2014 Falko Strenzke fstrenzke@cryptosource.de

 *

 * Botan is released under the Simplified BSD License (see license.txt)

 *

 */


#include <botan/internal/mce_internal.h>

#include <botan/internal/code_based_util.h>


namespace Botan {


namespace {


void matrix_arr_mul(std::vector<uint32_t> matrix,

                    size_t numo_rows,

                    size_t words_per_row,

                    const uint8_t input_vec[],

                    uint32_t output_vec[],

                    size_t output_vec_len)

   {

   for(size_t j = 0; j < numo_rows; j++)

      {

      if((input_vec[j / 8] >> (j % 8)) & 1)

         {

         for(size_t i = 0; i < output_vec_len; i++)

            {

            output_vec[i] ^= matrix[j * (words_per_row) + i];

            }

         }

      }

   }


/**

* returns the error vector to the syndrome

*/

secure_vector<gf2m> goppa_decode(const polyn_gf2m & syndrom_polyn,

                                 const polyn_gf2m & g,

                                 const std::vector<polyn_gf2m> & sqrtmod,

                                 const std::vector<gf2m> & Linv)

   {

   const size_t code_length = Linv.size();

   gf2m a;

   uint32_t t = g.get_degree();


   std::shared_ptr<GF2m_Field> sp_field = g.get_sp_field();


   std::pair<polyn_gf2m, polyn_gf2m> h_aux = polyn_gf2m::eea_with_coefficients( syndrom_polyn, g, 1);

   polyn_gf2m & h = h_aux.first;

   polyn_gf2m & aux = h_aux.second;

   a = sp_field->gf_inv(aux.get_coef(0));

   gf2m log_a = sp_field->gf_log(a);

   for(int i = 0; i <= h.get_degree(); ++i)

      {

      h.set_coef(i,sp_field->gf_mul_zrz(log_a,h.get_coef(i)));

      }


   //  compute h(z) += z

   h.add_to_coef( 1, 1);

   // compute S square root of h (using sqrtmod)

   polyn_gf2m S(t - 1, g.get_sp_field());


   for(uint32_t i=0;i<t;i++)

      {

      a = sp_field->gf_sqrt(h.get_coef(i));


      if(i & 1)

         {

         for(uint32_t j=0;j<t;j++)

            {

            S.add_to_coef( j, sp_field->gf_mul(a, sqrtmod[i/2].get_coef(j)));

            }

         }

      else

         {

         S.add_to_coef( i/2, a);

         }

      } /* end for loop (i) */


   S.get_degree();


   std::pair<polyn_gf2m, polyn_gf2m> v_u = polyn_gf2m::eea_with_coefficients(S, g, t/2+1);

   polyn_gf2m & u = v_u.second;

   polyn_gf2m & v = v_u.first;


   // sigma = u^2+z*v^2

   polyn_gf2m sigma ( t , g.get_sp_field());


   const int u_deg = u.get_degree();

   BOTAN_ASSERT(u_deg >= 0, "Valid degree");

   for(int i = 0; i <= u_deg; ++i)

      {

      sigma.set_coef(2*i, sp_field->gf_square(u.get_coef(i)));

      }


   const int v_deg = v.get_degree();

   BOTAN_ASSERT(v_deg >= 0, "Valid degree");

   for(int i = 0; i <= v_deg; ++i)

      {

      sigma.set_coef(2*i+1, sp_field->gf_square(v.get_coef(i)));

      }


   secure_vector<gf2m> res = find_roots_gf2m_decomp(sigma, code_length);

   size_t d = res.size();


   secure_vector<gf2m> result(d);

   for(uint32_t i = 0; i < d; ++i)

      {

      gf2m current = res[i];


      gf2m tmp;

      tmp = gray_to_lex(current);

      /// XXX double assignment, possible bug?

      if(tmp >= code_length) /* invalid root */

         {

         result[i] = static_cast<gf2m>(i);

         }

      result[i] = Linv[tmp];

      }


   return result;

   }

}


void mceliece_decrypt(secure_vector<uint8_t>& plaintext_out,

                      secure_vector<uint8_t>& error_mask_out,

                      const secure_vector<uint8_t>& ciphertext,

                      const McEliece_PrivateKey& key)

   {

   mceliece_decrypt(plaintext_out, error_mask_out, ciphertext.data(), ciphertext.size(), key);

   }


void mceliece_decrypt(

   secure_vector<uint8_t>& plaintext,

   secure_vector<uint8_t> & error_mask,

   const uint8_t ciphertext[],

   size_t ciphertext_len,

   const McEliece_PrivateKey & key)

   {

   secure_vector<gf2m> error_pos;

   plaintext = mceliece_decrypt(error_pos, ciphertext, ciphertext_len, key);


   const size_t code_length = key.get_code_length();

   secure_vector<uint8_t> result((code_length+7)/8);

   for(auto&& pos : error_pos)

      {

      if(pos > code_length)

         {

         throw Invalid_Argument("error position larger than code size");

         }

      result[pos / 8] |= (1 << (pos % 8));

      }


   error_mask = result;

   }


/**

* @p p_err_pos_len must point to the available length of @p error_pos on input, the

* function will set it to the actual number of errors returned in the @p error_pos

* array */

secure_vector<uint8_t> mceliece_decrypt(

   secure_vector<gf2m> & error_pos,

   const uint8_t *ciphertext, size_t ciphertext_len,

   const McEliece_PrivateKey & key)

   {


   const size_t dimension = key.get_dimension();

   const size_t codimension = key.get_codimension();

   const uint32_t t = key.get_goppa_polyn().get_degree();

   polyn_gf2m syndrome_polyn(key.get_goppa_polyn().get_sp_field()); // init as zero polyn

   const unsigned unused_pt_bits = dimension % 8;

   const uint8_t unused_pt_bits_mask = (1 << unused_pt_bits) - 1;


   if(ciphertext_len != (key.get_code_length()+7)/8)

      {

      throw Invalid_Argument("wrong size of McEliece ciphertext");

      }

   const size_t cleartext_len = (key.get_message_word_bit_length()+7)/8;


   if(cleartext_len != bit_size_to_byte_size(dimension))

      {

      throw Invalid_Argument("mce-decryption: wrong length of cleartext buffer");

      }


   secure_vector<uint32_t> syndrome_vec(bit_size_to_32bit_size(codimension));

   matrix_arr_mul(key.get_H_coeffs(),

                  key.get_code_length(),

                  bit_size_to_32bit_size(codimension),

                  ciphertext,

                  syndrome_vec.data(), syndrome_vec.size());


   secure_vector<uint8_t> syndrome_byte_vec(bit_size_to_byte_size(codimension));

   const size_t syndrome_byte_vec_size = syndrome_byte_vec.size();

   for(size_t i = 0; i < syndrome_byte_vec_size; i++)

      {

      syndrome_byte_vec[i] = static_cast<uint8_t>(syndrome_vec[i/4] >> (8 * (i % 4)));

      }


   syndrome_polyn = polyn_gf2m(t-1, syndrome_byte_vec.data(), bit_size_to_byte_size(codimension), key.get_goppa_polyn().get_sp_field());


   syndrome_polyn.get_degree();

   error_pos = goppa_decode(syndrome_polyn, key.get_goppa_polyn(), key.get_sqrtmod(), key.get_Linv());


   const size_t nb_err = error_pos.size();


   secure_vector<uint8_t> cleartext(cleartext_len);

   copy_mem(cleartext.data(), ciphertext, cleartext_len);


   for(size_t i = 0; i < nb_err; i++)

      {

      gf2m current = error_pos[i];


      if(current >= cleartext_len * 8)

         {

         // an invalid position, this shouldn't happen

         continue;

         }

      cleartext[current / 8] ^= (1 << (current % 8));

      }


   if(unused_pt_bits)

      {

      cleartext[cleartext_len - 1] &= unused_pt_bits_mask;

      }


   return cleartext;

   }


}

BOTAN_ASSERT
#define BOTAN_ASSERT(expr, assertion_made)
Definition: assert.h:54

Botan::Invalid_Argument
Definition: exceptn.h:133

Botan::McEliece_PrivateKey
Definition: mceliece.h:81

Botan::McEliece_PrivateKey::get_Linv
std::vector< gf2m > const & get_Linv() const
Definition: mceliece.h:118

Botan::McEliece_PrivateKey::get_codimension
size_t get_codimension() const
Definition: mceliece.h:123

Botan::McEliece_PrivateKey::get_dimension
size_t get_dimension() const
Definition: mceliece.h:121

Botan::McEliece_PrivateKey::get_sqrtmod
std::vector< polyn_gf2m > const & get_sqrtmod() const
Definition: mceliece.h:119

Botan::McEliece_PrivateKey::get_goppa_polyn
polyn_gf2m const & get_goppa_polyn() const
Definition: mceliece_key.cpp:53

Botan::McEliece_PrivateKey::get_H_coeffs
std::vector< uint32_t > const & get_H_coeffs() const
Definition: mceliece.h:117

Botan::McEliece_PublicKey::get_message_word_bit_length
size_t get_message_word_bit_length() const
Definition: mceliece_key.cpp:58

Botan::McEliece_PublicKey::get_code_length
size_t get_code_length() const
Definition: mceliece.h:52

Botan::polyn_gf2m
Definition: polyn_gf2m.h:27

Botan::polyn_gf2m::get_degree
int get_degree() const
Definition: polyn_gf2m.cpp:179

Botan::polyn_gf2m::get_sp_field
std::shared_ptr< GF2m_Field > get_sp_field() const
Definition: polyn_gf2m.h:85

Botan::polyn_gf2m::eea_with_coefficients
static std::pair< polyn_gf2m, polyn_gf2m > eea_with_coefficients(const polyn_gf2m &p, const polyn_gf2m &g, int break_deg)
Definition: polyn_gf2m.cpp:399

Botan
Definition: alg_id.cpp:12

Botan::sigma
constexpr T sigma(T x)
Definition: rotate.h:43

Botan::mceliece_decrypt
void mceliece_decrypt(secure_vector< uint8_t > &plaintext_out, secure_vector< uint8_t > &error_mask_out, const secure_vector< uint8_t > &ciphertext, const McEliece_PrivateKey &key)
Definition: goppa_code.cpp:130

Botan::copy_mem
constexpr void copy_mem(T *out, const T *in, size_t n)
Definition: mem_ops.h:126

Botan::gray_to_lex
gf2m gray_to_lex(gf2m gray)
Definition: code_based_util.h:31

Botan::bit_size_to_32bit_size
size_t bit_size_to_32bit_size(size_t bit_size)
Definition: code_based_util.h:50

Botan::find_roots_gf2m_decomp
secure_vector< gf2m > find_roots_gf2m_decomp(const polyn_gf2m &polyn, size_t code_length)
Definition: gf2m_rootfind_dcmp.cpp:294

Botan::bit_size_to_byte_size
size_t bit_size_to_byte_size(size_t bit_size)
Definition: code_based_util.h:45

Botan::secure_vector
std::vector< T, secure_allocator< T > > secure_vector
Definition: secmem.h:64

Botan::gf2m
uint16_t gf2m
Definition: gf2m_small_m.h:20