int pq_gen_key( PQ_PARAM_SET *P, size_t *privkey_blob_len, unsigned char *privkey_blob, size_t *pubkey_blob_len, unsigned char *pubkey_blob) { uint16_t i; uint16_t m; uint16_t N; uint16_t padN; int64_t q; int8_t p; uint16_t d1; uint16_t d2; uint16_t d3; size_t private_key_blob_len; size_t public_key_blob_len; uint16_t *f; uint16_t *g; int64_t *h; size_t scratch_len; size_t offset; unsigned char *scratch; int64_t *a1; int64_t *a2; int64_t *tmpx3; if(!P || !privkey_blob_len || !pubkey_blob_len) { return PQNTRU_ERROR; } N = P->N; padN = P->padded_N; q = P->q; p = P->p; d1 = P->d1; d2 = P->d2; d3 = P->d3; /* TODO: Standardize packed key formats */ private_key_blob_len = PRIVKEY_PACKED_BYTES(P); public_key_blob_len = PUBKEY_PACKED_BYTES(P); if(!privkey_blob || !pubkey_blob) { if(!privkey_blob && privkey_blob_len != NULL) { *privkey_blob_len = private_key_blob_len; } if(!pubkey_blob && pubkey_blob_len != NULL) { *pubkey_blob_len = public_key_blob_len; } return PQNTRU_OK; } if((*privkey_blob_len != private_key_blob_len) || (*pubkey_blob_len != public_key_blob_len)) { return PQNTRU_ERROR; } scratch_len = 2 * PRODUCT_FORM_BYTES(P) + 6 * POLYNOMIAL_BYTES(P); if(!(scratch = malloc(scratch_len))) { return PQNTRU_ERROR; } memset(scratch, 0, scratch_len); offset = 0; f = (uint16_t*)(scratch); offset += PRODUCT_FORM_BYTES(P); g = (uint16_t*)(scratch + offset); offset += PRODUCT_FORM_BYTES(P); h = (int64_t*)(scratch + offset); offset += POLYNOMIAL_BYTES(P); a1 = (int64_t*)(scratch + offset); offset += POLYNOMIAL_BYTES(P); a2 = (int64_t*)(scratch + offset); offset += POLYNOMIAL_BYTES(P); tmpx3 = (int64_t*)(scratch + offset); /* Find invertible pf mod q */ /* TODO: Better sampling of product form keys * Try to avoid keys with f(1) = 0 */ do { pol_gen_product(f, d1, d2, d3, N); /* f = p * (1 + product form poly) */ memset(a1, 0, POLYNOMIAL_BYTES(P)); a1[0] = p; pol_mul_product(a1, a1, d1, d2, d3, f, N, tmpx3); a1[0] += p; } while(PQNTRU_ERROR == pol_inv_mod2(a2, a1, N)); /* Lift from (Z/2Z)[X]/(X^N - 1) to (Z/qZ)[X]/(X^N -1) */ for (m = 0; m < 5; ++m) /* assumes 2^16 < q <= 2^32 */ { /* a^-1 = a^-1 * (2 - a * a^-1) mod q */ pol_mul_product(a1, a2, d1, d2, d3, f, N, tmpx3); for (i = 0; i < N; ++i) { a1[i] = -p*(a1[i] + a2[i]); } a1[0] = a1[0] + 2; pol_mul_coefficients(a2, a2, a1, N, padN, q, tmpx3); } /* Find invertible g mod p */ do { /* Generate product form g, * then expand it to find inverse mod p */ pol_gen_product(g, d1, d2, d3, N); memset(a1, 0, POLYNOMIAL_BYTES(P)); a1[0] = 1; pol_mul_product(a1, a1, d1, d2, d3, g, N, tmpx3); a1[0] += 1; } while(PQNTRU_ERROR == pol_inv_modp(tmpx3, a1, N, p)); pack_private_key(P, f, g, tmpx3, private_key_blob_len, privkey_blob); /* Calculate public key, h = g/f mod q */ pol_mul_product(h, a2, d1, d2, d3, g, N, tmpx3); for(i=0; i<N; i++) { h[i] = cmod(h[i] + a2[i], q); } /* int j; for (i=0; i<d1; i++) { for (j=d1; j<2*d1; j++) { if (f[i] == f[j]) { printf("stupid key f: %d, %d, %d!\n", i, j, f[i]); break; } if (g[i] == g[j]) { printf("stupid key g: %d, %d, %d!\n", i, j, g[i]); break; } } } for (i=2*d1; i<2*d1+d2; i++) { for (j=2*d1+d2; j<2*(d1+d2); j++) { if (f[i] == f[j]) { printf("stupid key f: %d, %d, %d!\n", i, j, f[i]); break; } if (g[i] == g[j]) { printf("stupid key g: %d, %d, %d!\n", i, j, g[i]); break; } } } for (i=2*(d1+d2); i<2*(d1+d2)+d3; i++) { for (j=2*(d1+d2)+d3; j<2*(d1+d2+d3); j++) { if (f[i] == f[j]) { printf("stupid key f: %d, %d, %d!\n", i, j, f[i]); break; } if (g[i] == g[j]) { printf("stupid key g: %d, %d, %d!\n", i, j, g[i]); break; } } }*/ pack_public_key(P, h, public_key_blob_len, pubkey_blob); shred(scratch, scratch_len); free(scratch); return PQNTRU_OK; }
static int testKeyGen(PQ_PARAM_SET_ID id) { uint16_t i; uint16_t j; PQ_PARAM_SET *P; size_t privkey_blob_len; size_t pubkey_blob_len; unsigned char *privkey_blob; unsigned char *pubkey_blob; unsigned char *scratch; size_t scratch_len; int rc; if(!(P = pq_get_param_set_by_id(id))) { return -1; } size_t prod = 2*(P->d1 + P->d2 + P->d3)*sizeof(uint16_t); size_t full = POLYNOMIAL_BYTES(P); scratch_len = 2*prod + 6*full; scratch = malloc(scratch_len); size_t offset = 0; uint16_t *f = (uint16_t*)(scratch); offset += prod; uint16_t *g = (uint16_t*)(scratch+offset); offset += prod; int64_t *ginv = (int64_t*)(scratch+offset); offset += full; int64_t *h = (int64_t*)(scratch+offset); offset += full; int64_t *a1 = (int64_t*)(scratch+offset); offset += full; int64_t *a2 = (int64_t*)(scratch+offset); offset += 3*full; for(i=0; i<TIMES; i++) { memset(scratch, 0, scratch_len); /* Generate a key */ pq_gen_key(P, &privkey_blob_len, NULL, &pubkey_blob_len, NULL); privkey_blob = malloc(privkey_blob_len); pubkey_blob = malloc(pubkey_blob_len); if(PQNTRU_ERROR == pq_gen_key(P, &privkey_blob_len, privkey_blob, &pubkey_blob_len, pubkey_blob)) { fprintf(stderr, "\t fail in keygen\n"); } /* Unpack the key */ rc = unpack_private_key(P, f, g, ginv, privkey_blob_len, privkey_blob); if(PQNTRU_ERROR == rc) { printf("Private key unpack error\n"); return -1; } rc = unpack_public_key(P, h, pubkey_blob_len, pubkey_blob); if(PQNTRU_ERROR == rc) { printf("Public key unpack error\n"); return -1; } /* Multiply h by f mod q, should have g in a1 */ pol_mul_product(a1, h, P->d1, P->d2, P->d3, f, P->N, a2); for(j=0; j<P->N; j++) { a1[j] = cmod(P->p * (h[j] + a1[j]), P->q); } /* Multiply a1 by g inverse mod p, should have 1 in a2 */ pol_mul_coefficients(a2, a1, ginv, P->N, P->padded_N, P->p, a2); for(j=1; j<P->N; j++) { if(a2[0] != 1 || a2[j] != 0) { fprintf(stderr, "\t bad key"); free(privkey_blob); free(pubkey_blob); free(scratch); return -1; } } free(privkey_blob); free(pubkey_blob); } free(scratch); return 0; }
int pq_sign( size_t *packed_sig_len, unsigned char *packed_sig, const size_t private_key_len, const unsigned char *private_key_blob, const size_t public_key_len, const unsigned char *public_key_blob, const size_t msg_len, const unsigned char *msg) { uint16_t i; int error = 0; uint16_t N; uint16_t padN; int64_t q; int8_t p; uint16_t d1; uint16_t d2; uint16_t d3; int64_t m; size_t scratch_len; unsigned char *scratch; size_t offset; uint16_t *f; /* Private key product form f indices */ uint16_t *g; /* .. product form g indices */ int64_t *ginv; /* Private key; coefficients of g^{-1} */ int64_t *h; /* Public key coefficients */ int64_t *s0; /* scratch space for random lattice point */ int64_t *t0; int64_t *a; /* scratch space for 3 polynomials */ int64_t *tmpx2;/* scratch space for 2 polynomials (aliased by a) */ int8_t *sp; /* Document hash */ int8_t *tp; PQ_PARAM_SET *P; int rc = PQNTRU_OK; if(!private_key_blob || !public_key_blob || !packed_sig_len) { return PQNTRU_ERROR; } rc = get_blob_params(&P, private_key_len, private_key_blob); if(PQNTRU_ERROR == rc) { return PQNTRU_ERROR; } if(!packed_sig) /* Return signature size in packed_sig_len */ { *packed_sig_len = SIGNATURE_BYTES(P); return PQNTRU_OK; } if(!msg || msg_len == 0) { return PQNTRU_ERROR; } N = P->N; padN = P->padded_N; q = P->q; p = P->p; d1 = P->d1; d2 = P->d2; d3 = P->d3; scratch_len = 2 * PRODUCT_FORM_BYTES(P) /* f and g */ + 7 * POLYNOMIAL_BYTES(P) /* h, ginv, and 5 scratch polys */ + 2 * N; /* sp, tp */ if(!(scratch = malloc(scratch_len))) { return PQNTRU_ERROR; } memset(scratch, 0, scratch_len); offset = 0; f = (uint16_t*)(scratch); offset += PRODUCT_FORM_BYTES(P); g = (uint16_t*)(scratch + offset); offset += PRODUCT_FORM_BYTES(P); h = (int64_t*)(scratch + offset); offset += POLYNOMIAL_BYTES(P); ginv = (int64_t*)(scratch + offset); offset += POLYNOMIAL_BYTES(P); s0 = (int64_t*)(scratch + offset); offset += POLYNOMIAL_BYTES(P); t0 = (int64_t*)(scratch + offset); offset += POLYNOMIAL_BYTES(P); /* a is treated as 3 polynomials, aliases tmpx2 */ a = (int64_t*)(scratch + offset); offset += POLYNOMIAL_BYTES(P); tmpx2= (int64_t*)(scratch + offset); offset += 2* POLYNOMIAL_BYTES(P); sp = (int8_t*)(scratch + offset); offset += N; tp = (int8_t*)(scratch + offset); /* Unpack the keys */ rc = unpack_private_key(P, f, g, ginv, private_key_len, private_key_blob); if(PQNTRU_ERROR == rc) { shred(scratch, scratch_len); free(scratch); return PQNTRU_ERROR; } rc = unpack_public_key(P, h, public_key_len, public_key_blob); if(PQNTRU_ERROR == rc) { shred(scratch, scratch_len); free(scratch); return PQNTRU_ERROR; } /* Generate a document hash to sign */ challenge(sp, tp, public_key_len, public_key_blob, msg_len, msg); int64_t *t = (int64_t *)malloc(N*sizeof(int64_t)); int64_t *s = (int64_t *)malloc(N*sizeof(int64_t)); do { error = 0; /* Choose random s0 satisfying s0 = sp (mod p) */ pol_unidrnd_pZ(s0, N, q, p); for(i=0; i<N; i++) { s0[i] += sp[i]; } /* Load h into a zero padded polynomial */ memcpy(t0, h, N*sizeof(int64_t)); /* t0 = h*s0 */ pol_mul_coefficients(t0, t0, s0, N, padN, q, a); /* t0 = tp - (s0*h) */ for(i=0; i<N; i++) { t0[i] *= -1; t0[i] += tp[i]; } /* a = ginv * (tp - t0) (mod p) */ pol_mul_coefficients(a, t0, ginv, N, padN, p, a); /* tmpx2 = a * F = (a * (f-1)/p) */ pol_mul_product(tmpx2, a, d1, d2, d3, f, N, tmpx2); for(i=0; i<N; i++) { m = p * (a[i] + tmpx2[i]); error |= (m > P->B_s) || (-m > P->B_s); s[i] = m; /* s0 = s0 + p*(a + tmpx2) = s0 + a*f */ s0[i] += m; error |= (cmod(s0[i], p) - sp[i]); /* Not necessary to check this */ error |= (s0[i] > P->norm_bound_s) || (-s0[i] > P->norm_bound_s); } /* tmpx2 = a * G = (a * (g - 1)) */ pol_mul_product(tmpx2, a, d1, d2, d3, g, N, tmpx2); for(i=0; i<N; i++) { m = (a[i] + tmpx2[i]); error |= (m > P->B_t) || (-m > P->B_t); t[i] = m; /* t0 = (a + tmpx2) - t0 + tp = a*g - tp + s0*h + tp = s0*h + a*g */ t0[i] = m - t0[i] + tp[i]; error |= (cmod(t0[i], p) - tp[i]); /* Not necessary to check this */ error |= (t0[i] > P->norm_bound_t) || (-t0[i] > P->norm_bound_t) ; } // attempts ++; } while(0 != error); for (i=0; i<N; i++) { if (s[i] > P->B_s || -s[i] > P->B_s) printf("s\tholy shit\n"); if (t[i] > P->B_t || -t[i] > P->B_t) printf("t\tholy shit\n"); } for(i=0; i<N; i++) { s0[i] = (s0[i] - sp[i])/P->p; s0[i] += P->q / (2*P->p); } pack_signature(P, s0, *packed_sig_len, packed_sig); shred(scratch, scratch_len); free(scratch); return PQNTRU_OK; }