diff options
Diffstat (limited to 'src/lib/libcrypto/mlkem/mlkem768.c')
| -rw-r--r-- | src/lib/libcrypto/mlkem/mlkem768.c | 73 |
1 files changed, 32 insertions, 41 deletions
diff --git a/src/lib/libcrypto/mlkem/mlkem768.c b/src/lib/libcrypto/mlkem/mlkem768.c index 653b92d8d8..1a44b9413f 100644 --- a/src/lib/libcrypto/mlkem/mlkem768.c +++ b/src/lib/libcrypto/mlkem/mlkem768.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: mlkem768.c,v 1.12 2025/05/20 00:30:38 beck Exp $ */ | 1 | /* $OpenBSD: mlkem768.c,v 1.13 2025/08/14 15:48:48 beck Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2024, Google Inc. | 3 | * Copyright (c) 2024, Google Inc. |
| 4 | * Copyright (c) 2024, Bob Beck <beck@obtuse.com> | 4 | * Copyright (c) 2024, Bob Beck <beck@obtuse.com> |
| @@ -19,19 +19,16 @@ | |||
| 19 | #include <assert.h> | 19 | #include <assert.h> |
| 20 | #include <stdlib.h> | 20 | #include <stdlib.h> |
| 21 | #include <string.h> | 21 | #include <string.h> |
| 22 | #include <stdio.h> | ||
| 22 | 23 | ||
| 23 | #include "bytestring.h" | 24 | #include <openssl/mlkem.h> |
| 24 | #include "mlkem.h" | ||
| 25 | 25 | ||
| 26 | #include "bytestring.h" | ||
| 26 | #include "sha3_internal.h" | 27 | #include "sha3_internal.h" |
| 27 | #include "mlkem_internal.h" | 28 | #include "mlkem_internal.h" |
| 28 | #include "constant_time.h" | 29 | #include "constant_time.h" |
| 29 | #include "crypto_internal.h" | 30 | #include "crypto_internal.h" |
| 30 | 31 | ||
| 31 | /* Remove later */ | ||
| 32 | #undef LCRYPTO_ALIAS | ||
| 33 | #define LCRYPTO_ALIAS(A) | ||
| 34 | |||
| 35 | /* | 32 | /* |
| 36 | * See | 33 | * See |
| 37 | * https://csrc.nist.gov/pubs/fips/203/final | 34 | * https://csrc.nist.gov/pubs/fips/203/final |
| @@ -80,7 +77,6 @@ kdf(uint8_t out[MLKEM_SHARED_SECRET_BYTES], const uint8_t failure_secret[32], | |||
| 80 | } | 77 | } |
| 81 | 78 | ||
| 82 | #define DEGREE 256 | 79 | #define DEGREE 256 |
| 83 | #define RANK768 3 | ||
| 84 | 80 | ||
| 85 | static const size_t kBarrettMultiplier = 5039; | 81 | static const size_t kBarrettMultiplier = 5039; |
| 86 | static const unsigned kBarrettShift = 24; | 82 | static const unsigned kBarrettShift = 24; |
| @@ -809,9 +805,11 @@ struct public_key { | |||
| 809 | CTASSERT(sizeof(struct MLKEM768_public_key) == sizeof(struct public_key)); | 805 | CTASSERT(sizeof(struct MLKEM768_public_key) == sizeof(struct public_key)); |
| 810 | 806 | ||
| 811 | static struct public_key * | 807 | static struct public_key * |
| 812 | public_key_768_from_external(const struct MLKEM768_public_key *external) | 808 | public_key_768_from_external(const MLKEM_public_key *external) |
| 813 | { | 809 | { |
| 814 | return (struct public_key *)external; | 810 | if (external->rank != RANK768) |
| 811 | return NULL; | ||
| 812 | return (struct public_key *)external->key_768; | ||
| 815 | } | 813 | } |
| 816 | 814 | ||
| 817 | struct private_key { | 815 | struct private_key { |
| @@ -823,9 +821,11 @@ struct private_key { | |||
| 823 | CTASSERT(sizeof(struct MLKEM768_private_key) == sizeof(struct private_key)); | 821 | CTASSERT(sizeof(struct MLKEM768_private_key) == sizeof(struct private_key)); |
| 824 | 822 | ||
| 825 | static struct private_key * | 823 | static struct private_key * |
| 826 | private_key_768_from_external(const struct MLKEM768_private_key *external) | 824 | private_key_768_from_external(const MLKEM_private_key *external) |
| 827 | { | 825 | { |
| 828 | return (struct private_key *)external; | 826 | if (external->rank != RANK768) |
| 827 | return NULL; | ||
| 828 | return (struct private_key *)external->key_768; | ||
| 829 | } | 829 | } |
| 830 | 830 | ||
| 831 | /* | 831 | /* |
| @@ -835,7 +835,7 @@ private_key_768_from_external(const struct MLKEM768_private_key *external) | |||
| 835 | int | 835 | int |
| 836 | MLKEM768_generate_key(uint8_t out_encoded_public_key[MLKEM768_PUBLIC_KEY_BYTES], | 836 | MLKEM768_generate_key(uint8_t out_encoded_public_key[MLKEM768_PUBLIC_KEY_BYTES], |
| 837 | uint8_t optional_out_seed[MLKEM_SEED_BYTES], | 837 | uint8_t optional_out_seed[MLKEM_SEED_BYTES], |
| 838 | struct MLKEM768_private_key *out_private_key) | 838 | MLKEM_private_key *out_private_key) |
| 839 | { | 839 | { |
| 840 | uint8_t entropy_buf[MLKEM_SEED_BYTES]; | 840 | uint8_t entropy_buf[MLKEM_SEED_BYTES]; |
| 841 | uint8_t *entropy = optional_out_seed != NULL ? optional_out_seed : | 841 | uint8_t *entropy = optional_out_seed != NULL ? optional_out_seed : |
| @@ -845,12 +845,12 @@ MLKEM768_generate_key(uint8_t out_encoded_public_key[MLKEM768_PUBLIC_KEY_BYTES], | |||
| 845 | return MLKEM768_generate_key_external_entropy(out_encoded_public_key, | 845 | return MLKEM768_generate_key_external_entropy(out_encoded_public_key, |
| 846 | out_private_key, entropy); | 846 | out_private_key, entropy); |
| 847 | } | 847 | } |
| 848 | LCRYPTO_ALIAS(MLKEM768_generate_key); | ||
| 849 | 848 | ||
| 850 | int | 849 | int |
| 851 | MLKEM768_private_key_from_seed(struct MLKEM768_private_key *out_private_key, | 850 | MLKEM768_private_key_from_seed(const uint8_t *seed, size_t seed_len, |
| 852 | const uint8_t *seed, size_t seed_len) | 851 | MLKEM_private_key *out_private_key) |
| 853 | { | 852 | { |
| 853 | /* XXX stack */ | ||
| 854 | uint8_t public_key_bytes[MLKEM768_PUBLIC_KEY_BYTES]; | 854 | uint8_t public_key_bytes[MLKEM768_PUBLIC_KEY_BYTES]; |
| 855 | 855 | ||
| 856 | if (seed_len != MLKEM_SEED_BYTES) { | 856 | if (seed_len != MLKEM_SEED_BYTES) { |
| @@ -859,7 +859,6 @@ MLKEM768_private_key_from_seed(struct MLKEM768_private_key *out_private_key, | |||
| 859 | return MLKEM768_generate_key_external_entropy(public_key_bytes, | 859 | return MLKEM768_generate_key_external_entropy(public_key_bytes, |
| 860 | out_private_key, seed); | 860 | out_private_key, seed); |
| 861 | } | 861 | } |
| 862 | LCRYPTO_ALIAS(MLKEM768_private_key_from_seed); | ||
| 863 | 862 | ||
| 864 | static int | 863 | static int |
| 865 | mlkem_marshal_public_key(CBB *out, const struct public_key *pub) | 864 | mlkem_marshal_public_key(CBB *out, const struct public_key *pub) |
| @@ -872,7 +871,7 @@ mlkem_marshal_public_key(CBB *out, const struct public_key *pub) | |||
| 872 | int | 871 | int |
| 873 | MLKEM768_generate_key_external_entropy( | 872 | MLKEM768_generate_key_external_entropy( |
| 874 | uint8_t out_encoded_public_key[MLKEM768_PUBLIC_KEY_BYTES], | 873 | uint8_t out_encoded_public_key[MLKEM768_PUBLIC_KEY_BYTES], |
| 875 | struct MLKEM768_private_key *out_private_key, | 874 | MLKEM_private_key *out_private_key, |
| 876 | const uint8_t entropy[MLKEM_SEED_BYTES]) | 875 | const uint8_t entropy[MLKEM_SEED_BYTES]) |
| 877 | { | 876 | { |
| 878 | struct private_key *priv = private_key_768_from_external( | 877 | struct private_key *priv = private_key_768_from_external( |
| @@ -920,9 +919,8 @@ MLKEM768_generate_key_external_entropy( | |||
| 920 | } | 919 | } |
| 921 | 920 | ||
| 922 | void | 921 | void |
| 923 | MLKEM768_public_from_private(struct MLKEM768_public_key *out_public_key, | 922 | MLKEM768_public_from_private(const MLKEM_private_key *private_key, |
| 924 | const struct MLKEM768_private_key *private_key) | 923 | MLKEM_public_key *out_public_key) { |
| 925 | { | ||
| 926 | struct public_key *const pub = public_key_768_from_external( | 924 | struct public_key *const pub = public_key_768_from_external( |
| 927 | out_public_key); | 925 | out_public_key); |
| 928 | const struct private_key *const priv = private_key_768_from_external( | 926 | const struct private_key *const priv = private_key_768_from_external( |
| @@ -930,7 +928,6 @@ MLKEM768_public_from_private(struct MLKEM768_public_key *out_public_key, | |||
| 930 | 928 | ||
| 931 | *pub = priv->pub; | 929 | *pub = priv->pub; |
| 932 | } | 930 | } |
| 933 | LCRYPTO_ALIAS(MLKEM768_public_from_private); | ||
| 934 | 931 | ||
| 935 | /* | 932 | /* |
| 936 | * Encrypts a message with given randomness to the ciphertext in |out|. Without | 933 | * Encrypts a message with given randomness to the ciphertext in |out|. Without |
| @@ -972,9 +969,9 @@ encrypt_cpa(uint8_t out[MLKEM768_CIPHERTEXT_BYTES], | |||
| 972 | 969 | ||
| 973 | /* Calls MLKEM768_encap_external_entropy| with random bytes */ | 970 | /* Calls MLKEM768_encap_external_entropy| with random bytes */ |
| 974 | void | 971 | void |
| 975 | MLKEM768_encap(uint8_t out_ciphertext[MLKEM768_CIPHERTEXT_BYTES], | 972 | MLKEM768_encap(const MLKEM_public_key *public_key, |
| 976 | uint8_t out_shared_secret[MLKEM_SHARED_SECRET_BYTES], | 973 | uint8_t out_ciphertext[MLKEM768_CIPHERTEXT_BYTES], |
| 977 | const struct MLKEM768_public_key *public_key) | 974 | uint8_t out_shared_secret[MLKEM_SHARED_SECRET_BYTES]) |
| 978 | { | 975 | { |
| 979 | uint8_t entropy[MLKEM_ENCAP_ENTROPY]; | 976 | uint8_t entropy[MLKEM_ENCAP_ENTROPY]; |
| 980 | 977 | ||
| @@ -982,14 +979,13 @@ MLKEM768_encap(uint8_t out_ciphertext[MLKEM768_CIPHERTEXT_BYTES], | |||
| 982 | MLKEM768_encap_external_entropy(out_ciphertext, | 979 | MLKEM768_encap_external_entropy(out_ciphertext, |
| 983 | out_shared_secret, public_key, entropy); | 980 | out_shared_secret, public_key, entropy); |
| 984 | } | 981 | } |
| 985 | LCRYPTO_ALIAS(MLKEM768_encap); | ||
| 986 | 982 | ||
| 987 | /* See section 6.2 of the spec. */ | 983 | /* See section 6.2 of the spec. */ |
| 988 | void | 984 | void |
| 989 | MLKEM768_encap_external_entropy( | 985 | MLKEM768_encap_external_entropy( |
| 990 | uint8_t out_ciphertext[MLKEM768_CIPHERTEXT_BYTES], | 986 | uint8_t out_ciphertext[MLKEM768_CIPHERTEXT_BYTES], |
| 991 | uint8_t out_shared_secret[MLKEM_SHARED_SECRET_BYTES], | 987 | uint8_t out_shared_secret[MLKEM_SHARED_SECRET_BYTES], |
| 992 | const struct MLKEM768_public_key *public_key, | 988 | const MLKEM_public_key *public_key, |
| 993 | const uint8_t entropy[MLKEM_ENCAP_ENTROPY]) | 989 | const uint8_t entropy[MLKEM_ENCAP_ENTROPY]) |
| 994 | { | 990 | { |
| 995 | const struct public_key *pub = public_key_768_from_external(public_key); | 991 | const struct public_key *pub = public_key_768_from_external(public_key); |
| @@ -1025,9 +1021,8 @@ decrypt_cpa(uint8_t out[32], const struct private_key *priv, | |||
| 1025 | 1021 | ||
| 1026 | /* See section 6.3 */ | 1022 | /* See section 6.3 */ |
| 1027 | int | 1023 | int |
| 1028 | MLKEM768_decap(uint8_t out_shared_secret[MLKEM_SHARED_SECRET_BYTES], | 1024 | MLKEM768_decap(const MLKEM_private_key *private_key, const uint8_t *ciphertext, |
| 1029 | const uint8_t *ciphertext, size_t ciphertext_len, | 1025 | size_t ciphertext_len, uint8_t out_shared_secret[MLKEM_SHARED_SECRET_BYTES]) |
| 1030 | const struct MLKEM768_private_key *private_key) | ||
| 1031 | { | 1026 | { |
| 1032 | const struct private_key *priv = private_key_768_from_external( | 1027 | const struct private_key *priv = private_key_768_from_external( |
| 1033 | private_key); | 1028 | private_key); |
| @@ -1059,11 +1054,10 @@ MLKEM768_decap(uint8_t out_shared_secret[MLKEM_SHARED_SECRET_BYTES], | |||
| 1059 | 1054 | ||
| 1060 | return 1; | 1055 | return 1; |
| 1061 | } | 1056 | } |
| 1062 | LCRYPTO_ALIAS(MLKEM768_decap); | ||
| 1063 | 1057 | ||
| 1064 | int | 1058 | int |
| 1065 | MLKEM768_marshal_public_key(uint8_t **output, size_t *output_len, | 1059 | MLKEM768_marshal_public_key(const MLKEM_public_key *public_key, |
| 1066 | const struct MLKEM768_public_key *public_key) | 1060 | uint8_t **output, size_t *output_len) |
| 1067 | { | 1061 | { |
| 1068 | int ret = 0; | 1062 | int ret = 0; |
| 1069 | CBB cbb; | 1063 | CBB cbb; |
| @@ -1083,7 +1077,6 @@ MLKEM768_marshal_public_key(uint8_t **output, size_t *output_len, | |||
| 1083 | 1077 | ||
| 1084 | return ret; | 1078 | return ret; |
| 1085 | } | 1079 | } |
| 1086 | LCRYPTO_ALIAS(MLKEM768_marshal_public_key); | ||
| 1087 | 1080 | ||
| 1088 | /* | 1081 | /* |
| 1089 | * mlkem_parse_public_key_no_hash parses |in| into |pub| but doesn't calculate | 1082 | * mlkem_parse_public_key_no_hash parses |in| into |pub| but doesn't calculate |
| @@ -1107,8 +1100,8 @@ mlkem_parse_public_key_no_hash(struct public_key *pub, CBS *in) | |||
| 1107 | } | 1100 | } |
| 1108 | 1101 | ||
| 1109 | int | 1102 | int |
| 1110 | MLKEM768_parse_public_key(struct MLKEM768_public_key *public_key, | 1103 | MLKEM768_parse_public_key(const uint8_t *input, size_t input_len, |
| 1111 | const uint8_t *input, size_t input_len) | 1104 | MLKEM_public_key *public_key) |
| 1112 | { | 1105 | { |
| 1113 | struct public_key *pub = public_key_768_from_external(public_key); | 1106 | struct public_key *pub = public_key_768_from_external(public_key); |
| 1114 | CBS cbs; | 1107 | CBS cbs; |
| @@ -1123,10 +1116,9 @@ MLKEM768_parse_public_key(struct MLKEM768_public_key *public_key, | |||
| 1123 | 1116 | ||
| 1124 | return 1; | 1117 | return 1; |
| 1125 | } | 1118 | } |
| 1126 | LCRYPTO_ALIAS(MLKEM768_parse_public_key); | ||
| 1127 | 1119 | ||
| 1128 | int | 1120 | int |
| 1129 | MLKEM768_marshal_private_key(const struct MLKEM768_private_key *private_key, | 1121 | MLKEM768_marshal_private_key(const MLKEM_private_key *private_key, |
| 1130 | uint8_t **out_private_key, size_t *out_private_key_len) | 1122 | uint8_t **out_private_key, size_t *out_private_key_len) |
| 1131 | { | 1123 | { |
| 1132 | const struct private_key *const priv = private_key_768_from_external( | 1124 | const struct private_key *const priv = private_key_768_from_external( |
| @@ -1160,8 +1152,8 @@ MLKEM768_marshal_private_key(const struct MLKEM768_private_key *private_key, | |||
| 1160 | } | 1152 | } |
| 1161 | 1153 | ||
| 1162 | int | 1154 | int |
| 1163 | MLKEM768_parse_private_key(struct MLKEM768_private_key *out_private_key, | 1155 | MLKEM768_parse_private_key(const uint8_t *input, size_t input_len, |
| 1164 | const uint8_t *input, size_t input_len) | 1156 | MLKEM_private_key *out_private_key) |
| 1165 | { | 1157 | { |
| 1166 | struct private_key *const priv = private_key_768_from_external( | 1158 | struct private_key *const priv = private_key_768_from_external( |
| 1167 | out_private_key); | 1159 | out_private_key); |
| @@ -1189,4 +1181,3 @@ MLKEM768_parse_private_key(struct MLKEM768_private_key *out_private_key, | |||
| 1189 | 1181 | ||
| 1190 | return 1; | 1182 | return 1; |
| 1191 | } | 1183 | } |
| 1192 | LCRYPTO_ALIAS(MLKEM768_parse_private_key); | ||