Ejemplo n.º 1
0
int pubkey::encrypt (const bvector&in, bvector&out, const bvector&errors)
{
	if (in.size() != plain_size() ) return 2;
	if (errors.size() != cipher_size() ) return 2;
	G.mult_vecT_left (in, out);
	out.add (errors);
	return 0;
}
Ejemplo n.º 2
0
int pubkey::encrypt (const bvector & in, bvector & out, const bvector&errors)
{
	uint t = 1 << T;
	bvector p, g, r, cksum;
	uint i, j;

	/*
	 * shortened checksum pair of G is computed blockwise accordingly to
	 * the t-sized square dyadic blocks.
	 */

	//some checks
	if (!qd_sigs.width() ) return 1;
	if (qd_sigs.height() % t) return 1;
	if (in.size() != plain_size() ) return 2;
	if (errors.size() != cipher_size() ) return 2;

	uint blocks = qd_sigs.height() / t;
	cksum.resize (qd_sigs.height(), 0);

	p.resize (t);
	g.resize (t);
	r.resize (t);

	std::vector<int> c1, c2, c3;
	c1.resize (t);
	c2.resize (t);
	c3.resize (t);

	for (i = 0; i < qd_sigs.size(); ++i) {
		//plaintext block
		in.get_block (i * t, t, p);

		for (j = 0; j < blocks; ++j) {
			//checksum block
			qd_sigs[i].get_block (j * t, t, g);

			//block result
			fwht_dyadic_multiply (p, g, r, c1, c2, c3);
			cksum.add_offset (r, t * j);
		}
	}

	//compute ciphertext
	out = in;
	out.insert (out.end(), cksum.begin(), cksum.end() );
	out.add (errors);

	return 0;
}
Ejemplo n.º 3
0
int privkey::sign (const bvector&in, bvector&out, uint delta, uint attempts, prng&rng)
{
	uint i, s, t;
	bvector p, e, synd, synd_orig, e2;
	std::vector<uint> epos;
	permutation hpermInv;
	polynomial loc, Synd;

	s = hash_size();

	if (in.size() != s) return 2;

	//first, prepare the codeword to canonical form for decoding
	Pinv.permute (in, e2);
	hperm.compute_inversion (hpermInv);
	hpermInv.permute (e2, p);

	//prepare extra error vector
	e.resize (s, 0);
	epos.resize (delta, 0);

	h.mult_vec_right (p, synd_orig);

	for (t = 0; t < attempts; ++t) {

		synd = synd_orig;

		for (i = 0; i < delta; ++i) {
			epos[i] = rng.random (s);
			/* we don't care about (unlikely) error bit collisions
			   (they actually don't harm anything) */
			if (!e[epos[i]]) synd.add (h[epos[i]]);
			e[epos[i]] = 1;
		}

		synd.to_poly (Synd, fld);
		compute_goppa_error_locator (Synd, fld, g, sqInv, loc);

		if (evaluate_error_locator_trace (loc, e2, fld) ) {

			//recreate the decodable codeword
			p.add (e);
			p.add (e2);

			hperm.permute (p, e2); //back to systematic
			e2.resize (signature_size() ); //strip to message
			Sinv.mult_vecT_left (e2, out); //signature
			return 0;
		}

		//if this round failed, we try a new error pattern.

		for (i = 0; i < delta; ++i) {
			//clear the errors for next cycle
			e[epos[i]] = 0;
		}
	}
	return 1; //couldn't decode
}
Ejemplo n.º 4
0
int pubkey::verify (const bvector&in, const bvector&hash, uint delta)
{
	bvector tmp;
	if (!G.mult_vecT_left (in, tmp) ) return 2; //wrong size of input
	if (hash.size() != tmp.size() ) return 1; //wrong size of hash, not a sig.
	tmp.add (hash);
	if (tmp.hamming_weight() > (t + delta) ) return 1; //not a signature
	return 0; //sig OK
}
Ejemplo n.º 5
0
int privkey::decrypt (const bvector & in, bvector & out, bvector & errors)
{
	if (in.size() != cipher_size() ) return 2;
	polynomial synd;
	uint i, j, tmp;

	/*
	 * compute the syndrome from alternant check matrix
	 * that is H_alt = Vdm(L) * Diag(g(L_i)^{-2})
	 */
	uint h_size = 1 << (T + 1); //= 2*block_size
	synd.clear();
	synd.resize (h_size, 0);
	for (i = 0; i < cipher_size(); ++i) if (in[i]) {
			tmp = fld.inv (g.eval (permuted_support[i], fld) );
			tmp = fld.mult (tmp, tmp); //g(Li)^{-2}
			synd[0] = fld.add (synd[0], tmp);
			for (j = 1; j < h_size; ++j) {
				tmp = fld.mult (tmp, permuted_support[i]);
				synd[j] = fld.add (synd[j], tmp);
			}
		}

	//decoding
	polynomial loc;
	compute_alternant_error_locator (synd, fld, 1 << T, loc);

	bvector ev;
	if (!evaluate_error_locator_trace (loc, ev, fld) )
		return 1; //couldn't decode
	//TODO evaluator should return error positions, not bvector. fix it everywhere!

	out = in;
	out.resize (plain_size() );
	errors.clear();
	errors.resize (cipher_size(), 0);
	//flip error positions of out.
	for (i = 0; i < ev.size(); ++i) if (ev[i]) {
			uint epos = support_pos[fld.inv (i)];
			if (epos == fld.n) {
				//found unexpected support, die.
				out.clear();
				return 1;
			}
			if (epos >= cipher_size() ) return 1;
			errors[epos] = 1;
			if (epos < plain_size() )
				out[epos] = !out[epos];
		}

	return 0;
}
Ejemplo n.º 6
0
/*
 * we expect correct parameter size and preallocated out. Last 3 parameters are
 * used as a cache - just supply the same vectors everytime when you're doing
 * this multiple times.
 */
void fwht_dyadic_multiply (const bvector& a, const bvector& b, bvector& out,
                           std::vector<int>&t,
                           std::vector<int>&A,
                           std::vector<int>&B)
{

	uint i;

	//lift everyting to Z.
	for (i = 0; i < a.size(); ++i) t[i] = a[i];
	fwht (t, A);

	for (i = 0; i < b.size(); ++i) t[i] = b[i];
	fwht (t, B);

	//multiply diagonals to A
	for (i = 0; i < A.size(); ++i) A[i] *= B[i];
	fwht (A, t);

	uint bitpos = a.size(); //no problem as a.size() == 1<<m == 2^m
	for (i = 0; i < t.size(); ++i) out[i] = (t[i] & bitpos) ? 1 : 0;
}
Ejemplo n.º 7
0
int privkey::decrypt (const bvector&in, bvector&out, bvector&errors)
{
	if (in.size() != cipher_size() ) return 2;

	//remove the P permutation
	bvector not_permuted;
	Pinv.permute (in, not_permuted);

	//prepare for decoding
	permutation hpermInv; //TODO pre-invert it in prepare()
	hperm.compute_inversion (hpermInv);

	bvector canonical, syndrome;
	hpermInv.permute (not_permuted, canonical);
	h.mult_vec_right (canonical, syndrome);

	//decode
	polynomial synd, loc;
	syndrome.to_poly (synd, fld);
	compute_goppa_error_locator (synd, fld, g, sqInv, loc);

	bvector ev;
	if (!evaluate_error_locator_trace (loc, ev, fld) )
		return 1; //if decoding somehow failed, fail as well.

	//correct the errors
	canonical.add (ev);

	//shuffle back into systematic order
	hperm.permute (canonical, not_permuted);
	hperm.permute (ev, errors);

	//get rid of redundancy bits
	not_permuted.resize (plain_size() );

	//unscramble the result
	Sinv.mult_vecT_left (not_permuted, out);

	return 0;
}