Botan 3.9.0
Crypto and TLS for C&
mceliece_key.cpp
Go to the documentation of this file.
1/*
2 * (C) Copyright Projet SECRET, INRIA, Rocquencourt
3 * (C) Bhaskar Biswas and Nicolas Sendrier
4 *
5 * (C) 2014 cryptosource GmbH
6 * (C) 2014 Falko Strenzke fstrenzke@cryptosource.de
7 * (C) 2015 Jack Lloyd
8 *
9 * Botan is released under the Simplified BSD License (see license.txt)
10 *
11 */
12
13#include <botan/mceliece.h>
14
15#include <botan/ber_dec.h>
16#include <botan/der_enc.h>
17#include <botan/rng.h>
18#include <botan/internal/bit_ops.h>
19#include <botan/internal/code_based_util.h>
20#include <botan/internal/loadstor.h>
21#include <botan/internal/mce_internal.h>
22#include <botan/internal/pk_ops_impl.h>
23#include <botan/internal/polyn_gf2m.h>
24#include <botan/internal/stl_util.h>
25
26namespace Botan {
27
31McEliece_PrivateKey& McEliece_PrivateKey::operator=(McEliece_PrivateKey&&) noexcept = default;
33
35 const std::vector<uint32_t>& parity_check_matrix_coeffs,
36 const std::vector<polyn_gf2m>& square_root_matrix,
37 const std::vector<gf2m>& inverse_support,
38 const std::vector<uint8_t>& public_matrix) :
39 McEliece_PublicKey(public_matrix, goppa_polyn.get_degree(), inverse_support.size()),
40 m_g{goppa_polyn},
41 m_sqrtmod(square_root_matrix),
42 m_Linv(inverse_support),
43 m_coeffs(parity_check_matrix_coeffs),
44 m_codimension(static_cast<size_t>(ceil_log2(inverse_support.size())) * goppa_polyn.get_degree()),
45 m_dimension(inverse_support.size() - m_codimension) {}
46
47// NOLINTNEXTLINE(*-member-init)
49 uint32_t ext_deg = ceil_log2(code_length);
50 *this = generate_mceliece_key(rng, ext_deg, code_length, t);
51}
52
54 return m_g[0];
55}
56
58 size_t codimension = ceil_log2(m_code_length) * m_t;
59 return m_code_length - codimension;
60}
61
63 const size_t bits = get_message_word_bit_length();
64
65 secure_vector<uint8_t> plaintext((bits + 7) / 8);
66 rng.randomize(plaintext.data(), plaintext.size());
67
68 // unset unused bits in the last plaintext byte
69 if(uint32_t used = bits % 8) {
70 const uint8_t mask = (1 << used) - 1;
71 plaintext[plaintext.size() - 1] &= mask;
72 }
73
74 return plaintext;
75}
76
80
81std::vector<uint8_t> McEliece_PublicKey::raw_public_key_bits() const {
82 return m_public_matrix;
83}
84
85std::vector<uint8_t> McEliece_PublicKey::public_key_bits() const {
86 std::vector<uint8_t> output;
87 DER_Encoder(output)
91 .encode(get_t())
92 .end_cons()
94 .end_cons();
95 return output;
96}
97
99 return m_code_length;
100}
101
105
106McEliece_PublicKey::McEliece_PublicKey(std::span<const uint8_t> key_bits) {
107 BER_Decoder dec(key_bits);
108 size_t n = 0;
109 size_t t = 0;
110 dec.start_sequence()
111 .start_sequence()
112 .decode(n)
113 .decode(t)
114 .end_cons()
116 .end_cons();
117 m_t = t;
118 m_code_length = n;
119}
120
122 DER_Encoder enc;
123 enc.start_sequence()
124 .start_sequence()
125 .encode(get_code_length())
126 .encode(get_t())
127 .end_cons()
129 .encode(m_g[0].encode(), ASN1_Type::OctetString); // g as octet string
130 enc.start_sequence();
131 for(const auto& x : m_sqrtmod) {
132 enc.encode(x.encode(), ASN1_Type::OctetString);
133 }
134 enc.end_cons();
135 secure_vector<uint8_t> enc_support;
136
137 for(uint16_t Linv : m_Linv) {
138 enc_support.push_back(get_byte<0>(Linv));
139 enc_support.push_back(get_byte<1>(Linv));
140 }
141 enc.encode(enc_support, ASN1_Type::OctetString);
143 for(uint32_t coef : m_coeffs) {
144 enc_H.push_back(get_byte<0>(coef));
145 enc_H.push_back(get_byte<1>(coef));
146 enc_H.push_back(get_byte<2>(coef));
147 enc_H.push_back(get_byte<3>(coef));
148 }
149 enc.encode(enc_H, ASN1_Type::OctetString);
150 enc.end_cons();
151 return enc.get_contents();
152}
153
154bool McEliece_PrivateKey::check_key(RandomNumberGenerator& rng, bool /*unused*/) const {
155 const secure_vector<uint8_t> plaintext = this->random_plaintext_element(rng);
156
157 secure_vector<uint8_t> ciphertext;
159 mceliece_encrypt(ciphertext, errors, plaintext, *this, rng);
160
161 secure_vector<uint8_t> plaintext_out;
162 secure_vector<uint8_t> errors_out;
163 mceliece_decrypt(plaintext_out, errors_out, ciphertext, *this);
164
165 if(errors != errors_out || plaintext != plaintext_out) {
166 return false;
167 }
168
169 return true;
170}
171
172McEliece_PrivateKey::McEliece_PrivateKey(std::span<const uint8_t> key_bits) {
173 size_t n = 0;
174 size_t t = 0;
176 BER_Decoder dec_base(key_bits);
177 BER_Decoder dec = dec_base.start_sequence()
179 .decode(n)
180 .decode(t)
181 .end_cons()
184
185 if(t == 0 || n == 0) {
186 throw Decoding_Error("invalid McEliece parameters");
187 }
188
189 uint32_t ext_deg = ceil_log2(n);
190 m_code_length = n;
191 m_t = t;
192 m_codimension = (ext_deg * t);
193 m_dimension = (n - m_codimension);
194
195 auto sp_field = std::make_shared<GF2m_Field>(ext_deg);
196 m_g = {polyn_gf2m(enc_g, sp_field)};
197 if(m_g[0].get_degree() != static_cast<int>(t)) {
198 throw Decoding_Error("degree of decoded Goppa polynomial is incorrect");
199 }
200 BER_Decoder dec2 = dec.start_sequence();
201 for(uint32_t i = 0; i < t / 2; i++) {
202 secure_vector<uint8_t> sqrt_enc;
203 dec2.decode(sqrt_enc, ASN1_Type::OctetString);
204 while(sqrt_enc.size() < (t * 2)) {
205 // ensure that the length is always t
206 sqrt_enc.push_back(0);
207 sqrt_enc.push_back(0);
208 }
209 if(sqrt_enc.size() != t * 2) {
210 throw Decoding_Error("length of square root polynomial entry is too large");
211 }
212 m_sqrtmod.push_back(polyn_gf2m(sqrt_enc, sp_field));
213 }
214 secure_vector<uint8_t> enc_support;
215 BER_Decoder dec3 = dec2.end_cons().decode(enc_support, ASN1_Type::OctetString);
216 if(enc_support.size() % 2 != 0) {
217 throw Decoding_Error("encoded support has odd length");
218 }
219 if(enc_support.size() / 2 != n) {
220 throw Decoding_Error("encoded support has length different from code length");
221 }
222 for(uint32_t i = 0; i < n * 2; i += 2) {
223 gf2m el = (enc_support[i] << 8) | enc_support[i + 1];
224 m_Linv.push_back(el);
225 }
228 if(enc_H.size() % 4 != 0) {
229 throw Decoding_Error("encoded parity check matrix has length which is not a multiple of four");
230 }
231 if(enc_H.size() / 4 != bit_size_to_32bit_size(m_codimension) * m_code_length) {
232 throw Decoding_Error("encoded parity check matrix has wrong length");
233 }
234
235 for(uint32_t i = 0; i < enc_H.size(); i += 4) {
236 uint32_t coeff = (enc_H[i] << 24) | (enc_H[i + 1] << 16) | (enc_H[i + 2] << 8) | enc_H[i + 3];
237 m_coeffs.push_back(coeff);
238 }
239}
240
242 if(*static_cast<const McEliece_PublicKey*>(this) != *static_cast<const McEliece_PublicKey*>(&other)) {
243 return false;
244 }
245 if(m_g != other.m_g) {
246 return false;
247 }
248
249 if(m_sqrtmod != other.m_sqrtmod) {
250 return false;
251 }
252 if(m_Linv != other.m_Linv) {
253 return false;
254 }
255 if(m_coeffs != other.m_coeffs) {
256 return false;
257 }
258
259 if(m_codimension != other.m_codimension || m_dimension != other.m_dimension) {
260 return false;
261 }
262
263 return true;
264}
265
266std::unique_ptr<Public_Key> McEliece_PrivateKey::public_key() const {
267 return std::make_unique<McEliece_PublicKey>(get_public_matrix(), get_t(), get_code_length());
268}
269
271 if(m_public_matrix != other.m_public_matrix) {
272 return false;
273 }
274 if(m_t != other.m_t) {
275 return false;
276 }
277 if(m_code_length != other.m_code_length) {
278 return false;
279 }
280 return true;
281}
282
283namespace {
284
285class MCE_KEM_Encryptor final : public PK_Ops::KEM_Encryption_with_KDF {
286 public:
287 MCE_KEM_Encryptor(const McEliece_PublicKey& key, std::string_view kdf) :
288 KEM_Encryption_with_KDF(kdf), m_key(key) {}
289
290 private:
291 size_t raw_kem_shared_key_length() const override {
292 const size_t err_sz = (m_key.get_code_length() + 7) / 8;
293 const size_t ptext_sz = (m_key.get_message_word_bit_length() + 7) / 8;
294 return ptext_sz + err_sz;
295 }
296
297 size_t encapsulated_key_length() const override { return (m_key.get_code_length() + 7) / 8; }
298
299 void raw_kem_encrypt(std::span<uint8_t> out_encapsulated_key,
300 std::span<uint8_t> raw_shared_key,
301 RandomNumberGenerator& rng) override {
302 secure_vector<uint8_t> plaintext = m_key.random_plaintext_element(rng);
303
304 secure_vector<uint8_t> ciphertext;
305 secure_vector<uint8_t> error_mask;
306 mceliece_encrypt(ciphertext, error_mask, plaintext, m_key, rng);
307
308 // TODO: Perhaps avoid the copies below
309 BOTAN_ASSERT_NOMSG(out_encapsulated_key.size() == ciphertext.size());
310 std::copy(ciphertext.begin(), ciphertext.end(), out_encapsulated_key.begin());
311
312 BOTAN_ASSERT_NOMSG(raw_shared_key.size() == plaintext.size() + error_mask.size());
313 BufferStuffer bs(raw_shared_key);
314 bs.append(plaintext);
315 bs.append(error_mask);
316 }
317
318 const McEliece_PublicKey& m_key;
319};
320
321class MCE_KEM_Decryptor final : public PK_Ops::KEM_Decryption_with_KDF {
322 public:
323 MCE_KEM_Decryptor(const McEliece_PrivateKey& key, std::string_view kdf) :
324 KEM_Decryption_with_KDF(kdf), m_key(key) {}
325
326 private:
327 size_t raw_kem_shared_key_length() const override {
328 const size_t err_sz = (m_key.get_code_length() + 7) / 8;
329 const size_t ptext_sz = (m_key.get_message_word_bit_length() + 7) / 8;
330 return ptext_sz + err_sz;
331 }
332
333 size_t encapsulated_key_length() const override { return (m_key.get_code_length() + 7) / 8; }
334
335 void raw_kem_decrypt(std::span<uint8_t> out_shared_key, std::span<const uint8_t> encapsulated_key) override {
336 secure_vector<uint8_t> plaintext;
337 secure_vector<uint8_t> error_mask;
338 mceliece_decrypt(plaintext, error_mask, encapsulated_key.data(), encapsulated_key.size(), m_key);
339
340 // TODO: perhaps avoid the copies below
341 BOTAN_ASSERT_NOMSG(out_shared_key.size() == plaintext.size() + error_mask.size());
342 BufferStuffer bs(out_shared_key);
343 bs.append(plaintext);
344 bs.append(error_mask);
345 }
346
347 const McEliece_PrivateKey& m_key;
348};
349
350} // namespace
351
352std::unique_ptr<Private_Key> McEliece_PublicKey::generate_another(RandomNumberGenerator& rng) const {
353 return std::make_unique<McEliece_PrivateKey>(rng, get_code_length(), get_t());
354}
355
356std::unique_ptr<PK_Ops::KEM_Encryption> McEliece_PublicKey::create_kem_encryption_op(std::string_view params,
357 std::string_view provider) const {
358 if(provider == "base" || provider.empty()) {
359 return std::make_unique<MCE_KEM_Encryptor>(*this, params);
360 }
361 throw Provider_Not_Found(algo_name(), provider);
362}
363
364std::unique_ptr<PK_Ops::KEM_Decryption> McEliece_PrivateKey::create_kem_decryption_op(RandomNumberGenerator& /*rng*/,
365 std::string_view params,
366 std::string_view provider) const {
367 if(provider == "base" || provider.empty()) {
368 return std::make_unique<MCE_KEM_Decryptor>(*this, params);
369 }
370 throw Provider_Not_Found(algo_name(), provider);
371}
372
373} // namespace Botan
#define BOTAN_ASSERT_NOMSG(expr)
Definition assert.h:75
virtual OID object_identifier() const
Definition pk_keys.cpp:22
void push_back(const BER_Object &obj)
Definition ber_dec.cpp:289
BER_Decoder & decode(bool &out)
Definition ber_dec.h:188
BER_Decoder & end_cons()
Definition ber_dec.cpp:312
BER_Decoder start_sequence()
Definition ber_dec.h:125
DER_Encoder & start_sequence()
Definition der_enc.h:65
DER_Encoder & end_cons()
Definition der_enc.cpp:173
DER_Encoder & encode(bool b)
Definition der_enc.cpp:252
secure_vector< uint8_t > private_key_bits() const override
McEliece_PrivateKey(RandomNumberGenerator &rng, size_t code_length, size_t t)
std::unique_ptr< Public_Key > public_key() const override
std::unique_ptr< PK_Ops::KEM_Decryption > create_kem_decryption_op(RandomNumberGenerator &rng, std::string_view params, std::string_view provider) const override
const polyn_gf2m & get_goppa_polyn() const
bool operator==(const McEliece_PrivateKey &other) const
bool check_key(RandomNumberGenerator &rng, bool strong) const override
secure_vector< uint8_t > random_plaintext_element(RandomNumberGenerator &rng) const
size_t get_message_word_bit_length() const
std::vector< uint8_t > raw_public_key_bits() const override
size_t get_t() const
Definition mceliece.h:50
std::unique_ptr< PK_Ops::KEM_Encryption > create_kem_encryption_op(std::string_view params, std::string_view provider) const override
McEliece_PublicKey(std::span< const uint8_t > key_bits)
std::string algo_name() const override
Definition mceliece.h:38
std::vector< uint8_t > public_key_bits() const override
std::unique_ptr< Private_Key > generate_another(RandomNumberGenerator &rng) const final
std::vector< uint8_t > m_public_matrix
Definition mceliece.h:74
const std::vector< uint8_t > & get_public_matrix() const
Definition mceliece.h:56
size_t estimated_strength() const override
size_t get_code_length() const
Definition mceliece.h:52
bool operator==(const McEliece_PublicKey &other) const
AlgorithmIdentifier algorithm_identifier() const override
size_t key_length() const override
void randomize(std::span< uint8_t > output)
Definition rng.h:71
constexpr uint8_t get_byte(T input)
Definition loadstor.h:79
void mceliece_decrypt(secure_vector< uint8_t > &plaintext_out, secure_vector< uint8_t > &error_mask_out, const secure_vector< uint8_t > &ciphertext, const McEliece_PrivateKey &key)
void mceliece_encrypt(secure_vector< uint8_t > &ciphertext_out, secure_vector< uint8_t > &error_mask_out, const secure_vector< uint8_t > &plaintext, const McEliece_PublicKey &key, RandomNumberGenerator &rng)
Definition mceliece.cpp:109
constexpr uint8_t ceil_log2(T x)
Definition bit_ops.h:120
McEliece_PrivateKey generate_mceliece_key(RandomNumberGenerator &rng, size_t ext_deg, size_t code_length, size_t t)
size_t mceliece_work_factor(size_t n, size_t t)
std::vector< T, secure_allocator< T > > secure_vector
Definition secmem.h:69
size_t bit_size_to_32bit_size(size_t bit_size)
uint16_t gf2m