diff options
Diffstat (limited to 'src/lib/libcrypto/mlkem/mlkem1024.c')
| -rw-r--r-- | src/lib/libcrypto/mlkem/mlkem1024.c | 71 |
1 files changed, 31 insertions, 40 deletions
diff --git a/src/lib/libcrypto/mlkem/mlkem1024.c b/src/lib/libcrypto/mlkem/mlkem1024.c index 26c4716539..8f4f41f8ff 100644 --- a/src/lib/libcrypto/mlkem/mlkem1024.c +++ b/src/lib/libcrypto/mlkem/mlkem1024.c | |||
| @@ -1,7 +1,7 @@ | |||
| 1 | /* $OpenBSD: mlkem1024.c,v 1.11 2025/05/21 02:18:11 kenjiro Exp $ */ | 1 | /* $OpenBSD: mlkem1024.c,v 1.12 2025/08/14 15:48:48 beck Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2024, Google Inc. | 3 | * Copyright (c) 2024, Google Inc. |
| 4 | * Copyright (c) 2024, Bob Beck <beck@obtuse.com> | 4 | * Copyright (c) 2024, 2025 Bob Beck <beck@obtuse.com> |
| 5 | * | 5 | * |
| 6 | * Permission to use, copy, modify, and/or distribute this software for any | 6 | * Permission to use, copy, modify, and/or distribute this software for any |
| 7 | * purpose with or without fee is hereby granted, provided that the above | 7 | * purpose with or without fee is hereby granted, provided that the above |
| @@ -20,18 +20,14 @@ | |||
| 20 | #include <stdlib.h> | 20 | #include <stdlib.h> |
| 21 | #include <string.h> | 21 | #include <string.h> |
| 22 | 22 | ||
| 23 | #include "bytestring.h" | 23 | #include <openssl/mlkem.h> |
| 24 | #include "mlkem.h" | ||
| 25 | 24 | ||
| 25 | #include "bytestring.h" | ||
| 26 | #include "sha3_internal.h" | 26 | #include "sha3_internal.h" |
| 27 | #include "mlkem_internal.h" | 27 | #include "mlkem_internal.h" |
| 28 | #include "constant_time.h" | 28 | #include "constant_time.h" |
| 29 | #include "crypto_internal.h" | 29 | #include "crypto_internal.h" |
| 30 | 30 | ||
| 31 | /* Remove later */ | ||
| 32 | #undef LCRYPTO_ALIAS | ||
| 33 | #define LCRYPTO_ALIAS(A) | ||
| 34 | |||
| 35 | /* | 31 | /* |
| 36 | * See | 32 | * See |
| 37 | * https://csrc.nist.gov/pubs/fips/203/final | 33 | * https://csrc.nist.gov/pubs/fips/203/final |
| @@ -80,7 +76,6 @@ kdf(uint8_t out[MLKEM_SHARED_SECRET_BYTES], const uint8_t failure_secret[32], | |||
| 80 | } | 76 | } |
| 81 | 77 | ||
| 82 | #define DEGREE 256 | 78 | #define DEGREE 256 |
| 83 | #define RANK1024 4 | ||
| 84 | 79 | ||
| 85 | static const size_t kBarrettMultiplier = 5039; | 80 | static const size_t kBarrettMultiplier = 5039; |
| 86 | static const unsigned kBarrettShift = 24; | 81 | static const unsigned kBarrettShift = 24; |
| @@ -809,9 +804,11 @@ struct public_key { | |||
| 809 | CTASSERT(sizeof(struct MLKEM1024_public_key) == sizeof(struct public_key)); | 804 | CTASSERT(sizeof(struct MLKEM1024_public_key) == sizeof(struct public_key)); |
| 810 | 805 | ||
| 811 | static struct public_key * | 806 | static struct public_key * |
| 812 | public_key_1024_from_external(const struct MLKEM1024_public_key *external) | 807 | public_key_1024_from_external(const MLKEM_public_key *external) |
| 813 | { | 808 | { |
| 814 | return (struct public_key *)external; | 809 | if (external->rank != RANK1024) |
| 810 | return NULL; | ||
| 811 | return (struct public_key *)external->key_1024; | ||
| 815 | } | 812 | } |
| 816 | 813 | ||
| 817 | struct private_key { | 814 | struct private_key { |
| @@ -823,9 +820,11 @@ struct private_key { | |||
| 823 | CTASSERT(sizeof(struct MLKEM1024_private_key) == sizeof(struct private_key)); | 820 | CTASSERT(sizeof(struct MLKEM1024_private_key) == sizeof(struct private_key)); |
| 824 | 821 | ||
| 825 | static struct private_key * | 822 | static struct private_key * |
| 826 | private_key_1024_from_external(const struct MLKEM1024_private_key *external) | 823 | private_key_1024_from_external(const MLKEM_private_key *external) |
| 827 | { | 824 | { |
| 828 | return (struct private_key *)external; | 825 | if (external->rank != RANK1024) |
| 826 | return NULL; | ||
| 827 | return (struct private_key *)external->key_1024; | ||
| 829 | } | 828 | } |
| 830 | 829 | ||
| 831 | /* | 830 | /* |
| @@ -835,7 +834,7 @@ private_key_1024_from_external(const struct MLKEM1024_private_key *external) | |||
| 835 | int | 834 | int |
| 836 | MLKEM1024_generate_key(uint8_t out_encoded_public_key[MLKEM1024_PUBLIC_KEY_BYTES], | 835 | MLKEM1024_generate_key(uint8_t out_encoded_public_key[MLKEM1024_PUBLIC_KEY_BYTES], |
| 837 | uint8_t optional_out_seed[MLKEM_SEED_BYTES], | 836 | uint8_t optional_out_seed[MLKEM_SEED_BYTES], |
| 838 | struct MLKEM1024_private_key *out_private_key) | 837 | MLKEM_private_key *out_private_key) |
| 839 | { | 838 | { |
| 840 | uint8_t entropy_buf[MLKEM_SEED_BYTES]; | 839 | uint8_t entropy_buf[MLKEM_SEED_BYTES]; |
| 841 | uint8_t *entropy = optional_out_seed != NULL ? optional_out_seed : | 840 | uint8_t *entropy = optional_out_seed != NULL ? optional_out_seed : |
| @@ -845,10 +844,9 @@ MLKEM1024_generate_key(uint8_t out_encoded_public_key[MLKEM1024_PUBLIC_KEY_BYTES | |||
| 845 | return MLKEM1024_generate_key_external_entropy(out_encoded_public_key, | 844 | return MLKEM1024_generate_key_external_entropy(out_encoded_public_key, |
| 846 | out_private_key, entropy); | 845 | out_private_key, entropy); |
| 847 | } | 846 | } |
| 848 | LCRYPTO_ALIAS(MLKEM1024_generate_key); | ||
| 849 | 847 | ||
| 850 | int | 848 | int |
| 851 | MLKEM1024_private_key_from_seed(struct MLKEM1024_private_key *out_private_key, | 849 | MLKEM1024_private_key_from_seed(MLKEM_private_key *out_private_key, |
| 852 | const uint8_t *seed, size_t seed_len) | 850 | const uint8_t *seed, size_t seed_len) |
| 853 | { | 851 | { |
| 854 | uint8_t public_key_bytes[MLKEM1024_PUBLIC_KEY_BYTES]; | 852 | uint8_t public_key_bytes[MLKEM1024_PUBLIC_KEY_BYTES]; |
| @@ -859,7 +857,6 @@ MLKEM1024_private_key_from_seed(struct MLKEM1024_private_key *out_private_key, | |||
| 859 | return MLKEM1024_generate_key_external_entropy(public_key_bytes, | 857 | return MLKEM1024_generate_key_external_entropy(public_key_bytes, |
| 860 | out_private_key, seed); | 858 | out_private_key, seed); |
| 861 | } | 859 | } |
| 862 | LCRYPTO_ALIAS(MLKEM1024_private_key_from_seed); | ||
| 863 | 860 | ||
| 864 | static int | 861 | static int |
| 865 | mlkem_marshal_public_key(CBB *out, const struct public_key *pub) | 862 | mlkem_marshal_public_key(CBB *out, const struct public_key *pub) |
| @@ -872,7 +869,7 @@ mlkem_marshal_public_key(CBB *out, const struct public_key *pub) | |||
| 872 | int | 869 | int |
| 873 | MLKEM1024_generate_key_external_entropy( | 870 | MLKEM1024_generate_key_external_entropy( |
| 874 | uint8_t out_encoded_public_key[MLKEM1024_PUBLIC_KEY_BYTES], | 871 | uint8_t out_encoded_public_key[MLKEM1024_PUBLIC_KEY_BYTES], |
| 875 | struct MLKEM1024_private_key *out_private_key, | 872 | MLKEM_private_key *out_private_key, |
| 876 | const uint8_t entropy[MLKEM_SEED_BYTES]) | 873 | const uint8_t entropy[MLKEM_SEED_BYTES]) |
| 877 | { | 874 | { |
| 878 | struct private_key *priv = private_key_1024_from_external( | 875 | struct private_key *priv = private_key_1024_from_external( |
| @@ -920,8 +917,8 @@ MLKEM1024_generate_key_external_entropy( | |||
| 920 | } | 917 | } |
| 921 | 918 | ||
| 922 | void | 919 | void |
| 923 | MLKEM1024_public_from_private(struct MLKEM1024_public_key *out_public_key, | 920 | MLKEM1024_public_from_private(const MLKEM_private_key *private_key, |
| 924 | const struct MLKEM1024_private_key *private_key) | 921 | MLKEM_public_key *out_public_key) |
| 925 | { | 922 | { |
| 926 | struct public_key *const pub = public_key_1024_from_external( | 923 | struct public_key *const pub = public_key_1024_from_external( |
| 927 | out_public_key); | 924 | out_public_key); |
| @@ -930,7 +927,6 @@ MLKEM1024_public_from_private(struct MLKEM1024_public_key *out_public_key, | |||
| 930 | 927 | ||
| 931 | *pub = priv->pub; | 928 | *pub = priv->pub; |
| 932 | } | 929 | } |
| 933 | LCRYPTO_ALIAS(MLKEM1024_public_from_private); | ||
| 934 | 930 | ||
| 935 | /* | 931 | /* |
| 936 | * Encrypts a message with given randomness to the ciphertext in |out|. Without | 932 | * Encrypts a message with given randomness to the ciphertext in |out|. Without |
| @@ -972,9 +968,9 @@ encrypt_cpa(uint8_t out[MLKEM1024_CIPHERTEXT_BYTES], | |||
| 972 | 968 | ||
| 973 | /* Calls MLKEM1024_encap_external_entropy| with random bytes */ | 969 | /* Calls MLKEM1024_encap_external_entropy| with random bytes */ |
| 974 | void | 970 | void |
| 975 | MLKEM1024_encap(uint8_t out_ciphertext[MLKEM1024_CIPHERTEXT_BYTES], | 971 | MLKEM1024_encap(const MLKEM_public_key *public_key, |
| 976 | uint8_t out_shared_secret[MLKEM_SHARED_SECRET_BYTES], | 972 | uint8_t out_ciphertext[MLKEM1024_CIPHERTEXT_BYTES], |
| 977 | const struct MLKEM1024_public_key *public_key) | 973 | uint8_t out_shared_secret[MLKEM_SHARED_SECRET_BYTES]) |
| 978 | { | 974 | { |
| 979 | uint8_t entropy[MLKEM_ENCAP_ENTROPY]; | 975 | uint8_t entropy[MLKEM_ENCAP_ENTROPY]; |
| 980 | 976 | ||
| @@ -982,14 +978,13 @@ MLKEM1024_encap(uint8_t out_ciphertext[MLKEM1024_CIPHERTEXT_BYTES], | |||
| 982 | MLKEM1024_encap_external_entropy(out_ciphertext, out_shared_secret, | 978 | MLKEM1024_encap_external_entropy(out_ciphertext, out_shared_secret, |
| 983 | public_key, entropy); | 979 | public_key, entropy); |
| 984 | } | 980 | } |
| 985 | LCRYPTO_ALIAS(MLKEM1024_encap); | ||
| 986 | 981 | ||
| 987 | /* See section 6.2 of the spec. */ | 982 | /* See section 6.2 of the spec. */ |
| 988 | void | 983 | void |
| 989 | MLKEM1024_encap_external_entropy( | 984 | MLKEM1024_encap_external_entropy( |
| 990 | uint8_t out_ciphertext[MLKEM1024_CIPHERTEXT_BYTES], | 985 | uint8_t out_ciphertext[MLKEM1024_CIPHERTEXT_BYTES], |
| 991 | uint8_t out_shared_secret[MLKEM_SHARED_SECRET_BYTES], | 986 | uint8_t out_shared_secret[MLKEM_SHARED_SECRET_BYTES], |
| 992 | const struct MLKEM1024_public_key *public_key, | 987 | const MLKEM_public_key *public_key, |
| 993 | const uint8_t entropy[MLKEM_ENCAP_ENTROPY]) | 988 | const uint8_t entropy[MLKEM_ENCAP_ENTROPY]) |
| 994 | { | 989 | { |
| 995 | const struct public_key *pub = public_key_1024_from_external(public_key); | 990 | const struct public_key *pub = public_key_1024_from_external(public_key); |
| @@ -1025,10 +1020,10 @@ decrypt_cpa(uint8_t out[32], const struct private_key *priv, | |||
| 1025 | 1020 | ||
| 1026 | /* See section 6.3 */ | 1021 | /* See section 6.3 */ |
| 1027 | int | 1022 | int |
| 1028 | MLKEM1024_decap(uint8_t out_shared_secret[MLKEM_SHARED_SECRET_BYTES], | 1023 | MLKEM1024_decap(const MLKEM_private_key *private_key, |
| 1029 | const uint8_t *ciphertext, size_t ciphertext_len, | 1024 | const uint8_t *ciphertext, size_t ciphertext_len, |
| 1030 | const struct MLKEM1024_private_key *private_key) | 1025 | uint8_t out_shared_secret[MLKEM_SHARED_SECRET_BYTES]) |
| 1031 | { | 1026 | { |
| 1032 | const struct private_key *priv = private_key_1024_from_external( | 1027 | const struct private_key *priv = private_key_1024_from_external( |
| 1033 | private_key); | 1028 | private_key); |
| 1034 | uint8_t expected_ciphertext[MLKEM1024_CIPHERTEXT_BYTES]; | 1029 | uint8_t expected_ciphertext[MLKEM1024_CIPHERTEXT_BYTES]; |
| @@ -1059,11 +1054,10 @@ MLKEM1024_decap(uint8_t out_shared_secret[MLKEM_SHARED_SECRET_BYTES], | |||
| 1059 | 1054 | ||
| 1060 | return 1; | 1055 | return 1; |
| 1061 | } | 1056 | } |
| 1062 | LCRYPTO_ALIAS(MLKEM1024_decap); | ||
| 1063 | 1057 | ||
| 1064 | int | 1058 | int |
| 1065 | MLKEM1024_marshal_public_key(uint8_t **output, size_t *output_len, | 1059 | MLKEM1024_marshal_public_key(const MLKEM_public_key *public_key, |
| 1066 | const struct MLKEM1024_public_key *public_key) | 1060 | uint8_t **output, size_t *output_len) |
| 1067 | { | 1061 | { |
| 1068 | int ret = 0; | 1062 | int ret = 0; |
| 1069 | CBB cbb; | 1063 | CBB cbb; |
| @@ -1083,7 +1077,6 @@ MLKEM1024_marshal_public_key(uint8_t **output, size_t *output_len, | |||
| 1083 | 1077 | ||
| 1084 | return ret; | 1078 | return ret; |
| 1085 | } | 1079 | } |
| 1086 | LCRYPTO_ALIAS(MLKEM1024_marshal_public_key); | ||
| 1087 | 1080 | ||
| 1088 | /* | 1081 | /* |
| 1089 | * mlkem_parse_public_key_no_hash parses |in| into |pub| but doesn't calculate | 1082 | * mlkem_parse_public_key_no_hash parses |in| into |pub| but doesn't calculate |
| @@ -1107,8 +1100,8 @@ mlkem_parse_public_key_no_hash(struct public_key *pub, CBS *in) | |||
| 1107 | } | 1100 | } |
| 1108 | 1101 | ||
| 1109 | int | 1102 | int |
| 1110 | MLKEM1024_parse_public_key(struct MLKEM1024_public_key *public_key, | 1103 | MLKEM1024_parse_public_key(const uint8_t *input, size_t input_len, |
| 1111 | const uint8_t *input, size_t input_len) | 1104 | MLKEM_public_key *public_key) |
| 1112 | { | 1105 | { |
| 1113 | struct public_key *pub = public_key_1024_from_external(public_key); | 1106 | struct public_key *pub = public_key_1024_from_external(public_key); |
| 1114 | CBS cbs; | 1107 | CBS cbs; |
| @@ -1123,10 +1116,9 @@ MLKEM1024_parse_public_key(struct MLKEM1024_public_key *public_key, | |||
| 1123 | 1116 | ||
| 1124 | return 1; | 1117 | return 1; |
| 1125 | } | 1118 | } |
| 1126 | LCRYPTO_ALIAS(MLKEM1024_parse_public_key); | ||
| 1127 | 1119 | ||
| 1128 | int | 1120 | int |
| 1129 | MLKEM1024_marshal_private_key(const struct MLKEM1024_private_key *private_key, | 1121 | MLKEM1024_marshal_private_key(const MLKEM_private_key *private_key, |
| 1130 | uint8_t **out_private_key, size_t *out_private_key_len) | 1122 | uint8_t **out_private_key, size_t *out_private_key_len) |
| 1131 | { | 1123 | { |
| 1132 | const struct private_key *const priv = private_key_1024_from_external( | 1124 | const struct private_key *const priv = private_key_1024_from_external( |
| @@ -1160,8 +1152,8 @@ MLKEM1024_marshal_private_key(const struct MLKEM1024_private_key *private_key, | |||
| 1160 | } | 1152 | } |
| 1161 | 1153 | ||
| 1162 | int | 1154 | int |
| 1163 | MLKEM1024_parse_private_key(struct MLKEM1024_private_key *out_private_key, | 1155 | MLKEM1024_parse_private_key(const uint8_t *input, size_t input_len, |
| 1164 | const uint8_t *input, size_t input_len) | 1156 | MLKEM_private_key *out_private_key) |
| 1165 | { | 1157 | { |
| 1166 | struct private_key *const priv = private_key_1024_from_external( | 1158 | struct private_key *const priv = private_key_1024_from_external( |
| 1167 | out_private_key); | 1159 | out_private_key); |
| @@ -1189,4 +1181,3 @@ MLKEM1024_parse_private_key(struct MLKEM1024_private_key *out_private_key, | |||
| 1189 | 1181 | ||
| 1190 | return 1; | 1182 | return 1; |
| 1191 | } | 1183 | } |
| 1192 | LCRYPTO_ALIAS(MLKEM1024_parse_private_key); | ||