diff options
| author | Romain Francoise <rfrancoise@debian.org> | 2014-04-15 19:34:32 +0200 |
|---|---|---|
| committer | Romain Francoise <rfrancoise@debian.org> | 2014-04-15 19:34:32 +0200 |
| commit | c5ebfc7b9c16551fe825dc1d79c3f7e2f096f6c9 (patch) | |
| tree | d4e2118cbd411caa1a0528eac831030109bc6e65 /src/libstrongswan/plugins/ntru | |
| parent | 15fb7904f4431a6e7c305fd08732458f7f885e7e (diff) | |
| download | vyos-strongswan-c5ebfc7b9c16551fe825dc1d79c3f7e2f096f6c9.tar.gz vyos-strongswan-c5ebfc7b9c16551fe825dc1d79c3f7e2f096f6c9.zip | |
Import upstream version 5.1.3
Diffstat (limited to 'src/libstrongswan/plugins/ntru')
24 files changed, 2384 insertions, 3283 deletions
diff --git a/src/libstrongswan/plugins/ntru/Makefile.am b/src/libstrongswan/plugins/ntru/Makefile.am index b33cbc8c9..e241554b5 100644 --- a/src/libstrongswan/plugins/ntru/Makefile.am +++ b/src/libstrongswan/plugins/ntru/Makefile.am @@ -12,21 +12,15 @@ endif libstrongswan_ntru_la_SOURCES = \ ntru_plugin.h ntru_plugin.c \ + ntru_convert.h ntru_convert.c \ ntru_drbg.h ntru_drbg.c \ ntru_ke.h ntru_ke.c \ ntru_mgf1.h ntru_mgf1.c \ + ntru_param_set.h ntru_param_set.c \ ntru_poly.h ntru_poly.c \ - ntru_trits.h ntru_trits.c \ - ntru_crypto/ntru_crypto.h \ - ntru_crypto/ntru_crypto_ntru_convert.h \ - ntru_crypto/ntru_crypto_ntru_convert.c \ - ntru_crypto/ntru_crypto_ntru_encrypt.c \ - ntru_crypto/ntru_crypto_ntru_encrypt_key.h \ - ntru_crypto/ntru_crypto_ntru_encrypt_key.c \ - ntru_crypto/ntru_crypto_ntru_encrypt_param_sets.h \ - ntru_crypto/ntru_crypto_ntru_encrypt_param_sets.c \ - ntru_crypto/ntru_crypto_ntru_poly.h \ - ntru_crypto/ntru_crypto_ntru_poly.c + ntru_public_key.h ntru_public_key.c \ + ntru_private_key.h ntru_private_key.c \ + ntru_trits.h ntru_trits.c libstrongswan_ntru_la_LDFLAGS = -module -avoid-version diff --git a/src/libstrongswan/plugins/ntru/Makefile.in b/src/libstrongswan/plugins/ntru/Makefile.in index af192d203..38258048f 100644 --- a/src/libstrongswan/plugins/ntru/Makefile.in +++ b/src/libstrongswan/plugins/ntru/Makefile.in @@ -128,14 +128,10 @@ am__uninstall_files_from_dir = { \ am__installdirs = "$(DESTDIR)$(plugindir)" LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES) libstrongswan_ntru_la_LIBADD = -am__dirstamp = $(am__leading_dot)dirstamp -am_libstrongswan_ntru_la_OBJECTS = ntru_plugin.lo ntru_drbg.lo \ - ntru_ke.lo ntru_mgf1.lo ntru_poly.lo ntru_trits.lo \ - ntru_crypto/ntru_crypto_ntru_convert.lo \ - ntru_crypto/ntru_crypto_ntru_encrypt.lo \ - ntru_crypto/ntru_crypto_ntru_encrypt_key.lo \ - ntru_crypto/ntru_crypto_ntru_encrypt_param_sets.lo \ - ntru_crypto/ntru_crypto_ntru_poly.lo +am_libstrongswan_ntru_la_OBJECTS = ntru_plugin.lo ntru_convert.lo \ + ntru_drbg.lo ntru_ke.lo ntru_mgf1.lo ntru_param_set.lo \ + ntru_poly.lo ntru_public_key.lo ntru_private_key.lo \ + ntru_trits.lo libstrongswan_ntru_la_OBJECTS = $(am_libstrongswan_ntru_la_OBJECTS) AM_V_lt = $(am__v_lt_@AM_V@) am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) @@ -377,7 +373,6 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ -openac_plugins = @openac_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ @@ -427,21 +422,15 @@ AM_CFLAGS = \ @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-ntru.la libstrongswan_ntru_la_SOURCES = \ ntru_plugin.h ntru_plugin.c \ + ntru_convert.h ntru_convert.c \ ntru_drbg.h ntru_drbg.c \ ntru_ke.h ntru_ke.c \ ntru_mgf1.h ntru_mgf1.c \ + ntru_param_set.h ntru_param_set.c \ ntru_poly.h ntru_poly.c \ - ntru_trits.h ntru_trits.c \ - ntru_crypto/ntru_crypto.h \ - ntru_crypto/ntru_crypto_ntru_convert.h \ - ntru_crypto/ntru_crypto_ntru_convert.c \ - ntru_crypto/ntru_crypto_ntru_encrypt.c \ - ntru_crypto/ntru_crypto_ntru_encrypt_key.h \ - ntru_crypto/ntru_crypto_ntru_encrypt_key.c \ - ntru_crypto/ntru_crypto_ntru_encrypt_param_sets.h \ - ntru_crypto/ntru_crypto_ntru_encrypt_param_sets.c \ - ntru_crypto/ntru_crypto_ntru_poly.h \ - ntru_crypto/ntru_crypto_ntru_poly.c + ntru_public_key.h ntru_public_key.c \ + ntru_private_key.h ntru_private_key.c \ + ntru_trits.h ntru_trits.c libstrongswan_ntru_la_LDFLAGS = -module -avoid-version all: all-am @@ -524,47 +513,26 @@ clean-pluginLTLIBRARIES: echo rm -f $${locs}; \ rm -f $${locs}; \ } -ntru_crypto/$(am__dirstamp): - @$(MKDIR_P) ntru_crypto - @: > ntru_crypto/$(am__dirstamp) -ntru_crypto/$(DEPDIR)/$(am__dirstamp): - @$(MKDIR_P) ntru_crypto/$(DEPDIR) - @: > ntru_crypto/$(DEPDIR)/$(am__dirstamp) -ntru_crypto/ntru_crypto_ntru_convert.lo: ntru_crypto/$(am__dirstamp) \ - ntru_crypto/$(DEPDIR)/$(am__dirstamp) -ntru_crypto/ntru_crypto_ntru_encrypt.lo: ntru_crypto/$(am__dirstamp) \ - ntru_crypto/$(DEPDIR)/$(am__dirstamp) -ntru_crypto/ntru_crypto_ntru_encrypt_key.lo: \ - ntru_crypto/$(am__dirstamp) \ - ntru_crypto/$(DEPDIR)/$(am__dirstamp) -ntru_crypto/ntru_crypto_ntru_encrypt_param_sets.lo: \ - ntru_crypto/$(am__dirstamp) \ - ntru_crypto/$(DEPDIR)/$(am__dirstamp) -ntru_crypto/ntru_crypto_ntru_poly.lo: ntru_crypto/$(am__dirstamp) \ - ntru_crypto/$(DEPDIR)/$(am__dirstamp) libstrongswan-ntru.la: $(libstrongswan_ntru_la_OBJECTS) $(libstrongswan_ntru_la_DEPENDENCIES) $(EXTRA_libstrongswan_ntru_la_DEPENDENCIES) $(AM_V_CCLD)$(libstrongswan_ntru_la_LINK) $(am_libstrongswan_ntru_la_rpath) $(libstrongswan_ntru_la_OBJECTS) $(libstrongswan_ntru_la_LIBADD) $(LIBS) mostlyclean-compile: -rm -f *.$(OBJEXT) - -rm -f ntru_crypto/*.$(OBJEXT) - -rm -f ntru_crypto/*.lo distclean-compile: -rm -f *.tab.c +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ntru_convert.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ntru_drbg.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ntru_ke.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ntru_mgf1.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ntru_param_set.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ntru_plugin.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ntru_poly.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ntru_private_key.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ntru_public_key.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ntru_trits.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@ntru_crypto/$(DEPDIR)/ntru_crypto_ntru_convert.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@ntru_crypto/$(DEPDIR)/ntru_crypto_ntru_encrypt.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@ntru_crypto/$(DEPDIR)/ntru_crypto_ntru_encrypt_key.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@ntru_crypto/$(DEPDIR)/ntru_crypto_ntru_encrypt_param_sets.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@ntru_crypto/$(DEPDIR)/ntru_crypto_ntru_poly.Plo@am__quote@ .c.o: @am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\ @@ -595,7 +563,6 @@ mostlyclean-libtool: clean-libtool: -rm -rf .libs _libs - -rm -rf ntru_crypto/.libs ntru_crypto/_libs ID: $(am__tagged_files) $(am__define_uniq_tagged_files); mkid -fID $$unique @@ -712,8 +679,6 @@ clean-generic: distclean-generic: -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) - -rm -f ntru_crypto/$(DEPDIR)/$(am__dirstamp) - -rm -f ntru_crypto/$(am__dirstamp) maintainer-clean-generic: @echo "This command is intended for maintainers to use" @@ -724,7 +689,7 @@ clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \ clean-pluginLTLIBRARIES mostlyclean-am distclean: distclean-am - -rm -rf ./$(DEPDIR) ntru_crypto/$(DEPDIR) + -rm -rf ./$(DEPDIR) -rm -f Makefile distclean-am: clean-am distclean-compile distclean-generic \ distclean-tags @@ -770,7 +735,7 @@ install-ps-am: installcheck-am: maintainer-clean: maintainer-clean-am - -rm -rf ./$(DEPDIR) ntru_crypto/$(DEPDIR) + -rm -rf ./$(DEPDIR) -rm -f Makefile maintainer-clean-am: distclean-am maintainer-clean-generic diff --git a/src/libstrongswan/plugins/ntru/ntru_convert.c b/src/libstrongswan/plugins/ntru/ntru_convert.c new file mode 100644 index 000000000..6330b2e39 --- /dev/null +++ b/src/libstrongswan/plugins/ntru/ntru_convert.c @@ -0,0 +1,452 @@ +/* + * Copyright (C) 2014 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * Copyright (C) 2009-2013 Security Innovation + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include <stdlib.h> +#include <string.h> + +#include "ntru_convert.h" + +/** + * 3-bit to 2-trit conversion tables: 2 represents -1 + */ +static uint8_t const bits_2_trit1[] = {0, 0, 0, 1, 1, 1, 2, 2}; +static uint8_t const bits_2_trit2[] = {0, 1, 2, 0, 1, 2, 0, 1}; + +/** + * See header. + */ +void ntru_bits_2_trits(uint8_t const *octets, uint16_t num_trits, uint8_t *trits) +{ + uint32_t bits24, bits3, shift; + + while (num_trits >= 16) + { + /* get next three octets */ + bits24 = ((uint32_t)(*octets++)) << 16; + bits24 |= ((uint32_t)(*octets++)) << 8; + bits24 |= (uint32_t)(*octets++); + + /* for each 3 bits in the three octets, output 2 trits */ + bits3 = (bits24 >> 21) & 0x7; + *trits++ = bits_2_trit1[bits3]; + *trits++ = bits_2_trit2[bits3]; + + bits3 = (bits24 >> 18) & 0x7; + *trits++ = bits_2_trit1[bits3]; + *trits++ = bits_2_trit2[bits3]; + + bits3 = (bits24 >> 15) & 0x7; + *trits++ = bits_2_trit1[bits3]; + *trits++ = bits_2_trit2[bits3]; + + bits3 = (bits24 >> 12) & 0x7; + *trits++ = bits_2_trit1[bits3]; + *trits++ = bits_2_trit2[bits3]; + + bits3 = (bits24 >> 9) & 0x7; + *trits++ = bits_2_trit1[bits3]; + *trits++ = bits_2_trit2[bits3]; + + bits3 = (bits24 >> 6) & 0x7; + *trits++ = bits_2_trit1[bits3]; + *trits++ = bits_2_trit2[bits3]; + + bits3 = (bits24 >> 3) & 0x7; + *trits++ = bits_2_trit1[bits3]; + *trits++ = bits_2_trit2[bits3]; + + bits3 = bits24 & 0x7; + *trits++ = bits_2_trit1[bits3]; + *trits++ = bits_2_trit2[bits3]; + + num_trits -= 16; + } + if (num_trits == 0) + { + return; + } + + /* get three octets */ + bits24 = ((uint32_t)(*octets++)) << 16; + bits24 |= ((uint32_t)(*octets++)) << 8; + bits24 |= (uint32_t)(*octets++); + + shift = 21; + while (num_trits) + { + /** + * for each 3 bits in the three octets, output up to 2 trits + * until all trits needed are produced + */ + bits3 = (bits24 >> shift) & 0x7; + shift -= 3; + *trits++ = bits_2_trit1[bits3]; + if (--num_trits) + { + *trits++ = bits_2_trit2[bits3]; + --num_trits; + } + } +} + +/** + * See header. + */ +bool ntru_trits_2_bits(uint8_t const *trits, uint32_t num_trits, uint8_t *octets) +{ + bool all_trits_valid = TRUE; + uint32_t bits24, bits3, shift; + + while (num_trits >= 16) + { + /* convert each 2 trits to 3 bits and pack */ + bits3 = *trits++ * 3; + bits3 += *trits++; + if (bits3 > 7) + { + bits3 = 7; + all_trits_valid = FALSE; + } + bits24 = (bits3 << 21); + + bits3 = *trits++ * 3; + bits3 += *trits++; + if (bits3 > 7) + { + bits3 = 7; + all_trits_valid = FALSE; + } + bits24 |= (bits3 << 18); + + bits3 = *trits++ * 3; + bits3 += *trits++; + if (bits3 > 7) + { + bits3 = 7; + all_trits_valid = FALSE; + } + bits24 |= (bits3 << 15); + + bits3 = *trits++ * 3; + bits3 += *trits++; + if (bits3 > 7) + { + bits3 = 7; + all_trits_valid = FALSE; + } + bits24 |= (bits3 << 12); + + bits3 = *trits++ * 3; + bits3 += *trits++; + if (bits3 > 7) + { + bits3 = 7; + all_trits_valid = FALSE; + } + bits24 |= (bits3 << 9); + + bits3 = *trits++ * 3; + bits3 += *trits++; + if (bits3 > 7) + { + bits3 = 7; + all_trits_valid = FALSE; + } + bits24 |= (bits3 << 6); + + bits3 = *trits++ * 3; + bits3 += *trits++; + if (bits3 > 7) + { + bits3 = 7; + all_trits_valid = FALSE; + } + bits24 |= (bits3 << 3); + + bits3 = *trits++ * 3; + bits3 += *trits++; + if (bits3 > 7) + { + bits3 = 7; + all_trits_valid = FALSE; + } + bits24 |= bits3; + + num_trits -= 16; + + /* output three octets */ + *octets++ = (uint8_t)((bits24 >> 16) & 0xff); + *octets++ = (uint8_t)((bits24 >> 8) & 0xff); + *octets++ = (uint8_t)(bits24 & 0xff); + } + + bits24 = 0; + shift = 21; + while (num_trits) + { + /* convert each 2 trits to 3 bits and pack */ + bits3 = *trits++ * 3; + if (--num_trits) + { + bits3 += *trits++; + --num_trits; + } + if (bits3 > 7) + { + bits3 = 7; + all_trits_valid = FALSE; + } + bits24 |= (bits3 << shift); + shift -= 3; + } + + /* output three octets */ + *octets++ = (uint8_t)((bits24 >> 16) & 0xff); + *octets++ = (uint8_t)((bits24 >> 8) & 0xff); + *octets++ = (uint8_t)(bits24 & 0xff); + + return all_trits_valid; +} + +/** + * See header + */ +void ntru_coeffs_mod4_2_octets(uint16_t num_coeffs, uint16_t const *coeffs, uint8_t *octets) +{ + uint8_t bits2; + int shift, i; + + *octets = 0; + shift = 6; + for (i = 0; i < num_coeffs; i++) + { + bits2 = (uint8_t)(coeffs[i] & 0x3); + *octets |= bits2 << shift; + shift -= 2; + if (shift < 0) + { + ++octets; + *octets = 0; + shift = 6; + } + } +} + +/** + * See header. + */ +void ntru_trits_2_octet(uint8_t const *trits, uint8_t *octet) +{ + int i; + + *octet = 0; + for (i = 4; i >= 0; i--) + { + *octet = (*octet * 3) + trits[i]; + } +} + +/** + * See header. + */ +void ntru_octet_2_trits(uint8_t octet, uint8_t *trits) +{ + int i; + + for (i = 0; i < 5; i++) + { + trits[i] = octet % 3; + octet = (octet - trits[i]) / 3; + } +} + +/** + * See header. + */ +void ntru_indices_2_trits(uint16_t in_len, uint16_t const *in, bool plus1, + uint8_t *out) +{ + uint8_t trit = plus1 ? 1 : 2; + int i; + + for (i = 0; i < in_len; i++) + { + out[in[i]] = trit; + } +} + +/** + * See header. + */ +void ntru_packed_trits_2_indices(uint8_t const *in, uint16_t num_trits, + uint16_t *indices_plus1, + uint16_t *indices_minus1) +{ + uint8_t trits[5]; + uint16_t i = 0; + int j; + + while (num_trits >= 5) + { + ntru_octet_2_trits(*in++, trits); + num_trits -= 5; + for (j = 0; j < 5; j++, i++) + { + if (trits[j] == 1) + { + *indices_plus1 = i; + ++indices_plus1; + } + else if (trits[j] == 2) + { + *indices_minus1 = i; + ++indices_minus1; + } + } + } + if (num_trits) + { + ntru_octet_2_trits(*in, trits); + for (j = 0; num_trits && (j < 5); j++, i++) + { + if (trits[j] == 1) + { + *indices_plus1 = i; + ++indices_plus1; + } + else if (trits[j] == 2) + { + *indices_minus1 = i; + ++indices_minus1; + } + --num_trits; + } + } +} + +/** + * See header. + */ +void ntru_indices_2_packed_trits(uint16_t const *indices, uint16_t num_plus1, + uint16_t num_minus1, uint16_t num_trits, + uint8_t *buf, uint8_t *out) +{ + /* convert indices to an array of trits */ + memset(buf, 0, num_trits); + ntru_indices_2_trits(num_plus1, indices, TRUE, buf); + ntru_indices_2_trits(num_minus1, indices + num_plus1, FALSE, buf); + + /* pack the array of trits */ + while (num_trits >= 5) + { + ntru_trits_2_octet(buf, out); + num_trits -= 5; + buf += 5; + ++out; + } + if (num_trits) + { + uint8_t trits[5]; + + memcpy(trits, buf, num_trits); + memset(trits + num_trits, 0, sizeof(trits) - num_trits); + ntru_trits_2_octet(trits, out); + } +} + +/** + * See header + */ +void ntru_elements_2_octets(uint16_t in_len, uint16_t const *in, uint8_t n_bits, + uint8_t *out) +{ + uint16_t temp; + int shift, i; + + /* pack */ + temp = 0; + shift = n_bits - 8; + i = 0; + while (i < in_len) + { + /* add bits to temp to fill an octet and output the octet */ + temp |= in[i] >> shift; + *out++ = (uint8_t)(temp & 0xff); + shift = 8 - shift; + if (shift < 1) + { + /* next full octet is in current input word */ + shift += n_bits; + temp = 0; + } + else + { + /* put remaining bits of input word in temp as partial octet, + * and increment index to next input word + */ + temp = in[i] << (uint16_t)shift; + ++i; + } + shift = n_bits - shift; + } + + /* output any bits remaining in last input word */ + if (shift != n_bits - 8) + { + *out++ = (uint8_t)(temp & 0xff); + } +} + + +/** + * See header. + */ +void ntru_octets_2_elements(uint16_t in_len, uint8_t const *in, uint8_t n_bits, + uint16_t *out) +{ + uint16_t temp; + uint16_t mask = (1 << n_bits) - 1; + int shift, i; + + /* unpack */ + temp = 0; + shift = n_bits; + i = 0; + while (i < in_len) + { + shift = 8 - shift; + if (shift < 0) + { + /* the current octet will not fill the current element */ + shift += n_bits; + } + else + { + /* add bits from the current octet to fill the current element and + * output the element + */ + temp |= ((uint16_t)in[i]) >> shift; + *out++ = temp & mask; + temp = 0; + } + + /* add the remaining bits of the current octet to start an element */ + shift = n_bits - shift; + temp |= ((uint16_t)in[i]) << shift; + ++i; + } +} diff --git a/src/libstrongswan/plugins/ntru/ntru_convert.h b/src/libstrongswan/plugins/ntru/ntru_convert.h new file mode 100644 index 000000000..31594b1f6 --- /dev/null +++ b/src/libstrongswan/plugins/ntru/ntru_convert.h @@ -0,0 +1,147 @@ +/* + * Copyright (C) 2014 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * Copyright (C) 2009-2013 Security Innovation + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup ntru_convert ntru_convert + * @{ @ingroup ntru_p + */ + +#ifndef NTRU_CONVERT_H_ +#define NTRU_CONVERT_H_ + +#include <library.h> + +/** + * Each 3 bits in an array of octets is converted to 2 trits in an array + * of trits. + * + * @param octets pointer to array of octets + * @param num_trits number of trits to produce + * @param trits address for array of trits + */ +void ntru_bits_2_trits(uint8_t const *octets, uint16_t num_trits, + uint8_t *trits); + +/** + * Each 2 trits in an array of trits is converted to 3 bits, and the bits + * are packed in an array of octets. A multiple of 3 octets is output. + * Any bits in the final octets not derived from trits are zero. + * + * @param trits pointer to array of trits + * @param num_trits number of trits to convert + * @param octets address for array of octets + * @return TRUE if all trits were valid + * FALSE if invalid trits were found + */ +bool ntru_trits_2_bits(uint8_t const *trits, uint32_t num_trits, + uint8_t *octets); + +/** + * Takes an array of coefficients mod 4 and packs the results into an + * octet string. + * + * @param num_coeffs number of coefficients + * @param coeffs pointer to coefficients + * @param octets address for octets + */ +void ntru_coeffs_mod4_2_octets(uint16_t num_coeffs, uint16_t const *coeffs, + uint8_t *octets); + +/** + * Packs 5 trits in an octet, where a trit is 0, 1, or 2 (-1). + * + * @param trits pointer to trits + * @param octet address for octet + */ +void ntru_trits_2_octet(uint8_t const *trits, uint8_t *octet); + +/** + * Unpacks an octet to 5 trits, where a trit is 0, 1, or 2 (-1). + * + * @param octet octet to be unpacked + * @param trits address for trits + */ +void ntru_octet_2_trits(uint8_t octet, uint8_t *trits); + +/** + * + * Converts a list of the nonzero indices of a polynomial into an array of + * trits. + * + * @param in_len no. of indices + * @param in pointer to list of indices + * @param plus1 if list is +1 coefficients + * @param out address of output polynomial + */ +void ntru_indices_2_trits(uint16_t in_len, uint16_t const *in, bool plus1, + uint8_t *out); + +/** + * Unpacks an array of N trits and creates a list of array indices + * corresponding to trits = +1, and list of array indices corresponding to + * trits = -1. + * + * @param in pointer to packed-trit octets + * @param num_trits no. of packed trits + * @param indices_plus1 address for indices of +1 trits + * @param indices_minus1 address for indices of -1 trits + */ +void ntru_packed_trits_2_indices(uint8_t const *in, uint16_t num_trits, + uint16_t *indices_plus1, + uint16_t *indices_minus1); + +/** + * Takes a list of array indices corresponding to elements whose values + * are +1 or -1, and packs the N-element array of trits described by these + * lists into octets, 5 trits per octet. + * + * @param indices pointer to indices + * @param num_plus1 no. of indices for +1 trits + * @param num_minus1 no. of indices for -1 trits + * @param num_trits N, no. of trits in array + * @param buf temp buf, N octets + * @param out address for packed octet + */ +void ntru_indices_2_packed_trits(uint16_t const *indices, uint16_t num_plus1, + uint16_t num_minus1, uint16_t num_trits, + uint8_t *buf, uint8_t *out); + +/** + * Packs an array of n-bit elements into an array of + * ((in_len * n_bits) + 7) / 8 octets, 8 < n_bits < 16. + * + * @param in_len no. of elements to be packed + * @param in ptr to elements to be packed + * @param n_bits no. of bits in input element + * @param out addr for output octets + */ +void ntru_elements_2_octets(uint16_t in_len, uint16_t const *in, uint8_t n_bits, + uint8_t *out); + +/** + * Unpacks an octet string into an array of ((in_len * 8) / n_bits) + * n-bit elements, 8 < n < 16. Any extra bits are discarded. + * + * @param in_len no. of octets to be unpacked + * @param in ptr to octets to be unpacked + * @param n_bits no. of bits in output element + * @param out addr for output elements + */ +void ntru_octets_2_elements(uint16_t in_len, uint8_t const *in, uint8_t n_bits, + uint16_t *out); + +#endif /** NTRU_CONVERT_H_ @}*/ diff --git a/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto.h b/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto.h deleted file mode 100644 index 72f47035e..000000000 --- a/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto.h +++ /dev/null @@ -1,235 +0,0 @@ -/****************************************************************************** - * NTRU Cryptography Reference Source Code - * Copyright (c) 2009-2013, by Security Innovation, Inc. All rights reserved. - * - * ntru_crypto.h is a component of ntru-crypto. - * - * Copyright (C) 2009-2013 Security Innovation - * - * This program is free software; you can redistribute it and/or - * modify it under the terms of the GNU General Public License - * as published by the Free Software Foundation; either version 2 - * of the License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. - * - *****************************************************************************/ - - -/****************************************************************************** - * - * File: ntru_crypto.h - * - * Contents: Public header file for NTRUEncrypt. - * - *****************************************************************************/ - -#ifndef NTRU_CRYPTO_H -#define NTRU_CRYPTO_H - -#include <library.h> - -#include "ntru_drbg.h" - -#if !defined( NTRUCALL ) - #if !defined(WIN32) || defined (NTRUCRYPTO_STATIC) - // Linux, or a Win32 static library - #define NTRUCALL extern uint32_t - #elif defined (NTRUCRYPTO_EXPORTS) - // Win32 DLL build - #define NTRUCALL extern __declspec(dllexport) uint32_t - #else - // Win32 DLL import - #define NTRUCALL extern __declspec(dllimport) uint32_t - #endif -#endif /* NTRUCALL */ - -/* parameter set ID list */ - -typedef enum _NTRU_ENCRYPT_PARAM_SET_ID { - NTRU_EES401EP1, - NTRU_EES449EP1, - NTRU_EES677EP1, - NTRU_EES1087EP2, - NTRU_EES541EP1, - NTRU_EES613EP1, - NTRU_EES887EP1, - NTRU_EES1171EP1, - NTRU_EES659EP1, - NTRU_EES761EP1, - NTRU_EES1087EP1, - NTRU_EES1499EP1, - NTRU_EES401EP2, - NTRU_EES439EP1, - NTRU_EES593EP1, - NTRU_EES743EP1, -} NTRU_ENCRYPT_PARAM_SET_ID; - - -/* error codes */ - -#define NTRU_OK 0 -#define NTRU_FAIL 1 -#define NTRU_BAD_PARAMETER 2 -#define NTRU_BAD_LENGTH 3 -#define NTRU_BUFFER_TOO_SMALL 4 -#define NTRU_INVALID_PARAMETER_SET 5 -#define NTRU_BAD_PUBLIC_KEY 6 -#define NTRU_BAD_PRIVATE_KEY 7 -#define NTRU_OUT_OF_MEMORY 8 -#define NTRU_BAD_ENCODING 9 -#define NTRU_OID_NOT_RECOGNIZED 10 -#define NTRU_DRBG_FAIL 11 -#define NTRU_MGF1_FAIL 12 - -/* function declarations */ - -/* ntru_crypto_ntru_encrypt - * - * Implements NTRU encryption (SVES) for the parameter set specified in - * the public key blob. - * - * Before invoking this function, a DRBG must be instantiated using - * ntru_crypto_drbg_instantiate() to obtain a DRBG handle, and in that - * instantiation the requested security strength must be at least as large - * as the security strength of the NTRU parameter set being used. - * Failure to instantiate the DRBG with the proper security strength will - * result in this function returning DRBG_ERROR_BASE + DRBG_BAD_LENGTH. - * - * The required minimum size of the output ciphertext buffer (ct) may be - * queried by invoking this function with ct = NULL. In this case, no - * encryption is performed, NTRU_OK is returned, and the required minimum - * size for ct is returned in ct_len. - * - * When ct != NULL, at invocation *ct_len must be the size of the ct buffer. - * Upon return it is the actual size of the ciphertext. - * - * Returns NTRU_OK if successful. - * Returns NTRU_DRBG_FAIL if the DRBG handle is invalid. - * Returns NTRU_BAD_PARAMETER if an argument pointer (other than ct) is NULL. - * Returns NTRU_BAD_LENGTH if a length argument (pubkey_blob_len or pt_len) is - * zero, or if pt_len exceeds the maximum plaintext length for the parameter set. - * Returns NTRU_BAD_PUBLIC_KEY if the public-key blob is invalid - * (unknown format, corrupt, bad length). - * Returns NTRU_BUFFER_TOO_SMALL if the ciphertext buffer is too small. - * Returns NTRU_NO_MEMORY if memory needed cannot be allocated from the heap. - */ - -NTRUCALL -ntru_crypto_ntru_encrypt( - ntru_drbg_t *drbg , /* in - handle for DRBG */ - uint16_t pubkey_blob_len, /* in - no. of octets in public key - blob */ - uint8_t const *pubkey_blob, /* in - pointer to public key */ - uint16_t pt_len, /* in - no. of octets in plaintext */ - uint8_t const *pt, /* in - pointer to plaintext */ - uint16_t *ct_len, /* in/out - no. of octets in ct, addr for - no. of octets in ciphertext */ - uint8_t *ct); /* out - address for ciphertext */ - - -/* ntru_crypto_ntru_decrypt - * - * Implements NTRU decryption (SVES) for the parameter set specified in - * the private key blob. - * - * The maximum size of the output plaintext may be queried by invoking - * this function with pt = NULL. In this case, no decryption is performed, - * NTRU_OK is returned, and the maximum size the plaintext could be is - * returned in pt_len. - * Note that until the decryption is performed successfully, the actual size - * of the resulting plaintext cannot be known. - * - * When pt != NULL, at invocation *pt_len must be the size of the pt buffer. - * Upon return it is the actual size of the plaintext. - * - * Returns NTRU_OK if successful. - * Returns NTRU_BAD_PARAMETER if an argument pointer (other than pt) is NULL. - * Returns NTRU_BAD_LENGTH if a length argument (privkey_blob) is zero, or if - * ct_len is invalid for the parameter set. - * Returns NTRU_BAD_PRIVATE_KEY if the private-key blob is invalid - * (unknown format, corrupt, bad length). - * Returns NTRU_BUFFER_TOO_SMALL if the plaintext buffer is too small. - * Returns NTRU_NO_MEMORY if memory needed cannot be allocated from the heap. - * Returns NTRU_FAIL if a decryption error occurs. - */ - -NTRUCALL -ntru_crypto_ntru_decrypt( - uint16_t privkey_blob_len, /* in - no. of octets in private key - blob */ - uint8_t const *privkey_blob, /* in - pointer to private key */ - uint16_t ct_len, /* in - no. of octets in ciphertext */ - uint8_t const *ct, /* in - pointer to ciphertext */ - uint16_t *pt_len, /* in/out - no. of octets in pt, addr for - no. of octets in plaintext */ - uint8_t *pt); /* out - address for plaintext */ - - -/* ntru_crypto_ntru_encrypt_keygen - * - * Implements key generation for NTRUEncrypt for the parameter set specified. - * - * Before invoking this function, a DRBG must be instantiated using - * ntru_crypto_drbg_instantiate() to obtain a DRBG handle, and in that - * instantiation the requested security strength must be at least as large - * as the security strength of the NTRU parameter set being used. - * Failure to instantiate the DRBG with the proper security strength will - * result in this function returning NTRU_DRBG_FAIL. - * - * The required minimum size of the output public-key buffer (pubkey_blob) - * may be queried by invoking this function with pubkey_blob = NULL. - * In this case, no key generation is performed, NTRU_OK is returned, and - * the required minimum size for pubkey_blob is returned in pubkey_blob_len. - * - * The required minimum size of the output private-key buffer (privkey_blob) - * may be queried by invoking this function with privkey_blob = NULL. - * In this case, no key generation is performed, NTRU_OK is returned, and - * the required minimum size for privkey_blob is returned in privkey_blob_len. - * - * The required minimum sizes of both pubkey_blob and privkey_blob may be - * queried as described above, in a single invocation of this function. - * - * When pubkey_blob != NULL and privkey_blob != NULL, at invocation - * *pubkey_blob_len must be the size of the pubkey_blob buffer and - * *privkey_blob_len must be the size of the privkey_blob buffer. - * Upon return, *pubkey_blob_len is the actual size of the public-key blob - * and *privkey_blob_len is the actual size of the private-key blob. - * - * Returns NTRU_OK if successful. - * Returns NTRU_BAD_PARAMETER if an argument pointer (other than pubkey_blob - * or privkey_blob) is NULL. - * Returns NTRU_INVALID_PARAMETER_SET if the parameter-set ID is invalid. - * Returns NTRU_BAD_LENGTH if a length argument is invalid. - * Returns NTRU_BUFFER_TOO_SMALL if either the pubkey_blob buffer or the - * privkey_blob buffer is too small. - * Returns NTRU_NO_MEMORY if memory needed cannot be allocated from the heap. - * Returns NTRU_FAIL if the polynomial generated for f is not invertible in - * (Z/qZ)[X]/(X^N - 1), which is extremely unlikely. - * Should this occur, this function should simply be invoked again. - */ - -NTRUCALL -ntru_crypto_ntru_encrypt_keygen( - ntru_drbg_t *drbg, /* in - handle of DRBG */ - NTRU_ENCRYPT_PARAM_SET_ID param_set_id, /* in - parameter set ID */ - uint16_t *pubkey_blob_len, /* in/out - no. of octets in - pubkey_blob, addr - for no. of octets - in pubkey_blob */ - uint8_t *pubkey_blob, /* out - address for - public key blob */ - uint16_t *privkey_blob_len, /* in/out - no. of octets in - privkey_blob, addr - for no. of octets - in privkey_blob */ - uint8_t *privkey_blob); /* out - address for - private key blob */ -#endif /* NTRU_CRYPTO_H */ diff --git a/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_convert.c b/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_convert.c deleted file mode 100644 index 3d6dfde41..000000000 --- a/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_convert.c +++ /dev/null @@ -1,581 +0,0 @@ -/****************************************************************************** - * NTRU Cryptography Reference Source Code - * Copyright (c) 2009-2013, by Security Innovation, Inc. All rights reserved. - * - * ntru_crypto_ntru_convert.c is a component of ntru-crypto. - * - * Copyright (C) 2009-2013 Security Innovation - * - * This program is free software; you can redistribute it and/or - * modify it under the terms of the GNU General Public License - * as published by the Free Software Foundation; either version 2 - * of the License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. - * - *****************************************************************************/ - -/****************************************************************************** - * - * File: ntru_crypto_ntru_convert.c - * - * Contents: Conversion routines for NTRUEncrypt, including packing, unpacking, - * and others. - * - *****************************************************************************/ - -#include <stdlib.h> -#include <string.h> -#include <assert.h> -#include "ntru_crypto_ntru_convert.h" - - -/* 3-bit to 2-trit conversion tables: 2 represents -1 */ - -static uint8_t const bits_2_trit1[] = {0, 0, 0, 1, 1, 1, 2, 2}; -static uint8_t const bits_2_trit2[] = {0, 1, 2, 0, 1, 2, 0, 1}; - - -/* ntru_bits_2_trits - * - * Each 3 bits in an array of octets is converted to 2 trits in an array - * of trits. - * - * The octet array may overlap the end of the trit array. - */ - -void -ntru_bits_2_trits( - uint8_t const *octets, /* in - pointer to array of octets */ - uint16_t num_trits, /* in - number of trits to produce */ - uint8_t *trits) /* out - address for array of trits */ -{ - uint32_t bits24; - uint32_t bits3; - uint32_t shift; - - assert(octets); - assert(trits); - - while (num_trits >= 16) { - - /* get next three octets */ - - bits24 = ((uint32_t)(*octets++)) << 16; - bits24 |= ((uint32_t)(*octets++)) << 8; - bits24 |= (uint32_t)(*octets++); - - /* for each 3 bits in the three octets, output 2 trits */ - - bits3 = (bits24 >> 21) & 0x7; - *trits++ = bits_2_trit1[bits3]; - *trits++ = bits_2_trit2[bits3]; - - bits3 = (bits24 >> 18) & 0x7; - *trits++ = bits_2_trit1[bits3]; - *trits++ = bits_2_trit2[bits3]; - - bits3 = (bits24 >> 15) & 0x7; - *trits++ = bits_2_trit1[bits3]; - *trits++ = bits_2_trit2[bits3]; - - bits3 = (bits24 >> 12) & 0x7; - *trits++ = bits_2_trit1[bits3]; - *trits++ = bits_2_trit2[bits3]; - - bits3 = (bits24 >> 9) & 0x7; - *trits++ = bits_2_trit1[bits3]; - *trits++ = bits_2_trit2[bits3]; - - bits3 = (bits24 >> 6) & 0x7; - *trits++ = bits_2_trit1[bits3]; - *trits++ = bits_2_trit2[bits3]; - - bits3 = (bits24 >> 3) & 0x7; - *trits++ = bits_2_trit1[bits3]; - *trits++ = bits_2_trit2[bits3]; - - bits3 = bits24 & 0x7; - *trits++ = bits_2_trit1[bits3]; - *trits++ = bits_2_trit2[bits3]; - - num_trits -= 16; - } - if (num_trits == 0) - return; - - /* get three octets */ - - bits24 = ((uint32_t)(*octets++)) << 16; - bits24 |= ((uint32_t)(*octets++)) << 8; - bits24 |= (uint32_t)(*octets++); - - shift = 21; - while (num_trits) { - - /* for each 3 bits in the three octets, output up to 2 trits - * until all trits needed are produced - */ - - bits3 = (bits24 >> shift) & 0x7; - shift -= 3; - *trits++ = bits_2_trit1[bits3]; - if (--num_trits) { - *trits++ = bits_2_trit2[bits3]; - --num_trits; - } - } -} - - -/* ntru_trits_2_bits - * - * Each 2 trits in an array of trits is converted to 3 bits, and the bits - * are packed in an array of octets. A multiple of 3 octets is output. - * Any bits in the final octets not derived from trits are zero. - * - * Returns TRUE if all trits were valid. - * Returns FALSE if invalid trits were found. - */ - -bool -ntru_trits_2_bits( - uint8_t const *trits, /* in - pointer to array of trits */ - uint32_t num_trits, /* in - number of trits to convert */ - uint8_t *octets) /* out - address for array of octets */ -{ - bool all_trits_valid = TRUE; - uint32_t bits24; - uint32_t bits3; - uint32_t shift; - - assert(octets); - assert(trits); - - while (num_trits >= 16) { - - /* convert each 2 trits to 3 bits and pack */ - - bits3 = *trits++ * 3; - bits3 += *trits++; - if (bits3 > 7) { - bits3 = 7; - all_trits_valid = FALSE; - } - bits24 = (bits3 << 21); - - bits3 = *trits++ * 3; - bits3 += *trits++; - if (bits3 > 7) { - bits3 = 7; - all_trits_valid = FALSE; - } - bits24 |= (bits3 << 18); - - bits3 = *trits++ * 3; - bits3 += *trits++; - if (bits3 > 7) { - bits3 = 7; - all_trits_valid = FALSE; - } - bits24 |= (bits3 << 15); - - bits3 = *trits++ * 3; - bits3 += *trits++; - if (bits3 > 7) { - bits3 = 7; - all_trits_valid = FALSE; - } - bits24 |= (bits3 << 12); - - bits3 = *trits++ * 3; - bits3 += *trits++; - if (bits3 > 7) { - bits3 = 7; - all_trits_valid = FALSE; - } - bits24 |= (bits3 << 9); - - bits3 = *trits++ * 3; - bits3 += *trits++; - if (bits3 > 7) { - bits3 = 7; - all_trits_valid = FALSE; - } - bits24 |= (bits3 << 6); - - bits3 = *trits++ * 3; - bits3 += *trits++; - if (bits3 > 7) { - bits3 = 7; - all_trits_valid = FALSE; - } - bits24 |= (bits3 << 3); - - bits3 = *trits++ * 3; - bits3 += *trits++; - if (bits3 > 7) { - bits3 = 7; - all_trits_valid = FALSE; - } - bits24 |= bits3; - - num_trits -= 16; - - /* output three octets */ - - *octets++ = (uint8_t)((bits24 >> 16) & 0xff); - *octets++ = (uint8_t)((bits24 >> 8) & 0xff); - *octets++ = (uint8_t)(bits24 & 0xff); - } - - bits24 = 0; - shift = 21; - while (num_trits) { - - /* convert each 2 trits to 3 bits and pack */ - - bits3 = *trits++ * 3; - if (--num_trits) { - bits3 += *trits++; - --num_trits; - } - if (bits3 > 7) { - bits3 = 7; - all_trits_valid = FALSE; - } - bits24 |= (bits3 << shift); - shift -= 3; - } - - /* output three octets */ - - *octets++ = (uint8_t)((bits24 >> 16) & 0xff); - *octets++ = (uint8_t)((bits24 >> 8) & 0xff); - *octets++ = (uint8_t)(bits24 & 0xff); - - return all_trits_valid; -} - - -/* ntru_coeffs_mod4_2_octets - * - * Takes an array of ring element coefficients mod 4 and packs the - * results into an octet string. - */ - -void -ntru_coeffs_mod4_2_octets( - uint16_t num_coeffs, /* in - number of coefficients */ - uint16_t const *coeffs, /* in - pointer to coefficients */ - uint8_t *octets) /* out - address for octets */ -{ - uint8_t bits2; - int shift; - uint16_t i; - - assert(coeffs); - assert(octets); - - *octets = 0; - shift = 6; - for (i = 0; i < num_coeffs; i++) { - bits2 = (uint8_t)(coeffs[i] & 0x3); - *octets |= bits2 << shift; - shift -= 2; - if (shift < 0) { - ++octets; - *octets = 0; - shift = 6; - } - } -} - - -/* ntru_trits_2_octet - * - * Packs 5 trits in an octet, where a trit is 0, 1, or 2 (-1). - */ - -void -ntru_trits_2_octet( - uint8_t const *trits, /* in - pointer to trits */ - uint8_t *octet) /* out - address for octet */ -{ - int i; - - assert(trits); - assert(octet); - - *octet = 0; - for (i = 4; i >= 0; i--) { - *octet = (*octet * 3) + trits[i]; - } -} - - -/* ntru_octet_2_trits - * - * Unpacks an octet to 5 trits, where a trit is 0, 1, or 2 (-1). - */ - -void -ntru_octet_2_trits( - uint8_t octet, /* in - octet to be unpacked */ - uint8_t *trits) /* out - address for trits */ -{ - int i; - - assert(trits); - - for (i = 0; i < 5; i++) { - trits[i] = octet % 3; - octet = (octet - trits[i]) / 3; - } -} - - -/* ntru_indices_2_trits - * - * Converts a list of the nonzero indices of a polynomial into an array of - * trits. - */ - -void -ntru_indices_2_trits( - uint16_t in_len, /* in - no. of indices */ - uint16_t const *in, /* in - pointer to list of indices */ - bool plus1, /* in - if list is +1 cofficients */ - uint8_t *out) /* out - address of output polynomial */ -{ - uint8_t trit = plus1 ? 1 : 2; - uint16_t i; - - assert(in); - assert(out); - - for (i = 0; i < in_len; i++) { - out[in[i]] = trit; - } -} - - -/* ntru_packed_trits_2_indices - * - * Unpacks an array of N trits and creates a list of array indices - * corresponding to trits = +1, and list of array indices corresponding to - * trits = -1. - */ - -void -ntru_packed_trits_2_indices( - uint8_t const *in, /* in - pointer to packed-trit octets */ - uint16_t num_trits, /* in - no. of packed trits */ - uint16_t *indices_plus1, /* out - address for indices of +1 trits */ - uint16_t *indices_minus1) /* out - address for indices of -1 trits */ -{ - uint8_t trits[5]; - uint16_t i = 0; - int j; - - assert(in); - assert(indices_plus1); - assert(indices_minus1); - - while (num_trits >= 5) { - ntru_octet_2_trits(*in++, trits); - num_trits -= 5; - for (j = 0; j < 5; j++, i++) { - if (trits[j] == 1) { - *indices_plus1 = i; - ++indices_plus1; - } else if (trits[j] == 2) { - *indices_minus1 = i; - ++indices_minus1; - } - } - } - if (num_trits) { - ntru_octet_2_trits(*in, trits); - for (j = 0; num_trits && (j < 5); j++, i++) { - if (trits[j] == 1) { - *indices_plus1 = i; - ++indices_plus1; - } else if (trits[j] == 2) { - *indices_minus1 = i; - ++indices_minus1; - } - --num_trits; - } - } -} - - -/* ntru_indices_2_packed_trits - * - * Takes a list of array indices corresponding to elements whose values - * are +1 or -1, and packs the N-element array of trits described by these - * lists into octets, 5 trits per octet. - */ - -void -ntru_indices_2_packed_trits( - uint16_t const *indices, /* in - pointer to indices */ - uint16_t num_plus1, /* in - no. of indices for +1 trits */ - uint16_t num_minus1, /* in - no. of indices for -1 trits */ - uint16_t num_trits, /* in - N, no. of trits in array */ - uint8_t *buf, /* in - temp buf, N octets */ - uint8_t *out) /* out - address for packed octets */ -{ - assert(indices); - assert(buf); - assert(out); - - /* convert indices to an array of trits */ - - memset(buf, 0, num_trits); - ntru_indices_2_trits(num_plus1, indices, TRUE, buf); - ntru_indices_2_trits(num_minus1, indices + num_plus1, FALSE, buf); - - /* pack the array of trits */ - - while (num_trits >= 5) { - ntru_trits_2_octet(buf, out); - num_trits -= 5; - buf += 5; - ++out; - } - if (num_trits) { - uint8_t trits[5]; - - memcpy(trits, buf, num_trits); - memset(trits + num_trits, 0, sizeof(trits) - num_trits); - ntru_trits_2_octet(trits, out); - } -} - - -/* ntru_elements_2_octets - * - * Packs an array of n-bit elements into an array of - * ((in_len * n_bits) + 7) / 8 octets, 8 < n_bits < 16. - */ - -void -ntru_elements_2_octets( - uint16_t in_len, /* in - no. of elements to be packed */ - uint16_t const *in, /* in - ptr to elements to be packed */ - uint8_t n_bits, /* in - no. of bits in input element */ - uint8_t *out) /* out - addr for output octets */ -{ - uint16_t temp; - int shift; - uint16_t i; - - assert(in_len); - assert(in); - assert((n_bits > 8) && (n_bits < 16)); - assert(out); - - /* pack */ - - temp = 0; - shift = n_bits - 8; - i = 0; - while (i < in_len) { - - /* add bits to temp to fill an octet and output the octet */ - - temp |= in[i] >> shift; - *out++ = (uint8_t)(temp & 0xff); - shift = 8 - shift; - if (shift < 1) { - - /* next full octet is in current input word */ - - shift += n_bits; - temp = 0; - - } else { - - /* put remaining bits of input word in temp as partial octet, - * and increment index to next input word - */ - temp = in[i] << (uint16_t)shift; - - ++i; - } - shift = n_bits - shift; - } - - /* output any bits remaining in last input word */ - - if (shift != n_bits - 8) { - *out++ = (uint8_t)(temp & 0xff); - } -} - - -/* ntru_octets_2_elements - * - * Unpacks an octet string into an array of ((in_len * 8) / n_bits) - * n-bit elements, 8 < n_bits < 16. Any extra bits are discarded. - */ - -void -ntru_octets_2_elements( - uint16_t in_len, /* in - no. of octets to be unpacked */ - uint8_t const *in, /* in - ptr to octets to be unpacked */ - uint8_t n_bits, /* in - no. of bits in output element */ - uint16_t *out) /* out - addr for output elements */ -{ - uint16_t temp; - uint16_t mask = (1 << n_bits) - 1; - int shift; - uint16_t i; - - assert(in_len > 1); - assert(in); - assert((n_bits > 8) && (n_bits < 16)); - assert(out); - - /* unpack */ - - temp = 0; - shift = n_bits; - i = 0; - while (i < in_len) { - shift = 8 - shift; - if (shift < 0) { - - /* the current octet will not fill the current element */ - - shift += n_bits; - - } else { - - /* add bits from the current octet to fill the current element and - * output the element - */ - - temp |= ((uint16_t)in[i]) >> shift; - *out++ = temp & mask; - temp = 0; - } - - /* add the remaining bits of the current octet to start an element */ - - shift = n_bits - shift; - temp |= ((uint16_t)in[i]) << shift; - ++i; - } -} - - diff --git a/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_convert.h b/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_convert.h deleted file mode 100644 index 1c4b35b24..000000000 --- a/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_convert.h +++ /dev/null @@ -1,183 +0,0 @@ -/****************************************************************************** - * NTRU Cryptography Reference Source Code - * Copyright (c) 2009-2013, by Security Innovation, Inc. All rights reserved. - * - * ntru_crypto_ntru_convert.h is a component of ntru-crypto. - * - * Copyright (C) 2009-2013 Security Innovation - * - * This program is free software; you can redistribute it and/or - * modify it under the terms of the GNU General Public License - * as published by the Free Software Foundation; either version 2 - * of the License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. - * - *****************************************************************************/ - -/****************************************************************************** - * - * File: ntru_crypto_ntru_convert.h - * - * Contents: Definitions and declarations for conversion routines - * for NTRUEncrypt, including packing, unpacking and others. - * - *****************************************************************************/ - -#ifndef NTRU_CRYPTO_NTRU_CONVERT_H -#define NTRU_CRYPTO_NTRU_CONVERT_H - -#include "ntru_crypto.h" - - -/* function declarations */ - -/* ntru_bits_2_trits - * - * Each 3 bits in an array of octets is converted to 2 trits in an array - * of trits. - */ - -extern void -ntru_bits_2_trits( - uint8_t const *octets, /* in - pointer to array of octets */ - uint16_t num_trits, /* in - number of trits to produce */ - uint8_t *trits); /* out - address for array of trits */ - - -/* ntru_trits_2_bits - * - * Each 2 trits in an array of trits is converted to 3 bits, and the bits - * are packed in an array of octets. A multiple of 3 octets is output. - * Any bits in the final octets not derived from trits are zero. - * - * Returns TRUE if all trits were valid. - * Returns FALSE if invalid trits were found. - */ - -extern bool -ntru_trits_2_bits( - uint8_t const *trits, /* in - pointer to array of trits */ - uint32_t num_trits, /* in - number of trits to convert */ - uint8_t *octets); /* out - address for array of octets */ - - -/* ntru_coeffs_mod4_2_octets - * - * Takes an array of coefficients mod 4 and packs the results into an - * octet string. - */ - -extern void -ntru_coeffs_mod4_2_octets( - uint16_t num_coeffs, /* in - number of coefficients */ - uint16_t const *coeffs, /* in - pointer to coefficients */ - uint8_t *octets); /* out - address for octets */ - - -/* ntru_trits_2_octet - * - * Packs 5 trits in an octet, where a trit is 0, 1, or 2 (-1). - */ - -extern void -ntru_trits_2_octet( - uint8_t const *trits, /* in - pointer to trits */ - uint8_t *octet); /* out - address for octet */ - - -/* ntru_octet_2_trits - * - * Unpacks an octet to 5 trits, where a trit is 0, 1, or 2 (-1). - */ - -extern void -ntru_octet_2_trits( - uint8_t octet, /* in - octet to be unpacked */ - uint8_t *trits); /* out - address for trits */ - - -/* ntru_indices_2_trits - * - * Converts a list of the nonzero indices of a polynomial into an array of - * trits. - */ - -extern void -ntru_indices_2_trits( - uint16_t in_len, /* in - no. of indices */ - uint16_t const *in, /* in - pointer to list of indices */ - bool plus1, /* in - if list is +1 coefficients */ - uint8_t *out); /* out - address of output polynomial */ - - -/* ntru_packed_trits_2_indices - * - * Unpacks an array of N trits and creates a list of array indices - * corresponding to trits = +1, and list of array indices corresponding to - * trits = -1. - */ - -extern void -ntru_packed_trits_2_indices( - uint8_t const *in, /* in - pointer to packed-trit octets */ - uint16_t num_trits, /* in - no. of packed trits */ - uint16_t *indices_plus1, /* out - address for indices of +1 trits */ - uint16_t *indices_minus1); /* out - address for indices of -1 trits */ - - -/* ntru_indices_2_packed_trits - * - * Takes a list of array indices corresponding to elements whose values - * are +1 or -1, and packs the N-element array of trits described by these - * lists into octets, 5 trits per octet. - */ - -extern void -ntru_indices_2_packed_trits( - uint16_t const *indices, /* in - pointer to indices */ - uint16_t num_plus1, /* in - no. of indices for +1 trits */ - uint16_t num_minus1, /* in - no. of indices for -1 trits */ - uint16_t num_trits, /* in - N, no. of trits in array */ - uint8_t *buf, /* in - temp buf, N octets */ - uint8_t *out); /* out - address for packed octets */ - - -/* ntru_elements_2_octets - * - * Packs an array of n-bit elements into an array of - * ((in_len * n_bits) + 7) / 8 octets, 8 < n_bits < 16. - */ - -extern void -ntru_elements_2_octets( - uint16_t in_len, /* in - no. of elements to be packed */ - uint16_t const *in, /* in - ptr to elements to be packed */ - uint8_t n_bits, /* in - no. of bits in input element */ - uint8_t *out); /* out - addr for output octets */ - - -/* ntru_octets_2_elements - * - * Unpacks an octet string into an array of ((in_len * 8) / n_bits) - * n-bit elements, 8 < n < 16. Any extra bits are discarded. - */ - -extern void -ntru_octets_2_elements( - uint16_t in_len, /* in - no. of octets to be unpacked */ - uint8_t const *in, /* in - ptr to octets to be unpacked */ - uint8_t n_bits, /* in - no. of bits in output element */ - uint16_t *out); /* out - addr for output elements */ - - -#endif /* NTRU_CRYPTO_NTRU_CONVERT_H */ - - diff --git a/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_encrypt.c b/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_encrypt.c deleted file mode 100644 index dba81915a..000000000 --- a/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_encrypt.c +++ /dev/null @@ -1,1034 +0,0 @@ -/****************************************************************************** - * NTRU Cryptography Reference Source Code - * Copyright (c) 2009-2013, by Security Innovation, Inc. All rights reserved. - * - * ntru_crypto_ntru_encrypt.c is a component of ntru-crypto. - * - * Copyright (C) 2009-2013 Security Innovation - * - * This program is free software; you can redistribute it and/or - * modify it under the terms of the GNU General Public License - * as published by the Free Software Foundation; either version 2 - * of the License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. - * - *****************************************************************************/ - -/****************************************************************************** - * - * File: ntru_crypto_ntru_encrypt.c - * - * Contents: Routines implementing NTRUEncrypt encryption and decryption and - * key generation. - * - *****************************************************************************/ - - -#include <stdlib.h> -#include <string.h> -#include <assert.h> -#include "ntru_crypto.h" -#include "ntru_crypto_ntru_encrypt_param_sets.h" -#include "ntru_crypto_ntru_encrypt_key.h" -#include "ntru_crypto_ntru_convert.h" -#include "ntru_crypto_ntru_poly.h" -# -#include "ntru_trits.h" -#include "ntru_poly.h" - -/* ntru_crypto_ntru_encrypt - * - * Implements NTRU encryption (SVES) for the parameter set specified in - * the public key blob. - * - * Before invoking this function, a DRBG must be instantiated using - * ntru_crypto_drbg_instantiate() to obtain a DRBG handle, and in that - * instantiation the requested security strength must be at least as large - * as the security strength of the NTRU parameter set being used. - * Failure to instantiate the DRBG with the proper security strength will - * result in this function returning DRBG_ERROR_BASE + DRBG_BAD_LENGTH. - * - * The required minimum size of the output ciphertext buffer (ct) may be - * queried by invoking this function with ct = NULL. In this case, no - * encryption is performed, NTRU_OK is returned, and the required minimum - * size for ct is returned in ct_len. - * - * When ct != NULL, at invocation *ct_len must be the size of the ct buffer. - * Upon return it is the actual size of the ciphertext. - * - * Returns NTRU_OK if successful. - * Returns NTRU_DRBG_FAIL if the DRBG handle is invalid. - * Returns NTRU_BAD_PARAMETER if an argument pointer (other than ct) is NULL. - * Returns NTRU_BAD_LENGTH if a length argument (pubkey_blob_len or pt_len) is - * zero, or if pt_len exceeds the maximum plaintext length for the parameter set. - * Returns NTRU_BAD_PUBLIC_KEY if the public-key blob is invalid - * (unknown format, corrupt, bad length). - * Returns NTRU_BUFFER_TOO_SMALL if the ciphertext buffer is too small. - * Returns NTRU_NO_MEMORY if memory needed cannot be allocated from the heap. - */ - -uint32_t -ntru_crypto_ntru_encrypt( - ntru_drbg_t *drbg, /* in - handle of DRBG */ - uint16_t pubkey_blob_len, /* in - no. of octets in public key - blob */ - uint8_t const *pubkey_blob, /* in - pointer to public key */ - uint16_t pt_len, /* in - no. of octets in plaintext */ - uint8_t const *pt, /* in - pointer to plaintext */ - uint16_t *ct_len, /* in/out - no. of octets in ct, addr for - no. of octets in ciphertext */ - uint8_t *ct) /* out - address for ciphertext */ -{ - NTRU_ENCRYPT_PARAM_SET *params = NULL; - uint8_t const *pubkey_packed = NULL; - uint8_t pubkey_pack_type = 0x00; - uint16_t packed_ct_len; - size_t scratch_buf_len; - uint32_t dr; - uint32_t dr1 = 0; - uint32_t dr2 = 0; - uint32_t dr3 = 0; - uint16_t ring_mult_tmp_len; - int16_t m1 = 0; - uint16_t *scratch_buf = NULL; - uint16_t *ringel_buf = NULL; - uint8_t *b_buf = NULL; - uint8_t *tmp_buf = NULL; - bool msg_rep_good = FALSE; - hash_algorithm_t hash_algid; - uint16_t mprime_len = 0; - uint16_t mod_q_mask; - uint32_t result = NTRU_OK; - ntru_trits_t *mask; - uint8_t *mask_trits; - chunk_t seed; - ntru_poly_t *r_poly; - - /* check for bad parameters */ - - if (!pubkey_blob || !pt || !ct_len) - { - return NTRU_BAD_PARAMETER; - } - if ((pubkey_blob_len == 0) || (pt_len == 0)) - { - return NTRU_BAD_LENGTH; - } - - /* get a pointer to the parameter-set parameters, the packing type for - * the public key, and a pointer to the packed public key - */ - - if (!ntru_crypto_ntru_encrypt_key_parse(TRUE /* pubkey */, pubkey_blob_len, - pubkey_blob, &pubkey_pack_type, - NULL, ¶ms, &pubkey_packed, - NULL)) - { - return NTRU_BAD_PUBLIC_KEY; - } - - /* return the ciphertext size if requested */ - - packed_ct_len = (params->N * params->q_bits + 7) >> 3; - if (!ct) - { - *ct_len = packed_ct_len; - return NTRU_OK; - } - - /* check the ciphertext buffer size */ - - if (*ct_len < packed_ct_len) - { - return NTRU_BUFFER_TOO_SMALL; - } - - /* check the plaintext length */ - - if (pt_len > params->m_len_max) - { - return NTRU_BAD_LENGTH; - } - - /* allocate memory for all operations */ - - if (params->is_product_form) - { - ring_mult_tmp_len = params->N << 1; /* 2N 16-bit word buffer */ - dr1 = params->dF_r & 0xff; - dr2 = (params->dF_r >> 8) & 0xff; - dr3 = (params->dF_r >> 16) & 0xff; - dr = dr1 + dr2 + dr3; - } - else - { - ring_mult_tmp_len = params->N; /* N 16-bit word buffer */ - dr = params->dF_r; - } - scratch_buf_len = (ring_mult_tmp_len << 1) + - /* X-byte temp buf for ring mult and - other intermediate results */ - (params->N << 1) + /* 2N-byte buffer for ring elements - and overflow from temp buffer */ - (dr << 2) + /* buffer for r indices */ - params->sec_strength_len; - /* buffer for b */ - scratch_buf = malloc(scratch_buf_len); - if (!scratch_buf) - { - return NTRU_OUT_OF_MEMORY; - } - ringel_buf = scratch_buf + ring_mult_tmp_len; - b_buf = (uint8_t *)(ringel_buf + params->N); - tmp_buf = (uint8_t *)scratch_buf; - - /* set hash algorithm based on security strength */ - hash_algid = (params->sec_strength_len <= 20) ? HASH_SHA1 : HASH_SHA256; - - /* set constants */ - mod_q_mask = params->q - 1; - - /* loop until a message representative with proper weight is achieved */ - - do { - uint8_t *ptr = tmp_buf; - - /* get b */ - if (drbg->generate(drbg, params->sec_strength_len * BITS_PER_BYTE, - params->sec_strength_len, b_buf)) - { - result = NTRU_OK; - } - else - { - result = NTRU_FAIL; - } - - if (result == NTRU_OK) - { - - /* form sData (OID || m || b || hTrunc) */ - memcpy(ptr, params->OID, 3); - ptr += 3; - memcpy(ptr, pt, pt_len); - ptr += pt_len; - memcpy(ptr, b_buf, params->sec_strength_len); - ptr += params->sec_strength_len; - memcpy(ptr, pubkey_packed, params->sec_strength_len); - ptr += params->sec_strength_len; - - DBG2(DBG_LIB, "generate polynomial r"); - - seed = chunk_create(tmp_buf, ptr - tmp_buf); - r_poly = ntru_poly_create_from_seed(hash_algid, seed, params->c_bits, - params->N, params->q, - params->dF_r, params->dF_r, - params->is_product_form); - if (!r_poly) - { - result = NTRU_MGF1_FAIL; - } - } - - if (result == NTRU_OK) - { - uint16_t pubkey_packed_len; - - /* unpack the public key */ - assert(pubkey_pack_type == NTRU_ENCRYPT_KEY_PACKED_COEFFICIENTS); - pubkey_packed_len = (params->N * params->q_bits + 7) >> 3; - ntru_octets_2_elements(pubkey_packed_len, pubkey_packed, - params->q_bits, ringel_buf); - - /* form R = h * r */ - r_poly->ring_mult(r_poly, ringel_buf, ringel_buf); - r_poly->destroy(r_poly); - - /* form R mod 4 */ - ntru_coeffs_mod4_2_octets(params->N, ringel_buf, tmp_buf); - - /* form mask */ - seed = chunk_create(tmp_buf, (params->N + 3)/4); - mask = ntru_trits_create(params->N, hash_algid, seed); - if (!mask) - { - result = NTRU_MGF1_FAIL; - } - } - - if (result == NTRU_OK) - { - uint8_t *Mtrin_buf = tmp_buf + params->N; - uint8_t *M_buf = Mtrin_buf + params->N - - (params->sec_strength_len + params->m_len_len + - params->m_len_max + 2); - uint16_t i; - - /* form the padded message M */ - ptr = M_buf; - memcpy(ptr, b_buf, params->sec_strength_len); - ptr += params->sec_strength_len; - if (params->m_len_len == 2) - *ptr++ = (uint8_t)((pt_len >> 8) & 0xff); - *ptr++ = (uint8_t)(pt_len & 0xff); - memcpy(ptr, pt, pt_len); - ptr += pt_len; - - /* add an extra zero byte in case without it the bit string - * is not a multiple of 3 bits and therefore might not be - * able to produce enough trits - */ - - memset(ptr, 0, params->m_len_max - pt_len + 2); - - /* convert M to trits (Mbin to Mtrin) */ - mprime_len = params->N; - if (params->is_product_form) - { - --mprime_len; - } - - ntru_bits_2_trits(M_buf, mprime_len, Mtrin_buf); - mask_trits = mask->get_trits(mask); - - /* form the msg representative m' by adding Mtrin to mask, mod p */ - if (params->is_product_form) - { - for (i = 0; i < mprime_len; i++) - { - tmp_buf[i] = mask_trits[i] + Mtrin_buf[i]; - if (tmp_buf[i] >= 3) - { - tmp_buf[i] -= 3; - } - if (tmp_buf[i] == 1) - { - ++m1; - } - else if (tmp_buf[i] == 2) - { - --m1; - } - } - } - else - { - for (i = 0; i < mprime_len; i++) - { - tmp_buf[i] = mask_trits[i] + Mtrin_buf[i]; - if (tmp_buf[i] >= 3) - { - tmp_buf[i] -= 3; - } - } - } - mask->destroy(mask); - - /* check that message representative meets minimum weight - * requirements - */ - - if (params->is_product_form) - msg_rep_good = m1 < 0 ? (bool)(-m1 <= params->min_msg_rep_wt) : - (bool)( m1 <= params->min_msg_rep_wt); - else - msg_rep_good = ntru_poly_check_min_weight(mprime_len, tmp_buf, - params->min_msg_rep_wt); - msg_rep_good = TRUE; - } - } while ((result == NTRU_OK) && !msg_rep_good); - - if (result == NTRU_OK) - { - uint16_t i; - - /* form ciphertext e by adding m' to R mod q */ - - for (i = 0; i < mprime_len; i++) { - if (tmp_buf[i] == 1) - ringel_buf[i] = (ringel_buf[i] + 1) & mod_q_mask; - else if (tmp_buf[i] == 2) - ringel_buf[i] = (ringel_buf[i] - 1) & mod_q_mask; - } - if (params->is_product_form) - ringel_buf[i] = (ringel_buf[i] - m1) & mod_q_mask; - - /* pack ciphertext */ - ntru_elements_2_octets(params->N, ringel_buf, params->q_bits, ct); - *ct_len = packed_ct_len; - } - - /* cleanup */ - memset(scratch_buf, 0, scratch_buf_len); - free(scratch_buf); - - return result; -} - - -/* ntru_crypto_ntru_decrypt - * - * Implements NTRU decryption (SVES) for the parameter set specified in - * the private key blob. - * - * The maximum size of the output plaintext may be queried by invoking - * this function with pt = NULL. In this case, no decryption is performed, - * NTRU_OK is returned, and the maximum size the plaintext could be is - * returned in pt_len. - * Note that until the decryption is performed successfully, the actual size - * of the resulting plaintext cannot be known. - * - * When pt != NULL, at invocation *pt_len must be the size of the pt buffer. - * Upon return it is the actual size of the plaintext. - * - * Returns NTRU_OK if successful. - * Returns NTRU_BAD_PARAMETER if an argument pointer (other than pt) is NULL. - * Returns NTRU_BAD_LENGTH if a length argument (privkey_blob) is zero, or if - * ct_len is invalid for the parameter set. - * Returns NTRU_BAD_PRIVATE_KEY if the private-key blob is invalid - * (unknown format, corrupt, bad length). - * Returns NTRU_BUFFER_TOO_SMALL if the plaintext buffer is too small. - * Returns NTRU_NO_MEMORY if memory needed cannot be allocated from the heap. - * Returns NTRU_FAIL if a decryption error occurs. - */ - -uint32_t -ntru_crypto_ntru_decrypt( - uint16_t privkey_blob_len, /* in - no. of octets in private key - blob */ - uint8_t const *privkey_blob, /* in - pointer to private key */ - uint16_t ct_len, /* in - no. of octets in ciphertext */ - uint8_t const *ct, /* in - pointer to ciphertext */ - uint16_t *pt_len, /* in/out - no. of octets in pt, addr for - no. of octets in plaintext */ - uint8_t *pt) /* out - address for plaintext */ -{ - NTRU_ENCRYPT_PARAM_SET *params = NULL; - uint8_t const *privkey_packed = NULL; - uint8_t const *pubkey_packed = NULL; - uint8_t privkey_pack_type = 0x00; - uint8_t pubkey_pack_type = 0x00; - size_t scratch_buf_len; - uint32_t dF_r; - uint32_t dF_r1 = 0; - uint32_t dF_r2 = 0; - uint32_t dF_r3 = 0; - uint16_t ring_mult_tmp_len; - int16_t m1 = 0; - uint16_t *scratch_buf = NULL; - uint16_t *ringel_buf1 = NULL; - uint16_t *ringel_buf2 = NULL; - uint16_t *i_buf = NULL; - uint8_t *m_buf = NULL; - uint8_t *tmp_buf = NULL; - uint8_t *Mtrin_buf = NULL; - uint8_t *M_buf = NULL; - uint8_t *ptr = NULL; - hash_algorithm_t hash_algid; - uint16_t cmprime_len; - uint16_t mod_q_mask; - uint16_t q_mod_p; - uint16_t cm_len = 0; - uint16_t num_zeros; - uint16_t i; - bool decryption_ok = TRUE; - uint32_t result = NTRU_OK; - ntru_trits_t *mask; - uint8_t *mask_trits; - chunk_t seed; - ntru_poly_t *F_poly, *r_poly; - - /* check for bad parameters */ - if (!privkey_blob || !ct || !pt_len) - { - return NTRU_BAD_PARAMETER; - } - if ((privkey_blob_len == 0) || (ct_len == 0)) - { - return NTRU_BAD_LENGTH; - } - - /* get a pointer to the parameter-set parameters, the packing types for - * the public and private keys, and pointers to the packed public and - * private keys - */ - - if (!ntru_crypto_ntru_encrypt_key_parse(FALSE /* privkey */, - privkey_blob_len, - privkey_blob, &pubkey_pack_type, - &privkey_pack_type, ¶ms, - &pubkey_packed, &privkey_packed)) - { - return NTRU_BAD_PRIVATE_KEY; - } - - /* return the max plaintext size if requested */ - - if (!pt) - { - *pt_len = params->m_len_max; - return NTRU_OK; - } - - /* cannot check the plaintext buffer size until after the plaintext - * is derived, if we allow plaintext buffers only as large as the - * actual plaintext - */ - - /* check the ciphertext length */ - - if (ct_len != (params->N * params->q_bits + 7) >> 3) - { - return NTRU_BAD_LENGTH; - } - - /* allocate memory for all operations */ - - if (params->is_product_form) - { - ring_mult_tmp_len = params->N << 1; /* 2N 16-bit word buffer */ - dF_r1 = params->dF_r & 0xff; - dF_r2 = (params->dF_r >> 8) & 0xff; - dF_r3 = (params->dF_r >> 16) & 0xff; - dF_r = dF_r1 + dF_r2 + dF_r3; - } else { - ring_mult_tmp_len = params->N; /* N 16-bit word buffer */ - dF_r = params->dF_r; - } - scratch_buf_len = (ring_mult_tmp_len << 1) + - /* X-byte temp buf for ring mult and - other intermediate results */ - (params->N << 2) + /* 2 2N-byte bufs for ring elements - and overflow from temp buffer */ - (dF_r << 2) + /* buffer for F, r indices */ - params->m_len_max; /* buffer for plaintext */ - scratch_buf = malloc(scratch_buf_len); - if (!scratch_buf) - { - return NTRU_OUT_OF_MEMORY; - } - ringel_buf1 = scratch_buf + ring_mult_tmp_len; - ringel_buf2 = ringel_buf1 + params->N; - i_buf = ringel_buf2 + params->N; - m_buf = (uint8_t *)(i_buf + (dF_r << 1)); - tmp_buf = (uint8_t *)scratch_buf; - Mtrin_buf = (uint8_t *)ringel_buf1; - M_buf = Mtrin_buf + params->N; - - /* set hash algorithm based on security strength */ - hash_algid = (params->sec_strength_len <= 20) ? HASH_SHA1 : HASH_SHA256; - - /* set constants */ - mod_q_mask = params->q - 1; - q_mod_p = params->q % 3; - - /* unpack the ciphertext */ - ntru_octets_2_elements(ct_len, ct, params->q_bits, ringel_buf2); - - /* unpack the private key */ - if (privkey_pack_type == NTRU_ENCRYPT_KEY_PACKED_TRITS) - { - ntru_packed_trits_2_indices(privkey_packed, params->N, i_buf, - i_buf + dF_r); - - } - else if (privkey_pack_type == NTRU_ENCRYPT_KEY_PACKED_INDICES) - { - ntru_octets_2_elements( - (((uint16_t)dF_r << 1) * params->N_bits + 7) >> 3, - privkey_packed, params->N_bits, i_buf); - - } - else - { - assert(FALSE); - } - - /* form cm': - * F * e - * A = e * (1 + pF) mod q = e + pFe mod q - * a = A in the range [-q/2, q/2) - * cm' = a mod p - */ - F_poly = ntru_poly_create_from_data(i_buf, params->N, params->q, - params->dF_r, params->dF_r, - params->is_product_form); - F_poly->ring_mult(F_poly, ringel_buf2, ringel_buf1); - F_poly->destroy(F_poly); - - cmprime_len = params->N; - if (params->is_product_form) - { - --cmprime_len; - for (i = 0; i < cmprime_len; i++) - { - ringel_buf1[i] = (ringel_buf2[i] + 3 * ringel_buf1[i]) & mod_q_mask; - if (ringel_buf1[i] >= (params->q >> 1)) - { - ringel_buf1[i] = ringel_buf1[i] - q_mod_p; - } - Mtrin_buf[i] = (uint8_t)(ringel_buf1[i] % 3); - if (Mtrin_buf[i] == 1) - { - ++m1; - } - else if (Mtrin_buf[i] == 2) - { - --m1; - } - } - } - else - { - for (i = 0; i < cmprime_len; i++) - { - ringel_buf1[i] = (ringel_buf2[i] + 3 * ringel_buf1[i]) & mod_q_mask; - if (ringel_buf1[i] >= (params->q >> 1)) - { - ringel_buf1[i] = ringel_buf1[i] - q_mod_p; - } - Mtrin_buf[i] = (uint8_t)(ringel_buf1[i] % 3); - } - } - - /* check that the candidate message representative meets minimum weight - * requirements - */ - - if (params->is_product_form) - { - decryption_ok = m1 < 0 ? (bool)(-m1 <= params->min_msg_rep_wt) : - (bool)( m1 <= params->min_msg_rep_wt); - } - else - { - decryption_ok = ntru_poly_check_min_weight(cmprime_len, Mtrin_buf, - params->min_msg_rep_wt); - } - - /* form cR = e - cm' mod q */ - for (i = 0; i < cmprime_len; i++) - { - if (Mtrin_buf[i] == 1) - { - ringel_buf2[i] = (ringel_buf2[i] - 1) & mod_q_mask; - } - else if (Mtrin_buf[i] == 2) - { - ringel_buf2[i] = (ringel_buf2[i] + 1) & mod_q_mask; - } - } - if (params->is_product_form) - { - ringel_buf2[i] = (ringel_buf2[i] + m1) & mod_q_mask; - } - - /* form cR mod 4 */ - ntru_coeffs_mod4_2_octets(params->N, ringel_buf2, tmp_buf); - - /* form mask */ - seed = chunk_create(tmp_buf, (params->N + 3)/4); - mask = ntru_trits_create(params->N, hash_algid, seed); - if (!mask) - { - result = NTRU_MGF1_FAIL; - } - else - { - mask_trits = mask->get_trits(mask); - - /* form cMtrin by subtracting mask from cm', mod p */ - for (i = 0; i < cmprime_len; i++) - { - Mtrin_buf[i] = Mtrin_buf[i] - mask_trits[i]; - if (Mtrin_buf[i] >= 3) - { - Mtrin_buf[i] += 3; - } - } - mask->destroy(mask); - - if (params->is_product_form) - - /* set the last trit to zero since that's what it was, and - * because it can't be calculated from (cm' - mask) since - * we don't have the correct value for the last cm' trit - */ - - Mtrin_buf[i] = 0; - - /* convert cMtrin to cM (Mtrin to Mbin) */ - - if (!ntru_trits_2_bits(Mtrin_buf, params->N, M_buf)) - decryption_ok = FALSE; - - /* validate the padded message cM and copy cm to m_buf */ - - ptr = M_buf + params->sec_strength_len; - if (params->m_len_len == 2) - cm_len = (uint16_t)(*ptr++) << 16; - cm_len |= (uint16_t)(*ptr++); - if (cm_len > params->m_len_max) { - cm_len = params->m_len_max; - decryption_ok = FALSE; - } - memcpy(m_buf, ptr, cm_len); - ptr += cm_len; - num_zeros = params->m_len_max - cm_len + 1; - for (i = 0; i < num_zeros; i++) { - if (ptr[i] != 0) - decryption_ok = FALSE; - } - - /* form sData (OID || m || b || hTrunc) */ - - ptr = tmp_buf; - memcpy(ptr, params->OID, 3); - ptr += 3; - memcpy(ptr, m_buf, cm_len); - ptr += cm_len; - memcpy(ptr, M_buf, params->sec_strength_len); - ptr += params->sec_strength_len; - memcpy(ptr, pubkey_packed, params->sec_strength_len); - ptr += params->sec_strength_len; - - /* generate cr */ - DBG2(DBG_LIB, "generate polynomial r"); - - seed = chunk_create(tmp_buf, ptr - tmp_buf); - r_poly = ntru_poly_create_from_seed(hash_algid, seed, params->c_bits, - params->N, params->q, - params->dF_r, params->dF_r, - params->is_product_form); - if (!r_poly) - { - result = NTRU_MGF1_FAIL; - } - } - - if (result == NTRU_OK) - { - /* unpack the public key */ - { - uint16_t pubkey_packed_len; - - assert(pubkey_pack_type == NTRU_ENCRYPT_KEY_PACKED_COEFFICIENTS); - pubkey_packed_len = (params->N * params->q_bits + 7) >> 3; - ntru_octets_2_elements(pubkey_packed_len, pubkey_packed, - params->q_bits, ringel_buf1); - } - - /* form cR' = h * cr */ - r_poly->ring_mult(r_poly, ringel_buf1, ringel_buf1); - r_poly->destroy(r_poly); - - /* compare cR' to cR */ - for (i = 0; i < params->N; i++) - { - if (ringel_buf1[i] != ringel_buf2[i]) - { - decryption_ok = FALSE; - } - } - - /* output plaintext and plaintext length */ - if (decryption_ok) - { - if (*pt_len < cm_len) - { - return NTRU_BUFFER_TOO_SMALL; - } - memcpy(pt, m_buf, cm_len); - *pt_len = cm_len; - } - } - - /* cleanup */ - memset(scratch_buf, 0, scratch_buf_len); - free(scratch_buf); - - if (!decryption_ok) - { - return NTRU_FAIL; - } - - return result; -} - - -/* ntru_crypto_ntru_encrypt_keygen - * - * Implements key generation for NTRUEncrypt for the parameter set specified. - * - * The required minimum size of the output public-key buffer (pubkey_blob) - * may be queried by invoking this function with pubkey_blob = NULL. - * In this case, no key generation is performed, NTRU_OK is returned, and - * the required minimum size for pubkey_blob is returned in pubkey_blob_len. - * - * The required minimum size of the output private-key buffer (privkey_blob) - * may be queried by invoking this function with privkey_blob = NULL. - * In this case, no key generation is performed, NTRU_OK is returned, and - * the required minimum size for privkey_blob is returned in privkey_blob_len. - * - * The required minimum sizes of both pubkey_blob and privkey_blob may be - * queried as described above, in a single invocation of this function. - * - * When pubkey_blob != NULL and privkey_blob != NULL, at invocation - * *pubkey_blob_len must be the size of the pubkey_blob buffer and - * *privkey_blob_len must be the size of the privkey_blob buffer. - * Upon return, *pubkey_blob_len is the actual size of the public-key blob - * and *privkey_blob_len is the actual size of the private-key blob. - * - * Returns NTRU_OK if successful. - * Returns NTRU_BAD_PARAMETER if an argument pointer (other than pubkey_blob or - * privkey_blob) is NULL. - * Returns NTRU_INVALID_PARAMETER_SET if the parameter-set ID is invalid. - * Returns NTRU_BAD_LENGTH if a length argument is invalid. - * Returns NTRU_BUFFER_TOO_SMALL if either the pubkey_blob buffer or the - * privkey_blob buffer is too small. - * Returns NTRU_NO_MEMORY if memory needed cannot be allocated from the heap. - * Returns NTRU_FAIL if the polynomial generated for f is not invertible in - * (Z/qZ)[X]/(X^N - 1), which is extremely unlikely. - * Should this occur, this function should simply be invoked again. - */ - -uint32_t -ntru_crypto_ntru_encrypt_keygen( - ntru_drbg_t *drbg, /* in - handle of DRBG */ - NTRU_ENCRYPT_PARAM_SET_ID param_set_id, /* in - parameter set ID */ - uint16_t *pubkey_blob_len, /* in/out - no. of octets in - pubkey_blob, addr - for no. of octets - in pubkey_blob */ - uint8_t *pubkey_blob, /* out - address for - public key blob */ - uint16_t *privkey_blob_len, /* in/out - no. of octets in - privkey_blob, addr - for no. of octets - in privkey_blob */ - uint8_t *privkey_blob) /* out - address for - private key blob */ -{ - NTRU_ENCRYPT_PARAM_SET *params = NULL; - uint16_t public_key_blob_len; - uint16_t private_key_blob_len; - uint8_t pubkey_pack_type; - uint8_t privkey_pack_type; - size_t scratch_buf_len; - uint32_t dF; - uint32_t dF1 = 0; - uint32_t dF2 = 0; - uint32_t dF3 = 0; - uint16_t *scratch_buf = NULL; - uint16_t *ringel_buf1 = NULL; - uint16_t *ringel_buf2 = NULL; - uint8_t *tmp_buf = NULL; - uint16_t mod_q_mask; - hash_algorithm_t hash_algid; - uint16_t seed_len; - chunk_t seed; - uint32_t result = NTRU_OK; - ntru_poly_t *F_poly = NULL; - ntru_poly_t *g_poly = NULL; - uint16_t *F_indices; - - /* get a pointer to the parameter-set parameters */ - - if ((params = ntru_encrypt_get_params_with_id(param_set_id)) == NULL) - { - return NTRU_INVALID_PARAMETER_SET; - } - - /* check for bad parameters */ - - if (!pubkey_blob_len || !privkey_blob_len) - { - return NTRU_BAD_PARAMETER; - } - - /* get public and private key packing types and blob lengths */ - - ntru_crypto_ntru_encrypt_key_get_blob_params(params, &pubkey_pack_type, - &public_key_blob_len, - &privkey_pack_type, - &private_key_blob_len); - - /* return the pubkey_blob size and/or privkey_blob size if requested */ - - if (!pubkey_blob || !privkey_blob) - { - if (!pubkey_blob) - *pubkey_blob_len = public_key_blob_len; - if (!privkey_blob) - *privkey_blob_len = private_key_blob_len; - return NTRU_OK; - } - - /* check size of output buffers */ - - if ((*pubkey_blob_len < public_key_blob_len) || - (*privkey_blob_len < private_key_blob_len)) - { - return NTRU_BUFFER_TOO_SMALL; - } - - /* allocate memory for all operations */ - if (params->is_product_form) { - dF1 = params->dF_r & 0xff; - dF2 = (params->dF_r >> 8) & 0xff; - dF3 = (params->dF_r >> 16) & 0xff; - dF = dF1 + dF2 + dF3; - } else { - dF = params->dF_r; - } - - scratch_buf_len = (params->N * 8) + /* 4N-byte temp buffer for ring inv - and other intermediate results, - 2N-byte buffer for f, g indices - and overflow from temp buffer, - 2N-byte buffer for f^-1 */ - (dF << 2); /* buffer for F indices */ - scratch_buf = malloc(scratch_buf_len); - if (!scratch_buf) - { - return NTRU_OUT_OF_MEMORY; - } - ringel_buf1 = scratch_buf + (params->N << 1); - ringel_buf2 = ringel_buf1 + params->N; - tmp_buf = (uint8_t *)scratch_buf; - - /* set hash algorithm and seed length based on security strength */ - if (params->sec_strength_len <= 20) - { - hash_algid = HASH_SHA1; - } - else - { - hash_algid = HASH_SHA256; - } - seed_len = params->sec_strength_len + 8; - - /* set constants */ - - mod_q_mask = params->q - 1; - - /* get random bytes for seed for generating trinary F - * as a list of indices - */ - - if (drbg->generate(drbg, params->sec_strength_len * BITS_PER_BYTE, - seed_len, tmp_buf)) - { - result = NTRU_OK; - } - else - { - result = NTRU_DRBG_FAIL; - } - - if (result == NTRU_OK) - { - DBG2(DBG_LIB, "generate polynomial F"); - - seed = chunk_create(tmp_buf, seed_len); - F_poly = ntru_poly_create_from_seed(hash_algid, seed, params->c_bits, - params->N, params->q, - params->dF_r, params->dF_r, - params->is_product_form); - if (!F_poly) - { - result = NTRU_MGF1_FAIL; - } - } - - if (result == NTRU_OK) - { - int i; - - F_poly->get_array(F_poly, ringel_buf1); - - /* form f = 1 + pF */ - for (i = 0; i < params->N; i++) - { - ringel_buf1[i] = (ringel_buf1[i] * 3) & mod_q_mask; - } - ringel_buf1[0] = (ringel_buf1[0] + 1) & mod_q_mask; - - /* find f^-1 in (Z/qZ)[X]/(X^N - 1) */ - if (!ntru_ring_inv(ringel_buf1, params->N, params->q, - scratch_buf, ringel_buf2)) - { - result = NTRU_FAIL; - } - } - - if (result == NTRU_OK) - { - - /* get random bytes for seed for generating trinary polynomial g - * as a list of indices - */ - if (!drbg->generate(drbg, params->sec_strength_len * BITS_PER_BYTE, - seed_len, tmp_buf)) - { - result = NTRU_DRBG_FAIL; - } - } - - if (result == NTRU_OK) - { - DBG2(DBG_LIB, "generate polynomial g"); - - seed = chunk_create(tmp_buf, seed_len); - g_poly = ntru_poly_create_from_seed(hash_algid, seed, params->c_bits, - params->N, params->q, - params->dg + 1, params->dg, FALSE); - if (!g_poly) - { - result = NTRU_MGF1_FAIL; - } - } - - if (result == NTRU_OK) - { - uint16_t i; - - /* compute h = p * (f^-1 * g) mod q */ - g_poly->ring_mult(g_poly, ringel_buf2, ringel_buf2); - g_poly->destroy(g_poly); - - for (i = 0; i < params->N; i++) - { - ringel_buf2[i] = (ringel_buf2[i] * 3) & mod_q_mask; - } - - /* create public key blob */ - ntru_crypto_ntru_encrypt_key_create_pubkey_blob(params, ringel_buf2, - pubkey_pack_type, - pubkey_blob); - *pubkey_blob_len = public_key_blob_len; - - /* create private key blob */ - F_indices = F_poly->get_indices(F_poly); - ntru_crypto_ntru_encrypt_key_create_privkey_blob(params, ringel_buf2, - F_indices, - privkey_pack_type, - tmp_buf, privkey_blob); - *privkey_blob_len = private_key_blob_len; - } - - /* cleanup */ - DESTROY_IF(F_poly); - memset(scratch_buf, 0, scratch_buf_len); - free(scratch_buf); - - return result; -} diff --git a/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_encrypt_key.c b/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_encrypt_key.c deleted file mode 100644 index 90baaadf3..000000000 --- a/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_encrypt_key.c +++ /dev/null @@ -1,360 +0,0 @@ -/****************************************************************************** - * NTRU Cryptography Reference Source Code - * Copyright (c) 2009-2013, by Security Innovation, Inc. All rights reserved. - * - * ntru_crypto_ntru_encrypt_key.c is a component of ntru-crypto. - * - * Copyright (C) 2009-2013 Security Innovation - * - * This program is free software; you can redistribute it and/or - * modify it under the terms of the GNU General Public License - * as published by the Free Software Foundation; either version 2 - * of the License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. - * - *****************************************************************************/ - -/****************************************************************************** - * - * File: ntru_crypto_ntru_encrypt_key.c - * - * Contents: Routines for exporting and importing public and private keys - * for NTRUEncrypt. - * - *****************************************************************************/ - - -#include <stdlib.h> -#include <string.h> -#include <assert.h> -#include "ntru_crypto_ntru_encrypt_key.h" - - -/* ntru_crypto_ntru_encrypt_key_parse - * - * Parses an NTRUEncrypt key blob. - * If the blob is not corrupt, returns packing types for public and private - * keys, a pointer to the parameter set, a pointer to the public key, and - * a pointer to the private key if it exists. - * - * Returns TRUE if successful. - * Returns FALSE if the blob is invalid. - */ - -bool -ntru_crypto_ntru_encrypt_key_parse( - bool pubkey_parse, /* in - if parsing pubkey - blob */ - uint16_t key_blob_len, /* in - no. octets in key - blob */ - uint8_t const *key_blob, /* in - pointer to key blob */ - uint8_t *pubkey_pack_type, /* out - addr for pubkey - packing type */ - uint8_t *privkey_pack_type, /* out - addr for privkey - packing type */ - NTRU_ENCRYPT_PARAM_SET **params, /* out - addr for ptr to - parameter set */ - uint8_t const **pubkey, /* out - addr for ptr to - packed pubkey */ - uint8_t const **privkey) /* out - addr for ptr to - packed privkey */ -{ - uint8_t tag; - - assert(key_blob_len); - assert(key_blob); - assert(pubkey_pack_type); - assert(params); - assert(pubkey); - - /* parse key blob based on tag */ - - tag = key_blob[0]; - switch (tag) { - case NTRU_ENCRYPT_PUBKEY_TAG: - if (!pubkey_parse) - return FALSE; - break; - case NTRU_ENCRYPT_PRIVKEY_DEFAULT_TAG: - case NTRU_ENCRYPT_PRIVKEY_TRITS_TAG: - case NTRU_ENCRYPT_PRIVKEY_INDICES_TAG: - assert(privkey_pack_type); - assert(privkey); - if (pubkey_parse) - return FALSE; - break; - default: - return FALSE; - } - - switch (tag) { - case NTRU_ENCRYPT_PUBKEY_TAG: - case NTRU_ENCRYPT_PRIVKEY_DEFAULT_TAG: - case NTRU_ENCRYPT_PRIVKEY_TRITS_TAG: - case NTRU_ENCRYPT_PRIVKEY_INDICES_TAG: - - /* Version 0: - * byte 0: tag - * byte 1: no. of octets in OID - * bytes 2-4: OID - * bytes 5- : packed pubkey - * [packed privkey] - */ - - { - NTRU_ENCRYPT_PARAM_SET *p = NULL; - uint16_t pubkey_packed_len; - - /* check OID length and minimum blob length for tag and OID */ - - if ((key_blob_len < 5) || (key_blob[1] != 3)) - return FALSE; - - /* get a pointer to the parameter set corresponding to the OID */ - - if ((p = ntru_encrypt_get_params_with_OID(key_blob + 2)) == NULL) - return FALSE; - - /* check blob length and assign pointers to blob fields */ - - pubkey_packed_len = (p->N * p->q_bits + 7) / 8; - if (pubkey_parse) { /* public-key parsing */ - if (key_blob_len != 5 + pubkey_packed_len) - return FALSE; - - *pubkey = key_blob + 5; - - } else { /* private-key parsing */ - uint16_t privkey_packed_len; - uint16_t privkey_packed_trits_len = (p->N + 4) / 5; - uint16_t privkey_packed_indices_len; - uint16_t dF; - - /* check packing type for product-form private keys */ - - if (p->is_product_form && - (tag == NTRU_ENCRYPT_PRIVKEY_TRITS_TAG)) - return FALSE; - - /* set packed-key length for packed indices */ - - if (p->is_product_form) - dF = (uint16_t)( (p->dF_r & 0xff) + /* df1 */ - ((p->dF_r >> 8) & 0xff) + /* df2 */ - ((p->dF_r >> 16) & 0xff)); /* df3 */ - else - dF = (uint16_t)p->dF_r; - privkey_packed_indices_len = ((dF << 1) * p->N_bits + 7) >> 3; - - /* set private-key packing type if defaulted */ - - if (tag == NTRU_ENCRYPT_PRIVKEY_DEFAULT_TAG) { - if (p->is_product_form || - (privkey_packed_indices_len <= - privkey_packed_trits_len)) - tag = NTRU_ENCRYPT_PRIVKEY_INDICES_TAG; - else - tag = NTRU_ENCRYPT_PRIVKEY_TRITS_TAG; - } - - if (tag == NTRU_ENCRYPT_PRIVKEY_TRITS_TAG) - privkey_packed_len = privkey_packed_trits_len; - else - privkey_packed_len = privkey_packed_indices_len; - - if (key_blob_len != 5 + pubkey_packed_len + privkey_packed_len) - return FALSE; - - *pubkey = key_blob + 5; - *privkey = *pubkey + pubkey_packed_len; - *privkey_pack_type = (tag == NTRU_ENCRYPT_PRIVKEY_TRITS_TAG) ? - NTRU_ENCRYPT_KEY_PACKED_TRITS : - NTRU_ENCRYPT_KEY_PACKED_INDICES; - } - - /* return parameter set pointer */ - - *pubkey_pack_type = NTRU_ENCRYPT_KEY_PACKED_COEFFICIENTS; - *params = p; - } - default: - break; /* can't get here */ - } - return TRUE; -} - - -/* ntru_crypto_ntru_encrypt_key_get_blob_params - * - * Returns public and private key packing types and blob lengths given - * a packing format. For now, only a default packing format exists. - * - * Only public-key params may be returned by setting privkey_pack_type - * and privkey_blob_len to NULL. - */ - -void -ntru_crypto_ntru_encrypt_key_get_blob_params( - NTRU_ENCRYPT_PARAM_SET const *params, /* in - pointer to - param set - parameters */ - uint8_t *pubkey_pack_type, /* out - addr for pubkey - packing type */ - uint16_t *pubkey_blob_len, /* out - addr for no. of - bytes in - pubkey blob */ - uint8_t *privkey_pack_type, /* out - addr for privkey - packing type */ - uint16_t *privkey_blob_len) /* out - addr for no. of - bytes in - privkey blob */ -{ - uint16_t pubkey_packed_len = (params->N * params->q_bits + 7) >> 3; - - assert(params); - assert(pubkey_pack_type); - assert(pubkey_blob_len); - - *pubkey_pack_type = NTRU_ENCRYPT_KEY_PACKED_COEFFICIENTS; - *pubkey_blob_len = 5 + pubkey_packed_len; - - if (privkey_pack_type && privkey_blob_len) { - uint16_t privkey_packed_trits_len = (params->N + 4) / 5; - uint16_t privkey_packed_indices_len; - uint16_t dF; - - if (params->is_product_form) - dF = (uint16_t)( (params->dF_r & 0xff) + /* df1 */ - ((params->dF_r >> 8) & 0xff) + /* df2 */ - ((params->dF_r >> 16) & 0xff)); /* df3 */ - else - dF = (uint16_t)params->dF_r; - privkey_packed_indices_len = ((dF << 1) * params->N_bits + 7) >> 3; - - if (params->is_product_form || - (privkey_packed_indices_len <= privkey_packed_trits_len)) { - *privkey_pack_type = NTRU_ENCRYPT_KEY_PACKED_INDICES; - *privkey_blob_len = - 5 + pubkey_packed_len + privkey_packed_indices_len; - } else { - *privkey_pack_type = NTRU_ENCRYPT_KEY_PACKED_TRITS; - *privkey_blob_len = - 5 + pubkey_packed_len + privkey_packed_trits_len; - } - } -} - - -/* ntru_crypto_ntru_encrypt_key_create_pubkey_blob - * - * Returns a public key blob, packed according to the packing type provided. - */ - -void -ntru_crypto_ntru_encrypt_key_create_pubkey_blob( - NTRU_ENCRYPT_PARAM_SET const *params, /* in - pointer to - param set - parameters */ - uint16_t const *pubkey, /* in - pointer to the - coefficients - of the pubkey */ - uint8_t pubkey_pack_type, /* out - pubkey packing - type */ - uint8_t *pubkey_blob) /* out - addr for the - pubkey blob */ -{ - assert(params); - assert(pubkey); - assert(pubkey_blob); - - switch (pubkey_pack_type) { - case NTRU_ENCRYPT_KEY_PACKED_COEFFICIENTS: - *pubkey_blob++ = NTRU_ENCRYPT_PUBKEY_TAG; - *pubkey_blob++ = (uint8_t)sizeof(params->OID); - memcpy(pubkey_blob, params->OID, sizeof(params->OID)); - pubkey_blob += sizeof(params->OID); - ntru_elements_2_octets(params->N, pubkey, params->q_bits, - pubkey_blob); - break; - default: - assert(FALSE); - } -} - - -/* ntru_crypto_ntru_encrypt_key_create_privkey_blob - * - * Returns a private key blob, packed according to the packing type provided. - */ - -void -ntru_crypto_ntru_encrypt_key_create_privkey_blob( - NTRU_ENCRYPT_PARAM_SET const *params, /* in - pointer to - param set - parameters */ - uint16_t const *pubkey, /* in - pointer to the - coefficients - of the pubkey */ - uint16_t const *privkey, /* in - pointer to the - indices of the - privkey */ - uint8_t privkey_pack_type, /* in - privkey packing - type */ - uint8_t *buf, /* in - temp, N bytes */ - uint8_t *privkey_blob) /* out - addr for the - privkey blob */ -{ - assert(params); - assert(pubkey); - assert(privkey); - assert(privkey_blob); - - switch (privkey_pack_type) { - case NTRU_ENCRYPT_KEY_PACKED_TRITS: - case NTRU_ENCRYPT_KEY_PACKED_INDICES: - - /* format header and packed public key */ - - *privkey_blob++ = NTRU_ENCRYPT_PRIVKEY_DEFAULT_TAG; - *privkey_blob++ = (uint8_t)sizeof(params->OID); - memcpy(privkey_blob, params->OID, sizeof(params->OID)); - privkey_blob += sizeof(params->OID); - ntru_elements_2_octets(params->N, pubkey, params->q_bits, - privkey_blob); - privkey_blob += (params->N * params->q_bits + 7) >> 3; - - /* add packed private key */ - - if (privkey_pack_type == NTRU_ENCRYPT_KEY_PACKED_TRITS) { - ntru_indices_2_packed_trits(privkey, (uint16_t)params->dF_r, - (uint16_t)params->dF_r, - params->N, buf, privkey_blob); - } else { - uint32_t dF; - - if (params->is_product_form) { - dF = (params->dF_r & 0xff) + - ((params->dF_r >> 8) & 0xff) + - ((params->dF_r >> 16) & 0xff); - } else { - dF = params->dF_r; - } - ntru_elements_2_octets((uint16_t)dF << 1, privkey, - params->N_bits, privkey_blob); - } - break; - default: - assert(FALSE); - break; - } -} - - diff --git a/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_encrypt_key.h b/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_encrypt_key.h deleted file mode 100644 index 6734f2a4c..000000000 --- a/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_encrypt_key.h +++ /dev/null @@ -1,167 +0,0 @@ -/****************************************************************************** - * NTRU Cryptography Reference Source Code - * Copyright (c) 2009-2013, by Security Innovation, Inc. All rights reserved. - * - * ntru_crypto_ntru_cencrypt_key.h is a component of ntru-crypto. - * - * Copyright (C) 2009-2013 Security Innovation - * - * This program is free software; you can redistribute it and/or - * modify it under the terms of the GNU General Public License - * as published by the Free Software Foundation; either version 2 - * of the License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. - * - *****************************************************************************/ - - -#ifndef NTRU_CRYPTO_NTRU_ENCRYPT_KEY_H -#define NTRU_CRYPTO_NTRU_ENCRYPT_KEY_H - -#include "ntru_crypto_ntru_convert.h" -#include "ntru_crypto_ntru_encrypt_param_sets.h" - - -/* key-blob definitions */ - -#define NTRU_ENCRYPT_PUBKEY_TAG 0x01 -#define NTRU_ENCRYPT_PRIVKEY_DEFAULT_TAG 0x02 -#define NTRU_ENCRYPT_PRIVKEY_TRITS_TAG 0xfe -#define NTRU_ENCRYPT_PRIVKEY_INDICES_TAG 0xff - -/* packing types */ - -#define NTRU_ENCRYPT_KEY_PACKED_COEFFICIENTS 0x01 -#define NTRU_ENCRYPT_KEY_PACKED_INDICES 0x02 -#define NTRU_ENCRYPT_KEY_PACKED_TRITS 0x03 - -/* function declarations */ - - -/* ntru_crypto_ntru_encrypt_key_parse - * - * Parses an NTRUEncrypt key blob. - * If the blob is not corrupt, returns packing types for public and private - * keys, a pointer to the parameter set, a pointer to the public key, and - * a pointer to the private key if it exists. - * - * Returns TRUE if successful. - * Returns FALSE if the blob is invalid. - */ - -extern bool -ntru_crypto_ntru_encrypt_key_parse( - bool pubkey_parse, /* in - if parsing pubkey - blob */ - uint16_t key_blob_len, /* in - no. octets in key - blob */ - uint8_t const *key_blob, /* in - pointer to key blob */ - uint8_t *pubkey_pack_type, /* out - addr for pubkey - packing type */ - uint8_t *privkey_pack_type, /* out - addr for privkey - packing type */ - NTRU_ENCRYPT_PARAM_SET **params, /* out - addr for ptr to - parameter set */ - uint8_t const **pubkey, /* out - addr for ptr to - packed pubkey */ - uint8_t const **privkey); /* out - addr for ptr to - packed privkey */ - - -/* ntru_crypto_ntru_encrypt_key_get_blob_params - * - * Returns public and private key packing types and blob lengths given - * a packing format. For now, only a default packing format exists. - * - * Only public-key params may be returned by setting privkey_pack_type - * and privkey_blob_len to NULL. - */ - -extern void -ntru_crypto_ntru_encrypt_key_get_blob_params( - NTRU_ENCRYPT_PARAM_SET const *params, /* in - pointer to - param set - parameters */ - uint8_t *pubkey_pack_type, /* out - addr for pubkey - packing type */ - uint16_t *pubkey_blob_len, /* out - addr for no. of - bytes in - pubkey blob */ - uint8_t *privkey_pack_type, /* out - addr for privkey - packing type */ - uint16_t *privkey_blob_len); /* out - addr for no. of - bytes in - privkey blob */ - - -/* ntru_crypto_ntru_encrypt_key_create_pubkey_blob - * - * Returns a public key blob, packed according to the packing type provided. - */ - -extern void -ntru_crypto_ntru_encrypt_key_create_pubkey_blob( - NTRU_ENCRYPT_PARAM_SET const *params, /* in - pointer to - param set - parameters */ - uint16_t const *pubkey, /* in - pointer to the - coefficients - of the pubkey */ - uint8_t pubkey_pack_type, /* out - addr for pubkey - packing type */ - uint8_t *pubkey_blob); /* out - addr for the - pubkey blob */ - - -/* ntru_crypto_ntru_encrypt_key_recreate_pubkey_blob - * - * Returns a public key blob, recreated from an already-packed public key. - */ - -extern void -ntru_crypto_ntru_encrypt_key_recreate_pubkey_blob( - NTRU_ENCRYPT_PARAM_SET const *params, /* in - pointer to - param set - parameters */ - uint16_t packed_pubkey_len, /* in - no. octets in - packed pubkey */ - uint8_t const *packed_pubkey, /* in - pointer to the - packed pubkey */ - uint8_t pubkey_pack_type, /* out - pubkey packing - type */ - uint8_t *pubkey_blob); /* out - addr for the - pubkey blob */ - - -/* ntru_crypto_ntru_encrypt_key_create_privkey_blob - * - * Returns a privlic key blob, packed according to the packing type provided. - */ - -extern void -ntru_crypto_ntru_encrypt_key_create_privkey_blob( - NTRU_ENCRYPT_PARAM_SET const *params, /* in - pointer to - param set - parameters */ - uint16_t const *pubkey, /* in - pointer to the - coefficients - of the pubkey */ - uint16_t const *privkey, /* in - pointer to the - indices of the - privkey */ - uint8_t privkey_pack_type, /* in - privkey packing - type */ - uint8_t *buf, /* in - temp, N bytes */ - uint8_t *privkey_blob); /* out - addr for the - privkey blob */ - - -#endif /* NTRU_CRYPTO_NTRU_ENCRYPT_KEY_H */ diff --git a/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_encrypt_param_sets.h b/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_encrypt_param_sets.h deleted file mode 100644 index e5e977a0e..000000000 --- a/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_encrypt_param_sets.h +++ /dev/null @@ -1,101 +0,0 @@ -/****************************************************************************** - * NTRU Cryptography Reference Source Code - * Copyright (c) 2009-2013, by Security Innovation, Inc. All rights reserved. - * - * ntru_crypto_ntru_encrypt_param_sets.h is a component of ntru-crypto. - * - * Copyright (C) 2009-2013 Security Innovation - * - * This program is free software; you can redistribute it and/or - * modify it under the terms of the GNU General Public License - * as published by the Free Software Foundation; either version 2 - * of the License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. - * - *****************************************************************************/ - -/****************************************************************************** - * - * File: ntru_crypto_ntru_encrypt_param_sets.h - * - * Contents: Definitions and declarations for the NTRUEncrypt parameter sets. - * - *****************************************************************************/ - -#ifndef NTRU_CRYPTO_NTRU_ENCRYPT_PARAM_SETS_H -#define NTRU_CRYPTO_NTRU_ENCRYPT_PARAM_SETS_H - -#include "ntru_crypto.h" - -/* structures */ - -typedef struct _NTRU_ENCRYPT_PARAM_SET { - NTRU_ENCRYPT_PARAM_SET_ID id; /* parameter-set ID */ - uint8_t const OID[3]; /* pointer to OID */ - uint8_t der_id; /* parameter-set DER id */ - uint8_t N_bits; /* no. of bits in N (i.e. in - an index */ - uint16_t N; /* ring dimension */ - uint16_t sec_strength_len; /* no. of octets of - security strength */ - uint16_t q; /* big modulus */ - uint8_t q_bits; /* no. of bits in q (i.e. in - a coefficient */ - bool is_product_form; /* if product form used */ - uint32_t dF_r; /* no. of 1 or -1 coefficients - in ring elements F, r */ - uint16_t dg; /* no. - 1 of 1 coefficients - or no. of -1 coefficients - in ring element g */ - uint16_t m_len_max; /* max no. of plaintext - octets */ - uint16_t min_msg_rep_wt; /* min. message - representative weight */ - uint8_t c_bits; /* no. bits in candidate for - deriving an index in - IGF-2 */ - uint8_t m_len_len; /* no. of octets to hold - mLenOctets */ -} NTRU_ENCRYPT_PARAM_SET; - - - -/* function declarations */ - -/* ntru_encrypt_get_params_with_id - * - * Looks up a set of NTRU Encrypt parameters based on the id of the - * parameter set. - * - * Returns a pointer to the parameter set parameters if successful. - * Returns NULL if the parameter set cannot be found. - */ - -extern NTRU_ENCRYPT_PARAM_SET * -ntru_encrypt_get_params_with_id( - NTRU_ENCRYPT_PARAM_SET_ID id); /* in - parameter-set id */ - - -/* ntru_encrypt_get_params_with_OID - * - * Looks up a set of NTRU Encrypt parameters based on the OID of the - * parameter set. - * - * Returns a pointer to the parameter set parameters if successful. - * Returns NULL if the parameter set cannot be found. - */ - -extern NTRU_ENCRYPT_PARAM_SET * -ntru_encrypt_get_params_with_OID( - uint8_t const *oid); /* in - pointer to parameter-set OID */ - -#endif /* NTRU_CRYPTO_NTRU_ENCRYPT_PARAM_SETS_H */ - diff --git a/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_poly.c b/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_poly.c deleted file mode 100644 index 8e4eede87..000000000 --- a/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_poly.c +++ /dev/null @@ -1,242 +0,0 @@ -/****************************************************************************** - * NTRU Cryptography Reference Source Code - * Copyright (c) 2009-2013, by Security Innovation, Inc. All rights reserved. - * - * ntru_crypto_ntru_poly.c is a component of ntru-crypto. - * - * Copyright (C) 2009-2013 Security Innovation - * - * This program is free software; you can redistribute it and/or - * modify it under the terms of the GNU General Public License - * as published by the Free Software Foundation; either version 2 - * of the License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. - * - *****************************************************************************/ - -#include <stdlib.h> -#include <string.h> -#include "ntru_crypto_ntru_poly.h" - -/* ntru_poly_check_min_weight - * - * Checks that the number of 0, +1, and -1 trinary ring elements meet or exceed - * a minimum weight. - */ - -bool -ntru_poly_check_min_weight( - uint16_t num_els, /* in - degree of polynomial */ - uint8_t *ringels, /* in - pointer to trinary ring elements */ - uint16_t min_wt) /* in - minimum weight */ -{ - uint16_t wt[3]; - uint16_t i; - - wt[0] = wt[1] = wt[2] = 0; - for (i = 0; i < num_els; i++) { - ++wt[ringels[i]]; - } - if ((wt[0] < min_wt) || (wt[1] < min_wt) || (wt[2] < min_wt)) { - return FALSE; - } - return TRUE; -} - -/* ntru_ring_mult_coefficients - * - * Multiplies ring element (polynomial) "a" by ring element (polynomial) "b" - * to produce ring element (polynomial) "c" in (Z/qZ)[X]/(X^N - 1). - * This is a convolution operation. - * - * Ring element "b" has coefficients in the range [0,N). - * - * This assumes q is 2^r where 8 < r < 16, so that overflow of the sum - * beyond 16 bits does not matter. - */ - -void -ntru_ring_mult_coefficients( - uint16_t const *a, /* in - pointer to polynomial a */ - uint16_t const *b, /* in - pointer to polynomial b */ - uint16_t N, /* in - no. of coefficients in a, b, c */ - uint16_t q, /* in - large modulus */ - uint16_t *c) /* out - address for polynomial c */ -{ - uint16_t const *bptr = b; - uint16_t mod_q_mask = q - 1; - uint16_t i, k; - - /* c[k] = sum(a[i] * b[k-i]) mod q */ - memset(c, 0, N * sizeof(uint16_t)); - for (k = 0; k < N; k++) { - i = 0; - while (i <= k) - c[k] += a[i++] * *bptr--; - bptr += N; - while (i < N) - c[k] += a[i++] * *bptr--; - c[k] &= mod_q_mask; - ++bptr; - } -} - - -/* ntru_ring_inv - * - * Finds the inverse of a polynomial, a, in (Z/2^rZ)[X]/(X^N - 1). - * - * This assumes q is 2^r where 8 < r < 16, so that operations mod q can - * wait until the end, and only 16-bit arrays need to be used. - */ - -bool -ntru_ring_inv( - uint16_t *a, /* in - pointer to polynomial a */ - uint16_t N, /* in - no. of coefficients in a */ - uint16_t q, /* in - large modulus */ - uint16_t *t, /* in - temp buffer of 2N elements */ - uint16_t *a_inv) /* out - address for polynomial a^-1 */ -{ - uint8_t *b = (uint8_t *)t; /* b cannot be in a_inv since it must be - rotated and copied there as a^-1 mod 2 */ - uint8_t *c = b + N; /* c cannot be in a_inv since it exchanges - with b, and b cannot be in a_inv */ - uint8_t *f = c + N; - uint8_t *g = (uint8_t *)a_inv; /* g needs N + 1 bytes */ - uint16_t *t2 = t + N; - uint16_t deg_b; - uint16_t deg_c; - uint16_t deg_f; - uint16_t deg_g; - uint16_t k = 0; - bool done = FALSE; - uint16_t i, j; - - /* form a^-1 in (Z/2Z)[X]/X^N - 1) */ - memset(b, 0, (N << 1)); /* clear to init b, c */ - - /* b(X) = 1 */ - b[0] = 1; - deg_b = 0; - - /* c(X) = 0 (cleared above) */ - deg_c = 0; - - /* f(X) = a(X) mod 2 */ - for (i = 0; i < N; i++) - f[i] = (uint8_t)(a[i] & 1); - deg_f = N - 1; - - /* g(X) = X^N - 1 */ - g[0] = 1; - memset(g + 1, 0, N - 1); - g[N] = 1; - deg_g = N; - - /* until f(X) = 1 */ - - while (!done) - { - - /* while f[0] = 0, f(X) /= X, c(X) *= X, k++ */ - - for (i = 0; (i <= deg_f) && (f[i] == 0); ++i); - if (i > deg_f) - return FALSE; - if (i) { - f = f + i; - deg_f = deg_f - i; - deg_c = deg_c + i; - for (j = deg_c; j >= i; j--) - c[j] = c[j-i]; - for (j = 0; j < i; j++) - c[j] = 0; - k = k + i; - } - - /* adjust degree of f(X) if the highest coefficients are zero - * Note: f[0] = 1 from above so the loop will terminate. - */ - - while (f[deg_f] == 0) - --deg_f; - - /* if f(X) = 1, done - * Note: f[0] = 1 from above, so only check the x term and up - */ - - for (i = 1; (i <= deg_f) && (f[i] == 0); ++i); - if (i > deg_f) { - done = TRUE; - break; - } - - /* if deg_f < deg_g, f <-> g, b <-> c */ - - if (deg_f < deg_g) { - uint8_t *x; - - x = f; - f = g; - g = x; - deg_f ^= deg_g; - deg_g ^= deg_f; - deg_f ^= deg_g; - x = b; - b = c; - c = x; - deg_b ^= deg_c; - deg_c ^= deg_b; - deg_b ^= deg_c; - } - - /* f(X) += g(X), b(X) += c(X) */ - - for (i = 0; i <= deg_g; i++) - f[i] ^= g[i]; - - if (deg_c > deg_b) - deg_b = deg_c; - for (i = 0; i <= deg_c; i++) - b[i] ^= c[i]; - } - - /* a^-1 in (Z/2Z)[X]/(X^N - 1) = b(X) shifted left k coefficients */ - - j = 0; - if (k >= N) - k = k - N; - for (i = k; i < N; i++) - a_inv[j++] = (uint16_t)(b[i]); - for (i = 0; i < k; i++) - a_inv[j++] = (uint16_t)(b[i]); - - /* lift a^-1 in (Z/2Z)[X]/(X^N - 1) to a^-1 in (Z/qZ)[X]/(X^N -1) */ - - for (j = 0; j < 4; ++j) { /* assumes 256 < q <= 65536 */ - - /* a^-1 = a^-1 * (2 - a * a^-1) mod q */ - - memcpy(t2, a_inv, N * sizeof(uint16_t)); - ntru_ring_mult_coefficients(a, t2, N, q, t); - for (i = 0; i < N; ++i) - t[i] = q - t[i]; - t[0] = t[0] + 2; - ntru_ring_mult_coefficients(t2, t, N, q, a_inv); - } - - return TRUE; - - -} - - diff --git a/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_poly.h b/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_poly.h deleted file mode 100644 index 1e9d467ed..000000000 --- a/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_poly.h +++ /dev/null @@ -1,96 +0,0 @@ -/****************************************************************************** - * NTRU Cryptography Reference Source Code - * Copyright (c) 2009-2013, by Security Innovation, Inc. All rights reserved. - * - * ntru_crypto_ntru_poly.h is a component of ntru-crypto. - * - * Copyright (C) 2009-2013 Security Innovation - * - * This program is free software; you can redistribute it and/or - * modify it under the terms of the GNU General Public License - * as published by the Free Software Foundation; either version 2 - * of the License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. - * - *****************************************************************************/ - -/****************************************************************************** - * - * File: ntru_crypto_ntru_poly.h - * - * Contents: Public header file for generating and operating on polynomials - * in the NTRU algorithm. - * - *****************************************************************************/ - - -#ifndef NTRU_CRYPTO_NTRU_POLY_H -#define NTRU_CRYPTO_NTRU_POLY_H - - -#include "ntru_crypto.h" - -#include <crypto/hashers/hasher.h> - - -/* function declarations */ - -/* ntru_poly_check_min_weight - * - * Checks that the number of 0, +1, and -1 trinary ring elements meet or exceed - * a minimum weight. - */ - -extern bool -ntru_poly_check_min_weight( - uint16_t num_els, /* in - degree of polynomial */ - uint8_t *ringels, /* in - pointer to trinary ring elements */ - uint16_t min_wt); /* in - minimum weight */ - -/* ntru_ring_mult_coefficients - * - * Multiplies ring element (polynomial) "a" by ring element (polynomial) "b" - * to produce ring element (polynomial) "c" in (Z/qZ)[X]/(X^N - 1). - * This is a convolution operation. - * - * Ring element "b" has coefficients in the range [0,N). - * - * This assumes q is 2^r where 8 < r < 16, so that overflow of the sum - * beyond 16 bits does not matter. - */ - -extern void -ntru_ring_mult_coefficients( - uint16_t const *a, /* in - pointer to polynomial a */ - uint16_t const *b, /* in - pointer to polynomial b */ - uint16_t N, /* in - no. of coefficients in a, b, c */ - uint16_t q, /* in - large modulus */ - uint16_t *c); /* out - address for polynomial c */ - - -/* ntru_ring_inv - * - * Finds the inverse of a polynomial, a, in (Z/2^rZ)[X]/(X^N - 1). - * - * This assumes q is 2^r where 8 < r < 16, so that operations mod q can - * wait until the end, and only 16-bit arrays need to be used. - */ - -extern bool -ntru_ring_inv( - uint16_t *a, /* in - pointer to polynomial a */ - uint16_t N, /* in - no. of coefficients in a */ - uint16_t q, /* in - large modulus */ - uint16_t *t, /* in - temp buffer of 2N elements */ - uint16_t *a_inv); /* out - address for polynomial a^-1 */ - - -#endif /* NTRU_CRYPTO_NTRU_POLY_H */ diff --git a/src/libstrongswan/plugins/ntru/ntru_drbg.c b/src/libstrongswan/plugins/ntru/ntru_drbg.c index 181a58939..ef0d3d9c8 100644 --- a/src/libstrongswan/plugins/ntru/ntru_drbg.c +++ b/src/libstrongswan/plugins/ntru/ntru_drbg.c @@ -67,6 +67,10 @@ struct private_ntru_drbg_t { */ chunk_t value; + /** + * reference count + */ + refcount_t ref; }; /** @@ -180,13 +184,23 @@ METHOD(ntru_drbg_t, generate, bool, return TRUE; } +METHOD(ntru_drbg_t, get_ref, ntru_drbg_t*, + private_ntru_drbg_t *this) +{ + ref_get(&this->ref); + return &this->public; +} + METHOD(ntru_drbg_t, destroy, void, private_ntru_drbg_t *this) { - this->hmac->destroy(this->hmac); - chunk_clear(&this->key); - chunk_clear(&this->value); - free(this); + if (ref_put(&this->ref)) + { + this->hmac->destroy(this->hmac); + chunk_clear(&this->key); + chunk_clear(&this->value); + free(this); + } } /* @@ -238,6 +252,7 @@ ntru_drbg_t *ntru_drbg_create(u_int32_t strength, chunk_t pers_str, .get_strength = _get_strength, .reseed = _reseed, .generate = _generate, + .get_ref = _get_ref, .destroy = _destroy, }, .strength = strength, @@ -247,6 +262,7 @@ ntru_drbg_t *ntru_drbg_create(u_int32_t strength, chunk_t pers_str, .value = chunk_alloc(hmac->get_block_size(hmac)), .max_requests = max_requests, .reseed_counter = 1, + .ref = 1, ); memset(this->key.ptr, 0x00, this->key.len); diff --git a/src/libstrongswan/plugins/ntru/ntru_drbg.h b/src/libstrongswan/plugins/ntru/ntru_drbg.h index 38ac718ae..83cef11be 100644 --- a/src/libstrongswan/plugins/ntru/ntru_drbg.h +++ b/src/libstrongswan/plugins/ntru/ntru_drbg.h @@ -58,6 +58,13 @@ struct ntru_drbg_t { u_int8_t *out); /** + * Get a reference on an ntru_drbg_t object increasing the count by one + * + * @return reference to the ntru_drbg_t object + */ + ntru_drbg_t* (*get_ref)(ntru_drbg_t *this); + + /** * Uninstantiate and destroy the DRBG object */ void (*destroy)(ntru_drbg_t *this); diff --git a/src/libstrongswan/plugins/ntru/ntru_ke.c b/src/libstrongswan/plugins/ntru/ntru_ke.c index 39fb261cd..abaa22336 100644 --- a/src/libstrongswan/plugins/ntru/ntru_ke.c +++ b/src/libstrongswan/plugins/ntru/ntru_ke.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2013 Andreas Steffen + * Copyright (C) 2013-2014 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -15,54 +15,33 @@ #include "ntru_ke.h" #include "ntru_drbg.h" - -#include "ntru_crypto/ntru_crypto.h" +#include "ntru_param_set.h" +#include "ntru_private_key.h" +#include "ntru_public_key.h" #include <crypto/diffie_hellman.h> #include <utils/debug.h> typedef struct private_ntru_ke_t private_ntru_ke_t; -typedef struct param_set_t param_set_t; - -/** - * Defines an NTRU parameter set by ID or OID - */ -struct param_set_t { - NTRU_ENCRYPT_PARAM_SET_ID id; - char oid[3]; - char *name; -}; /* Best bandwidth and speed, no X9.98 compatibility */ -static param_set_t param_sets_optimum[] = { - { NTRU_EES401EP2, {0x00, 0x02, 0x10}, "ees401ep2" }, - { NTRU_EES439EP1, {0x00, 0x03, 0x10}, "ees439ep1" }, - { NTRU_EES593EP1, {0x00, 0x05, 0x10}, "ees593ep1" }, - { NTRU_EES743EP1, {0x00, 0x06, 0x10}, "ees743ep1" } +static ntru_param_set_id_t param_sets_optimum[] = { + NTRU_EES401EP2, NTRU_EES439EP1, NTRU_EES593EP1, NTRU_EES743EP1 }; /* X9.98/IEEE 1363.1 parameter sets for best speed */ -static param_set_t param_sets_x9_98_speed[] = { - { NTRU_EES659EP1, {0x00, 0x02, 0x06}, "ees659ep1" }, - { NTRU_EES761EP1, {0x00, 0x03, 0x05}, "ees761ep1" }, - { NTRU_EES1087EP1, {0x00, 0x05, 0x05}, "ees1087ep1" }, - { NTRU_EES1499EP1, {0x00, 0x06, 0x05}, "ees1499ep1" } +static ntru_param_set_id_t param_sets_x9_98_speed[] = { + NTRU_EES659EP1, NTRU_EES761EP1, NTRU_EES1087EP1, NTRU_EES1499EP1 }; /* X9.98/IEEE 1363.1 parameter sets for best bandwidth (smallest size) */ -static param_set_t param_sets_x9_98_bandwidth[] = { - { NTRU_EES401EP1, {0x00, 0x02, 0x04}, "ees401ep1" }, - { NTRU_EES449EP1, {0x00, 0x03, 0x03}, "ees449ep1" }, - { NTRU_EES677EP1, {0x00, 0x05, 0x03}, "ees677ep1" }, - { NTRU_EES1087EP2, {0x00, 0x06, 0x03}, "ees1087ep2" } +static ntru_param_set_id_t param_sets_x9_98_bandwidth[] = { + NTRU_EES401EP1, NTRU_EES449EP1, NTRU_EES677EP1, NTRU_EES1087EP2 }; /* X9.98/IEEE 1363.1 parameter sets balancing speed and bandwidth */ -static param_set_t param_sets_x9_98_balance[] = { - { NTRU_EES541EP1, {0x00, 0x02, 0x05}, "ees541ep1" }, - { NTRU_EES613EP1, {0x00, 0x03, 0x04}, "ees613ep1" }, - { NTRU_EES887EP1, {0x00, 0x05, 0x04}, "ees887ep1" }, - { NTRU_EES1171EP1, {0x00, 0x06, 0x04}, "ees1171ep1" } +static ntru_param_set_id_t param_sets_x9_98_balance[] = { + NTRU_EES541EP1, NTRU_EES613EP1, NTRU_EES887EP1, NTRU_EES1171EP1 }; /** @@ -82,7 +61,7 @@ struct private_ntru_ke_t { /** * NTRU Parameter Set */ - param_set_t *param_set; + ntru_param_set_t *param_set; /** * Cryptographical strength in bits of the NTRU Parameter Set @@ -92,12 +71,12 @@ struct private_ntru_ke_t { /** * NTRU Public Key */ - chunk_t pub_key; + ntru_public_key_t *pubkey; /** * NTRU Private Key */ - chunk_t priv_key; + ntru_private_key_t *privkey; /** * NTRU encrypted shared secret @@ -133,8 +112,6 @@ struct private_ntru_ke_t { METHOD(diffie_hellman_t, get_my_public_value, void, private_ntru_ke_t *this, chunk_t *value) { - uint16_t pub_key_len, priv_key_len; - *value = chunk_empty; if (this->responder) @@ -146,34 +123,19 @@ METHOD(diffie_hellman_t, get_my_public_value, void, } else { - if (this->pub_key.len == 0) + if (!this->pubkey) { - /* determine the NTRU public and private key sizes */ - if (ntru_crypto_ntru_encrypt_keygen(this->drbg, this->param_set->id, - &pub_key_len, NULL, - &priv_key_len, NULL) != NTRU_OK) - { - DBG1(DBG_LIB, "error determining NTRU public and private key " - "sizes"); - return; - } - this->pub_key = chunk_alloc(pub_key_len); - this->priv_key = chunk_alloc(priv_key_len); - /* generate a random NTRU public/private key pair */ - if (ntru_crypto_ntru_encrypt_keygen(this->drbg, this->param_set->id, - &pub_key_len, this->pub_key.ptr, - &priv_key_len, this->priv_key.ptr) != NTRU_OK) + this->privkey = ntru_private_key_create(this->drbg, this->param_set); + if (!this->privkey) { DBG1(DBG_LIB, "NTRU keypair generation failed"); - chunk_free(&this->priv_key); - chunk_free(&this->pub_key); return; } - DBG3(DBG_LIB, "NTRU public key: %B", &this->pub_key); - DBG4(DBG_LIB, "NTRU private key: %B", &this->priv_key); + this->pubkey = this->privkey->get_public_key(this->privkey); } - *value = chunk_clone(this->pub_key); + *value = chunk_clone(this->pubkey->get_encoding(this->pubkey)); + DBG3(DBG_LIB, "NTRU public key: %B", value); } } @@ -194,9 +156,7 @@ METHOD(diffie_hellman_t, get_shared_secret, status_t, METHOD(diffie_hellman_t, set_other_public_value, void, private_ntru_ke_t *this, chunk_t value) { - u_int16_t plaintext_len, ciphertext_len; - - if (this->priv_key.len) + if (this->privkey) { /* initiator decrypting shared secret */ if (value.len == 0) @@ -204,48 +164,36 @@ METHOD(diffie_hellman_t, set_other_public_value, void, DBG1(DBG_LIB, "empty NTRU ciphertext"); return; } - this->ciphertext = chunk_clone(value); - DBG3(DBG_LIB, "NTRU ciphertext: %B", &this->ciphertext); - - /* determine the size of the maximum plaintext */ - if (ntru_crypto_ntru_decrypt(this->priv_key.len, this->priv_key.ptr, - this->ciphertext.len, this->ciphertext.ptr, - &plaintext_len, NULL) != NTRU_OK) - { - DBG1(DBG_LIB, "error determining maximum plaintext size"); - return; - } - this->shared_secret = chunk_alloc(plaintext_len); + DBG3(DBG_LIB, "NTRU ciphertext: %B", &value); /* decrypt the shared secret */ - if (ntru_crypto_ntru_decrypt(this->priv_key.len, this->priv_key.ptr, - this->ciphertext.len, this->ciphertext.ptr, - &plaintext_len, this->shared_secret.ptr) != NTRU_OK) + if (!this->privkey->decrypt(this->privkey, value, &this->shared_secret)) { DBG1(DBG_LIB, "NTRU decryption of shared secret failed"); - chunk_free(&this->shared_secret); return; } - this->shared_secret.len = plaintext_len; this->computed = TRUE; } else { + ntru_public_key_t *pubkey; + /* responder generating and encrypting the shared secret */ this->responder = TRUE; - /* check the NTRU public key format */ - if (value.len < 5 || value.ptr[0] != 1 || value.ptr[1] != 3) + DBG3(DBG_LIB, "NTRU public key: %B", &value); + pubkey = ntru_public_key_create_from_data(this->drbg, value); + if (!pubkey) { - DBG1(DBG_LIB, "received NTRU public key with invalid header"); return; } - if (!memeq(value.ptr + 2, this->param_set->oid, 3)) + if (pubkey->get_id(pubkey) != this->param_set->id) { - DBG1(DBG_LIB, "received NTRU public key with wrong OID"); + DBG1(DBG_LIB, "received NTRU public key with wrong OUI"); + pubkey->destroy(pubkey); return; } - this->pub_key = chunk_clone(value); + this->pubkey = pubkey; /* shared secret size is chosen as twice the cryptographical strength */ this->shared_secret = chunk_alloc(2 * this->strength / BITS_PER_BYTE); @@ -260,25 +208,10 @@ METHOD(diffie_hellman_t, set_other_public_value, void, } this->computed = TRUE; - /* determine the size of the ciphertext */ - if (ntru_crypto_ntru_encrypt(this->drbg, - this->pub_key.len, this->pub_key.ptr, - this->shared_secret.len, this->shared_secret.ptr, - &ciphertext_len, NULL) != NTRU_OK) - { - DBG1(DBG_LIB, "error determining ciphertext size"); - return; - } - this->ciphertext = chunk_alloc(ciphertext_len); - /* encrypt the shared secret */ - if (ntru_crypto_ntru_encrypt(this->drbg, - this->pub_key.len, this->pub_key.ptr, - this->shared_secret.len, this->shared_secret.ptr, - &ciphertext_len, this->ciphertext.ptr) != NTRU_OK) + if (!pubkey->encrypt(pubkey, this->shared_secret, &this->ciphertext)) { DBG1(DBG_LIB, "NTRU encryption of shared secret failed"); - chunk_free(&this->ciphertext); return; } DBG3(DBG_LIB, "NTRU ciphertext: %B", &this->ciphertext); @@ -294,11 +227,11 @@ METHOD(diffie_hellman_t, get_dh_group, diffie_hellman_group_t, METHOD(diffie_hellman_t, destroy, void, private_ntru_ke_t *this) { + DESTROY_IF(this->privkey); + DESTROY_IF(this->pubkey); this->drbg->destroy(this->drbg); this->entropy->destroy(this->entropy); - chunk_free(&this->pub_key); chunk_free(&this->ciphertext); - chunk_clear(&this->priv_key); chunk_clear(&this->shared_secret); free(this); } @@ -309,7 +242,7 @@ METHOD(diffie_hellman_t, destroy, void, ntru_ke_t *ntru_ke_create(diffie_hellman_group_t group, chunk_t g, chunk_t p) { private_ntru_ke_t *this; - param_set_t *param_sets, *param_set; + ntru_param_set_id_t *param_sets, param_set_id; rng_t *entropy; ntru_drbg_t *drbg; char *parameter_set; @@ -339,25 +272,25 @@ ntru_ke_t *ntru_ke_create(diffie_hellman_group_t group, chunk_t g, chunk_t p) { case NTRU_112_BIT: strength = 112; - param_set = ¶m_sets[0]; + param_set_id = param_sets[0]; break; case NTRU_128_BIT: strength = 128; - param_set = ¶m_sets[1]; + param_set_id = param_sets[1]; break; case NTRU_192_BIT: strength = 192; - param_set = ¶m_sets[2]; + param_set_id = param_sets[2]; break; case NTRU_256_BIT: strength = 256; - param_set = ¶m_sets[3]; + param_set_id = param_sets[3]; break; default: return NULL; } - DBG1(DBG_LIB, "%u bit %s NTRU parameter set %s selected", strength, - parameter_set, param_set->name); + DBG1(DBG_LIB, "%u bit %s NTRU parameter set %N selected", strength, + parameter_set, ntru_param_set_id_names, param_set_id); entropy = lib->crypto->create_rng(lib->crypto, RNG_TRUE); if (!entropy) @@ -385,7 +318,7 @@ ntru_ke_t *ntru_ke_create(diffie_hellman_group_t group, chunk_t g, chunk_t p) }, }, .group = group, - .param_set = param_set, + .param_set = ntru_param_set_get_by_id(param_set_id), .strength = strength, .entropy = entropy, .drbg = drbg, diff --git a/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_encrypt_param_sets.c b/src/libstrongswan/plugins/ntru/ntru_param_set.c index 5ddf91d2a..4af1e3091 100644 --- a/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_encrypt_param_sets.c +++ b/src/libstrongswan/plugins/ntru/ntru_param_set.c @@ -1,44 +1,49 @@ -/****************************************************************************** - * NTRU Cryptography Reference Source Code - * Copyright (c) 2009-2013, by Security Innovation, Inc. All rights reserved. - * - * ntru_crypto_ntru_param_sets.c is a component of ntru-crypto. +/* + * Copyright (C) 2014 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil * * Copyright (C) 2009-2013 Security Innovation - * - * This program is free software; you can redistribute it and/or - * modify it under the terms of the GNU General Public License - * as published by the Free Software Foundation; either version 2 - * of the License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. - * - *****************************************************************************/ - -/****************************************************************************** - * - * File: ntru_crypto_ntru_encrypt_param_sets.c * - * Contents: Defines the NTRUEncrypt parameter sets. + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. * - *****************************************************************************/ - -#include <stdlib.h> -#include <string.h> -#include "ntru_crypto_ntru_encrypt_param_sets.h" - - -/* parameter sets */ + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ -static NTRU_ENCRYPT_PARAM_SET ntruParamSets[] = { +#include "ntru_param_set.h" + +#include <utils/test.h> + +ENUM(ntru_param_set_id_names, NTRU_EES401EP1, NTRU_EES743EP1, + "ees401ep1", + "ees449ep1", + "ees677ep1", + "ees1087ep2", + "ees541ep1", + "ees613ep1", + "ees887ep1", + "ees1171ep1", + "ees659ep1", + "ees761ep1", + "ees1087ep1", + "ees1499ep1", + "ees401ep2", + "ees439ep1", + "ees593ep1", + "ees743ep1" +); + +/** + * NTRU encryption parameter set definitions + */ +static ntru_param_set_t ntru_param_sets[] = { + /* X9.98/IEEE 1363.1 parameter sets for best bandwidth (smallest size) */ { NTRU_EES401EP1, /* parameter-set id */ {0x00, 0x02, 0x04}, /* OID */ @@ -97,7 +102,7 @@ static NTRU_ENCRYPT_PARAM_SET ntruParamSets[] = { NTRU_EES1087EP2, /* parameter-set id */ {0x00, 0x06, 0x03}, /* OID */ 0x25, /* DER id */ - 10, /* no. of bits in N (i.e., in an index) */ + 11, /* no. of bits in N (i.e., in an index) */ 1087, /* N */ 32, /* security strength in octets */ 2048, /* q */ @@ -111,6 +116,7 @@ static NTRU_ENCRYPT_PARAM_SET ntruParamSets[] = { 1, /* lLen */ }, + /* X9.98/IEEE 1363.1 parameter sets balancing speed and bandwidth */ { NTRU_EES541EP1, /* parameter-set id */ {0x00, 0x02, 0x05}, /* OID */ @@ -183,6 +189,7 @@ static NTRU_ENCRYPT_PARAM_SET ntruParamSets[] = { 1, /* lLen */ }, + /* X9.98/IEEE 1363.1 parameter sets for best speed */ { NTRU_EES659EP1, /* parameter-set id */ {0x00, 0x02, 0x06}, /* OID */ @@ -255,6 +262,7 @@ static NTRU_ENCRYPT_PARAM_SET ntruParamSets[] = { 1, /* lLen */ }, + /* Best bandwidth and speed, no X9.98 compatibility */ { NTRU_EES401EP2, /* parameter-set id */ {0x00, 0x02, 0x10}, /* OID */ @@ -329,56 +337,39 @@ static NTRU_ENCRYPT_PARAM_SET ntruParamSets[] = { }; -static size_t numParamSets = - sizeof(ntruParamSets)/sizeof(NTRU_ENCRYPT_PARAM_SET); - - -/* functions */ - -/* ntru_encrypt_get_params_with_id - * - * Looks up a set of NTRUEncrypt parameters based on the id of the - * parameter set. - * - * Returns a pointer to the parameter set parameters if successful. - * Returns NULL if the parameter set cannot be found. +/** + * See header. */ - -NTRU_ENCRYPT_PARAM_SET * -ntru_encrypt_get_params_with_id( - NTRU_ENCRYPT_PARAM_SET_ID id) /* in - parameter-set id */ +ntru_param_set_t* ntru_param_set_get_by_id(ntru_param_set_id_t id) { - size_t i; - - for (i = 0; i < numParamSets; i++) { - if (ntruParamSets[i].id == id) { - return &(ntruParamSets[i]); - } - } - return NULL; + int i; + + for (i = 0; i < countof(ntru_param_sets); i++) + { + if (ntru_param_sets[i].id == id) + { + return &ntru_param_sets[i]; + } + } + return NULL; } -/* ntru_encrypt_get_params_with_OID - * - * Looks up a set of NTRUEncrypt parameters based on the OID of the - * parameter set. - * - * Returns a pointer to the parameter set parameters if successful. - * Returns NULL if the parameter set cannot be found. +/** + * See header. */ - -NTRU_ENCRYPT_PARAM_SET * -ntru_encrypt_get_params_with_OID( - uint8_t const *oid) /* in - pointer to parameter-set OID */ +ntru_param_set_t* ntru_param_set_get_by_oid(uint8_t const *oid) { - size_t i; - - for (i = 0; i < numParamSets; i++) { - if (!memcmp(ntruParamSets[i].OID, oid, 3)) { - return &(ntruParamSets[i]); - } - } - return NULL; + int i; + + for (i = 0; i < countof(ntru_param_sets); i++) + { + if (memeq(ntru_param_sets[i].oid, oid, 3)) + { + return &ntru_param_sets[i]; + } + } + return NULL; } +EXPORT_FUNCTION_FOR_TESTS(ntru, ntru_param_set_get_by_id); diff --git a/src/libstrongswan/plugins/ntru/ntru_param_set.h b/src/libstrongswan/plugins/ntru/ntru_param_set.h new file mode 100644 index 000000000..df4e55333 --- /dev/null +++ b/src/libstrongswan/plugins/ntru/ntru_param_set.h @@ -0,0 +1,118 @@ +/* + * Copyright (C) 2014 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * Copyright (C) 2009-2013 Security Innovation + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup ntru_param_set ntru_param_set + * @{ @ingroup ntru_p + */ + +#ifndef NTRU_PARAM_SET_H_ +#define NTRU_PARAM_SET_H_ + +typedef enum ntru_param_set_id_t ntru_param_set_id_t; +typedef struct ntru_param_set_t ntru_param_set_t; + +#include <library.h> + +/** + * Encoding types for NTRU encryption public/private key blobs + */ +#define NTRU_PUBKEY_TAG 0x01 +#define NTRU_PRIVKEY_DEFAULT_TAG 0x02 +#define NTRU_PRIVKEY_TRITS_TAG 0xfe +#define NTRU_PRIVKEY_INDICES_TAG 0xff + +/** + * Size in octets of the OID designating the NTRU encryption parameter set + */ +#define NTRU_OID_LEN 3 + +/** + * Packing types for NTRU encryption public/private keys + */ +#define NTRU_KEY_PACKED_COEFFICIENTS 0x01 +#define NTRU_KEY_PACKED_INDICES 0x02 +#define NTRU_KEY_PACKED_TRITS 0x03 + +/** + * NTRU encryption parameter set ID list + */ +enum ntru_param_set_id_t { + /* X9.98/IEEE 1363.1 parameter sets for best bandwidth (smallest size) */ + NTRU_EES401EP1, + NTRU_EES449EP1, + NTRU_EES677EP1, + NTRU_EES1087EP2, + /* X9.98/IEEE 1363.1 parameter sets balancing speed and bandwidth */ + NTRU_EES541EP1, + NTRU_EES613EP1, + NTRU_EES887EP1, + NTRU_EES1171EP1, + /* X9.98/IEEE 1363.1 parameter sets for best speed */ + NTRU_EES659EP1, + NTRU_EES761EP1, + NTRU_EES1087EP1, + NTRU_EES1499EP1, + /* Best bandwidth and speed, no X9.98 compatibility */ + NTRU_EES401EP2, + NTRU_EES439EP1, + NTRU_EES593EP1, + NTRU_EES743EP1, +}; + +extern enum_name_t *ntru_param_set_id_names; + +/** + * NTRU encryption parameter set definitions + */ +struct ntru_param_set_t { + ntru_param_set_id_t id; /* NTRU parameter set ID */ + uint8_t oid[NTRU_OID_LEN]; /* pointer to OID */ + uint8_t der_id; /* parameter-set DER id */ + uint8_t N_bits; /* no. of bits in N (i.e. in an index */ + uint16_t N; /* ring dimension */ + uint16_t sec_strength_len; /* no. of octets of security strength */ + uint16_t q; /* big modulus */ + uint8_t q_bits; /* no. of bits in q (i.e. in a coefficient */ + bool is_product_form; /* if product form used */ + uint32_t dF_r; /* no. of +1 or -1 coefficients in ring elements + F, r */ + uint16_t dg; /* no. - 1 of +1 coefficients or + no. of -1 coefficients in ring element g */ + uint16_t m_len_max; /* max no. of plaintext octets */ + uint16_t min_msg_rep_wt; /* min. message representative weight */ + uint8_t c_bits; /* no. bits in candidate for deriving an index */ + uint8_t m_len_len; /* no. of octets to hold mLenOctets */ +}; + +/** + * Get NTRU encryption parameter set by NTRU parameter set ID + * + * @param id NTRU parameter set ID + * @return NTRU parameter set +*/ +ntru_param_set_t* ntru_param_set_get_by_id(ntru_param_set_id_t id); + +/** + * Get NTRU encryption parameter set by NTRU parameter set OID + * + * @param oid NTRU parameter set OID + * @return NTRU parameter set +*/ +ntru_param_set_t* ntru_param_set_get_by_oid(uint8_t const *oid); + +#endif /** NTRU_PARAM_SET_H_ @}*/ diff --git a/src/libstrongswan/plugins/ntru/ntru_poly.c b/src/libstrongswan/plugins/ntru/ntru_poly.c index 3f754f2a0..77ab54a5c 100644 --- a/src/libstrongswan/plugins/ntru/ntru_poly.c +++ b/src/libstrongswan/plugins/ntru/ntru_poly.c @@ -239,11 +239,29 @@ METHOD(ntru_poly_t, destroy, void, free(this); } -static void init_indices(private_ntru_poly_t *this, bool is_product_form, - uint32_t indices_len_p, uint32_t indices_len_m) +/** + * Creates an empty ntru_poly_t object with space allocated for indices + */ +static private_ntru_poly_t* ntru_poly_create(uint16_t N, uint16_t q, + uint32_t indices_len_p, + uint32_t indices_len_m, + bool is_product_form) { + private_ntru_poly_t *this; int n; + INIT(this, + .public = { + .get_size = _get_size, + .get_indices = _get_indices, + .get_array = _get_array, + .ring_mult = _ring_mult, + .destroy = _destroy, + }, + .N = N, + .q = q, + ); + if (is_product_form) { this->num_polynomials = 3; @@ -265,6 +283,8 @@ static void init_indices(private_ntru_poly_t *this, bool is_product_form, this->num_indices = indices_len_p + indices_len_m; } this->indices = malloc(sizeof(uint16_t) * this->num_indices); + + return this; } /* @@ -291,19 +311,8 @@ ntru_poly_t *ntru_poly_create_from_seed(hash_algorithm_t alg, chunk_t seed, } i = hash_len = mgf1->get_hash_size(mgf1); - INIT(this, - .public = { - .get_size = _get_size, - .get_indices = _get_indices, - .get_array = _get_array, - .ring_mult = _ring_mult, - .destroy = _destroy, - }, - .N = N, - .q = q, - ); + this = ntru_poly_create(N, q, indices_len_p, indices_len_m, is_product_form); - init_indices(this, is_product_form, indices_len_p, indices_len_m); used = malloc(N); limit = N * ((1 << c_bits) / N); @@ -390,19 +399,8 @@ ntru_poly_t *ntru_poly_create_from_data(uint16_t *data, uint16_t N, uint16_t q, private_ntru_poly_t *this; int i; - INIT(this, - .public = { - .get_size = _get_size, - .get_indices = _get_indices, - .get_array = _get_array, - .ring_mult = _ring_mult, - .destroy = _destroy, - }, - .N = N, - .q = q, - ); + this = ntru_poly_create(N, q, indices_len_p, indices_len_m, is_product_form); - init_indices(this, is_product_form, indices_len_p, indices_len_m); for (i = 0; i < this->num_indices; i++) { this->indices[i] = data[i]; diff --git a/src/libstrongswan/plugins/ntru/ntru_private_key.c b/src/libstrongswan/plugins/ntru/ntru_private_key.c new file mode 100644 index 000000000..fa87fe9c3 --- /dev/null +++ b/src/libstrongswan/plugins/ntru/ntru_private_key.c @@ -0,0 +1,892 @@ +/* + * Copyright (C) 2014 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * Copyright (C) 2009-2013 Security Innovation + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "ntru_private_key.h" +#include "ntru_trits.h" +#include "ntru_poly.h" +#include "ntru_convert.h" + +#include <utils/debug.h> +#include <utils/test.h> + +typedef struct private_ntru_private_key_t private_ntru_private_key_t; + +/** + * Private data of an ntru_private_key_t object. + */ +struct private_ntru_private_key_t { + + /** + * Public ntru_private_key_t interface. + */ + ntru_private_key_t public; + + /** + * NTRU Parameter Set + */ + ntru_param_set_t *params; + + /** + * Polynomial F which is the private key + */ + ntru_poly_t *privkey; + + /** + * Polynomial h which is the public key + */ + uint16_t *pubkey; + + /** + * Encoding of the private key + */ + chunk_t encoding; + + /** + * Deterministic Random Bit Generator + */ + ntru_drbg_t *drbg; + +}; + +METHOD(ntru_private_key_t, get_id, ntru_param_set_id_t, + private_ntru_private_key_t *this) +{ + return this->params->id; +} + +METHOD(ntru_private_key_t, get_public_key, ntru_public_key_t*, + private_ntru_private_key_t *this) +{ + return ntru_public_key_create(this->drbg, this->params, this->pubkey); +} + +/** + * Generate NTRU encryption private key encoding + */ +static void generate_encoding(private_ntru_private_key_t *this) +{ + size_t pubkey_len, privkey_len, privkey_trits_len, privkey_indices_len; + int privkey_pack_type; + uint16_t *indices; + uint8_t *trits; + u_char *enc; + + /* compute public key length encoded as packed coefficients */ + pubkey_len = (this->params->N * this->params->q_bits + 7) / 8; + + /* compute private key length encoded as packed trits coefficients */ + privkey_trits_len = (this->params->N + 4) / 5; + + /* compute private key length encoded as packed indices */ + privkey_indices_len = (this->privkey->get_size(this->privkey) * + this->params->N_bits + 7) / 8; + + if (this->params->is_product_form || + privkey_indices_len <= privkey_trits_len) + { + privkey_pack_type = NTRU_KEY_PACKED_INDICES; + privkey_len = privkey_indices_len; + } + else + { + privkey_pack_type = NTRU_KEY_PACKED_TRITS; + privkey_len = privkey_trits_len; + } + + /* allocate memory for private key encoding */ + this->encoding = chunk_alloc(2 + NTRU_OID_LEN + pubkey_len + privkey_len); + enc = this->encoding.ptr; + + /* format header and packed public key */ + *enc++ = NTRU_PRIVKEY_DEFAULT_TAG; + *enc++ = NTRU_OID_LEN; + memcpy(enc, this->params->oid, NTRU_OID_LEN); + enc += NTRU_OID_LEN; + ntru_elements_2_octets(this->params->N, this->pubkey, + this->params->q_bits, enc); + enc += pubkey_len; + + /* add packed private key */ + indices = this->privkey->get_indices(this->privkey); + + if (privkey_pack_type == NTRU_KEY_PACKED_TRITS) + { + /* encode private key as packed trits */ + trits = malloc(this->params->N); + ntru_indices_2_packed_trits(indices, this->params->dF_r, + this->params->dF_r, this->params->N, trits, enc); + memwipe(trits, this->params->N); + free(trits); + } + else + { + /* encode private key as packed indices */ + ntru_elements_2_octets(this->privkey->get_size(this->privkey), + indices, this->params->N_bits, enc); + } +} + +METHOD(ntru_private_key_t, get_encoding, chunk_t, + private_ntru_private_key_t *this) +{ + return this->encoding; +} + +/** + * Checks that the number of 0, +1, and -1 trinary ring elements meet or exceed + * a minimum weight. + * + * @param N degree of polynomial + * @param t array of trinary ring elements + * @param min_wt minimum weight + * @return TRUE if minimum weight met or exceeded + */ +bool ntru_check_min_weight(uint16_t N, uint8_t *t, uint16_t min_wt) +{ + uint16_t wt[3]; + bool success; + int i; + + wt[0] = wt[1] = wt[2] = 0; + + for (i = 0; i < N; i++) + { + ++wt[t[i]]; + } + success = (wt[0] >= min_wt) && (wt[1] >= min_wt) && (wt[2] >= min_wt); + + DBG2(DBG_LIB, "minimum weight = %u, so -1: %u, 0: %u, +1: %u is %sok", + min_wt, wt[2], wt[0], wt[1], success ? "" : "not "); + + return success; +} + +METHOD(ntru_private_key_t, decrypt, bool, + private_ntru_private_key_t *this, chunk_t ciphertext, chunk_t *plaintext) +{ + hash_algorithm_t hash_algid; + size_t t_len, seed1_len, seed2_len; + uint16_t *t1, *t2, *t = NULL; + uint16_t mod_q_mask, q_mod_p, cmprime_len, cm_len = 0, num_zeros; + uint8_t *Mtrin, *M, *cm, *mask_trits, *ptr; + int16_t m1 = 0; + chunk_t seed = chunk_empty; + ntru_trits_t *mask; + ntru_poly_t *r_poly; + bool msg_rep_good, success = TRUE; + int i; + + *plaintext = chunk_empty; + + if (ciphertext.len != (this->params->N * this->params->q_bits + 7) / 8) + { + DBG1(DBG_LIB, "wrong NTRU ciphertext length"); + return FALSE; + } + + /* allocate temporary array t */ + t_len = 2 * this->params->N * sizeof(uint16_t); + t = malloc(t_len); + t1 = t; + t2 = t + this->params->N; + Mtrin = (uint8_t *)t1; + M = Mtrin + this->params->N; + + /* set hash algorithm based on security strength */ + hash_algid = (this->params->sec_strength_len <= 20) ? HASH_SHA1 : + HASH_SHA256; + + /* set constants */ + mod_q_mask = this->params->q - 1; + q_mod_p = this->params->q % 3; + + /* unpack the ciphertext */ + ntru_octets_2_elements(ciphertext.len, ciphertext.ptr, + this->params->q_bits, t2); + + /* form cm': + * F * e + * A = e * (1 + pF) mod q = e + pFe mod q + * a = A in the range [-q/2, q/2) + * cm' = a mod p + */ + this->privkey->ring_mult(this->privkey, t2, t1); + + cmprime_len = this->params->N; + if (this->params->is_product_form) + { + --cmprime_len; + for (i = 0; i < cmprime_len; i++) + { + t1[i] = (t2[i] + 3 * t1[i]) & mod_q_mask; + if (t1[i] >= (this->params->q / 2)) + { + t1[i] -= q_mod_p; + } + Mtrin[i] = (uint8_t)(t1[i] % 3); + if (Mtrin[i] == 1) + { + ++m1; + } + else if (Mtrin[i] == 2) + { + --m1; + } + } + } + else + { + for (i = 0; i < cmprime_len; i++) + { + t1[i] = (t2[i] + 3 * t1[i]) & mod_q_mask; + if (t1[i] >= (this->params->q / 2)) + { + t1[i] -= q_mod_p; + } + Mtrin[i] = (uint8_t)(t1[i] % 3); + } + } + + /** + * check that the candidate message representative meets + * minimum weight requirements + */ + if (this->params->is_product_form) + { + msg_rep_good = (abs(m1) <= this->params->min_msg_rep_wt); + } + else + { + msg_rep_good = ntru_check_min_weight(cmprime_len, Mtrin, + this->params->min_msg_rep_wt); + } + if (!msg_rep_good) + { + DBG1(DBG_LIB, "decryption failed due to unsufficient minimum weight"); + success = FALSE; + } + + /* form cR = e - cm' mod q */ + for (i = 0; i < cmprime_len; i++) + { + if (Mtrin[i] == 1) + { + t2[i] = (t2[i] - 1) & mod_q_mask; + } + else if (Mtrin[i] == 2) + { + t2[i] = (t2[i] + 1) & mod_q_mask; + } + } + if (this->params->is_product_form) + { + t2[i] = (t2[i] + m1) & mod_q_mask; + } + + /* allocate memory for the larger of the two seeds */ + seed1_len = (this->params->N + 3)/4; + seed2_len = 3 + 2*this->params->sec_strength_len + this->params->m_len_max; + seed = chunk_alloc(max(seed1_len, seed2_len)); + seed.len = seed1_len; + + /* form cR mod 4 */ + ntru_coeffs_mod4_2_octets(this->params->N, t2, seed.ptr); + + /* form mask */ + mask = ntru_trits_create(this->params->N, hash_algid, seed); + if (!mask) + { + DBG1(DBG_LIB, "mask creation failed"); + success = FALSE; + goto err; + } + + mask_trits = mask->get_trits(mask); + + /* form cMtrin by subtracting mask from cm', mod p */ + for (i = 0; i < cmprime_len; i++) + { + Mtrin[i] -= mask_trits[i]; + if (Mtrin[i] >= 3) + { + Mtrin[i] += 3; + } + } + mask->destroy(mask); + + if (this->params->is_product_form) + { + /* set the last trit to zero since that's what it was, and + * because it can't be calculated from (cm' - mask) since + * we don't have the correct value for the last cm' trit + */ + Mtrin[i] = 0; + } + + /* convert cMtrin to cM (Mtrin to Mbin) */ + if (!ntru_trits_2_bits(Mtrin, this->params->N, M)) + { + success = FALSE; + goto err; + } + + /* skip the random padding */ + ptr = M + this->params->sec_strength_len; + + /* validate the padded message cM and copy cm to m_buf */ + if (this->params->m_len_len == 2) + { + cm_len = (uint16_t)(*ptr++) << 16; + } + cm_len |= (uint16_t)(*ptr++); + + if (cm_len > this->params->m_len_max) + { + cm_len = this->params->m_len_max; + DBG1(DBG_LIB, "NTRU message length is larger than maximum length"); + success = FALSE; + } + cm = ptr; + ptr += cm_len; + + /* check if the remaining padding consists of zeros */ + num_zeros = this->params->m_len_max - cm_len + 1; + for (i = 0; i < num_zeros; i++) + { + if (ptr[i] != 0) + { + DBG1(DBG_LIB, "non-zero trailing padding detected"); + success = FALSE; + break; + } + } + + /* form sData (OID || m || b || hTrunc) */ + ptr = seed.ptr; + memcpy(ptr, this->params->oid, 3); + ptr += 3; + memcpy(ptr, cm, cm_len); + ptr += cm_len; + memcpy(ptr, M, this->params->sec_strength_len); + ptr += this->params->sec_strength_len; + memcpy(ptr, this->encoding.ptr + 2 + NTRU_OID_LEN, + this->params->sec_strength_len); + ptr += this->params->sec_strength_len; + seed.len = ptr - seed.ptr; + + /* generate cr */ + DBG2(DBG_LIB, "generate polynomial r"); + r_poly = ntru_poly_create_from_seed(hash_algid, seed, + this->params->c_bits, this->params->N, + this->params->q, this->params->dF_r, + this->params->dF_r, this->params->is_product_form); + if (!r_poly) + { + success = FALSE; + goto err; + } + + /* output plaintext in allocated chunk */ + *plaintext = chunk_clone(chunk_create(cm, cm_len)); + + /* form cR' = h * cr */ + r_poly->ring_mult(r_poly, this->pubkey, t1); + r_poly->destroy(r_poly); + + /* compare cR' to cR */ + for (i = 0; i < this->params->N; i++) + { + if (t[i] != t2[i]) + { + DBG1(DBG_LIB, "cR' does not equal cR'"); + chunk_clear(plaintext); + success = FALSE; + break; + } + } + memwipe(t, t_len); + +err: + /* cleanup */ + chunk_clear(&seed); + free(t); + + return success; +} + +METHOD(ntru_private_key_t, destroy, void, + private_ntru_private_key_t *this) +{ + DESTROY_IF(this->privkey); + this->drbg->destroy(this->drbg); + chunk_clear(&this->encoding); + free(this->pubkey); + free(this); +} + +/** + * Multiplies ring element (polynomial) "a" by ring element (polynomial) "b" + * to produce ring element (polynomial) "c" in (Z/qZ)[X]/(X^N - 1). + * This is a convolution operation. + * + * Ring element "b" has coefficients in the range [0,N). + * + * This assumes q is 2^r where 8 < r < 16, so that overflow of the sum + * beyond 16 bits does not matter. + * + * @param a polynomial a + * @param b polynomial b + * @param N no. of coefficients in a, b, c + * @param q large modulus + * @param c polynomial c = a * b + */ +static void ring_mult_c(uint16_t *a, uint16_t *b, uint16_t N, uint16_t q, + uint16_t *c) +{ + uint16_t *bptr = b; + uint16_t mod_q_mask = q - 1; + int i, k; + + /* c[k] = sum(a[i] * b[k-i]) mod q */ + memset(c, 0, N * sizeof(uint16_t)); + for (k = 0; k < N; k++) + { + i = 0; + while (i <= k) + { + c[k] += a[i++] * *bptr--; + } + bptr += N; + while (i < N) + { + c[k] += a[i++] * *bptr--; + } + c[k] &= mod_q_mask; + ++bptr; + } +} + +/** + * Finds the inverse of a polynomial a in (Z/2^rZ)[X]/(X^N - 1). + * + * This assumes q is 2^r where 8 < r < 16, so that operations mod q can + * wait until the end, and only 16-bit arrays need to be used. + * + * @param a polynomial a + * @param N no. of coefficients in a + * @param q large modulus + * @param t temporary buffer of size 2N elements + * @param a_inv polynomial for inverse of a + */ +static bool ring_inv(uint16_t *a, uint16_t N, uint16_t q, uint16_t *t, + uint16_t *a_inv) +{ + uint8_t *b = (uint8_t *)t; + uint8_t *c = b + N; + uint8_t *f = c + N; + uint8_t *g = (uint8_t *)a_inv; + uint16_t *t2 = t + N; + uint16_t deg_b, deg_c, deg_f, deg_g; + bool done = FALSE; + int i, j, k = 0; + + /* form a^-1 in (Z/2Z)[X]/X^N - 1) */ + memset(b, 0, 2 * N); /* clear to init b, c */ + + /* b(X) = 1 */ + b[0] = 1; + deg_b = 0; + + /* c(X) = 0 (cleared above) */ + deg_c = 0; + + /* f(X) = a(X) mod 2 */ + for (i = 0; i < N; i++) + { + f[i] = (uint8_t)(a[i] & 1); + } + deg_f = N - 1; + + /* g(X) = X^N - 1 */ + g[0] = 1; + memset(g + 1, 0, N - 1); + g[N] = 1; + deg_g = N; + + /* until f(X) = 1 */ + while (!done) + { + /* while f[0] = 0, f(X) /= X, c(X) *= X, k++ */ + for (i = 0; (i <= deg_f) && (f[i] == 0); ++i); + + if (i > deg_f) + { + return FALSE; + } + if (i) + { + f = f + i; + deg_f = deg_f - i; + deg_c = deg_c + i; + for (j = deg_c; j >= i; j--) + { + c[j] = c[j-i]; + } + for (j = 0; j < i; j++) + { + c[j] = 0; + } + k = k + i; + } + + /* adjust degree of f(X) if the highest coefficients are zero + * Note: f[0] = 1 from above so the loop will terminate. + */ + while (f[deg_f] == 0) + { + --deg_f; + } + + /* if f(X) = 1, done + * Note: f[0] = 1 from above, so only check the x term and up + */ + for (i = 1; (i <= deg_f) && (f[i] == 0); ++i); + + if (i > deg_f) + { + done = TRUE; + break; + } + + /* if deg_f < deg_g, f <-> g, b <-> c */ + if (deg_f < deg_g) + { + uint8_t *x; + + x = f; + f = g; + g = x; + deg_f ^= deg_g; + deg_g ^= deg_f; + deg_f ^= deg_g; + x = b; + b = c; + c = x; + deg_b ^= deg_c; + deg_c ^= deg_b; + deg_b ^= deg_c; + } + + /* f(X) += g(X), b(X) += c(X) */ + for (i = 0; i <= deg_g; i++) + { + f[i] ^= g[i]; + } + if (deg_c > deg_b) + { + deg_b = deg_c; + } + for (i = 0; i <= deg_c; i++) + { + b[i] ^= c[i]; + } + } + + /* a^-1 in (Z/2Z)[X]/(X^N - 1) = b(X) shifted left k coefficients */ + j = 0; + if (k >= N) + { + k = k - N; + } + for (i = k; i < N; i++) + { + a_inv[j++] = (uint16_t)(b[i]); + } + for (i = 0; i < k; i++) + { + a_inv[j++] = (uint16_t)(b[i]); + } + + /* lift a^-1 in (Z/2Z)[X]/(X^N - 1) to a^-1 in (Z/qZ)[X]/(X^N -1) */ + for (j = 0; j < 4; ++j) /* assumes 256 < q <= 65536 */ + { + /* a^-1 = a^-1 * (2 - a * a^-1) mod q */ + memcpy(t2, a_inv, N * sizeof(uint16_t)); + ring_mult_c(a, t2, N, q, t); + for (i = 0; i < N; ++i) + { + t[i] = q - t[i]; + } + t[0] = t[0] + 2; + ring_mult_c(t2, t, N, q, a_inv); + } + + return TRUE; +} + +/* + * Described in header. + */ +ntru_private_key_t *ntru_private_key_create(ntru_drbg_t *drbg, + ntru_param_set_t *params) +{ + private_ntru_private_key_t *this; + size_t t_len; + uint16_t *t1, *t2, *t = NULL; + uint16_t mod_q_mask; + hash_algorithm_t hash_algid; + ntru_poly_t *g_poly; + chunk_t seed; + int i; + + INIT(this, + .public = { + .get_id = _get_id, + .get_public_key = _get_public_key, + .get_encoding = _get_encoding, + .decrypt = _decrypt, + .destroy = _destroy, + }, + .params = params, + .pubkey = malloc(params->N * sizeof(uint16_t)), + .drbg = drbg->get_ref(drbg), + ); + + /* set hash algorithm and seed length based on security strength */ + if (params->sec_strength_len <= 20) + { + hash_algid = HASH_SHA1; + } + else + { + hash_algid = HASH_SHA256; + } + seed =chunk_alloc(params->sec_strength_len + 8); + + /* get random seed for generating trinary F as a list of indices */ + if (!drbg->generate(drbg, params->sec_strength_len * BITS_PER_BYTE, + seed.len, seed.ptr)) + { + goto err; + } + + DBG2(DBG_LIB, "generate polynomial F"); + this->privkey = ntru_poly_create_from_seed(hash_algid, seed, params->c_bits, + params->N, params->q, + params->dF_r, params->dF_r, + params->is_product_form); + if (!this->privkey) + { + goto err; + } + + /* allocate temporary array t */ + t_len = 3 * params->N * sizeof(uint16_t); + t = malloc(t_len); + t1 = t + 2 * params->N; + + /* extend sparse private key polynomial f to N array elements */ + this->privkey->get_array(this->privkey, t1); + + /* set mask for large modulus */ + mod_q_mask = params->q - 1; + + /* form f = 1 + pF */ + for (i = 0; i < params->N; i++) + { + t1[i] = (t1[i] * 3) & mod_q_mask; + } + t1[0] = (t1[0] + 1) & mod_q_mask; + + /* use the public key array as a temporary buffer */ + t2 = this->pubkey; + + /* find f^-1 in (Z/qZ)[X]/(X^N - 1) */ + if (!ring_inv(t1, params->N, params->q, t, t2)) + { + goto err; + } + + /* get random seed for generating trinary g as a list of indices */ + if (!drbg->generate(drbg, params->sec_strength_len * BITS_PER_BYTE, + seed.len, seed.ptr)) + { + goto err; + } + + DBG2(DBG_LIB, "generate polynomial g"); + g_poly = ntru_poly_create_from_seed(hash_algid, seed, params->c_bits, + params->N, params->q, params->dg + 1, + params->dg, FALSE); + if (!g_poly) + { + goto err; + } + + /* compute public key polynomial h = p * (f^-1 * g) mod q */ + g_poly->ring_mult(g_poly, t2, t2); + g_poly->destroy(g_poly); + + for (i = 0; i < params->N; i++) + { + this->pubkey[i] = (t2[i] * 3) & mod_q_mask; + } + + /* cleanup temporary storage */ + chunk_clear(&seed); + memwipe(t, t_len); + free(t); + + /* generate private key encoding */ + generate_encoding(this); + + return &this->public; + +err: + chunk_free(&seed); + free(t); + destroy(this); + + return NULL; +} + +/* + * Described in header. + */ +ntru_private_key_t *ntru_private_key_create_from_data(ntru_drbg_t *drbg, + chunk_t data) +{ + private_ntru_private_key_t *this; + size_t header_len, pubkey_packed_len, privkey_packed_len; + size_t privkey_packed_trits_len, privkey_packed_indices_len; + uint8_t *privkey_packed, tag; + uint16_t *indices, dF; + ntru_param_set_t *params; + + header_len = 2 + NTRU_OID_LEN; + + /* check the NTRU public key header format */ + if (data.len < header_len || + !(data.ptr[0] == NTRU_PRIVKEY_DEFAULT_TAG || + data.ptr[0] == NTRU_PRIVKEY_TRITS_TAG || + data.ptr[0] == NTRU_PRIVKEY_INDICES_TAG) || + data.ptr[1] != NTRU_OID_LEN) + { + DBG1(DBG_LIB, "loaded NTRU private key with invalid header"); + return NULL; + } + tag = data.ptr[0]; + params = ntru_param_set_get_by_oid(data.ptr + 2); + + if (!params) + { + DBG1(DBG_LIB, "loaded NTRU private key with unknown OID"); + return NULL; + } + + pubkey_packed_len = (params->N * params->q_bits + 7) / 8; + privkey_packed_trits_len = (params->N + 4) / 5; + + /* check packing type for product-form private keys */ + if (params->is_product_form && tag == NTRU_PRIVKEY_TRITS_TAG) + { + DBG1(DBG_LIB, "a product-form NTRU private key cannot be trits-encoded"); + return NULL; + } + + /* set packed-key length for packed indices */ + if (params->is_product_form) + { + dF = (uint16_t)((params->dF_r & 0xff) + /* df1 */ + ((params->dF_r >> 8) & 0xff) + /* df2 */ + ((params->dF_r >> 16) & 0xff)); /* df3 */ + } + else + { + dF = (uint16_t)params->dF_r; + } + privkey_packed_indices_len = (2 * dF * params->N_bits + 7) / 8; + + /* set private-key packing type if defaulted */ + if (tag == NTRU_PRIVKEY_DEFAULT_TAG) + { + if (params->is_product_form || + privkey_packed_indices_len <= privkey_packed_trits_len) + { + tag = NTRU_PRIVKEY_INDICES_TAG; + } + else + { + tag = NTRU_PRIVKEY_TRITS_TAG; + } + } + privkey_packed_len = (tag == NTRU_PRIVKEY_TRITS_TAG) ? + privkey_packed_trits_len : privkey_packed_indices_len; + + if (data.len < header_len + pubkey_packed_len + privkey_packed_len) + { + DBG1(DBG_LIB, "loaded NTRU private key with wrong packed key size"); + return NULL; + } + + INIT(this, + .public = { + .get_id = _get_id, + .get_public_key = _get_public_key, + .get_encoding = _get_encoding, + .decrypt = _decrypt, + .destroy = _destroy, + }, + .params = params, + .pubkey = malloc(params->N * sizeof(uint16_t)), + .encoding = chunk_clone(data), + .drbg = drbg->get_ref(drbg), + ); + + /* unpack the encoded public key */ + ntru_octets_2_elements(pubkey_packed_len, data.ptr + header_len, + params->q_bits, this->pubkey); + + /* allocate temporary memory for indices */ + indices = malloc(2 * dF * sizeof(uint16_t)); + + /* unpack the private key */ + privkey_packed = data.ptr + header_len + pubkey_packed_len; + if (tag == NTRU_PRIVKEY_TRITS_TAG) + { + ntru_packed_trits_2_indices(privkey_packed, params->N, + indices, indices + dF); + } + else + { + ntru_octets_2_elements(privkey_packed_indices_len, privkey_packed, + params->N_bits, indices); + } + this->privkey = ntru_poly_create_from_data(indices, params->N, params->q, + params->dF_r, params->dF_r, + params->is_product_form); + + /* cleanup */ + memwipe(indices, 2 * dF * sizeof(uint16_t)); + free(indices); + + return &this->public; +} + +EXPORT_FUNCTION_FOR_TESTS(ntru, ntru_private_key_create); + +EXPORT_FUNCTION_FOR_TESTS(ntru, ntru_private_key_create_from_data); diff --git a/src/libstrongswan/plugins/ntru/ntru_private_key.h b/src/libstrongswan/plugins/ntru/ntru_private_key.h new file mode 100644 index 000000000..c6f08440f --- /dev/null +++ b/src/libstrongswan/plugins/ntru/ntru_private_key.h @@ -0,0 +1,92 @@ +/* + * Copyright (C) 2014 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup ntru_private_key ntru_private_key + * @{ @ingroup ntru_p + */ + +#ifndef NTRU_PRIVATE_KEY_H_ +#define NTRU_PRIVATE_KEY_H_ + +typedef struct ntru_private_key_t ntru_private_key_t; + +#include "ntru_drbg.h" +#include "ntru_param_set.h" +#include "ntru_public_key.h" + +#include <library.h> + +/** + * Implements an NTRU encryption public/private key pair + */ +struct ntru_private_key_t { + + /** + * Returns NTRU parameter set ID of the private key + * + * @return NTRU parameter set ID + */ + ntru_param_set_id_t (*get_id)(ntru_private_key_t *this); + + /** + * Returns the NTRU encryption public key as an encoded binary blob + * + * @return NTRU encryption public key (must be freed after use) + */ + ntru_public_key_t* (*get_public_key)(ntru_private_key_t *this); + + /** + * Returns the packed encoding of the NTRU encryption private key + * + * @return Packed encoding of NTRU encryption private key + */ + chunk_t (*get_encoding)(ntru_private_key_t *this); + + /** + * Decrypts an NTRU ciphertext + * + * @param ciphertext NTRU Ciphertext + * @param plaintext Plaintext + * @return TRUE if decryption was successful + */ + bool (*decrypt)(ntru_private_key_t *this, chunk_t ciphertext, + chunk_t *plaintext); + + /** + * Destroy ntru_private_key_t object + */ + void (*destroy)(ntru_private_key_t *this); +}; + +/** + * Creates an NTRU encryption public/private key pair using a NIST DRBG + * + * @param drbg Digital Random Bit Generator used for key generation + * @param params NTRU encryption parameter set to be used + */ +ntru_private_key_t *ntru_private_key_create(ntru_drbg_t *drbg, ntru_param_set_t *params); + +/** + * Creates an NTRU encryption private key from encoding + * + * @param drbg Deterministic random bit generator + * @param data Encoded NTRU private key + */ +ntru_private_key_t *ntru_private_key_create_from_data(ntru_drbg_t *drbg, + chunk_t data); + +#endif /** NTRU_PRIVATE_KEY_H_ @}*/ + diff --git a/src/libstrongswan/plugins/ntru/ntru_public_key.c b/src/libstrongswan/plugins/ntru/ntru_public_key.c new file mode 100644 index 000000000..a2ff1b2b0 --- /dev/null +++ b/src/libstrongswan/plugins/ntru/ntru_public_key.c @@ -0,0 +1,408 @@ +/* + * Copyright (C) 2014 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * Copyright (C) 2009-2013 Security Innovation + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "ntru_public_key.h" +#include "ntru_trits.h" +#include "ntru_poly.h" +#include "ntru_convert.h" + +#include <utils/debug.h> +#include <utils/test.h> + +typedef struct private_ntru_public_key_t private_ntru_public_key_t; + +/** + * Private data of an ntru_public_key_t object. + */ +struct private_ntru_public_key_t { + /** + * Public ntru_public_key_t interface. + */ + ntru_public_key_t public; + + /** + * NTRU Parameter Set + */ + ntru_param_set_t *params; + + /** + * Polynomial h which is the public key + */ + uint16_t *pubkey; + + /** + * Encoding of the public key + */ + chunk_t encoding; + + /** + * Deterministic Random Bit Generator + */ + ntru_drbg_t *drbg; + +}; + +METHOD(ntru_public_key_t, get_id, ntru_param_set_id_t, + private_ntru_public_key_t *this) +{ + return this->params->id; +} + +/** + * Generate NTRU encryption public key encoding + */ +static void generate_encoding(private_ntru_public_key_t *this) +{ + size_t pubkey_len; + u_char *enc; + + /* compute public key length encoded as packed coefficients */ + pubkey_len = (this->params->N * this->params->q_bits + 7) / 8; + + /* allocate memory for public key encoding */ + this->encoding = chunk_alloc(2 + NTRU_OID_LEN + pubkey_len); + enc = this->encoding.ptr; + + /* format header and packed public key */ + *enc++ = NTRU_PUBKEY_TAG; + *enc++ = NTRU_OID_LEN; + memcpy(enc, this->params->oid, NTRU_OID_LEN); + enc += NTRU_OID_LEN; + ntru_elements_2_octets(this->params->N, this->pubkey, + this->params->q_bits, enc); +} + +METHOD(ntru_public_key_t, get_encoding, chunk_t, + private_ntru_public_key_t *this) +{ + return this->encoding; +} + +#define MAX_SEC_STRENGTH_LEN 32 /* bytes */ + +/** + * Shared with ntru_private_key.c + */ +extern bool ntru_check_min_weight(uint16_t N, uint8_t *t, uint16_t min_wt); + +METHOD(ntru_public_key_t, encrypt, bool, + private_ntru_public_key_t *this, chunk_t plaintext, chunk_t *ciphertext) +{ + hash_algorithm_t hash_algid; + size_t t_len, seed1_len, seed2_len; + uint16_t *t1, *t = NULL; + uint8_t b[MAX_SEC_STRENGTH_LEN]; + uint8_t *t2, *Mtrin, *M, *mask_trits, *ptr; + uint16_t mod_q_mask, mprime_len = 0; + int16_t m1 = 0; + chunk_t seed = chunk_empty; + ntru_trits_t *mask; + ntru_poly_t *r_poly; + bool msg_rep_good, success = FALSE; + int i; + + *ciphertext = chunk_empty; + + if (plaintext.len > this->params->m_len_max) + { + DBG1(DBG_LIB, "plaintext exceeds maximum size"); + return FALSE; + } + + if (this->params->sec_strength_len > MAX_SEC_STRENGTH_LEN) + { + DBG1(DBG_LIB, "required security strength exceeds %d bits", + MAX_SEC_STRENGTH_LEN * BITS_PER_BYTE); + return FALSE; + } + + /* allocate temporary array t */ + t_len = (sizeof(uint16_t) + 3*sizeof(uint8_t)) * this->params->N; + t = malloc(t_len); + t1 = t; + t2 = (uint8_t *)(t1 + this->params->N); + Mtrin = t2 + this->params->N; + M = Mtrin + this->params->N; + + /* set hash algorithm based on security strength */ + hash_algid = (this->params->sec_strength_len <= 20) ? HASH_SHA1 : + HASH_SHA256; + /* set constants */ + mod_q_mask = this->params->q - 1; + + /* allocate memory for the larger of the two seeds */ + seed1_len = (this->params->N + 3)/4; + seed2_len = 3 + 2*this->params->sec_strength_len + plaintext.len; + seed = chunk_alloc(max(seed1_len, seed2_len)); + + /* loop until a message representative with proper weight is achieved */ + do + { + if (!this->drbg->generate(this->drbg, + this->params->sec_strength_len * BITS_PER_BYTE, + this->params->sec_strength_len, b)) + { + goto err; + } + + /* form sData (OID || m || b || hTrunc) */ + ptr = seed.ptr; + memcpy(ptr, this->params->oid, NTRU_OID_LEN); + ptr += NTRU_OID_LEN; + memcpy(ptr, plaintext.ptr, plaintext.len); + ptr += plaintext.len; + memcpy(ptr, b, this->params->sec_strength_len); + ptr += this->params->sec_strength_len; + memcpy(ptr, this->encoding.ptr + 2 + NTRU_OID_LEN, + this->params->sec_strength_len); + ptr += this->params->sec_strength_len; + seed.len = seed2_len; + + DBG2(DBG_LIB, "generate polynomial r"); + r_poly = ntru_poly_create_from_seed(hash_algid, seed, this->params->c_bits, + this->params->N, this->params->q, + this->params->dF_r, this->params->dF_r, + this->params->is_product_form); + if (!r_poly) + { + goto err; + } + + /* form R = h * r */ + r_poly->ring_mult(r_poly, this->pubkey, t1); + r_poly->destroy(r_poly); + + /* form R mod 4 */ + ntru_coeffs_mod4_2_octets(this->params->N, t1, seed.ptr); + seed.len = seed1_len; + + /* form mask */ + mask = ntru_trits_create(this->params->N, hash_algid, seed); + if (!mask) + { + DBG1(DBG_LIB, "mask creation failed"); + goto err; + } + + /* form the padded message M */ + ptr = M; + memcpy(ptr, b, this->params->sec_strength_len); + ptr += this->params->sec_strength_len; + if (this->params->m_len_len == 2) + { + *ptr++ = (uint8_t)((plaintext.len >> 8) & 0xff); + } + *ptr++ = (uint8_t)(plaintext.len & 0xff); + memcpy(ptr, plaintext.ptr, plaintext.len); + ptr += plaintext.len; + + /* add an extra zero byte in case without it the bit string + * is not a multiple of 3 bits and therefore might not be + * able to produce enough trits + */ + memset(ptr, 0, this->params->m_len_max - plaintext.len + 2); + + /* convert M to trits (Mbin to Mtrin) */ + mprime_len = this->params->N; + if (this->params->is_product_form) + { + --mprime_len; + } + ntru_bits_2_trits(M, mprime_len, Mtrin); + mask_trits = mask->get_trits(mask); + + + /* form the msg representative m' by adding Mtrin to mask, mod p */ + if (this->params->is_product_form) + { + m1 = 0; + for (i = 0; i < mprime_len; i++) + { + t2[i] = mask_trits[i] + Mtrin[i]; + if (t2[i] >= 3) + { + t2[i] -= 3; + } + if (t2[i] == 1) + { + ++m1; + } + else if (t2[i] == 2) + { + --m1; + } + } + } + else + { + for (i = 0; i < mprime_len; i++) + { + t2[i] = mask_trits[i] + Mtrin[i]; + if (t2[i] >= 3) + { + t2[i] -= 3; + } + } + } + mask->destroy(mask); + + /* check that message representative meets minimum weight + * requirements + */ + if (this->params->is_product_form) + { + msg_rep_good = (abs(m1) <= this->params->min_msg_rep_wt); + } + else + { + msg_rep_good = ntru_check_min_weight(mprime_len, t2, + this->params->min_msg_rep_wt); + } + } + while (!msg_rep_good); + + /* form ciphertext e by adding m' to R mod q */ + for (i = 0; i < mprime_len; i++) + { + if (t2[i] == 1) + { + t1[i] = (t1[i] + 1) & mod_q_mask; + } + else if (t2[i] == 2) + { + t1[i] = (t1[i] - 1) & mod_q_mask; + } + } + if (this->params->is_product_form) + { + t1[i] = (t1[i] - m1) & mod_q_mask; + } + + /* pack ciphertext */ + *ciphertext = chunk_alloc((this->params->N * this->params->q_bits + 7) / 8); + ntru_elements_2_octets(this->params->N, t1, this->params->q_bits, + ciphertext->ptr); + + memwipe(t, t_len); + success = TRUE; + +err: + /* cleanup */ + chunk_clear(&seed); + free(t); + + return success; +} +METHOD(ntru_public_key_t, destroy, void, + private_ntru_public_key_t *this) +{ + this->drbg->destroy(this->drbg); + chunk_clear(&this->encoding); + free(this->pubkey); + free(this); +} + +/* + * Described in header. + */ +ntru_public_key_t *ntru_public_key_create(ntru_drbg_t *drbg, + ntru_param_set_t *params, + uint16_t *pubkey) +{ + private_ntru_public_key_t *this; + int i; + + INIT(this, + .public = { + .get_id = _get_id, + .get_encoding = _get_encoding, + .encrypt = _encrypt, + .destroy = _destroy, + }, + .params = params, + .pubkey = malloc(params->N * sizeof(uint16_t)), + .drbg = drbg->get_ref(drbg), + ); + + for (i = 0; i < params->N; i++) + { + this->pubkey[i] = pubkey[i]; + } + + /* generate public key encoding */ + generate_encoding(this); + + return &this->public; +} + +/* + * Described in header. + */ +ntru_public_key_t *ntru_public_key_create_from_data(ntru_drbg_t *drbg, + chunk_t data) +{ + private_ntru_public_key_t *this; + size_t header_len, pubkey_packed_len; + ntru_param_set_t *params; + + header_len = 2 + NTRU_OID_LEN; + + /* check the NTRU public key header format */ + if (data.len < header_len || + data.ptr[0] != NTRU_PUBKEY_TAG || + data.ptr[1] != NTRU_OID_LEN) + { + DBG1(DBG_LIB, "received NTRU public key with invalid header"); + return NULL; + } + params = ntru_param_set_get_by_oid(data.ptr + 2); + + if (!params) + { + DBG1(DBG_LIB, "received NTRU public key with unknown OID"); + return NULL; + } + + pubkey_packed_len = (params->N * params->q_bits + 7) / 8; + + if (data.len < header_len + pubkey_packed_len) + { + DBG1(DBG_LIB, "received NTRU public key with wrong packed key size"); + return NULL; + } + + INIT(this, + .public = { + .get_id = _get_id, + .get_encoding = _get_encoding, + .encrypt = _encrypt, + .destroy = _destroy, + }, + .params = params, + .pubkey = malloc(params->N * sizeof(uint16_t)), + .encoding = chunk_clone(data), + .drbg = drbg->get_ref(drbg), + ); + + /* unpack the encoded public key */ + ntru_octets_2_elements(pubkey_packed_len, data.ptr + header_len, + params->q_bits, this->pubkey); + + return &this->public; +} + +EXPORT_FUNCTION_FOR_TESTS(ntru, ntru_public_key_create_from_data); diff --git a/src/libstrongswan/plugins/ntru/ntru_public_key.h b/src/libstrongswan/plugins/ntru/ntru_public_key.h new file mode 100644 index 000000000..baa8eabcd --- /dev/null +++ b/src/libstrongswan/plugins/ntru/ntru_public_key.h @@ -0,0 +1,88 @@ +/* + * Copyright (C) 2014 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup ntru_public_key ntru_public_key + * @{ @ingroup ntru_p + */ + +#ifndef NTRU_PUBLIC_KEY_H_ +#define NTRU_PUBLIC_KEY_H_ + +typedef struct ntru_public_key_t ntru_public_key_t; + +#include "ntru_param_set.h" +#include "ntru_drbg.h" + +#include <library.h> + +/** + * Implements an NTRU encryption public key + */ +struct ntru_public_key_t { + + /** + * Returns NTRU parameter set ID of the public key + * + * @return NTRU parameter set ID + */ + ntru_param_set_id_t (*get_id)(ntru_public_key_t *this); + + /** + * Returns the packed encoding of the NTRU encryption public key + * + * @return Packed encoding of NTRU encryption public key + */ + chunk_t (*get_encoding)(ntru_public_key_t *this); + + /** + * Encrypts a plaintext with the NTRU public key + * + * @param ciphertext Plaintext + * @param plaintext Ciphertext + * @return TRUE if encryption was successful + */ + bool (*encrypt)(ntru_public_key_t *this, chunk_t plaintext, + chunk_t *ciphertext); + + /** + * Destroy ntru_public_key_t object + */ + void (*destroy)(ntru_public_key_t *this); +}; + +/** + * Creates an NTRU encryption public key from coefficients + * + * @param drbg Deterministic random bit generator + * @param params NTRU encryption parameter set to be used + * @param pubkey Coefficients of public key polynomial h + */ +ntru_public_key_t *ntru_public_key_create(ntru_drbg_t *drbg, + ntru_param_set_t *params, + uint16_t *pubkey); + +/** + * Creates an NTRU encryption public key from encoding + * + * @param drbg Deterministic random bit generator + * @param data Encoded NTRU public key + */ +ntru_public_key_t *ntru_public_key_create_from_data(ntru_drbg_t *drbg, + chunk_t data); + + +#endif /** NTRU_PUBLIC_KEY_H_ @}*/ + diff --git a/src/libstrongswan/plugins/ntru/ntru_trits.c b/src/libstrongswan/plugins/ntru/ntru_trits.c index f82501629..1abb7671c 100644 --- a/src/libstrongswan/plugins/ntru/ntru_trits.c +++ b/src/libstrongswan/plugins/ntru/ntru_trits.c @@ -15,8 +15,7 @@ #include "ntru_trits.h" #include "ntru_mgf1.h" - -#include "ntru_crypto/ntru_crypto_ntru_convert.h" +#include "ntru_convert.h" #include <utils/debug.h> #include <utils/test.h> |