uint8_t ntru_gen_key_pair_single(const NtruEncParams *params, NtruEncPrivKey *priv, NtruEncPubKey *pub, NtruIntPoly *fq, NtruRandContext *rand_ctx) {
uint16_t N = params->N;
uint16_t q = params->q;
uint16_t df1 = params->df1;
#ifndef NTRU_AVOID_HAMMING_WT_PATENT
uint16_t df2 = params->df2;
uint16_t df3 = params->df3;
#endif /* NTRU_AVOID_HAMMING_WT_PATENT */
if (q & (q-1)) /* check that modulus is a power of 2 */
return NTRU_ERR_INVALID_PARAM;
/* choose a random f that is invertible mod q */
#ifndef NTRU_AVOID_HAMMING_WT_PATENT
if (params->prod_flag) {
NtruPrivPoly *t = &priv->t;
t->prod_flag = 1;
t->poly.prod.N = N;
priv->q = q;
for (;;) {
/* choose random t, find the inverse of 3t+1 */
if (!ntru_rand_prod(N, df1, df2, df3, df3, &t->poly.prod, rand_ctx))
return NTRU_ERR_PRNG;
if (ntru_invert(t, q-1, fq))
break;
}
}
else
#endif /* NTRU_AVOID_HAMMING_WT_PATENT */
{
NtruPrivPoly *t = &priv->t;
t->prod_flag = 0;
priv->q = q;
for (;;) {
/* choose random t, find the inverse of 3t+1 */
if (!ntru_rand_tern(N, df1, df1, &t->poly.tern, rand_ctx))
return NTRU_ERR_PRNG;
if (ntru_invert(t, q-1, fq))
break;
}
}
/* choose a random g */
NtruPrivPoly g;
uint8_t result = ntru_gen_g(params, &g, rand_ctx);
if (result != NTRU_SUCCESS)
return result;
NtruIntPoly *h = &pub->h;
if (!ntru_mult_priv(&g, fq, h, q-1))
return NTRU_ERR_INVALID_PARAM;
ntru_mult_fac(h, 3);
ntru_mod_mask(h, q-1);
ntru_clear_priv(&g);
pub->q = q;
return NTRU_SUCCESS;
}
void decrypt_poly(NtruIntPoly *e, NtruEncPrivKey *priv, NtruIntPoly *d, uint16_t modulus) {
#ifndef NTRU_AVOID_HAMMING_WT_PATENT
if (priv->t.prod_flag)
ntru_mult_prod(e, &priv->t.poly.prod, d, modulus-1);
else
#endif /* NTRU_AVOID_HAMMING_WT_PATENT */
ntru_mult_tern(e, &priv->t.poly.tern, d, modulus-1);
ntru_mod_mask(d, modulus-1);
ntru_mult_fac(d, 3);
ntru_add_int(d, e);
ntru_mod_center(d, modulus);
ntru_mod3(d);
uint16_t i;
for (i=0; i<d->N; i++)
if (d->coeffs[i] == 2)
d->coeffs[i] = -1;
}
uint8_t ntru_gen_pub(const NtruEncParams *params, NtruEncPrivKey *priv, NtruEncPubKey *pub, NtruRandContext *rand_ctx) {
ntru_set_optimized_impl();
uint16_t q = params->q;
NtruIntPoly fq;
if (!ntru_invert(&priv->t, q-1, &fq))
return NTRU_ERR_INVALID_KEY;
NtruIntPoly *h = &pub->h;
NtruPrivPoly g;
uint8_t result = ntru_gen_g(params, &g, rand_ctx);
if (result != NTRU_SUCCESS)
return result;
if (!ntru_mult_priv(&g, &fq, h, q-1))
return NTRU_ERR_INVALID_PARAM;
ntru_clear_int(&fq);
ntru_mult_fac(h, 3);
ntru_mod_mask(h, q-1);
pub->q = q;
return NTRU_SUCCESS;
}
uint8_t ntru_gen_key_pair_multi(const NtruEncParams *params, NtruEncPrivKey *priv, NtruEncPubKey *pub, NtruRandContext *rand_ctx, uint32_t num_pub) {
ntru_set_optimized_impl();
uint16_t q = params->q;
NtruIntPoly fq;
uint8_t result = ntru_gen_key_pair_single(params, priv, pub, &fq, rand_ctx);
if (result != NTRU_SUCCESS)
return result;
uint32_t i;
for (i=1; i<num_pub; i++) {
NtruIntPoly *h = &pub[i].h;
NtruPrivPoly g;
result = ntru_gen_g(params, &g, rand_ctx);
if (result != NTRU_SUCCESS)
return result;
if (!ntru_mult_priv(&g, &fq, h, q-1))
return NTRU_ERR_INVALID_PARAM;
ntru_mult_fac(h, 3);
ntru_mod_mask(h, q-1);
pub[i].q = q;
}
ntru_clear_int(&fq);
return result;
}
void encrypt_poly(NtruIntPoly *m, NtruTernPoly *r, NtruIntPoly *h, NtruIntPoly *e, uint16_t q) {
ntru_mult_tern(h, r, e, q);
ntru_add_int(e, m);
ntru_mod_mask(e, q-1);
}
uint8_t ntru_decrypt(uint8_t *enc, NtruEncKeyPair *kp, const NtruEncParams *params, uint8_t *dec, uint16_t *dec_len) {
ntru_set_optimized_impl();
uint16_t N = params->N;
uint16_t q = params->q;
uint16_t db = params->db;
uint16_t max_len_bytes = ntru_max_msg_len(params);
uint16_t dm0 = params->dm0;
if (q & (q-1)) /* check that modulus is a power of 2 */
return NTRU_ERR_INVALID_PARAM;
if (max_len_bytes > 255)
return NTRU_ERR_INVALID_MAX_LEN;
uint16_t blen = db / 8;
uint8_t retcode = NTRU_SUCCESS;
NtruIntPoly e;
ntru_from_arr(enc, N, q, &e);
NtruIntPoly ci;
ntru_decrypt_poly(&e, &kp->priv, q, &ci);
if (!ntru_check_rep_weight(&ci, dm0) && retcode==NTRU_SUCCESS)
retcode = NTRU_ERR_DM0_VIOLATION;
NtruIntPoly cR = e;
ntru_sub(&cR, &ci);
ntru_mod_mask(&cR, q-1);
uint16_t coR4_len = (N*2+7) / 8;
uint8_t coR4[coR4_len];
ntru_to_arr4(&cR, (uint8_t*)&coR4);
NtruIntPoly mask;
ntru_MGF((uint8_t*)&coR4, coR4_len, params, &mask);
NtruIntPoly cmtrin = ci;
ntru_sub(&cmtrin, &mask);
ntru_mod3(&cmtrin);
uint16_t cM_len_bits = (N*3+1) / 2;
uint16_t cM_len_bytes = (cM_len_bits+7) / 8;
uint8_t cM[cM_len_bytes+3]; /* 3 extra bytes for ntru_to_sves() */
if (!ntru_to_sves(&cmtrin, (uint8_t*)&cM) && retcode==NTRU_SUCCESS)
retcode = NTRU_ERR_INVALID_ENCODING;
uint8_t cb[blen];
uint8_t *cM_head = cM;
memcpy(cb, cM_head, blen);
cM_head += blen;
uint8_t cl = *cM_head; /* llen=1, so read one byte */
cM_head++;
if (cl > max_len_bytes) {
if (retcode == NTRU_SUCCESS)
retcode = NTRU_ERR_MSG_TOO_LONG;
cl = max_len_bytes; /* prevent buffer overrun in memcpy below */
}
memcpy(dec, cM_head, cl);
cM_head += cl;
uint8_t *i;
for (i=cM_head; i<cM+cM_len_bytes; i++)
if (*i && retcode==NTRU_SUCCESS)
retcode = NTRU_ERR_NO_ZERO_PAD;
uint16_t sdata_len = sizeof(params->oid) + cl + blen + db/8;
uint8_t sdata[sdata_len];
ntru_get_seed(dec, cl, &kp->pub.h, (uint8_t*)&cb, params, (uint8_t*)&sdata);
NtruPrivPoly cr;
ntru_gen_blind_poly((uint8_t*)&sdata, sdata_len, params, &cr);
NtruIntPoly cR_prime;
ntru_mult_priv(&cr, &kp->pub.h, &cR_prime, q-1);
if (!ntru_equals_int(&cR_prime, &cR) && retcode==NTRU_SUCCESS)
retcode = NTRU_ERR_INVALID_ENCODING;
*dec_len = cl;
return retcode;
}
