Botan 3.4.0
Crypto and TLS for C&
mceliece_key.cpp
Go to the documentation of this file.
1/*
2 * (C) Copyright Projet SECRET, INRIA, Rocquencourt
3 * (C) Bhaskar Biswas and Nicolas Sendrier
4 *
5 * (C) 2014 cryptosource GmbH
6 * (C) 2014 Falko Strenzke fstrenzke@cryptosource.de
7 * (C) 2015 Jack Lloyd
8 *
9 * Botan is released under the Simplified BSD License (see license.txt)
10 *
11 */
12
13#include <botan/mceliece.h>
14
15#include <botan/ber_dec.h>
16#include <botan/der_enc.h>
17#include <botan/rng.h>
18#include <botan/internal/bit_ops.h>
19#include <botan/internal/code_based_util.h>
20#include <botan/internal/loadstor.h>
21#include <botan/internal/mce_internal.h>
22#include <botan/internal/pk_ops_impl.h>
23#include <botan/internal/polyn_gf2m.h>
24#include <botan/internal/stl_util.h>
25
26namespace Botan {
27
28McEliece_PrivateKey::McEliece_PrivateKey(const McEliece_PrivateKey&) = default;
29McEliece_PrivateKey::McEliece_PrivateKey(McEliece_PrivateKey&&) noexcept = default;
30McEliece_PrivateKey& McEliece_PrivateKey::operator=(const McEliece_PrivateKey&) = default;
31McEliece_PrivateKey& McEliece_PrivateKey::operator=(McEliece_PrivateKey&&) noexcept = default;
32McEliece_PrivateKey::~McEliece_PrivateKey() = default;
33
34McEliece_PrivateKey::McEliece_PrivateKey(const polyn_gf2m& goppa_polyn,
35 const std::vector<uint32_t>& parity_check_matrix_coeffs,
36 const std::vector<polyn_gf2m>& square_root_matrix,
37 const std::vector<gf2m>& inverse_support,
38 const std::vector<uint8_t>& public_matrix) :
39 McEliece_PublicKey(public_matrix, goppa_polyn.get_degree(), inverse_support.size()),
40 m_g{goppa_polyn},
41 m_sqrtmod(square_root_matrix),
42 m_Linv(inverse_support),
43 m_coeffs(parity_check_matrix_coeffs),
44 m_codimension(static_cast<size_t>(ceil_log2(inverse_support.size())) * goppa_polyn.get_degree()),
45 m_dimension(inverse_support.size() - m_codimension) {}
46
47McEliece_PrivateKey::McEliece_PrivateKey(RandomNumberGenerator& rng, size_t code_length, size_t t) {
48 uint32_t ext_deg = ceil_log2(code_length);
49 *this = generate_mceliece_key(rng, ext_deg, code_length, t);
50}
51
52const polyn_gf2m& McEliece_PrivateKey::get_goppa_polyn() const {
53 return m_g[0];
54}
55
56size_t McEliece_PublicKey::get_message_word_bit_length() const {
57 size_t codimension = ceil_log2(m_code_length) * m_t;
58 return m_code_length - codimension;
59}
60
61secure_vector<uint8_t> McEliece_PublicKey::random_plaintext_element(RandomNumberGenerator& rng) const {
62 const size_t bits = get_message_word_bit_length();
63
64 secure_vector<uint8_t> plaintext((bits + 7) / 8);
65 rng.randomize(plaintext.data(), plaintext.size());
66
67 // unset unused bits in the last plaintext byte
68 if(uint32_t used = bits % 8) {
69 const uint8_t mask = (1 << used) - 1;
70 plaintext[plaintext.size() - 1] &= mask;
71 }
72
73 return plaintext;
74}
75
79
80std::vector<uint8_t> McEliece_PublicKey::public_key_bits() const {
81 std::vector<uint8_t> output;
82 DER_Encoder(output)
83 .start_sequence()
84 .start_sequence()
85 .encode(static_cast<size_t>(get_code_length()))
86 .encode(static_cast<size_t>(get_t()))
87 .end_cons()
88 .encode(m_public_matrix, ASN1_Type::OctetString)
89 .end_cons();
90 return output;
91}
92
93size_t McEliece_PublicKey::key_length() const {
94 return m_code_length;
95}
96
100
101McEliece_PublicKey::McEliece_PublicKey(std::span<const uint8_t> key_bits) {
102 BER_Decoder dec(key_bits);
103 size_t n;
104 size_t t;
105 dec.start_sequence()
106 .start_sequence()
107 .decode(n)
108 .decode(t)
109 .end_cons()
110 .decode(m_public_matrix, ASN1_Type::OctetString)
111 .end_cons();
112 m_t = t;
113 m_code_length = n;
114}
115
116secure_vector<uint8_t> McEliece_PrivateKey::private_key_bits() const {
117 DER_Encoder enc;
118 enc.start_sequence()
119 .start_sequence()
120 .encode(static_cast<size_t>(get_code_length()))
121 .encode(static_cast<size_t>(get_t()))
122 .end_cons()
123 .encode(m_public_matrix, ASN1_Type::OctetString)
124 .encode(m_g[0].encode(), ASN1_Type::OctetString); // g as octet string
125 enc.start_sequence();
126 for(size_t i = 0; i < m_sqrtmod.size(); i++) {
127 enc.encode(m_sqrtmod[i].encode(), ASN1_Type::OctetString);
128 }
129 enc.end_cons();
130 secure_vector<uint8_t> enc_support;
131
132 for(uint16_t Linv : m_Linv) {
133 enc_support.push_back(get_byte<0>(Linv));
134 enc_support.push_back(get_byte<1>(Linv));
135 }
136 enc.encode(enc_support, ASN1_Type::OctetString);
137 secure_vector<uint8_t> enc_H;
138 for(uint32_t coef : m_coeffs) {
139 enc_H.push_back(get_byte<0>(coef));
140 enc_H.push_back(get_byte<1>(coef));
141 enc_H.push_back(get_byte<2>(coef));
142 enc_H.push_back(get_byte<3>(coef));
143 }
144 enc.encode(enc_H, ASN1_Type::OctetString);
145 enc.end_cons();
146 return enc.get_contents();
147}
148
149bool McEliece_PrivateKey::check_key(RandomNumberGenerator& rng, bool /*unused*/) const {
150 const secure_vector<uint8_t> plaintext = this->random_plaintext_element(rng);
151
152 secure_vector<uint8_t> ciphertext;
153 secure_vector<uint8_t> errors;
154 mceliece_encrypt(ciphertext, errors, plaintext, *this, rng);
155
156 secure_vector<uint8_t> plaintext_out;
157 secure_vector<uint8_t> errors_out;
158 mceliece_decrypt(plaintext_out, errors_out, ciphertext, *this);
159
160 if(errors != errors_out || plaintext != plaintext_out) {
161 return false;
162 }
163
164 return true;
165}
166
167McEliece_PrivateKey::McEliece_PrivateKey(std::span<const uint8_t> key_bits) {
168 size_t n, t;
169 secure_vector<uint8_t> enc_g;
170 BER_Decoder dec_base(key_bits);
171 BER_Decoder dec = dec_base.start_sequence()
172 .start_sequence()
173 .decode(n)
174 .decode(t)
175 .end_cons()
176 .decode(m_public_matrix, ASN1_Type::OctetString)
177 .decode(enc_g, ASN1_Type::OctetString);
178
179 if(t == 0 || n == 0) {
180 throw Decoding_Error("invalid McEliece parameters");
181 }
182
183 uint32_t ext_deg = ceil_log2(n);
184 m_code_length = n;
185 m_t = t;
186 m_codimension = (ext_deg * t);
187 m_dimension = (n - m_codimension);
188
189 auto sp_field = std::make_shared<GF2m_Field>(ext_deg);
190 m_g = {polyn_gf2m(enc_g, sp_field)};
191 if(m_g[0].get_degree() != static_cast<int>(t)) {
192 throw Decoding_Error("degree of decoded Goppa polynomial is incorrect");
193 }
194 BER_Decoder dec2 = dec.start_sequence();
195 for(uint32_t i = 0; i < t / 2; i++) {
196 secure_vector<uint8_t> sqrt_enc;
197 dec2.decode(sqrt_enc, ASN1_Type::OctetString);
198 while(sqrt_enc.size() < (t * 2)) {
199 // ensure that the length is always t
200 sqrt_enc.push_back(0);
201 sqrt_enc.push_back(0);
202 }
203 if(sqrt_enc.size() != t * 2) {
204 throw Decoding_Error("length of square root polynomial entry is too large");
205 }
206 m_sqrtmod.push_back(polyn_gf2m(sqrt_enc, sp_field));
207 }
208 secure_vector<uint8_t> enc_support;
209 BER_Decoder dec3 = dec2.end_cons().decode(enc_support, ASN1_Type::OctetString);
210 if(enc_support.size() % 2) {
211 throw Decoding_Error("encoded support has odd length");
212 }
213 if(enc_support.size() / 2 != n) {
214 throw Decoding_Error("encoded support has length different from code length");
215 }
216 for(uint32_t i = 0; i < n * 2; i += 2) {
217 gf2m el = (enc_support[i] << 8) | enc_support[i + 1];
218 m_Linv.push_back(el);
219 }
220 secure_vector<uint8_t> enc_H;
221 dec3.decode(enc_H, ASN1_Type::OctetString).end_cons();
222 if(enc_H.size() % 4) {
223 throw Decoding_Error("encoded parity check matrix has length which is not a multiple of four");
224 }
225 if(enc_H.size() / 4 != bit_size_to_32bit_size(m_codimension) * m_code_length) {
226 throw Decoding_Error("encoded parity check matrix has wrong length");
227 }
228
229 for(uint32_t i = 0; i < enc_H.size(); i += 4) {
230 uint32_t coeff = (enc_H[i] << 24) | (enc_H[i + 1] << 16) | (enc_H[i + 2] << 8) | enc_H[i + 3];
231 m_coeffs.push_back(coeff);
232 }
233}
234
235bool McEliece_PrivateKey::operator==(const McEliece_PrivateKey& other) const {
236 if(*static_cast<const McEliece_PublicKey*>(this) != *static_cast<const McEliece_PublicKey*>(&other)) {
237 return false;
238 }
239 if(m_g != other.m_g) {
240 return false;
241 }
242
243 if(m_sqrtmod != other.m_sqrtmod) {
244 return false;
245 }
246 if(m_Linv != other.m_Linv) {
247 return false;
248 }
249 if(m_coeffs != other.m_coeffs) {
250 return false;
251 }
252
253 if(m_codimension != other.m_codimension || m_dimension != other.m_dimension) {
254 return false;
255 }
256
257 return true;
258}
259
260std::unique_ptr<Public_Key> McEliece_PrivateKey::public_key() const {
261 return std::make_unique<McEliece_PublicKey>(get_public_matrix(), get_t(), get_code_length());
262}
263
264bool McEliece_PublicKey::operator==(const McEliece_PublicKey& other) const {
265 if(m_public_matrix != other.m_public_matrix) {
266 return false;
267 }
268 if(m_t != other.m_t) {
269 return false;
270 }
271 if(m_code_length != other.m_code_length) {
272 return false;
273 }
274 return true;
275}
276
277namespace {
278
279class MCE_KEM_Encryptor final : public PK_Ops::KEM_Encryption_with_KDF {
280 public:
281 MCE_KEM_Encryptor(const McEliece_PublicKey& key, std::string_view kdf) :
282 KEM_Encryption_with_KDF(kdf), m_key(key) {}
283
284 private:
285 size_t raw_kem_shared_key_length() const override {
286 const size_t err_sz = (m_key.get_code_length() + 7) / 8;
287 const size_t ptext_sz = (m_key.get_message_word_bit_length() + 7) / 8;
288 return ptext_sz + err_sz;
289 }
290
291 size_t encapsulated_key_length() const override { return (m_key.get_code_length() + 7) / 8; }
292
293 void raw_kem_encrypt(std::span<uint8_t> out_encapsulated_key,
294 std::span<uint8_t> raw_shared_key,
295 RandomNumberGenerator& rng) override {
296 secure_vector<uint8_t> plaintext = m_key.random_plaintext_element(rng);
297
298 secure_vector<uint8_t> ciphertext, error_mask;
299 mceliece_encrypt(ciphertext, error_mask, plaintext, m_key, rng);
300
301 // TODO: Perhaps avoid the copies below
302 BOTAN_ASSERT_NOMSG(out_encapsulated_key.size() == ciphertext.size());
303 std::copy(ciphertext.begin(), ciphertext.end(), out_encapsulated_key.begin());
304
305 BOTAN_ASSERT_NOMSG(raw_shared_key.size() == plaintext.size() + error_mask.size());
306 BufferStuffer bs(raw_shared_key);
307 bs.append(plaintext);
308 bs.append(error_mask);
309 }
310
311 const McEliece_PublicKey& m_key;
312};
313
314class MCE_KEM_Decryptor final : public PK_Ops::KEM_Decryption_with_KDF {
315 public:
316 MCE_KEM_Decryptor(const McEliece_PrivateKey& key, std::string_view kdf) :
317 KEM_Decryption_with_KDF(kdf), m_key(key) {}
318
319 private:
320 size_t raw_kem_shared_key_length() const override {
321 const size_t err_sz = (m_key.get_code_length() + 7) / 8;
322 const size_t ptext_sz = (m_key.get_message_word_bit_length() + 7) / 8;
323 return ptext_sz + err_sz;
324 }
325
326 size_t encapsulated_key_length() const override { return (m_key.get_code_length() + 7) / 8; }
327
328 void raw_kem_decrypt(std::span<uint8_t> out_shared_key, std::span<const uint8_t> encapsulated_key) override {
329 secure_vector<uint8_t> plaintext, error_mask;
330 mceliece_decrypt(plaintext, error_mask, encapsulated_key.data(), encapsulated_key.size(), m_key);
331
332 // TODO: perhaps avoid the copies below
333 BOTAN_ASSERT_NOMSG(out_shared_key.size() == plaintext.size() + error_mask.size());
334 BufferStuffer bs(out_shared_key);
335 bs.append(plaintext);
336 bs.append(error_mask);
337 }
338
339 const McEliece_PrivateKey& m_key;
340};
341
342} // namespace
343
344std::unique_ptr<Private_Key> McEliece_PublicKey::generate_another(RandomNumberGenerator& rng) const {
345 return std::make_unique<McEliece_PrivateKey>(rng, get_code_length(), get_t());
346}
347
348std::unique_ptr<PK_Ops::KEM_Encryption> McEliece_PublicKey::create_kem_encryption_op(std::string_view params,
349 std::string_view provider) const {
350 if(provider == "base" || provider.empty()) {
351 return std::make_unique<MCE_KEM_Encryptor>(*this, params);
352 }
353 throw Provider_Not_Found(algo_name(), provider);
354}
355
356std::unique_ptr<PK_Ops::KEM_Decryption> McEliece_PrivateKey::create_kem_decryption_op(RandomNumberGenerator& /*rng*/,
357 std::string_view params,
358 std::string_view provider) const {
359 if(provider == "base" || provider.empty()) {
360 return std::make_unique<MCE_KEM_Decryptor>(*this, params);
361 }
362 throw Provider_Not_Found(algo_name(), provider);
363}
364
365} // namespace Botan
BOTAN_ASSERT_NOMSG
#define BOTAN_ASSERT_NOMSG(expr)
Definition assert.h:59
Botan::Asymmetric_Key::object_identifier
virtual OID object_identifier() const
Definition pk_keys.cpp:22
Botan::BER_Decoder
Definition ber_dec.h:22
Botan::BER_Decoder::push_back
void push_back(const BER_Object &obj)
Definition ber_dec.cpp:272
Botan::BER_Decoder::decode
BER_Decoder & decode(bool &out)
Definition ber_dec.h:176
Botan::BER_Decoder::end_cons
BER_Decoder & end_cons()
Definition ber_dec.cpp:295
Botan::BER_Decoder::start_sequence
BER_Decoder start_sequence()
Definition ber_dec.h:113
Botan::DER_Encoder
Definition der_enc.h:22
Botan::DER_Encoder::get_contents
secure_vector< uint8_t > get_contents()
Definition der_enc.cpp:132
Botan::DER_Encoder::start_sequence
DER_Encoder & start_sequence()
Definition der_enc.h:65
Botan::DER_Encoder::end_cons
DER_Encoder & end_cons()
Definition der_enc.cpp:171
Botan::DER_Encoder::encode
DER_Encoder & encode(bool b)
Definition der_enc.cpp:250
Botan::Decoding_Error
Definition exceptn.h:191
Botan::McEliece_PrivateKey
Definition mceliece.h:80
Botan::McEliece_PrivateKey::private_key_bits
secure_vector< uint8_t > private_key_bits() const override
Definition mceliece_key.cpp:116
Botan::McEliece_PrivateKey::McEliece_PrivateKey
McEliece_PrivateKey(RandomNumberGenerator &rng, size_t code_length, size_t t)
Definition mceliece_key.cpp:47
Botan::McEliece_PrivateKey::public_key
std::unique_ptr< Public_Key > public_key() const override
Definition mceliece_key.cpp:260
Botan::McEliece_PrivateKey::create_kem_decryption_op
std::unique_ptr< PK_Ops::KEM_Decryption > create_kem_decryption_op(RandomNumberGenerator &rng, std::string_view params, std::string_view provider) const override
Definition mceliece_key.cpp:356
Botan::McEliece_PrivateKey::get_goppa_polyn
const polyn_gf2m & get_goppa_polyn() const
Definition mceliece_key.cpp:52
Botan::McEliece_PrivateKey::operator==
bool operator==(const McEliece_PrivateKey &other) const
Definition mceliece_key.cpp:235
Botan::McEliece_PrivateKey::check_key
bool check_key(RandomNumberGenerator &rng, bool strong) const override
Definition mceliece_key.cpp:149
Botan::McEliece_PublicKey
Definition mceliece.h:23
Botan::McEliece_PublicKey::random_plaintext_element
secure_vector< uint8_t > random_plaintext_element(RandomNumberGenerator &rng) const
Definition mceliece_key.cpp:61
Botan::McEliece_PublicKey::get_message_word_bit_length
size_t get_message_word_bit_length() const
Definition mceliece_key.cpp:56
Botan::McEliece_PublicKey::get_t
size_t get_t() const
Definition mceliece.h:47
Botan::McEliece_PublicKey::create_kem_encryption_op
std::unique_ptr< PK_Ops::KEM_Encryption > create_kem_encryption_op(std::string_view params, std::string_view provider) const override
Definition mceliece_key.cpp:348
Botan::McEliece_PublicKey::algo_name
std::string algo_name() const override
Definition mceliece.h:36
Botan::McEliece_PublicKey::public_key_bits
std::vector< uint8_t > public_key_bits() const override
Definition mceliece_key.cpp:80
Botan::McEliece_PublicKey::generate_another
std::unique_ptr< Private_Key > generate_another(RandomNumberGenerator &rng) const final
Definition mceliece_key.cpp:344
Botan::McEliece_PublicKey::McEliece_PublicKey
McEliece_PublicKey()
Definition mceliece.h:69
Botan::McEliece_PublicKey::m_t
size_t m_t
Definition mceliece.h:72
Botan::McEliece_PublicKey::m_public_matrix
std::vector< uint8_t > m_public_matrix
Definition mceliece.h:71
Botan::McEliece_PublicKey::get_public_matrix
const std::vector< uint8_t > & get_public_matrix() const
Definition mceliece.h:53
Botan::McEliece_PublicKey::m_code_length
size_t m_code_length
Definition mceliece.h:73
Botan::McEliece_PublicKey::estimated_strength
size_t estimated_strength() const override
Definition mceliece_key.cpp:97
Botan::McEliece_PublicKey::get_code_length
size_t get_code_length() const
Definition mceliece.h:49
Botan::McEliece_PublicKey::operator==
bool operator==(const McEliece_PublicKey &other) const
Definition mceliece_key.cpp:264
Botan::McEliece_PublicKey::algorithm_identifier
AlgorithmIdentifier algorithm_identifier() const override
Definition mceliece_key.cpp:76
Botan::McEliece_PublicKey::key_length
size_t key_length() const override
Definition mceliece_key.cpp:93
Botan::PK_Ops::KEM_Encryption_with_KDF
Definition pk_ops_impl.h:121
Botan::Provider_Not_Found
Definition exceptn.h:262
Botan::RandomNumberGenerator::randomize
void randomize(std::span< uint8_t > output)
Definition rng.h:52
Botan::polyn_gf2m
Definition polyn_gf2m.h:26
final
int(* final)(unsigned char *, CTX *)
Definition commoncrypto_hash.cpp:29
Botan::mceliece_decrypt
void mceliece_decrypt(secure_vector< uint8_t > &plaintext_out, secure_vector< uint8_t > &error_mask_out, const secure_vector< uint8_t > &ciphertext, const McEliece_PrivateKey &key)
Definition goppa_code.cpp:117
Botan::mceliece_encrypt
void mceliece_encrypt(secure_vector< uint8_t > &ciphertext_out, secure_vector< uint8_t > &error_mask_out, const secure_vector< uint8_t > &plaintext, const McEliece_PublicKey &key, RandomNumberGenerator &rng)
Definition mceliece.cpp:109
Botan::generate_mceliece_key
McEliece_PrivateKey generate_mceliece_key(RandomNumberGenerator &rng, size_t ext_deg, size_t code_length, size_t t)
Definition code_based_key_gen.cpp:184
Botan::mceliece_work_factor
size_t mceliece_work_factor(size_t n, size_t t)
Definition mce_workfactor.cpp:89
Botan::secure_vector
std::vector< T, secure_allocator< T > > secure_vector
Definition secmem.h:61
Botan::bit_size_to_32bit_size
size_t bit_size_to_32bit_size(size_t bit_size)
Definition code_based_util.h:46
Botan::ceil_log2
constexpr uint8_t ceil_log2(T x)
Definition bit_ops.h:122
Botan::gf2m
uint16_t gf2m
Definition gf2m_small_m.h:20
Generated by doxygen 1.10.0