uint8_t test_keygen() { NtruEncParams param_arr[] = ALL_PARAM_SETS; uint8_t valid = 1; uint8_t i; NtruRandGen rng = NTRU_RNG_DEFAULT; for (i=0; i<sizeof(param_arr)/sizeof(param_arr[0]); i++) { NtruEncParams params = param_arr[i]; NtruEncKeyPair kp; NtruRandContext rand_ctx; ntru_rand_init(&rand_ctx, &rng); valid &= ntru_gen_key_pair(¶ms, &kp, &rand_ctx) == NTRU_SUCCESS; /* encrypt a random message */ NtruTernPoly m; ntru_rand_tern(params.N, params.N/3, params.N/3, &m, &rand_ctx); NtruIntPoly m_int; ntru_tern_to_int(&m, &m_int); NtruTernPoly r; ntru_rand_tern(params.N, params.N/3, params.N/3, &r, &rand_ctx); ntru_rand_release(&rand_ctx); NtruIntPoly e; encrypt_poly(&m_int, &r, &kp.pub.h, &e, params.q); /* decrypt and verify */ NtruIntPoly c; decrypt_poly(&e, &kp.priv, &c, params.q); valid &= ntru_equals_int(&m_int, &c); /* test deterministic key generation */ valid &= gen_key_pair("my test password", ¶ms, &kp) == NTRU_SUCCESS; char seed2_char[19]; strcpy(seed2_char, "my test password"); uint8_t seed2[strlen(seed2_char)]; str_to_uint8(seed2_char, seed2); NtruEncKeyPair kp2; NtruRandGen rng = NTRU_RNG_IGF2; NtruRandContext rand_ctx2; ntru_rand_init_det(&rand_ctx2, &rng, seed2, strlen(seed2_char)); valid &= ntru_gen_key_pair(¶ms, &kp2, &rand_ctx2) == NTRU_SUCCESS; ntru_rand_release(&rand_ctx2); valid &= equals_key_pair(&kp, &kp2); } print_result("test_keygen", valid); return valid; }
/* tests ntru_encrypt() with a deterministic RNG */ uint8_t test_encr_decr_det(NtruEncParams *params, uint8_t *digest_expected) { NtruEncKeyPair kp; uint8_t valid = gen_key_pair("seed value for key generation", params, &kp) == NTRU_SUCCESS; uint8_t pub_arr[ntru_pub_len(params)]; ntru_export_pub(&kp.pub, pub_arr); NtruEncPubKey pub2; ntru_import_pub(pub_arr, &pub2); valid &= ntru_equals_int(&kp.pub.h, &pub2.h); NtruRandContext rand_ctx_plaintext; uint16_t max_len = ntru_max_msg_len(params); uint8_t plain[max_len]; NtruRandGen rng_plaintext = NTRU_RNG_IGF2; char plain_seed_char[25]; strcpy(plain_seed_char, "seed value for plaintext"); uint8_t plain_seed[25]; str_to_uint8(plain_seed_char, plain_seed); valid &= ntru_rand_init_det(&rand_ctx_plaintext, &rng_plaintext, plain_seed, strlen(plain_seed_char)) == NTRU_SUCCESS; valid &= ntru_rand_generate(plain, max_len, &rand_ctx_plaintext) == NTRU_SUCCESS; valid &= ntru_rand_release(&rand_ctx_plaintext) == NTRU_SUCCESS; uint8_t plain2[max_len]; memcpy(plain2, plain, max_len); uint16_t enc_len = ntru_enc_len(params); uint8_t encrypted[enc_len]; uint8_t encrypted2[enc_len]; char seed_char[11]; strcpy(seed_char, "seed value"); uint8_t seed[11]; str_to_uint8(seed_char, seed); char seed2_char[11]; strcpy(seed2_char, "seed value"); uint8_t seed2[11]; str_to_uint8(seed2_char, seed2); NtruRandContext rand_ctx; NtruRandGen rng = NTRU_RNG_IGF2; valid &= ntru_rand_init_det(&rand_ctx, &rng, seed, strlen(seed_char)) == NTRU_SUCCESS; NtruRandContext rand_ctx2; NtruRandGen rng2 = NTRU_RNG_IGF2; valid &= ntru_rand_init_det(&rand_ctx2, &rng2, seed2, strlen(seed2_char)) == NTRU_SUCCESS; uint8_t decrypted[max_len]; uint16_t plain_len; uint16_t dec_len; for (plain_len=0; plain_len<=max_len; plain_len++) { valid &= ntru_encrypt((uint8_t*)&plain, plain_len, &kp.pub, params, &rand_ctx, (uint8_t*)&encrypted) == NTRU_SUCCESS; valid &= ntru_encrypt((uint8_t*)&plain2, plain_len, &pub2, params, &rand_ctx2, (uint8_t*)&encrypted2) == NTRU_SUCCESS; valid &= memcmp(encrypted, encrypted2, enc_len) == 0; valid &= ntru_decrypt((uint8_t*)&encrypted, &kp, params, (uint8_t*)&decrypted, &dec_len) == NTRU_SUCCESS; valid &= equals_arr((uint8_t*)&plain, (uint8_t*)&decrypted, plain_len); } uint8_t digest[20]; ntru_sha1(encrypted, enc_len, digest); valid &= memcmp(digest, digest_expected, 20) == 0; valid &= ntru_rand_release(&rand_ctx) == NTRU_SUCCESS; valid &= ntru_rand_release(&rand_ctx2) == NTRU_SUCCESS; return valid; }
uint8_t ntru_decrypt(uint8_t *enc, NtruEncKeyPair *kp, const NtruEncParams *params, uint8_t *dec, uint16_t *dec_len) { ntru_set_optimized_impl(); uint16_t N = params->N; uint16_t q = params->q; uint16_t db = params->db; uint16_t max_len_bytes = ntru_max_msg_len(params); uint16_t dm0 = params->dm0; if (q & (q-1)) /* check that modulus is a power of 2 */ return NTRU_ERR_INVALID_PARAM; if (max_len_bytes > 255) return NTRU_ERR_INVALID_MAX_LEN; uint16_t blen = db / 8; uint8_t retcode = NTRU_SUCCESS; NtruIntPoly e; ntru_from_arr(enc, N, q, &e); NtruIntPoly ci; ntru_decrypt_poly(&e, &kp->priv, q, &ci); if (!ntru_check_rep_weight(&ci, dm0) && retcode==NTRU_SUCCESS) retcode = NTRU_ERR_DM0_VIOLATION; NtruIntPoly cR = e; ntru_sub(&cR, &ci); ntru_mod_mask(&cR, q-1); uint16_t coR4_len = (N*2+7) / 8; uint8_t coR4[coR4_len]; ntru_to_arr4(&cR, (uint8_t*)&coR4); NtruIntPoly mask; ntru_MGF((uint8_t*)&coR4, coR4_len, params, &mask); NtruIntPoly cmtrin = ci; ntru_sub(&cmtrin, &mask); ntru_mod3(&cmtrin); uint16_t cM_len_bits = (N*3+1) / 2; uint16_t cM_len_bytes = (cM_len_bits+7) / 8; uint8_t cM[cM_len_bytes+3]; /* 3 extra bytes for ntru_to_sves() */ if (!ntru_to_sves(&cmtrin, (uint8_t*)&cM) && retcode==NTRU_SUCCESS) retcode = NTRU_ERR_INVALID_ENCODING; uint8_t cb[blen]; uint8_t *cM_head = cM; memcpy(cb, cM_head, blen); cM_head += blen; uint8_t cl = *cM_head; /* llen=1, so read one byte */ cM_head++; if (cl > max_len_bytes) { if (retcode == NTRU_SUCCESS) retcode = NTRU_ERR_MSG_TOO_LONG; cl = max_len_bytes; /* prevent buffer overrun in memcpy below */ } memcpy(dec, cM_head, cl); cM_head += cl; uint8_t *i; for (i=cM_head; i<cM+cM_len_bytes; i++) if (*i && retcode==NTRU_SUCCESS) retcode = NTRU_ERR_NO_ZERO_PAD; uint16_t sdata_len = sizeof(params->oid) + cl + blen + db/8; uint8_t sdata[sdata_len]; ntru_get_seed(dec, cl, &kp->pub.h, (uint8_t*)&cb, params, (uint8_t*)&sdata); NtruPrivPoly cr; ntru_gen_blind_poly((uint8_t*)&sdata, sdata_len, params, &cr); NtruIntPoly cR_prime; ntru_mult_priv(&cr, &kp->pub.h, &cR_prime, q-1); if (!ntru_equals_int(&cR_prime, &cR) && retcode==NTRU_SUCCESS) retcode = NTRU_ERR_INVALID_ENCODING; *dec_len = cl; return retcode; }