13#include <botan/mceliece.h>
15#include <botan/ber_dec.h>
16#include <botan/der_enc.h>
18#include <botan/internal/bit_ops.h>
19#include <botan/internal/code_based_util.h>
20#include <botan/internal/loadstor.h>
21#include <botan/internal/mce_internal.h>
22#include <botan/internal/pk_ops_impl.h>
23#include <botan/internal/polyn_gf2m.h>
24#include <botan/internal/stl_util.h>
30McEliece_PrivateKey& McEliece_PrivateKey::operator=(const McEliece_PrivateKey&) = default;
31McEliece_PrivateKey& McEliece_PrivateKey::operator=(McEliece_PrivateKey&&) noexcept = default;
32McEliece_PrivateKey::~McEliece_PrivateKey() = default;
35 const std::vector<uint32_t>& parity_check_matrix_coeffs,
36 const std::vector<
polyn_gf2m>& square_root_matrix,
37 const std::vector<
gf2m>& inverse_support,
38 const std::vector<uint8_t>& public_matrix) :
41 m_sqrtmod(square_root_matrix),
42 m_Linv(inverse_support),
43 m_coeffs(parity_check_matrix_coeffs),
44 m_codimension(
static_cast<size_t>(
ceil_log2(inverse_support.size())) * goppa_polyn.get_degree()),
45 m_dimension(inverse_support.size() - m_codimension) {}
48 uint32_t ext_deg =
ceil_log2(code_length);
65 rng.
randomize(plaintext.data(), plaintext.size());
68 if(uint32_t used = bits % 8) {
69 const uint8_t mask = (1 << used) - 1;
70 plaintext[plaintext.size() - 1] &= mask;
81 std::vector<uint8_t> output;
126 for(
size_t i = 0; i < m_sqrtmod.size(); i++) {
132 for(uint16_t Linv : m_Linv) {
133 enc_support.push_back(get_byte<0>(Linv));
134 enc_support.push_back(get_byte<1>(Linv));
138 for(uint32_t coef : m_coeffs) {
139 enc_H.push_back(get_byte<0>(coef));
140 enc_H.push_back(get_byte<1>(coef));
141 enc_H.push_back(get_byte<2>(coef));
142 enc_H.push_back(get_byte<3>(coef));
160 if(errors != errors_out || plaintext != plaintext_out) {
179 if(t == 0 || n == 0) {
186 m_codimension = (ext_deg * t);
187 m_dimension = (n - m_codimension);
189 auto sp_field = std::make_shared<GF2m_Field>(ext_deg);
191 if(m_g[0].get_degree() !=
static_cast<int>(t)) {
192 throw Decoding_Error(
"degree of decoded Goppa polynomial is incorrect");
195 for(uint32_t i = 0; i < t / 2; i++) {
198 while(sqrt_enc.size() < (t * 2)) {
201 sqrt_enc.push_back(0);
203 if(sqrt_enc.size() != t * 2) {
204 throw Decoding_Error(
"length of square root polynomial entry is too large");
206 m_sqrtmod.push_back(
polyn_gf2m(sqrt_enc, sp_field));
210 if(enc_support.size() % 2) {
213 if(enc_support.size() / 2 != n) {
214 throw Decoding_Error(
"encoded support has length different from code length");
216 for(uint32_t i = 0; i < n * 2; i += 2) {
217 gf2m el = (enc_support[i] << 8) | enc_support[i + 1];
218 m_Linv.push_back(el);
222 if(enc_H.size() % 4) {
223 throw Decoding_Error(
"encoded parity check matrix has length which is not a multiple of four");
226 throw Decoding_Error(
"encoded parity check matrix has wrong length");
229 for(uint32_t i = 0; i < enc_H.size(); i += 4) {
230 uint32_t coeff = (enc_H[i] << 24) | (enc_H[i + 1] << 16) | (enc_H[i + 2] << 8) | enc_H[i + 3];
231 m_coeffs.push_back(coeff);
239 if(m_g != other.m_g) {
243 if(m_sqrtmod != other.m_sqrtmod) {
246 if(m_Linv != other.m_Linv) {
249 if(m_coeffs != other.m_coeffs) {
253 if(m_codimension != other.m_codimension || m_dimension != other.m_dimension) {
282 KEM_Encryption_with_KDF(kdf), m_key(key) {}
285 size_t raw_kem_shared_key_length()
const override {
286 const size_t err_sz = (m_key.get_code_length() + 7) / 8;
287 const size_t ptext_sz = (m_key.get_message_word_bit_length() + 7) / 8;
288 return ptext_sz + err_sz;
291 size_t encapsulated_key_length()
const override {
return (m_key.get_code_length() + 7) / 8; }
293 void raw_kem_encrypt(std::span<uint8_t> out_encapsulated_key,
294 std::span<uint8_t> raw_shared_key,
295 RandomNumberGenerator& rng)
override {
296 secure_vector<uint8_t> plaintext = m_key.random_plaintext_element(rng);
298 secure_vector<uint8_t> ciphertext, error_mask;
303 std::copy(ciphertext.begin(), ciphertext.end(), out_encapsulated_key.begin());
306 BufferStuffer bs(raw_shared_key);
307 bs.append(plaintext);
308 bs.append(error_mask);
311 const McEliece_PublicKey& m_key;
314class MCE_KEM_Decryptor
final :
public PK_Ops::KEM_Decryption_with_KDF {
316 MCE_KEM_Decryptor(
const McEliece_PrivateKey& key, std::string_view kdf) :
317 KEM_Decryption_with_KDF(kdf), m_key(key) {}
320 size_t raw_kem_shared_key_length()
const override {
321 const size_t err_sz = (m_key.get_code_length() + 7) / 8;
322 const size_t ptext_sz = (m_key.get_message_word_bit_length() + 7) / 8;
323 return ptext_sz + err_sz;
326 size_t encapsulated_key_length()
const override {
return (m_key.get_code_length() + 7) / 8; }
328 void raw_kem_decrypt(std::span<uint8_t> out_shared_key, std::span<const uint8_t> encapsulated_key)
override {
329 secure_vector<uint8_t> plaintext, error_mask;
330 mceliece_decrypt(plaintext, error_mask, encapsulated_key.data(), encapsulated_key.size(), m_key);
334 BufferStuffer bs(out_shared_key);
335 bs.append(plaintext);
336 bs.append(error_mask);
339 const McEliece_PrivateKey& m_key;
349 std::string_view provider)
const {
350 if(provider ==
"base" || provider.empty()) {
351 return std::make_unique<MCE_KEM_Encryptor>(*
this, params);
357 std::string_view params,
358 std::string_view provider)
const {
359 if(provider ==
"base" || provider.empty()) {
360 return std::make_unique<MCE_KEM_Decryptor>(*
this, params);
#define BOTAN_ASSERT_NOMSG(expr)
virtual OID object_identifier() const
void push_back(const BER_Object &obj)
BER_Decoder & decode(bool &out)
BER_Decoder start_sequence()
secure_vector< uint8_t > get_contents()
DER_Encoder & start_sequence()
DER_Encoder & encode(bool b)
secure_vector< uint8_t > private_key_bits() const override
McEliece_PrivateKey(RandomNumberGenerator &rng, size_t code_length, size_t t)
std::unique_ptr< Public_Key > public_key() const override
std::unique_ptr< PK_Ops::KEM_Decryption > create_kem_decryption_op(RandomNumberGenerator &rng, std::string_view params, std::string_view provider) const override
const polyn_gf2m & get_goppa_polyn() const
bool operator==(const McEliece_PrivateKey &other) const
bool check_key(RandomNumberGenerator &rng, bool strong) const override
secure_vector< uint8_t > random_plaintext_element(RandomNumberGenerator &rng) const
size_t get_message_word_bit_length() const
std::unique_ptr< PK_Ops::KEM_Encryption > create_kem_encryption_op(std::string_view params, std::string_view provider) const override
std::string algo_name() const override
std::vector< uint8_t > public_key_bits() const override
std::unique_ptr< Private_Key > generate_another(RandomNumberGenerator &rng) const final
std::vector< uint8_t > m_public_matrix
const std::vector< uint8_t > & get_public_matrix() const
size_t estimated_strength() const override
size_t get_code_length() const
bool operator==(const McEliece_PublicKey &other) const
AlgorithmIdentifier algorithm_identifier() const override
size_t key_length() const override
void randomize(std::span< uint8_t > output)
int(* final)(unsigned char *, CTX *)
void mceliece_decrypt(secure_vector< uint8_t > &plaintext_out, secure_vector< uint8_t > &error_mask_out, const secure_vector< uint8_t > &ciphertext, const McEliece_PrivateKey &key)
void mceliece_encrypt(secure_vector< uint8_t > &ciphertext_out, secure_vector< uint8_t > &error_mask_out, const secure_vector< uint8_t > &plaintext, const McEliece_PublicKey &key, RandomNumberGenerator &rng)
McEliece_PrivateKey generate_mceliece_key(RandomNumberGenerator &rng, size_t ext_deg, size_t code_length, size_t t)
size_t mceliece_work_factor(size_t n, size_t t)
std::vector< T, secure_allocator< T > > secure_vector
size_t bit_size_to_32bit_size(size_t bit_size)
constexpr uint8_t ceil_log2(T x)