| Robert Sloan | 11c28bd | 2018-12-17 12:09:20 -0800 | [diff] [blame] | 1 | /* Copyright (c) 2018, Google Inc. |
| 2 | * |
| 3 | * Permission to use, copy, modify, and/or distribute this software for any |
| 4 | * purpose with or without fee is hereby granted, provided that the above |
| 5 | * copyright notice and this permission notice appear in all copies. |
| 6 | * |
| 7 | * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES |
| 8 | * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF |
| 9 | * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY |
| 10 | * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES |
| 11 | * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION |
| 12 | * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN |
| 13 | * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ |
| 14 | |
| 15 | #ifndef OPENSSL_HEADER_HRSS_H |
| 16 | #define OPENSSL_HEADER_HRSS_H |
| 17 | |
| 18 | #include <openssl/base.h> |
| 19 | |
| 20 | #if defined(__cplusplus) |
| 21 | extern "C" { |
| 22 | #endif |
| 23 | |
| 24 | // HRSS |
| 25 | // |
| 26 | // HRSS is a structured-lattice-based post-quantum key encapsulation mechanism. |
| 27 | // The best exposition is https://eprint.iacr.org/2017/667.pdf although this |
| 28 | // implementation uses a different KEM construction based on |
| 29 | // https://eprint.iacr.org/2017/1005.pdf. |
| 30 | |
| 31 | struct HRSS_private_key { |
| 32 | uint8_t opaque[1808]; |
| 33 | }; |
| 34 | |
| 35 | struct HRSS_public_key { |
| 36 | uint8_t opaque[1424]; |
| 37 | }; |
| 38 | |
| 39 | // HRSS_SAMPLE_BYTES is the number of bytes of entropy needed to generate a |
| 40 | // short vector. There are 701 coefficients, but the final one is always set to |
| 41 | // zero when sampling. Otherwise, one byte of input is enough to generate two |
| 42 | // coefficients. |
| 43 | #define HRSS_SAMPLE_BYTES ((701 - 1) / 2) |
| 44 | // HRSS_GENERATE_KEY_BYTES is the number of bytes of entropy needed to generate |
| 45 | // an HRSS key pair. |
| 46 | #define HRSS_GENERATE_KEY_BYTES (HRSS_SAMPLE_BYTES + HRSS_SAMPLE_BYTES + 32) |
| 47 | // HRSS_ENCAP_BYTES is the number of bytes of entropy needed to encapsulate a |
| 48 | // session key. |
| 49 | #define HRSS_ENCAP_BYTES (HRSS_SAMPLE_BYTES + HRSS_SAMPLE_BYTES) |
| 50 | // HRSS_PUBLIC_KEY_BYTES is the number of bytes in a public key. |
| 51 | #define HRSS_PUBLIC_KEY_BYTES 1138 |
| 52 | // HRSS_CIPHERTEXT_BYTES is the number of bytes in a ciphertext. |
| 53 | #define HRSS_CIPHERTEXT_BYTES 1138 |
| 54 | // HRSS_KEY_BYTES is the number of bytes in a shared key. |
| 55 | #define HRSS_KEY_BYTES 32 |
| 56 | // HRSS_POLY3_BYTES is the number of bytes needed to serialise a mod 3 |
| 57 | // polynomial. |
| 58 | #define HRSS_POLY3_BYTES 140 |
| 59 | #define HRSS_PRIVATE_KEY_BYTES \ |
| 60 | (HRSS_POLY3_BYTES * 2 + HRSS_PUBLIC_KEY_BYTES + 2 + 32) |
| 61 | |
| 62 | // HRSS_generate_key is a deterministic function that outputs a public and |
| 63 | // private key based on the given entropy. |
| 64 | OPENSSL_EXPORT void HRSS_generate_key( |
| 65 | struct HRSS_public_key *out_pub, struct HRSS_private_key *out_priv, |
| 66 | const uint8_t input[HRSS_GENERATE_KEY_BYTES]); |
| 67 | |
| 68 | // HRSS_encap is a deterministic function the generates and encrypts a random |
| 69 | // session key from the given entropy, writing those values to |out_shared_key| |
| 70 | // and |out_ciphertext|, respectively. |
| 71 | OPENSSL_EXPORT void HRSS_encap(uint8_t out_ciphertext[HRSS_CIPHERTEXT_BYTES], |
| 72 | uint8_t out_shared_key[HRSS_KEY_BYTES], |
| 73 | const struct HRSS_public_key *in_pub, |
| 74 | const uint8_t in[HRSS_ENCAP_BYTES]); |
| 75 | |
| 76 | // HRSS_decap decrypts a session key from |ciphertext_len| bytes of |
| 77 | // |ciphertext|. If the ciphertext is valid, the decrypted key is written to |
| 78 | // |out_shared_key|. Otherwise the HMAC of |ciphertext| under a secret key (kept |
| 79 | // in |in_priv|) is written. If the ciphertext is the wrong length then it will |
| 80 | // leak which was done via side-channels. Otherwise it should perform either |
| 81 | // action in constant-time. |
| 82 | OPENSSL_EXPORT void HRSS_decap(uint8_t out_shared_key[HRSS_KEY_BYTES], |
| 83 | const struct HRSS_public_key *in_pub, |
| 84 | const struct HRSS_private_key *in_priv, |
| 85 | const uint8_t *ciphertext, |
| 86 | size_t ciphertext_len); |
| 87 | |
| 88 | // HRSS_marshal_public_key serialises |in_pub| to |out|. |
| 89 | OPENSSL_EXPORT void HRSS_marshal_public_key( |
| 90 | uint8_t out[HRSS_PUBLIC_KEY_BYTES], const struct HRSS_public_key *in_pub); |
| 91 | |
| 92 | // HRSS_parse_public_key sets |*out| to the public-key encoded in |in|. It |
| 93 | // returns true on success and zero on error. |
| 94 | OPENSSL_EXPORT int HRSS_parse_public_key( |
| 95 | struct HRSS_public_key *out, const uint8_t in[HRSS_PUBLIC_KEY_BYTES]); |
| 96 | |
| 97 | |
| 98 | #if defined(__cplusplus) |
| 99 | } // extern C |
| 100 | #endif |
| 101 | |
| 102 | #endif // OPENSSL_HEADER_HRSS_H |