13#include <botan/mceliece.h>
14#include <botan/internal/polyn_gf2m.h>
15#include <botan/internal/mce_internal.h>
16#include <botan/internal/bit_ops.h>
17#include <botan/internal/code_based_util.h>
18#include <botan/internal/pk_ops_impl.h>
19#include <botan/internal/loadstor.h>
20#include <botan/der_enc.h>
21#include <botan/ber_dec.h>
33 std::vector<uint32_t>
const& parity_check_matrix_coeffs,
34 std::vector<polyn_gf2m>
const& square_root_matrix,
35 std::vector<gf2m>
const& inverse_support,
36 std::vector<uint8_t>
const& public_matrix) :
39 m_sqrtmod(square_root_matrix),
40 m_Linv(inverse_support),
41 m_coeffs(parity_check_matrix_coeffs),
42 m_codimension(static_cast<size_t>(
ceil_log2(inverse_support.size())) * goppa_polyn.get_degree()),
43 m_dimension(inverse_support.size() - m_codimension)
49 uint32_t ext_deg =
ceil_log2(code_length);
69 rng.
randomize(plaintext.data(), plaintext.size());
72 if(uint32_t used = bits % 8)
74 const uint8_t mask = (1 << used) - 1;
75 plaintext[plaintext.size() - 1] &= mask;
88 std::vector<uint8_t> output;
137 for(
size_t i = 0; i < m_sqrtmod.size(); i++)
144 for(uint16_t Linv : m_Linv)
146 enc_support.push_back(get_byte<0>(Linv));
147 enc_support.push_back(get_byte<1>(Linv));
151 for(uint32_t coef : m_coeffs)
153 enc_H.push_back(get_byte<0>(coef));
154 enc_H.push_back(get_byte<1>(coef));
155 enc_H.push_back(get_byte<2>(coef));
156 enc_H.push_back(get_byte<3>(coef));
175 if(errors != errors_out || plaintext != plaintext_out)
200 m_codimension = (ext_deg * t);
201 m_dimension = (n - m_codimension);
203 auto sp_field = std::make_shared<GF2m_Field>(ext_deg);
205 if(m_g[0].get_degree() !=
static_cast<int>(t))
207 throw Decoding_Error(
"degree of decoded Goppa polynomial is incorrect");
210 for(uint32_t i = 0; i < t/2; i++)
214 while(sqrt_enc.size() < (t*2))
218 sqrt_enc.push_back(0);
220 if(sqrt_enc.size() != t*2)
222 throw Decoding_Error(
"length of square root polynomial entry is too large");
224 m_sqrtmod.push_back(
polyn_gf2m(sqrt_enc, sp_field));
229 if(enc_support.size() % 2)
233 if(enc_support.size() / 2 != n)
235 throw Decoding_Error(
"encoded support has length different from code length");
237 for(uint32_t i = 0; i < n*2; i+=2)
239 gf2m el = (enc_support[i] << 8) | enc_support[i+1];
240 m_Linv.push_back(el);
247 throw Decoding_Error(
"encoded parity check matrix has length which is not a multiple of four");
251 throw Decoding_Error(
"encoded parity check matrix has wrong length");
254 for(uint32_t i = 0; i < enc_H.size(); i+=4)
256 uint32_t coeff = (enc_H[i] << 24) | (enc_H[i+1] << 16) | (enc_H[i+2] << 8) | enc_H[i+3];
257 m_coeffs.push_back(coeff);
273 if( m_sqrtmod != other.m_sqrtmod)
277 if( m_Linv != other.m_Linv)
281 if( m_coeffs != other.m_coeffs)
286 if(m_codimension != other.m_codimension || m_dimension != other.m_dimension)
296 return std::make_unique<McEliece_PublicKey>(
324 const std::string& kdf) :
325 KEM_Encryption_with_KDF(kdf), m_key(key) {}
328 void raw_kem_encrypt(secure_vector<uint8_t>& out_encapsulated_key,
329 secure_vector<uint8_t>& raw_shared_key,
332 secure_vector<uint8_t> plaintext = m_key.random_plaintext_element(rng);
334 secure_vector<uint8_t> ciphertext, error_mask;
337 raw_shared_key.clear();
338 raw_shared_key += plaintext;
339 raw_shared_key += error_mask;
341 out_encapsulated_key.swap(ciphertext);
344 const McEliece_PublicKey& m_key;
347class MCE_KEM_Decryptor
final :
public PK_Ops::KEM_Decryption_with_KDF
351 MCE_KEM_Decryptor(
const McEliece_PrivateKey& key,
352 const std::string& kdf) :
353 KEM_Decryption_with_KDF(kdf), m_key(key) {}
356 secure_vector<uint8_t>
357 raw_kem_decrypt(
const uint8_t encap_key[],
size_t len)
override
359 secure_vector<uint8_t> plaintext, error_mask;
362 secure_vector<uint8_t> output;
363 output.reserve(plaintext.size() + error_mask.size());
364 output.insert(output.end(), plaintext.begin(), plaintext.end());
365 output.insert(output.end(), error_mask.begin(), error_mask.end());
369 const McEliece_PrivateKey& m_key;
374std::unique_ptr<PK_Ops::KEM_Encryption>
376 const std::string& params,
377 const std::string& provider)
const
379 if(provider ==
"base" || provider.empty())
380 return std::make_unique<MCE_KEM_Encryptor>(*
this, params);
384std::unique_ptr<PK_Ops::KEM_Decryption>
386 const std::string& params,
387 const std::string& provider)
const
389 if(provider ==
"base" || provider.empty())
390 return std::make_unique<MCE_KEM_Decryptor>(*
this, params);
void push_back(const BER_Object &obj)
BER_Decoder & decode(bool &out)
BER_Decoder start_sequence()
secure_vector< uint8_t > get_contents()
DER_Encoder & start_sequence()
DER_Encoder & encode(bool b)
secure_vector< uint8_t > private_key_bits() const override
McEliece_PrivateKey(RandomNumberGenerator &rng, size_t code_length, size_t t)
std::unique_ptr< Public_Key > public_key() const override
polyn_gf2m const & get_goppa_polyn() const
bool operator==(const McEliece_PrivateKey &other) const
McEliece_PrivateKey & operator=(const McEliece_PrivateKey &)
std::unique_ptr< PK_Ops::KEM_Decryption > create_kem_decryption_op(RandomNumberGenerator &rng, const std::string ¶ms, const std::string &provider) const override
bool check_key(RandomNumberGenerator &rng, bool strong) const override
secure_vector< uint8_t > random_plaintext_element(RandomNumberGenerator &rng) const
size_t get_message_word_bit_length() const
std::string algo_name() const override
std::vector< uint8_t > public_key_bits() const override
std::vector< uint8_t > m_public_matrix
const std::vector< uint8_t > & get_public_matrix() const
std::unique_ptr< PK_Ops::KEM_Encryption > create_kem_encryption_op(RandomNumberGenerator &rng, const std::string ¶ms, const std::string &provider) const override
size_t estimated_strength() const override
size_t get_code_length() const
bool operator==(const McEliece_PublicKey &other) const
AlgorithmIdentifier algorithm_identifier() const override
size_t key_length() const override
virtual OID get_oid() const
virtual void randomize(uint8_t output[], size_t length)=0
int(* final)(unsigned char *, CTX *)
std::array< int16_t, KyberConstants::N > m_coeffs
std::string encode(const uint8_t der[], size_t length, const std::string &label, size_t width)
void mceliece_decrypt(secure_vector< uint8_t > &plaintext_out, secure_vector< uint8_t > &error_mask_out, const secure_vector< uint8_t > &ciphertext, const McEliece_PrivateKey &key)
constexpr uint8_t ceil_log2(T x)
void mceliece_encrypt(secure_vector< uint8_t > &ciphertext_out, secure_vector< uint8_t > &error_mask_out, const secure_vector< uint8_t > &plaintext, const McEliece_PublicKey &key, RandomNumberGenerator &rng)
McEliece_PrivateKey generate_mceliece_key(RandomNumberGenerator &rng, size_t ext_deg, size_t code_length, size_t t)
size_t mceliece_work_factor(size_t n, size_t t)
size_t bit_size_to_32bit_size(size_t bit_size)
std::vector< T, secure_allocator< T > > secure_vector