Implemented ntru_private_key class
authorAndreas Steffen <andreas.steffen@strongswan.org>
Tue, 18 Mar 2014 09:03:16 +0000 (10:03 +0100)
committerAndreas Steffen <andreas.steffen@strongswan.org>
Tue, 18 Mar 2014 09:03:16 +0000 (10:03 +0100)
15 files changed:
src/libstrongswan/plugins/ntru/Makefile.am
src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto.h
src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_encrypt.c
src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_encrypt_key.c
src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_encrypt_key.h
src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_poly.c
src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_poly.h
src/libstrongswan/plugins/ntru/ntru_ke.c
src/libstrongswan/plugins/ntru/ntru_param_set.c
src/libstrongswan/plugins/ntru/ntru_param_set.h
src/libstrongswan/plugins/ntru/ntru_private_key.c [new file with mode: 0644]
src/libstrongswan/plugins/ntru/ntru_private_key.h [new file with mode: 0644]
src/libstrongswan/plugins/ntru/ntru_public_key.c [new file with mode: 0644]
src/libstrongswan/plugins/ntru/ntru_public_key.h [new file with mode: 0644]
src/libstrongswan/tests/suites/test_ntru.c

index d5bf8b9..fec2a70 100644 (file)
@@ -17,6 +17,8 @@ libstrongswan_ntru_la_SOURCES = \
        ntru_mgf1.h ntru_mgf1.c \
        ntru_param_set.h ntru_param_set.c \
        ntru_poly.h ntru_poly.c \
+       ntru_public_key.h ntru_public_key.c \
+       ntru_private_key.h ntru_private_key.c \
        ntru_trits.h ntru_trits.c \
        ntru_crypto/ntru_crypto.h \
        ntru_crypto/ntru_crypto_ntru_convert.h \
index 677b6d0..33a7e96 100644 (file)
@@ -113,102 +113,4 @@ ntru_crypto_ntru_encrypt(
                                                  no. of octets in ciphertext */
     uint8_t        *ct);             /*    out - address for ciphertext */
 
-
-/* ntru_crypto_ntru_decrypt
- *
- * Implements NTRU decryption (SVES) for the parameter set specified in
- * the private key blob.
- *
- * The maximum size of the output plaintext may be queried by invoking
- * this function with pt = NULL.  In this case, no decryption is performed,
- * NTRU_OK is returned, and the maximum size the plaintext could be is
- * returned in pt_len.
- * Note that until the decryption is performed successfully, the actual size
- * of the resulting plaintext cannot be known.
- *
- * When pt != NULL, at invocation *pt_len must be the size of the pt buffer.
- * Upon return it is the actual size of the plaintext.
- *
- * Returns NTRU_OK if successful.
- * Returns NTRU_BAD_PARAMETER if an argument pointer (other than pt) is NULL.
- * Returns NTRU_BAD_LENGTH if a length argument (privkey_blob) is zero, or if
- *  ct_len is invalid for the parameter set.
- * Returns NTRU_BAD_PRIVATE_KEY if the private-key blob is invalid
- *  (unknown format, corrupt, bad length).
- * Returns NTRU_BUFFER_TOO_SMALL if the plaintext buffer is too small.
- * Returns NTRU_NO_MEMORY if memory needed cannot be allocated from the heap.
- * Returns NTRU_FAIL if a decryption error occurs.
- */
-
-NTRUCALL
-ntru_crypto_ntru_decrypt(
-    uint16_t       privkey_blob_len, /*     in - no. of octets in private key
-                                                 blob */
-    uint8_t const *privkey_blob,     /*     in - pointer to private key */
-    uint16_t       ct_len,           /*     in - no. of octets in ciphertext */
-    uint8_t const *ct,               /*     in - pointer to ciphertext */
-    uint16_t      *pt_len,           /* in/out - no. of octets in pt, addr for
-                                                 no. of octets in plaintext */
-    uint8_t       *pt);              /*    out - address for plaintext */
-
-
-/* ntru_crypto_ntru_encrypt_keygen
- *
- * Implements key generation for NTRUEncrypt for the parameter set specified.
- *
- * Before invoking this function, a DRBG must be instantiated using
- * ntru_crypto_drbg_instantiate() to obtain a DRBG handle, and in that
- * instantiation the requested security strength must be at least as large
- * as the security strength of the NTRU parameter set being used.
- * Failure to instantiate the DRBG with the proper security strength will
- * result in this function returning NTRU_DRBG_FAIL.
- *
- * The required minimum size of the output public-key buffer (pubkey_blob)
- * may be queried by invoking this function with pubkey_blob = NULL.
- * In this case, no key generation is performed, NTRU_OK is returned, and
- * the required minimum size for pubkey_blob is returned in pubkey_blob_len.
- *
- * The required minimum size of the output private-key buffer (privkey_blob)
- * may be queried by invoking this function with privkey_blob = NULL.
- * In this case, no key generation is performed, NTRU_OK is returned, and
- * the required minimum size for privkey_blob is returned in privkey_blob_len.
- *
- * The required minimum sizes of both pubkey_blob and privkey_blob may be
- * queried as described above, in a single invocation of this function.
- *
- * When pubkey_blob != NULL and privkey_blob != NULL, at invocation
- * *pubkey_blob_len must be the size of the pubkey_blob buffer and
- * *privkey_blob_len must be the size of the privkey_blob buffer.
- * Upon return, *pubkey_blob_len is the actual size of the public-key blob
- * and *privkey_blob_len is the actual size of the private-key blob.
- *
- * Returns NTRU_OK if successful.
- * Returns NTRU_BAD_PARAMETER if an argument pointer (other than pubkey_blob
- * or privkey_blob) is NULL.
- * Returns NTRU_INVALID_PARAMETER_SET if the parameter-set ID is invalid.
- * Returns NTRU_BAD_LENGTH if a length argument is invalid.
- * Returns NTRU_BUFFER_TOO_SMALL if either the pubkey_blob buffer or the
- *  privkey_blob buffer is too small.
- * Returns NTRU_NO_MEMORY if memory needed cannot be allocated from the heap.
- * Returns NTRU_FAIL if the polynomial generated for f is not invertible in
- *  (Z/qZ)[X]/(X^N - 1), which is extremely unlikely.
- *  Should this occur, this function should simply be invoked again.
- */
-
-NTRUCALL
-ntru_crypto_ntru_encrypt_keygen(
-    ntru_drbg_t               *drbg,             /*     in - handle of DRBG */
-    ntru_param_set_id_t        param_set_id,     /*     in - parameter set ID */
-    uint16_t                  *pubkey_blob_len,  /* in/out - no. of octets in
-                                                             pubkey_blob, addr
-                                                             for no. of octets
-                                                             in pubkey_blob */
-    uint8_t                   *pubkey_blob,      /*    out - address for
-                                                             public key blob */
-    uint16_t                  *privkey_blob_len, /* in/out - no. of octets in
-                                                             privkey_blob, addr
-                                                             for no. of octets
-                                                             in privkey_blob */
-    uint8_t                   *privkey_blob);    /*    out - address for
-                                                             private key blob */
 #endif /* NTRU_CRYPTO_H */
index 8ebcf2c..0189123 100644 (file)
@@ -97,7 +97,7 @@ ntru_crypto_ntru_encrypt(
     uint32_t                dr2 = 0;
     uint32_t                dr3 = 0;
     uint16_t                ring_mult_tmp_len;
-    int16_t                 m1 = 0;
+    int16_t                 m1;
     uint16_t               *scratch_buf = NULL;
     uint16_t               *ringel_buf = NULL;
     uint8_t                *b_buf = NULL;
@@ -243,7 +243,7 @@ ntru_crypto_ntru_encrypt(
                        uint16_t pubkey_packed_len;
 
                        /* unpack the public key */
-                       assert(pubkey_pack_type == NTRU_ENCRYPT_KEY_PACKED_COEFFICIENTS);
+                       assert(pubkey_pack_type == NTRU_KEY_PACKED_COEFFICIENTS);
                        pubkey_packed_len = (params->N * params->q_bits + 7) >> 3;
                        ntru_octets_2_elements(pubkey_packed_len, pubkey_packed,
                                                                   params->q_bits, ringel_buf);
@@ -302,6 +302,7 @@ ntru_crypto_ntru_encrypt(
                        /* form the msg representative m' by adding Mtrin to mask, mod p */
                        if (params->is_product_form)
                        {
+                               m1 = 0;
                                for (i = 0; i < mprime_len; i++)
                                {
                                        tmp_buf[i] = mask_trits[i] + Mtrin_buf[i];
@@ -342,7 +343,6 @@ ntru_crypto_ntru_encrypt(
             else
                 msg_rep_good = ntru_poly_check_min_weight(mprime_len, tmp_buf,
                                                        params->min_msg_rep_wt);
-            msg_rep_good = TRUE;
         }
     } while ((result == NTRU_OK) && !msg_rep_good);
 
@@ -372,661 +372,3 @@ ntru_crypto_ntru_encrypt(
     
        return result;
 }
-
-
-/* ntru_crypto_ntru_decrypt
- *
- * Implements NTRU decryption (SVES) for the parameter set specified in
- * the private key blob.
- *
- * The maximum size of the output plaintext may be queried by invoking
- * this function with pt = NULL.  In this case, no decryption is performed,
- * NTRU_OK is returned, and the maximum size the plaintext could be is
- * returned in pt_len.
- * Note that until the decryption is performed successfully, the actual size
- * of the resulting plaintext cannot be known.
- *
- * When pt != NULL, at invocation *pt_len must be the size of the pt buffer.
- * Upon return it is the actual size of the plaintext.
- *
- * Returns NTRU_OK if successful.
- * Returns NTRU_BAD_PARAMETER if an argument pointer (other than pt) is NULL.
- * Returns NTRU_BAD_LENGTH if a length argument (privkey_blob) is zero, or if
- *  ct_len is invalid for the parameter set.
- * Returns NTRU_BAD_PRIVATE_KEY if the private-key blob is invalid
- *  (unknown format, corrupt, bad length).
- * Returns NTRU_BUFFER_TOO_SMALL if the plaintext buffer is too small.
- * Returns NTRU_NO_MEMORY if memory needed cannot be allocated from the heap.
- * Returns NTRU_FAIL if a decryption error occurs.
- */
-
-uint32_t
-ntru_crypto_ntru_decrypt(
-    uint16_t       privkey_blob_len, /*     in - no. of octets in private key
-                                                 blob */
-    uint8_t const *privkey_blob,     /*     in - pointer to private key */
-    uint16_t       ct_len,           /*     in - no. of octets in ciphertext */
-    uint8_t const *ct,               /*     in - pointer to ciphertext */
-    uint16_t      *pt_len,           /* in/out - no. of octets in pt, addr for
-                                                 no. of octets in plaintext */
-    uint8_t       *pt)               /*    out - address for plaintext */
-{
-    ntru_param_set_t       *params = NULL;
-    uint8_t const          *privkey_packed = NULL;
-    uint8_t const          *pubkey_packed = NULL;
-    uint8_t                 privkey_pack_type = 0x00;
-    uint8_t                 pubkey_pack_type = 0x00;
-    size_t                  scratch_buf_len;
-    uint32_t                dF_r;
-    uint32_t                dF_r1 = 0;
-    uint32_t                dF_r2 = 0;
-    uint32_t                dF_r3 = 0;
-    uint16_t                ring_mult_tmp_len;
-    int16_t                 m1 = 0;
-    uint16_t               *scratch_buf = NULL;
-    uint16_t               *ringel_buf1 = NULL;
-    uint16_t               *ringel_buf2 = NULL;
-    uint16_t               *i_buf = NULL;
-    uint8_t                *m_buf = NULL;
-    uint8_t                *tmp_buf = NULL;
-    uint8_t                *Mtrin_buf = NULL;
-    uint8_t                *M_buf = NULL;
-    uint8_t                *ptr = NULL;
-    hash_algorithm_t        hash_algid;
-    uint16_t                cmprime_len;
-    uint16_t                mod_q_mask;
-    uint16_t                q_mod_p;
-    uint16_t                cm_len = 0;
-    uint16_t                num_zeros;
-    uint16_t                i;
-    bool                    decryption_ok = TRUE;
-    uint32_t                result = NTRU_OK;
-       ntru_trits_t           *mask;
-       uint8_t                *mask_trits;
-       chunk_t                 seed;
-       ntru_poly_t                        *F_poly, *r_poly;
-
-       /* check for bad parameters */
-       if (!privkey_blob || !ct || !pt_len)
-       {
-               return NTRU_BAD_PARAMETER;
-       }
-       if ((privkey_blob_len == 0) || (ct_len == 0))
-       {
-               return NTRU_BAD_LENGTH;
-       }
-
-    /* get a pointer to the parameter-set parameters, the packing types for
-     * the public and private keys, and pointers to the packed public and
-     * private keys
-     */
-
-       if (!ntru_crypto_ntru_encrypt_key_parse(FALSE /* privkey */,
-                                            privkey_blob_len,
-                                            privkey_blob, &pubkey_pack_type,
-                                            &privkey_pack_type, &params,
-                                            &pubkey_packed, &privkey_packed))
-       {
-               return NTRU_BAD_PRIVATE_KEY;
-       }
-
-    /* return the max plaintext size if requested */
-
-       if (!pt)
-       {
-        *pt_len = params->m_len_max;
-               return NTRU_OK;
-    }
-
-    /* cannot check the plaintext buffer size until after the plaintext
-     * is derived, if we allow plaintext buffers only as large as the
-     * actual plaintext
-     */
-
-    /* check the ciphertext length */
-
-       if (ct_len != (params->N * params->q_bits + 7) >> 3)
-       {
-               return NTRU_BAD_LENGTH;
-       }
-
-    /* allocate memory for all operations */
-
-       if (params->is_product_form)
-       {
-        ring_mult_tmp_len = params->N << 1; /* 2N 16-bit word buffer */
-        dF_r1 =  params->dF_r & 0xff;
-        dF_r2 = (params->dF_r >>  8) & 0xff;
-        dF_r3 = (params->dF_r >> 16) & 0xff;
-        dF_r = dF_r1 + dF_r2 + dF_r3;
-    } else {
-        ring_mult_tmp_len = params->N;      /* N 16-bit word buffer */
-        dF_r = params->dF_r;
-    }
-    scratch_buf_len = (ring_mult_tmp_len << 1) +
-                                            /* X-byte temp buf for ring mult and
-                                                other intermediate results */
-                      (params->N << 2) +    /* 2 2N-byte bufs for ring elements
-                                                and overflow from temp buffer */
-                      (dF_r << 2) +         /* buffer for F, r indices */
-                      params->m_len_max;    /* buffer for plaintext */
-    scratch_buf = malloc(scratch_buf_len);
-       if (!scratch_buf)
-       {
-               return NTRU_OUT_OF_MEMORY;
-    }
-    ringel_buf1 = scratch_buf + ring_mult_tmp_len;
-    ringel_buf2 = ringel_buf1 + params->N;
-    i_buf = ringel_buf2 + params->N;
-    m_buf = (uint8_t *)(i_buf + (dF_r << 1));
-    tmp_buf = (uint8_t *)scratch_buf;
-    Mtrin_buf = (uint8_t *)ringel_buf1;
-    M_buf = Mtrin_buf + params->N;
-
-       /* set hash algorithm based on security strength */
-       hash_algid = (params->sec_strength_len <= 20) ? HASH_SHA1 : HASH_SHA256;
-
-    /* set constants */
-    mod_q_mask = params->q - 1;
-    q_mod_p = params->q % 3;
-
-    /* unpack the ciphertext */
-    ntru_octets_2_elements(ct_len, ct, params->q_bits, ringel_buf2);
-
-    /* unpack the private key */
-    if (privkey_pack_type == NTRU_ENCRYPT_KEY_PACKED_TRITS)
-       {
-        ntru_packed_trits_2_indices(privkey_packed, params->N, i_buf,
-                                    i_buf + dF_r);
-
-    }
-       else if (privkey_pack_type == NTRU_ENCRYPT_KEY_PACKED_INDICES)
-       {
-        ntru_octets_2_elements(
-                (((uint16_t)dF_r << 1) * params->N_bits + 7) >> 3,
-                privkey_packed, params->N_bits, i_buf);
-
-    }
-       else
-       {
-        assert(FALSE);
-    }
-
-    /* form cm':
-     *  F * e
-     *  A = e * (1 + pF) mod q = e + pFe mod q
-     *  a = A in the range [-q/2, q/2)
-     *  cm' = a mod p
-     */
-       F_poly = ntru_poly_create_from_data(i_buf, params->N, params->q,
-                                                                               params->dF_r, params->dF_r,
-                                                                           params->is_product_form);
-       F_poly->ring_mult(F_poly, ringel_buf2, ringel_buf1);
-       F_poly->destroy(F_poly);
-
-    cmprime_len = params->N;
-    if (params->is_product_form)
-       {
-         --cmprime_len;
-               for (i = 0; i < cmprime_len; i++)
-               {
-                       ringel_buf1[i] = (ringel_buf2[i] + 3 * ringel_buf1[i]) & mod_q_mask;
-                       if (ringel_buf1[i] >= (params->q >> 1))
-                       {
-                               ringel_buf1[i] = ringel_buf1[i] - q_mod_p;
-                       }
-                       Mtrin_buf[i] = (uint8_t)(ringel_buf1[i] % 3);
-                       if (Mtrin_buf[i] == 1)
-                       {
-                               ++m1;
-                       }
-                       else if (Mtrin_buf[i] == 2)
-                       {
-                               --m1;
-                       }
-               }
-       }
-       else
-       {
-               for (i = 0; i < cmprime_len; i++)
-               {
-                       ringel_buf1[i] = (ringel_buf2[i] + 3 * ringel_buf1[i]) & mod_q_mask;
-                       if (ringel_buf1[i] >= (params->q >> 1))
-                       {
-                               ringel_buf1[i] = ringel_buf1[i] - q_mod_p;
-                       }
-                       Mtrin_buf[i] = (uint8_t)(ringel_buf1[i] % 3);
-               }
-       }
-
-    /* check that the candidate message representative meets minimum weight
-     * requirements
-     */
-
-    if (params->is_product_form)
-       {
-           decryption_ok = m1 < 0 ? (bool)(-m1 <= params->min_msg_rep_wt) : 
-                                    (bool)( m1 <= params->min_msg_rep_wt);
-       }
-       else
-       {
-        decryption_ok = ntru_poly_check_min_weight(cmprime_len, Mtrin_buf,
-                                                                                                  params->min_msg_rep_wt);
-       }
-
-       /* form cR = e - cm' mod q */
-       for (i = 0; i < cmprime_len; i++)
-       {
-               if (Mtrin_buf[i] == 1)
-               {
-                       ringel_buf2[i] = (ringel_buf2[i] - 1) & mod_q_mask;
-               }
-               else if (Mtrin_buf[i] == 2)
-               {
-                       ringel_buf2[i] = (ringel_buf2[i] + 1) & mod_q_mask;
-               }
-       }
-       if (params->is_product_form)
-       {
-               ringel_buf2[i] = (ringel_buf2[i] + m1) & mod_q_mask;
-       }
-
-       /* form cR mod 4 */
-       ntru_coeffs_mod4_2_octets(params->N, ringel_buf2, tmp_buf);
-
-       /* form mask */
-       seed = chunk_create(tmp_buf, (params->N + 3)/4);
-       mask = ntru_trits_create(params->N, hash_algid, seed);
-       if (!mask)
-       {
-               result = NTRU_MGF1_FAIL;
-       }
-       else
-       {
-               mask_trits = mask->get_trits(mask);
-
-               /* form cMtrin by subtracting mask from cm', mod p */
-               for (i = 0; i < cmprime_len; i++)
-               {
-                       Mtrin_buf[i] = Mtrin_buf[i] - mask_trits[i];
-                       if (Mtrin_buf[i] >= 3)
-                       {
-                               Mtrin_buf[i] += 3;
-                       }
-               }
-               mask->destroy(mask);
-
-        if (params->is_product_form)
-
-            /* set the last trit to zero since that's what it was, and
-             * because it can't be calculated from (cm' - mask) since
-             * we don't have the correct value for the last cm' trit
-             */
-
-            Mtrin_buf[i] = 0;
-
-        /* convert cMtrin to cM (Mtrin to Mbin) */
-
-        if (!ntru_trits_2_bits(Mtrin_buf, params->N, M_buf))
-            decryption_ok = FALSE;
-
-        /* validate the padded message cM and copy cm to m_buf */
-
-        ptr = M_buf + params->sec_strength_len;
-        if (params->m_len_len == 2)
-            cm_len = (uint16_t)(*ptr++) << 16;
-        cm_len |= (uint16_t)(*ptr++);
-        if (cm_len > params->m_len_max) {
-            cm_len = params->m_len_max;
-            decryption_ok = FALSE;
-        }
-        memcpy(m_buf, ptr, cm_len);
-        ptr += cm_len;
-        num_zeros = params->m_len_max - cm_len + 1;
-        for (i = 0; i < num_zeros; i++) {
-            if (ptr[i] != 0)
-                decryption_ok = FALSE;
-        }
-
-        /* form sData (OID || m || b || hTrunc) */
-
-        ptr = tmp_buf;
-        memcpy(ptr, params->oid, 3);
-        ptr += 3;
-        memcpy(ptr, m_buf, cm_len);
-        ptr += cm_len;
-        memcpy(ptr, M_buf, params->sec_strength_len);
-        ptr += params->sec_strength_len;
-        memcpy(ptr, pubkey_packed, params->sec_strength_len);
-        ptr += params->sec_strength_len;
-
-        /* generate cr */
-               DBG2(DBG_LIB, "generate polynomial r");
-
-               seed = chunk_create(tmp_buf, ptr - tmp_buf);
-               r_poly = ntru_poly_create_from_seed(hash_algid, seed, params->c_bits,
-                                                                                       params->N, params->q,
-                                                                                       params->dF_r, params->dF_r,
-                                                                                       params->is_product_form);
-               if (!r_poly)
-               {
-                  result = NTRU_MGF1_FAIL;
-               }
-    }
-
-       if (result == NTRU_OK)
-       {
-               /* unpack the public key */
-               {
-            uint16_t pubkey_packed_len;
-
-                       assert(pubkey_pack_type == NTRU_ENCRYPT_KEY_PACKED_COEFFICIENTS);
-                       pubkey_packed_len = (params->N * params->q_bits + 7) >> 3;
-                       ntru_octets_2_elements(pubkey_packed_len, pubkey_packed,
-                                                                  params->q_bits, ringel_buf1);
-               }
-
-               /* form cR' = h * cr */
-               r_poly->ring_mult(r_poly, ringel_buf1, ringel_buf1);
-               r_poly->destroy(r_poly);
-
-               /* compare cR' to cR */
-               for (i = 0; i < params->N; i++)
-               {
-                       if (ringel_buf1[i] != ringel_buf2[i])
-                       {
-                decryption_ok = FALSE;
-                       }
-               }
-
-        /* output plaintext and plaintext length */
-               if (decryption_ok)
-               {
-                       if (*pt_len < cm_len)
-                       {
-                               return NTRU_BUFFER_TOO_SMALL;
-                       }
-                       memcpy(pt, m_buf, cm_len);
-                       *pt_len = cm_len;
-        }
-    }
-
-       /* cleanup */
-       memset(scratch_buf, 0, scratch_buf_len);
-       free(scratch_buf);
-    
-       if (!decryption_ok)
-       {
-               return NTRU_FAIL;
-       }
-
-       return result;
-}
-
-
-/* ntru_crypto_ntru_encrypt_keygen
- *
- * Implements key generation for NTRUEncrypt for the parameter set specified.
- *
- * The required minimum size of the output public-key buffer (pubkey_blob)
- * may be queried by invoking this function with pubkey_blob = NULL.
- * In this case, no key generation is performed, NTRU_OK is returned, and
- * the required minimum size for pubkey_blob is returned in pubkey_blob_len.
- *
- * The required minimum size of the output private-key buffer (privkey_blob)
- * may be queried by invoking this function with privkey_blob = NULL.
- * In this case, no key generation is performed, NTRU_OK is returned, and
- * the required minimum size for privkey_blob is returned in privkey_blob_len.
- *
- * The required minimum sizes of both pubkey_blob and privkey_blob may be
- * queried as described above, in a single invocation of this function.
- *
- * When pubkey_blob != NULL and privkey_blob != NULL, at invocation
- * *pubkey_blob_len must be the size of the pubkey_blob buffer and
- * *privkey_blob_len must be the size of the privkey_blob buffer.
- * Upon return, *pubkey_blob_len is the actual size of the public-key blob
- * and *privkey_blob_len is the actual size of the private-key blob.
- *
- * Returns NTRU_OK if successful.
- * Returns NTRU_BAD_PARAMETER if an argument pointer (other than pubkey_blob or
- *  privkey_blob) is NULL.
- * Returns NTRU_INVALID_PARAMETER_SET if the parameter-set ID is invalid.
- * Returns NTRU_BAD_LENGTH if a length argument is invalid.
- * Returns NTRU_BUFFER_TOO_SMALL if either the pubkey_blob buffer or the
- *  privkey_blob buffer is too small.
- * Returns NTRU_NO_MEMORY if memory needed cannot be allocated from the heap.
- * Returns NTRU_FAIL if the polynomial generated for f is not invertible in
- *  (Z/qZ)[X]/(X^N - 1), which is extremely unlikely.
- *  Should this occur, this function should simply be invoked again.
- */
-
-uint32_t
-ntru_crypto_ntru_encrypt_keygen(
-    ntru_drbg_t               *drbg,             /*     in - handle of DRBG */
-    ntru_param_set_id_t        param_set_id,     /*     in - parameter set ID */
-    uint16_t                  *pubkey_blob_len,  /* in/out - no. of octets in
-                                                             pubkey_blob, addr
-                                                             for no. of octets
-                                                             in pubkey_blob */
-    uint8_t                   *pubkey_blob,      /*    out - address for
-                                                             public key blob */
-    uint16_t                  *privkey_blob_len, /* in/out - no. of octets in
-                                                             privkey_blob, addr
-                                                             for no. of octets
-                                                             in privkey_blob */
-    uint8_t                   *privkey_blob)     /*    out - address for
-                                                             private key blob */
-{
-    ntru_param_set_t       *params = NULL;
-    uint16_t                public_key_blob_len;
-    uint16_t                private_key_blob_len;
-    uint8_t                 pubkey_pack_type;
-    uint8_t                 privkey_pack_type;
-    size_t                  scratch_buf_len;
-    uint32_t                dF;
-    uint32_t                dF1 = 0;
-    uint32_t                dF2 = 0;
-    uint32_t                dF3 = 0;
-    uint16_t               *scratch_buf = NULL;
-    uint16_t               *ringel_buf1 = NULL;
-    uint16_t               *ringel_buf2 = NULL;
-    uint8_t                *tmp_buf = NULL;
-    uint16_t                mod_q_mask;
-    hash_algorithm_t        hash_algid;
-    uint16_t                seed_len;
-       chunk_t                                 seed;
-    uint32_t                result = NTRU_OK;
-       ntru_poly_t                        *F_poly = NULL;
-       ntru_poly_t            *g_poly = NULL;
-       uint16_t                           *F_indices;
-
-       /* get a pointer to the parameter-set parameters */
-       params = ntru_param_set_get_by_id(param_set_id);
-       if (!params)
-       {
-               return NTRU_INVALID_PARAMETER_SET;
-       }
-
-    /* check for bad parameters */
-    if (!pubkey_blob_len || !privkey_blob_len)
-       {
-               return NTRU_BAD_PARAMETER;
-       }
-
-    /* get public and private key packing types and blob lengths */
-    ntru_crypto_ntru_encrypt_key_get_blob_params(params, &pubkey_pack_type,
-                                                 &public_key_blob_len,
-                                                 &privkey_pack_type,
-                                                 &private_key_blob_len);
-
-    /* return the pubkey_blob size and/or privkey_blob size if requested */
-
-    if (!pubkey_blob || !privkey_blob)
-       {
-        if (!pubkey_blob)
-            *pubkey_blob_len = public_key_blob_len;
-        if (!privkey_blob)
-            *privkey_blob_len = private_key_blob_len;
-               return NTRU_OK;
-    }
-
-    /* check size of output buffers */
-
-    if ((*pubkey_blob_len < public_key_blob_len) ||
-            (*privkey_blob_len < private_key_blob_len))
-       {
-               return NTRU_BUFFER_TOO_SMALL;
-       }
-
-    /* allocate memory for all operations */
-    if (params->is_product_form) {
-        dF1 =  params->dF_r & 0xff;
-        dF2 = (params->dF_r >> 8) & 0xff;
-        dF3 = (params->dF_r >> 16) & 0xff;
-        dF = dF1 + dF2 + dF3;
-    } else {
-        dF = params->dF_r;
-    }
-
-    scratch_buf_len = (params->N * 8) +     /* 4N-byte temp buffer for ring inv
-                                                and other intermediate results,
-                                               2N-byte buffer for f, g indices
-                                                and overflow from temp buffer,
-                                               2N-byte buffer for f^-1 */
-                      (dF << 2);            /* buffer for F indices */
-    scratch_buf = malloc(scratch_buf_len);
-       if (!scratch_buf)
-       {
-               return NTRU_OUT_OF_MEMORY;
-    }
-    ringel_buf1 = scratch_buf + (params->N << 1);
-    ringel_buf2 = ringel_buf1 + params->N;
-    tmp_buf = (uint8_t *)scratch_buf;
-
-       /* set hash algorithm and seed length based on security strength */
-    if (params->sec_strength_len <= 20)
-       {
-               hash_algid = HASH_SHA1;
-       }
-       else
-       {
-               hash_algid = HASH_SHA256;
-       }
-       seed_len = params->sec_strength_len + 8;
-
-    /* set constants */
-
-    mod_q_mask = params->q - 1;
-
-    /* get random bytes for seed for generating trinary F
-     * as a list of indices
-     */
-
-    if (drbg->generate(drbg, params->sec_strength_len * BITS_PER_BYTE,
-                                                        seed_len, tmp_buf))
-       {
-               result = NTRU_OK;
-       }
-       else
-       {
-               result = NTRU_DRBG_FAIL;
-       }
-
-       if (result == NTRU_OK)
-       {
-               DBG2(DBG_LIB, "generate polynomial F");
-
-               seed = chunk_create(tmp_buf, seed_len);
-               F_poly = ntru_poly_create_from_seed(hash_algid, seed, params->c_bits,
-                                                                                       params->N, params->q,
-                                                                                       params->dF_r, params->dF_r,
-                                                                                       params->is_product_form);
-               if (!F_poly)
-               {
-                  result = NTRU_MGF1_FAIL;
-               }
-    }
-
-       if (result == NTRU_OK)
-       {
-               int i;
-
-               F_poly->get_array(F_poly, ringel_buf1);
-
-               /* form f = 1 + pF */
-               for (i = 0; i < params->N; i++)
-               {
-                       ringel_buf1[i] = (ringel_buf1[i] * 3) & mod_q_mask;
-               }
-               ringel_buf1[0] = (ringel_buf1[0] + 1) & mod_q_mask;
-
-               /* find f^-1 in (Z/qZ)[X]/(X^N - 1) */
-               if (!ntru_ring_inv(ringel_buf1, params->N, params->q,
-                                                  scratch_buf, ringel_buf2))
-               {
-                       result = NTRU_FAIL;
-               }
-       }
-
-       if (result == NTRU_OK)
-       {
-
-        /* get random bytes for seed for generating trinary polynomial g
-         * as a list of indices
-         */
-        if (!drbg->generate(drbg, params->sec_strength_len * BITS_PER_BYTE,
-                                                                 seed_len, tmp_buf))
-               {
-                       result = NTRU_DRBG_FAIL;
-               }
-    }
-
-       if (result == NTRU_OK)
-       {
-               DBG2(DBG_LIB, "generate polynomial g");
-
-               seed = chunk_create(tmp_buf, seed_len);
-               g_poly = ntru_poly_create_from_seed(hash_algid, seed, params->c_bits,
-                                                                                       params->N, params->q,
-                                                                                       params->dg + 1, params->dg, FALSE);
-               if (!g_poly)
-               {
-                  result = NTRU_MGF1_FAIL;
-               }
-   }
-
-       if (result == NTRU_OK)
-       {
-               uint16_t i;
-
-               /* compute h = p * (f^-1 * g) mod q */
-               g_poly->ring_mult(g_poly, ringel_buf2, ringel_buf2);
-               g_poly->destroy(g_poly);
-
-               for (i = 0; i < params->N; i++)
-               {
-                       ringel_buf2[i] = (ringel_buf2[i] * 3) & mod_q_mask;
-               }
-
-               /* create public key blob */
-               ntru_crypto_ntru_encrypt_key_create_pubkey_blob(params, ringel_buf2,
-                                                                                                           pubkey_pack_type,
-                                                                                                               pubkey_blob);
-               *pubkey_blob_len = public_key_blob_len;
-
-               /* create private key blob */
-               F_indices = F_poly->get_indices(F_poly);
-               ntru_crypto_ntru_encrypt_key_create_privkey_blob(params, ringel_buf2,
-                                                                                                                F_indices,
-                                                                                                                privkey_pack_type,
-                                                                                                                tmp_buf, privkey_blob);
-               *privkey_blob_len = private_key_blob_len;
-    }
-
-       /* cleanup */
-       DESTROY_IF(F_poly);
-       memset(scratch_buf, 0, scratch_buf_len);
-       free(scratch_buf);
-  
-       return result;
-}
index dec6bbc..702b574 100644 (file)
@@ -72,13 +72,13 @@ ntru_crypto_ntru_encrypt_key_parse(
     /* parse key blob based on tag */
     tag = key_blob[0];
     switch (tag) {
-        case NTRU_ENCRYPT_PUBKEY_TAG:
+        case NTRU_PUBKEY_TAG:
             if (!pubkey_parse)
                 return FALSE;
             break;
-        case NTRU_ENCRYPT_PRIVKEY_DEFAULT_TAG:
-        case NTRU_ENCRYPT_PRIVKEY_TRITS_TAG:
-        case NTRU_ENCRYPT_PRIVKEY_INDICES_TAG:
+        case NTRU_PRIVKEY_DEFAULT_TAG:
+        case NTRU_PRIVKEY_TRITS_TAG:
+        case NTRU_PRIVKEY_INDICES_TAG:
             assert(privkey_pack_type);
             assert(privkey);
             if (pubkey_parse)
@@ -89,10 +89,10 @@ ntru_crypto_ntru_encrypt_key_parse(
     }
 
     switch (tag) {
-        case NTRU_ENCRYPT_PUBKEY_TAG:
-        case NTRU_ENCRYPT_PRIVKEY_DEFAULT_TAG:
-        case NTRU_ENCRYPT_PRIVKEY_TRITS_TAG:
-        case NTRU_ENCRYPT_PRIVKEY_INDICES_TAG:
+        case NTRU_PUBKEY_TAG:
+        case NTRU_PRIVKEY_DEFAULT_TAG:
+        case NTRU_PRIVKEY_TRITS_TAG:
+        case NTRU_PRIVKEY_INDICES_TAG:
 
             /* Version 0:
              *  byte  0:   tag
@@ -136,7 +136,7 @@ ntru_crypto_ntru_encrypt_key_parse(
                 /* check packing type for product-form private keys */
 
                 if (p->is_product_form &&
-                        (tag == NTRU_ENCRYPT_PRIVKEY_TRITS_TAG))
+                        (tag == NTRU_PRIVKEY_TRITS_TAG))
                     return FALSE;
 
                 /* set packed-key length for packed indices */
@@ -151,16 +151,16 @@ ntru_crypto_ntru_encrypt_key_parse(
 
                 /* set private-key packing type if defaulted */
 
-                if (tag == NTRU_ENCRYPT_PRIVKEY_DEFAULT_TAG) {
+                if (tag == NTRU_PRIVKEY_DEFAULT_TAG) {
                     if (p->is_product_form ||
                             (privkey_packed_indices_len <=
                              privkey_packed_trits_len))
-                        tag = NTRU_ENCRYPT_PRIVKEY_INDICES_TAG;
+                        tag = NTRU_PRIVKEY_INDICES_TAG;
                     else
-                        tag = NTRU_ENCRYPT_PRIVKEY_TRITS_TAG;
+                        tag = NTRU_PRIVKEY_TRITS_TAG;
                 }
 
-                if (tag == NTRU_ENCRYPT_PRIVKEY_TRITS_TAG)
+                if (tag == NTRU_PRIVKEY_TRITS_TAG)
                     privkey_packed_len = privkey_packed_trits_len;
                 else
                     privkey_packed_len = privkey_packed_indices_len;
@@ -170,14 +170,14 @@ ntru_crypto_ntru_encrypt_key_parse(
 
                 *pubkey = key_blob + 5;
                 *privkey = *pubkey + pubkey_packed_len;
-                *privkey_pack_type = (tag == NTRU_ENCRYPT_PRIVKEY_TRITS_TAG) ?
-                    NTRU_ENCRYPT_KEY_PACKED_TRITS :
-                    NTRU_ENCRYPT_KEY_PACKED_INDICES;
+                *privkey_pack_type = (tag == NTRU_PRIVKEY_TRITS_TAG) ?
+                    NTRU_KEY_PACKED_TRITS :
+                    NTRU_KEY_PACKED_INDICES;
             }
 
             /* return parameter set pointer */
 
-            *pubkey_pack_type = NTRU_ENCRYPT_KEY_PACKED_COEFFICIENTS;
+            *pubkey_pack_type = NTRU_KEY_PACKED_COEFFICIENTS;
             *params = p;
         }
         default:
@@ -185,171 +185,3 @@ ntru_crypto_ntru_encrypt_key_parse(
     }
     return TRUE;
 }
-
-
-/* ntru_crypto_ntru_encrypt_key_get_blob_params
- *
- * Returns public and private key packing types and blob lengths given
- * a packing format.  For now, only a default packing format exists.
- *
- * Only public-key params may be returned by setting privkey_pack_type
- * and privkey_blob_len to NULL.
- */
-
-void
-ntru_crypto_ntru_encrypt_key_get_blob_params(
-    ntru_param_set_t             *params,             /*  in - pointer to
-                                                               param set
-                                                               parameters */
-    uint8_t                      *pubkey_pack_type,   /* out - addr for pubkey
-                                                               packing type */
-    uint16_t                     *pubkey_blob_len,    /* out - addr for no. of
-                                                               bytes in
-                                                               pubkey blob */
-    uint8_t                      *privkey_pack_type,  /* out - addr for privkey
-                                                               packing type */
-    uint16_t                     *privkey_blob_len)   /* out - addr for no. of
-                                                               bytes in
-                                                               privkey blob */
-{
-    uint16_t pubkey_packed_len = (params->N * params->q_bits + 7) >> 3;
-
-    assert(params);
-    assert(pubkey_pack_type);
-    assert(pubkey_blob_len);
-
-    *pubkey_pack_type = NTRU_ENCRYPT_KEY_PACKED_COEFFICIENTS;
-    *pubkey_blob_len = 5 + pubkey_packed_len;
-
-    if (privkey_pack_type && privkey_blob_len) {
-        uint16_t privkey_packed_trits_len = (params->N + 4) / 5;
-        uint16_t privkey_packed_indices_len;
-        uint16_t dF;
-
-        if (params->is_product_form)
-            dF = (uint16_t)( (params->dF_r & 0xff) +            /* df1 */
-                            ((params->dF_r >>  8) & 0xff) +     /* df2 */
-                            ((params->dF_r >> 16) & 0xff));     /* df3 */
-        else
-            dF = (uint16_t)params->dF_r;
-        privkey_packed_indices_len = ((dF << 1) * params->N_bits + 7) >> 3;
-
-        if (params->is_product_form ||
-                (privkey_packed_indices_len <= privkey_packed_trits_len)) {
-            *privkey_pack_type = NTRU_ENCRYPT_KEY_PACKED_INDICES;
-            *privkey_blob_len =
-                5 + pubkey_packed_len + privkey_packed_indices_len;
-        } else {
-            *privkey_pack_type = NTRU_ENCRYPT_KEY_PACKED_TRITS;
-            *privkey_blob_len =
-                5 + pubkey_packed_len + privkey_packed_trits_len;
-        }
-    }
-}
-
-
-/* ntru_crypto_ntru_encrypt_key_create_pubkey_blob
- *
- * Returns a public key blob, packed according to the packing type provided.
- */
-
-void
-ntru_crypto_ntru_encrypt_key_create_pubkey_blob(
-    ntru_param_set_t             *params,             /*  in - pointer to
-                                                               param set
-                                                               parameters */
-    uint16_t const               *pubkey,             /*  in - pointer to the
-                                                               coefficients
-                                                               of the pubkey */
-    uint8_t                       pubkey_pack_type,   /* out - pubkey packing
-                                                               type */
-    uint8_t                      *pubkey_blob)        /* out - addr for the
-                                                               pubkey blob */
-{
-    assert(params);
-    assert(pubkey);
-    assert(pubkey_blob);
-
-    switch (pubkey_pack_type) {
-        case NTRU_ENCRYPT_KEY_PACKED_COEFFICIENTS:
-            *pubkey_blob++ = NTRU_ENCRYPT_PUBKEY_TAG;
-            *pubkey_blob++ = (uint8_t)sizeof(params->oid);
-            memcpy(pubkey_blob, params->oid, sizeof(params->oid));
-            pubkey_blob += sizeof(params->oid);
-            ntru_elements_2_octets(params->N, pubkey, params->q_bits,
-                                   pubkey_blob);
-            break;
-        default:
-            assert(FALSE);
-    }
-}
-
-
-/* ntru_crypto_ntru_encrypt_key_create_privkey_blob
- *
- * Returns a private key blob, packed according to the packing type provided.
- */
-
-void
-ntru_crypto_ntru_encrypt_key_create_privkey_blob(
-    ntru_param_set_t             *params,             /*  in - pointer to
-                                                               param set
-                                                               parameters */
-    uint16_t const               *pubkey,             /*  in - pointer to the
-                                                               coefficients
-                                                               of the pubkey */
-    uint16_t const               *privkey,            /*  in - pointer to the
-                                                               indices of the
-                                                               privkey */
-    uint8_t                       privkey_pack_type,  /*  in - privkey packing
-                                                               type */
-    uint8_t                      *buf,                /*  in - temp, N bytes */
-    uint8_t                      *privkey_blob)       /* out - addr for the
-                                                               privkey blob */
-{
-    assert(params);
-    assert(pubkey);
-    assert(privkey);
-    assert(privkey_blob);
-
-    switch (privkey_pack_type) {
-        case NTRU_ENCRYPT_KEY_PACKED_TRITS:
-        case NTRU_ENCRYPT_KEY_PACKED_INDICES:
-
-            /* format header and packed public key */
-
-            *privkey_blob++ = NTRU_ENCRYPT_PRIVKEY_DEFAULT_TAG;
-            *privkey_blob++ = (uint8_t)sizeof(params->oid);
-            memcpy(privkey_blob, params->oid, sizeof(params->oid));
-            privkey_blob += sizeof(params->oid);
-            ntru_elements_2_octets(params->N, pubkey, params->q_bits,
-                                   privkey_blob);
-            privkey_blob += (params->N * params->q_bits + 7) >> 3;
-
-            /* add packed private key */
-
-            if (privkey_pack_type == NTRU_ENCRYPT_KEY_PACKED_TRITS) {
-                ntru_indices_2_packed_trits(privkey, (uint16_t)params->dF_r,
-                                            (uint16_t)params->dF_r,
-                                            params->N, buf, privkey_blob);
-            } else {
-                uint32_t dF;
-
-                if (params->is_product_form) {
-                    dF =  (params->dF_r & 0xff) +
-                         ((params->dF_r >> 8) & 0xff) +
-                         ((params->dF_r >> 16) & 0xff);
-                } else {
-                    dF = params->dF_r;
-                }
-                ntru_elements_2_octets((uint16_t)dF << 1, privkey,
-                                       params->N_bits, privkey_blob);
-            }
-            break;
-        default:
-            assert(FALSE);
-            break;
-    }
-}
-
-
index c38c3fc..637e49c 100644 (file)
 
 #include "ntru_param_set.h"
 
-/* key-blob definitions */
-
-#define NTRU_ENCRYPT_PUBKEY_TAG           0x01
-#define NTRU_ENCRYPT_PRIVKEY_DEFAULT_TAG  0x02
-#define NTRU_ENCRYPT_PRIVKEY_TRITS_TAG    0xfe
-#define NTRU_ENCRYPT_PRIVKEY_INDICES_TAG  0xff
-
-/* packing types */
-
-#define NTRU_ENCRYPT_KEY_PACKED_COEFFICIENTS    0x01
-#define NTRU_ENCRYPT_KEY_PACKED_INDICES         0x02
-#define NTRU_ENCRYPT_KEY_PACKED_TRITS           0x03
-
 /* function declarations */
 
 
@@ -75,93 +62,4 @@ ntru_crypto_ntru_encrypt_key_parse(
     uint8_t const          **privkey);          /* out - addr for ptr to
                                                          packed privkey */
 
-
-/* ntru_crypto_ntru_encrypt_key_get_blob_params
- *
- * Returns public and private key packing types and blob lengths given
- * a packing format.  For now, only a default packing format exists.
- *
- * Only public-key params may be returned by setting privkey_pack_type
- * and privkey_blob_len to NULL.
- */
-
-extern void
-ntru_crypto_ntru_encrypt_key_get_blob_params(
-    ntru_param_set_t             *params,             /*  in - pointer to
-                                                               param set
-                                                               parameters */
-    uint8_t                      *pubkey_pack_type,   /* out - addr for pubkey
-                                                               packing type */
-    uint16_t                     *pubkey_blob_len,    /* out - addr for no. of
-                                                               bytes in
-                                                               pubkey blob */
-    uint8_t                      *privkey_pack_type,  /* out - addr for privkey
-                                                               packing type */
-    uint16_t                     *privkey_blob_len);  /* out - addr for no. of
-                                                               bytes in
-                                                               privkey blob */
-
-
-/* ntru_crypto_ntru_encrypt_key_create_pubkey_blob
- *
- * Returns a public key blob, packed according to the packing type provided.
- */
-
-extern void
-ntru_crypto_ntru_encrypt_key_create_pubkey_blob(
-    ntru_param_set_t             *params,             /*  in - pointer to
-                                                               param set
-                                                               parameters */
-    uint16_t const               *pubkey,             /*  in - pointer to the
-                                                               coefficients
-                                                               of the pubkey */
-    uint8_t                       pubkey_pack_type,   /* out - addr for pubkey
-                                                               packing type */
-    uint8_t                      *pubkey_blob);       /* out - addr for the
-                                                               pubkey blob */
-
-
-/* ntru_crypto_ntru_encrypt_key_recreate_pubkey_blob
- *
- * Returns a public key blob, recreated from an already-packed public key.
- */
-
-extern void
-ntru_crypto_ntru_encrypt_key_recreate_pubkey_blob(
-    ntru_param_set_t             *params,             /*  in - pointer to
-                                                               param set
-                                                               parameters */
-    uint16_t                      packed_pubkey_len,  /*  in - no. octets in
-                                                               packed pubkey */
-    uint8_t const                *packed_pubkey,      /*  in - pointer to the
-                                                               packed pubkey */
-    uint8_t                       pubkey_pack_type,   /* out - pubkey packing
-                                                               type */
-    uint8_t                      *pubkey_blob);       /* out - addr for the
-                                                               pubkey blob */
-
-
-/* ntru_crypto_ntru_encrypt_key_create_privkey_blob
- *
- * Returns a privlic key blob, packed according to the packing type provided.
- */
-
-extern void
-ntru_crypto_ntru_encrypt_key_create_privkey_blob(
-    ntru_param_set_t             *params,             /*  in - pointer to
-                                                               param set
-                                                               parameters */
-    uint16_t const               *pubkey,             /*  in - pointer to the
-                                                               coefficients
-                                                               of the pubkey */
-    uint16_t const               *privkey,            /*  in - pointer to the
-                                                               indices of the
-                                                               privkey */
-    uint8_t                       privkey_pack_type,  /*  in - privkey packing
-                                                               type */
-    uint8_t                      *buf,                /*  in - temp, N bytes */
-    uint8_t                      *privkey_blob);      /* out - addr for the
-                                                               privkey blob */
-
-
 #endif /* NTRU_CRYPTO_NTRU_ENCRYPT_KEY_H */
index 8e4eede..e539384 100644 (file)
@@ -51,192 +51,3 @@ ntru_poly_check_min_weight(
     return TRUE;
 }
 
-/* ntru_ring_mult_coefficients
- *
- * Multiplies ring element (polynomial) "a" by ring element (polynomial) "b"
- * to produce ring element (polynomial) "c" in (Z/qZ)[X]/(X^N - 1).
- * This is a convolution operation.
- *
- * Ring element "b" has coefficients in the range [0,N).
- *
- * This assumes q is 2^r where 8 < r < 16, so that overflow of the sum
- * beyond 16 bits does not matter.
- */
-
-void
-ntru_ring_mult_coefficients(
-    uint16_t const *a,          /*  in - pointer to polynomial a */
-    uint16_t const *b,          /*  in - pointer to polynomial b */
-    uint16_t        N,          /*  in - no. of coefficients in a, b, c */
-    uint16_t        q,          /*  in - large modulus */
-    uint16_t       *c)          /* out - address for polynomial c */
-{
-    uint16_t const *bptr = b;
-    uint16_t        mod_q_mask = q - 1;
-    uint16_t        i, k;
-
-    /* c[k] = sum(a[i] * b[k-i]) mod q */
-    memset(c, 0, N * sizeof(uint16_t));
-    for (k = 0; k < N; k++) {
-        i = 0;
-        while (i <= k)
-            c[k] += a[i++] * *bptr--;
-        bptr += N;
-        while (i < N)
-            c[k] += a[i++] * *bptr--;
-        c[k] &= mod_q_mask;
-        ++bptr;
-    }
-}
-
-
-/* ntru_ring_inv
- *
- * Finds the inverse of a polynomial, a, in (Z/2^rZ)[X]/(X^N - 1).
- *
- * This assumes q is 2^r where 8 < r < 16, so that operations mod q can
- * wait until the end, and only 16-bit arrays need to be used.
- */
-
-bool
-ntru_ring_inv(
-    uint16_t       *a,          /*  in - pointer to polynomial a */
-    uint16_t        N,          /*  in - no. of coefficients in a */
-    uint16_t        q,          /*  in - large modulus */
-    uint16_t       *t,          /*  in - temp buffer of 2N elements */
-    uint16_t       *a_inv)      /* out - address for polynomial a^-1 */
-{
-    uint8_t  *b = (uint8_t *)t;     /* b cannot be in a_inv since it must be
-                                       rotated and copied there as a^-1 mod 2 */
-    uint8_t  *c = b + N;            /* c cannot be in a_inv since it exchanges
-                                       with b, and b cannot be in a_inv */
-    uint8_t  *f = c + N;
-    uint8_t  *g = (uint8_t *)a_inv; /* g needs N + 1 bytes */
-    uint16_t *t2 = t + N;
-    uint16_t  deg_b;
-    uint16_t  deg_c;
-    uint16_t  deg_f;
-    uint16_t  deg_g;
-    uint16_t  k = 0;
-    bool      done = FALSE;
-    uint16_t  i, j;
-
-    /* form a^-1 in (Z/2Z)[X]/X^N - 1) */
-    memset(b, 0, (N << 1));                /* clear to init b, c */
-
-    /* b(X) = 1 */
-    b[0] = 1;
-    deg_b = 0;
-
-    /* c(X) = 0 (cleared above) */
-    deg_c = 0;
-
-    /* f(X) = a(X) mod 2 */
-    for (i = 0; i < N; i++)
-        f[i] = (uint8_t)(a[i] & 1);
-    deg_f = N - 1;
-
-    /* g(X) = X^N - 1 */
-    g[0] = 1;
-    memset(g + 1, 0, N - 1);
-    g[N] = 1;
-    deg_g = N;
-
-    /* until f(X) = 1 */
-
-       while (!done)
-       {
-
-        /* while f[0] = 0, f(X) /= X, c(X) *= X, k++ */
-
-        for (i = 0; (i <= deg_f) && (f[i] == 0); ++i);
-        if (i > deg_f)
-            return FALSE;
-        if (i) {
-            f = f + i;
-            deg_f = deg_f - i;
-            deg_c = deg_c + i;
-            for (j = deg_c; j >= i; j--)
-                c[j] = c[j-i];
-            for (j = 0; j < i; j++)
-                c[j] = 0;
-            k = k + i;
-        }
-
-        /* adjust degree of f(X) if the highest coefficients are zero
-         * Note: f[0] = 1 from above so the loop will terminate.
-         */
-
-        while (f[deg_f] == 0)
-            --deg_f;
-
-        /* if f(X) = 1, done
-         * Note: f[0] = 1 from above, so only check the x term and up
-         */
-
-        for (i = 1; (i <= deg_f) && (f[i] == 0); ++i);
-        if (i > deg_f) {
-            done = TRUE;
-            break;
-        }
-
-        /* if deg_f < deg_g, f <-> g, b <-> c */
-
-        if (deg_f < deg_g) {
-            uint8_t *x;
-
-            x = f;
-            f = g;
-            g = x;
-            deg_f ^= deg_g;
-            deg_g ^= deg_f;
-            deg_f ^= deg_g;
-            x = b;
-            b = c;
-            c = x;
-            deg_b ^= deg_c;
-            deg_c ^= deg_b;
-            deg_b ^= deg_c;
-        }
-
-        /* f(X) += g(X), b(X) += c(X) */
-
-        for (i = 0; i <= deg_g; i++)
-            f[i] ^= g[i];
-
-        if (deg_c > deg_b)
-            deg_b = deg_c;
-        for (i = 0; i <= deg_c; i++)
-            b[i] ^= c[i];
-    }
-
-    /* a^-1 in (Z/2Z)[X]/(X^N - 1) = b(X) shifted left k coefficients */
-
-    j = 0;
-    if (k >= N)
-        k = k - N;
-    for (i = k; i < N; i++)
-        a_inv[j++] = (uint16_t)(b[i]);
-    for (i = 0; i < k; i++)
-        a_inv[j++] = (uint16_t)(b[i]);
-
-    /* lift a^-1 in (Z/2Z)[X]/(X^N - 1) to a^-1 in (Z/qZ)[X]/(X^N -1) */
-
-    for (j = 0; j < 4; ++j) {       /* assumes 256 < q <= 65536 */
-
-        /* a^-1 = a^-1 * (2 - a * a^-1) mod q */
-
-        memcpy(t2, a_inv, N * sizeof(uint16_t));
-        ntru_ring_mult_coefficients(a, t2, N, q, t);
-        for (i = 0; i < N; ++i)
-            t[i] = q - t[i];
-        t[0] = t[0] + 2;
-        ntru_ring_mult_coefficients(t2, t, N, q, a_inv);
-    }
-
-    return TRUE;
-
-
-}
-
-
index 1e9d467..938e7b2 100644 (file)
@@ -55,42 +55,4 @@ ntru_poly_check_min_weight(
     uint8_t  *ringels,              /*  in - pointer to trinary ring elements */
     uint16_t  min_wt);              /*  in - minimum weight */
 
-/* ntru_ring_mult_coefficients
- *
- * Multiplies ring element (polynomial) "a" by ring element (polynomial) "b"
- * to produce ring element (polynomial) "c" in (Z/qZ)[X]/(X^N - 1).
- * This is a convolution operation.
- *
- * Ring element "b" has coefficients in the range [0,N).
- *
- * This assumes q is 2^r where 8 < r < 16, so that overflow of the sum
- * beyond 16 bits does not matter.
- */
-
-extern void
-ntru_ring_mult_coefficients(
-    uint16_t const *a,          /*  in - pointer to polynomial a */
-    uint16_t const *b,          /*  in - pointer to polynomial b */
-    uint16_t        N,          /*  in - no. of coefficients in a, b, c */
-    uint16_t        q,          /*  in - large modulus */
-    uint16_t       *c);         /* out - address for polynomial c */
-
-
-/* ntru_ring_inv
- *
- * Finds the inverse of a polynomial, a, in (Z/2^rZ)[X]/(X^N - 1).
- *
- * This assumes q is 2^r where 8 < r < 16, so that operations mod q can
- * wait until the end, and only 16-bit arrays need to be used.
- */
-
-extern bool
-ntru_ring_inv(
-    uint16_t       *a,          /*  in - pointer to polynomial a */
-    uint16_t        N,          /*  in - no. of coefficients in a */
-    uint16_t        q,          /*  in - large modulus */
-    uint16_t       *t,          /*  in - temp buffer of 2N elements */
-    uint16_t       *a_inv);     /* out - address for polynomial a^-1 */
-
-
 #endif /* NTRU_CRYPTO_NTRU_POLY_H */
index 14bd0cd..95acffd 100644 (file)
@@ -16,6 +16,8 @@
 #include "ntru_ke.h"
 #include "ntru_drbg.h"
 #include "ntru_param_set.h"
+#include "ntru_private_key.h"
+#include "ntru_public_key.h"
 
 #include "ntru_crypto/ntru_crypto.h"
 
@@ -71,12 +73,17 @@ struct private_ntru_ke_t {
        /**
         * NTRU Public Key
         */
-       chunk_t pub_key;
+       ntru_public_key_t *pubkey;
 
        /**
         * NTRU Private Key
         */
-       chunk_t priv_key;
+       ntru_private_key_t *privkey;
+
+       /**
+        * NTRU Public Key Encoding
+        */
+       chunk_t pubkey_enc;
 
        /**
         * NTRU encrypted shared secret
@@ -112,8 +119,6 @@ struct private_ntru_ke_t {
 METHOD(diffie_hellman_t, get_my_public_value, void,
        private_ntru_ke_t *this, chunk_t *value)
 {
-    uint16_t pub_key_len, priv_key_len;
-
        *value = chunk_empty;
 
        if (this->responder)
@@ -125,34 +130,21 @@ METHOD(diffie_hellman_t, get_my_public_value, void,
        }
        else
        {
-               if (this->pub_key.len == 0)
+               if (!this->pubkey)
                {
-                       /* determine the NTRU public and private key sizes */
-                       if (ntru_crypto_ntru_encrypt_keygen(this->drbg, this->param_set->id,
-                                                               &pub_key_len, NULL,
-                                                               &priv_key_len, NULL) != NTRU_OK)
-                       {
-                               DBG1(DBG_LIB, "error determining NTRU public and private key "
-                                                         "sizes");
-                               return;
-                       }
-                       this->pub_key  = chunk_alloc(pub_key_len);
-                       this->priv_key = chunk_alloc(priv_key_len);
-
                        /* generate a random NTRU public/private key pair */
-                   if (ntru_crypto_ntru_encrypt_keygen(this->drbg, this->param_set->id,
-                                                               &pub_key_len, this->pub_key.ptr,
-                                                               &priv_key_len, this->priv_key.ptr) != NTRU_OK)
+                       this->privkey = ntru_private_key_create(this->drbg, this->param_set);
+                       if (!this->privkey)
                        {
                                DBG1(DBG_LIB, "NTRU keypair generation failed");
-                               chunk_free(&this->priv_key);
-                               chunk_free(&this->pub_key);
                                return;
                        }
-                       DBG3(DBG_LIB, "NTRU public key: %B", &this->pub_key);
-                       DBG4(DBG_LIB, "NTRU private key: %B", &this->priv_key);
+                       this->pubkey = this->privkey->get_public_key(this->privkey);
+                       this->pubkey_enc = this->pubkey->get_encoding(this->pubkey);
+                       this->pubkey_enc = chunk_clone(this->pubkey_enc);
+                       DBG3(DBG_LIB, "NTRU public key: %B", &this->pubkey_enc);
                }
-               *value = chunk_clone(this->pub_key);
+               *value = chunk_clone(this->pubkey_enc);
        }
 }
 
@@ -173,9 +165,9 @@ METHOD(diffie_hellman_t, get_shared_secret, status_t,
 METHOD(diffie_hellman_t, set_other_public_value, void,
        private_ntru_ke_t *this, chunk_t value)
 {
-       u_int16_t plaintext_len, ciphertext_len;
+       u_int16_t ciphertext_len;
 
-       if (this->priv_key.len)
+       if (this->privkey)
        {
                /* initiator decrypting shared secret */
                if (value.len == 0)
@@ -183,29 +175,14 @@ METHOD(diffie_hellman_t, set_other_public_value, void,
                        DBG1(DBG_LIB, "empty NTRU ciphertext");
                        return;
                }
-               this->ciphertext = chunk_clone(value);
-               DBG3(DBG_LIB, "NTRU ciphertext: %B", &this->ciphertext);
-
-               /* determine the size of the maximum plaintext */
-       if (ntru_crypto_ntru_decrypt(this->priv_key.len, this->priv_key.ptr,
-                                                               this->ciphertext.len, this->ciphertext.ptr,
-                                                               &plaintext_len, NULL) != NTRU_OK)
-               {
-                       DBG1(DBG_LIB, "error determining maximum plaintext size");
-                       return;
-               }
-               this->shared_secret = chunk_alloc(plaintext_len);
+               DBG3(DBG_LIB, "NTRU ciphertext: %B", &value);
 
                /* decrypt the shared secret */
-       if (ntru_crypto_ntru_decrypt(this->priv_key.len, this->priv_key.ptr,
-                                               this->ciphertext.len, this->ciphertext.ptr,
-                                               &plaintext_len, this->shared_secret.ptr) != NTRU_OK)
+               if (!this->privkey->decrypt(this->privkey, value, &this->shared_secret))
                {
                        DBG1(DBG_LIB, "NTRU decryption of shared secret failed");
-                       chunk_free(&this->shared_secret);
                        return;
                }
-               this->shared_secret.len = plaintext_len;
                this->computed = TRUE;
        }
        else
@@ -214,17 +191,19 @@ METHOD(diffie_hellman_t, set_other_public_value, void,
                this->responder = TRUE;
 
                /* check the NTRU public key format */
-               if (value.len < 5 || value.ptr[0] != 1 || value.ptr[1] != 3)
+               if (value.len < 5 ||
+                       value.ptr[0] != NTRU_PUBKEY_TAG ||
+                       value.ptr[1] != NTRU_OID_LEN)
                {
                        DBG1(DBG_LIB, "received NTRU public key with invalid header");
                        return;
                }
-               if (!memeq(value.ptr + 2, this->param_set->oid, 3))
+               if (!memeq(value.ptr + 2, this->param_set->oid, NTRU_OID_LEN))
                {
                        DBG1(DBG_LIB, "received NTRU public key with wrong OID");
                        return;
                }
-               this->pub_key = chunk_clone(value);
+               this->pubkey_enc = chunk_clone(value);
 
                /* shared secret size is chosen as twice the cryptographical strength */
                this->shared_secret = chunk_alloc(2 * this->strength / BITS_PER_BYTE);
@@ -241,7 +220,7 @@ METHOD(diffie_hellman_t, set_other_public_value, void,
 
                /* determine the size of the ciphertext */
                if (ntru_crypto_ntru_encrypt(this->drbg,
-                                                       this->pub_key.len,      this->pub_key.ptr,
+                                                       this->pubkey_enc.len, this->pubkey_enc.ptr,
                                                        this->shared_secret.len, this->shared_secret.ptr,
                             &ciphertext_len, NULL) != NTRU_OK)
                {
@@ -252,7 +231,7 @@ METHOD(diffie_hellman_t, set_other_public_value, void,
 
                /* encrypt the shared secret */
                if (ntru_crypto_ntru_encrypt(this->drbg,
-                                                       this->pub_key.len,      this->pub_key.ptr,
+                                                       this->pubkey_enc.len, this->pubkey_enc.ptr,
                                                        this->shared_secret.len, this->shared_secret.ptr,
                             &ciphertext_len, this->ciphertext.ptr) != NTRU_OK)
                {
@@ -273,11 +252,12 @@ METHOD(diffie_hellman_t, get_dh_group, diffie_hellman_group_t,
 METHOD(diffie_hellman_t, destroy, void,
        private_ntru_ke_t *this)
 {
+       DESTROY_IF(this->privkey);
+       DESTROY_IF(this->pubkey);
        this->drbg->destroy(this->drbg);
        this->entropy->destroy(this->entropy);
-       chunk_free(&this->pub_key);
+       chunk_free(&this->pubkey_enc);
        chunk_free(&this->ciphertext);
-       chunk_clear(&this->priv_key);
        chunk_clear(&this->shared_secret);
        free(this);
 }
index 2bc61f6..4af1e30 100644 (file)
@@ -17,6 +17,8 @@
 
 #include "ntru_param_set.h"
 
+#include <utils/test.h>
+
 ENUM(ntru_param_set_id_names, NTRU_EES401EP1, NTRU_EES743EP1,
        "ees401ep1",
        "ees449ep1",
@@ -370,3 +372,4 @@ ntru_param_set_t* ntru_param_set_get_by_oid(uint8_t const *oid)
        return NULL;
 }
 
+EXPORT_FUNCTION_FOR_TESTS(ntru, ntru_param_set_get_by_id);
index c3ccf89..20d75dc 100644 (file)
@@ -29,6 +29,26 @@ typedef struct ntru_param_set_t ntru_param_set_t;
 #include <library.h>
 
 /**
+ * Encoding types for NTRU encryption public/private key blobs
+ */
+#define NTRU_PUBKEY_TAG           0x01
+#define NTRU_PRIVKEY_DEFAULT_TAG  0x02
+#define NTRU_PRIVKEY_TRITS_TAG    0xfe
+#define NTRU_PRIVKEY_INDICES_TAG  0xff
+
+/**
+ * Size in octets of the OID designating the NTRU encryption parameter set
+ */
+#define NTRU_OID_LEN   3
+
+/**
+ * Packing types for NTRU encryption public/private keys
+ */
+#define NTRU_KEY_PACKED_COEFFICIENTS    0x01
+#define NTRU_KEY_PACKED_INDICES         0x02
+#define NTRU_KEY_PACKED_TRITS           0x03
+
+/**
  * NTRU encryption parameter set ID list
  */
 enum ntru_param_set_id_t {
@@ -60,23 +80,23 @@ extern enum_name_t *ntru_param_set_id_names;
  * NTRU encryption parameter set definitions
  */
 struct ntru_param_set_t {
-       ntru_param_set_id_t id;    /* NTRU parameter set ID */
-       uint8_t  oid[3];           /* pointer to OID */
-       uint8_t  der_id;           /* parameter-set DER id */
-       uint8_t  N_bits;           /* no. of bits in N (i.e. in an index */
-       uint16_t N;                /* ring dimension */
-       uint16_t sec_strength_len; /* no. of octets of security strength */
-       uint16_t q;                /* big modulus */
-       uint8_t  q_bits;           /* no. of bits in q (i.e. in a coefficient */
-       bool     is_product_form;  /* if product form used */
-       uint32_t dF_r;             /* no. of +1 or -1 coefficients in ring elements
-                                  F, r */
-       uint16_t dg;               /* no. - 1 of +1 coefficients or
-                                  no.     of -1 coefficients in ring element g */
-       uint16_t m_len_max;        /* max no. of plaintext octets */
-       uint16_t min_msg_rep_wt;   /* min. message representative weight */
-       uint8_t  c_bits;           /* no. bits in candidate for deriving an index */
-       uint8_t  m_len_len;        /* no. of octets to hold mLenOctets */
+       ntru_param_set_id_t id;     /* NTRU parameter set ID */
+       uint8_t  oid[NTRU_OID_LEN]; /* pointer to OID */
+       uint8_t  der_id;            /* parameter-set DER id */
+       uint8_t  N_bits;            /* no. of bits in N (i.e. in an index */
+       uint16_t N;                 /* ring dimension */
+       uint16_t sec_strength_len;  /* no. of octets of security strength */
+       uint16_t q;                 /* big modulus */
+       uint8_t  q_bits;            /* no. of bits in q (i.e. in a coefficient */
+       bool     is_product_form;   /* if product form used */
+       uint32_t dF_r;              /* no. of +1 or -1 coefficients in ring elements
+                                   F, r */
+       uint16_t dg;                /* no. - 1 of +1 coefficients or
+                                   no. of -1 coefficients in ring element g */
+       uint16_t m_len_max;         /* max no. of plaintext octets */
+       uint16_t min_msg_rep_wt;    /* min. message representative weight */
+       uint8_t  c_bits;            /* no. bits in candidate for deriving an index */
+       uint8_t  m_len_len;         /* no. of octets to hold mLenOctets */
 };
 
 /**
diff --git a/src/libstrongswan/plugins/ntru/ntru_private_key.c b/src/libstrongswan/plugins/ntru/ntru_private_key.c
new file mode 100644 (file)
index 0000000..9e82463
--- /dev/null
@@ -0,0 +1,745 @@
+/*
+ * Copyright (C) 2014 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * Copyright (C) 2009-2013  Security Innovation
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "ntru_private_key.h"
+#include "ntru_trits.h"
+#include "ntru_poly.h"
+
+#include "ntru_crypto/ntru_crypto_ntru_convert.h"
+
+#include <utils/debug.h>
+#include <utils/test.h>
+
+typedef struct private_ntru_private_key_t private_ntru_private_key_t;
+
+/**
+ * Private data of an ntru_private_key_t object.
+ */
+struct private_ntru_private_key_t {
+
+       /**
+        * Public ntru_private_key_t interface.
+        */
+       ntru_private_key_t public;
+
+       /**
+        * NTRU Parameter Set
+        */
+       ntru_param_set_t *params;
+
+       /**
+        * Polynomial F which is the private key
+        */
+       ntru_poly_t *privkey;
+
+       /**
+        * Polynomial h which is the public key
+        */
+       uint16_t *pubkey;
+
+       /**
+        * Encoding of the private key
+        */
+       chunk_t encoding;
+
+};
+
+METHOD(ntru_private_key_t, get_public_key, ntru_public_key_t*,
+       private_ntru_private_key_t *this)
+{
+       return ntru_public_key_create(this->params, this->pubkey);
+}
+
+/**
+ * Generate NTRU encryption private key encoding
+ */
+static void generate_encoding(private_ntru_private_key_t *this)
+{
+       size_t pubkey_len, privkey_len, privkey_trits_len, privkey_indices_len;
+       int privkey_pack_type;
+       uint16_t *indices;
+       uint8_t *trits;
+       u_char *enc;
+
+       /* compute public key length encoded as packed coefficients */
+       pubkey_len =  (this->params->N * this->params->q_bits + 7) / 8;
+
+       /* compute private key length encoded as packed trits coefficients */
+       privkey_trits_len = (this->params->N + 4) / 5;
+
+       /* compute private key length encoded as packed indices */
+       privkey_indices_len = (this->privkey->get_size(this->privkey) *
+                                                  this->params->N_bits + 7) / 8;
+
+       if (this->params->is_product_form ||
+               privkey_indices_len <= privkey_trits_len)
+       {
+               privkey_pack_type = NTRU_KEY_PACKED_INDICES;
+               privkey_len = privkey_indices_len;
+       }
+       else
+       {
+               privkey_pack_type = NTRU_KEY_PACKED_TRITS;
+               privkey_len = privkey_trits_len;
+       }
+
+       /* allocate memory for private key encoding */
+       this->encoding = chunk_alloc(2 + NTRU_OID_LEN + pubkey_len + privkey_len);
+       enc = this->encoding.ptr;
+
+       /* format header and packed public key */
+       *enc++ = NTRU_PRIVKEY_DEFAULT_TAG;
+       *enc++ = NTRU_OID_LEN;
+       memcpy(enc, this->params->oid, NTRU_OID_LEN);
+       enc += NTRU_OID_LEN;
+       ntru_elements_2_octets(this->params->N, this->pubkey,
+                                                  this->params->q_bits, enc);
+       enc += pubkey_len;
+
+       /* add packed private key */
+       indices = this->privkey->get_indices(this->privkey);
+
+       if (privkey_pack_type == NTRU_KEY_PACKED_TRITS)
+       {
+               /* encode private key as packed trits */
+               trits = malloc(this->params->N);
+               ntru_indices_2_packed_trits(indices, this->params->dF_r,
+                                                       this->params->dF_r, this->params->N, trits, enc);
+               memwipe(trits, this->params->N);
+               free(trits);
+       }
+       else
+       {
+               /* encode private key as packed indices */
+               ntru_elements_2_octets(this->privkey->get_size(this->privkey),
+                                                          indices, this->params->N_bits, enc);
+       }
+}
+
+METHOD(ntru_private_key_t, get_encoding, chunk_t,
+       private_ntru_private_key_t *this)
+{
+       return this->encoding;
+}
+
+/** 
+ * Checks that the number of 0, +1, and -1 trinary ring elements meet or exceed
+ * a minimum weight.
+ *
+ * @param N                    degree of polynomial
+ * @param t                    array of trinary ring elements
+ * @param min_wt       minimum weight
+ * @return                     TRUE if minimum weight met or exceeded
+ */
+static bool check_min_weight(uint16_t N, uint8_t  *t, uint16_t min_wt)
+{
+       uint16_t wt[3];
+       int i;
+
+       wt[0] = wt[1] = wt[2] = 0;
+
+       for (i = 0; i < N; i++)
+       {
+               ++wt[t[i]];
+       }
+
+       return (wt[0] >= min_wt) && (wt[1] >= min_wt) && (wt[2] >= min_wt);
+}
+
+METHOD(ntru_private_key_t, decrypt, bool,
+       private_ntru_private_key_t *this, chunk_t ciphertext, chunk_t *plaintext)
+{
+       hash_algorithm_t hash_algid;
+       size_t t_len, seed1_len, seed2_len;
+       uint16_t *t1, *t2, *t = NULL;
+    uint16_t mod_q_mask, q_mod_p, cmprime_len, cm_len = 0, num_zeros;
+       uint8_t *Mtrin, *M, *cm, *mask_trits, *ptr;
+       int16_t m1 = 0;
+       chunk_t seed = chunk_empty;
+       ntru_trits_t *mask;
+       ntru_poly_t *r_poly;
+       bool success = TRUE;
+       int i;
+
+       *plaintext = chunk_empty;
+
+       if (ciphertext.len != (this->params->N * this->params->q_bits + 7) / 8)
+       {
+               DBG1(DBG_LIB, "wrong NTRU ciphertext length");
+               return FALSE;
+       }
+
+       /* allocate temporary array t */
+       t_len  = 2 * this->params->N * sizeof(uint16_t);
+       t = malloc(t_len);
+       t1 = t;
+       t2 = t + this->params->N;
+       Mtrin = (uint8_t *)t1;
+       M = Mtrin + this->params->N;
+
+       /* set hash algorithm based on security strength */
+       hash_algid = (this->params->sec_strength_len <= 20) ? HASH_SHA1 :
+                                                                                                                 HASH_SHA256;
+
+       /* set constants */
+       mod_q_mask = this->params->q - 1;
+       q_mod_p = this->params->q % 3;
+
+    /* unpack the ciphertext */
+    ntru_octets_2_elements(ciphertext.len, ciphertext.ptr,
+                                                  this->params->q_bits, t2);
+
+       /* form cm':
+        *  F * e
+        *  A = e * (1 + pF) mod q = e + pFe mod q
+        *  a = A in the range [-q/2, q/2)
+        *  cm' = a mod p
+        */
+       this->privkey->ring_mult(this->privkey, t2, t1);
+
+       cmprime_len = this->params->N;
+       if (this->params->is_product_form)
+       {
+               --cmprime_len;
+               for (i = 0; i < cmprime_len; i++)
+               {
+                       t1[i] = (t2[i] + 3 * t1[i]) & mod_q_mask;
+                       if (t1[i] >= (this->params->q / 2))
+                       {
+                               t1[i] -= q_mod_p;
+                       }
+                       Mtrin[i] = (uint8_t)(t1[i] % 3);
+                       if (Mtrin[i] == 1)
+                       {
+                               ++m1;
+                       }
+                       else if (Mtrin[i] == 2)
+                       {
+                               --m1;
+                       }
+               }
+       }
+       else
+       {
+               for (i = 0; i < cmprime_len; i++)
+               {
+                       t1[i] = (t2[i] + 3 * t1[i]) & mod_q_mask;
+                       if (t1[i] >= (this->params->q / 2))
+                       {
+                               t1[i] -= q_mod_p;
+                       }
+                       Mtrin[i] = (uint8_t)(t1[i] % 3);
+               }
+       }
+
+    /**
+        * check that the candidate message representative meets
+     * minimum weight requirements
+     */
+       if (this->params->is_product_form)
+       {
+               success = (abs(m1) <= this->params->min_msg_rep_wt);
+       }
+       else
+       {
+               success = check_min_weight(cmprime_len, Mtrin,
+                                                                  this->params->min_msg_rep_wt);
+       }
+       if (!success)
+       {
+               DBG1(DBG_LIB, "decryption failed due to unsufficient minimum weight");
+       }
+
+       /* form cR = e - cm' mod q */
+       for (i = 0; i < cmprime_len; i++)
+       {
+               if (Mtrin[i] == 1)
+               {
+                       t2[i] = (t2[i] - 1) & mod_q_mask;
+               }
+               else if (Mtrin[i] == 2)
+               {
+                       t2[i] = (t2[i] + 1) & mod_q_mask;
+               }
+       }
+       if (this->params->is_product_form)
+       {
+               t2[i] = (t2[i] + m1) & mod_q_mask;
+       }
+
+       /* allocate memory for the larger of the two seeds */
+       seed1_len = (this->params->N + 3)/4;
+       seed2_len = 3 + 2*this->params->sec_strength_len + this->params->m_len_max;
+       seed = chunk_alloc(max(seed1_len, seed2_len));
+       seed.len = seed1_len;
+
+       /* form cR mod 4 */
+       ntru_coeffs_mod4_2_octets(this->params->N, t2, seed.ptr);
+
+       /* form mask */
+       mask = ntru_trits_create(this->params->N, hash_algid, seed);
+       if (!mask)
+       {
+               DBG1(DBG_LIB, "mask creation failed");
+               success = FALSE;
+               goto err;
+       }
+
+       mask_trits = mask->get_trits(mask);
+
+       /* form cMtrin by subtracting mask from cm', mod p */
+       for (i = 0; i < cmprime_len; i++)
+       {
+               Mtrin[i] -=  mask_trits[i];
+               if (Mtrin[i] >= 3)
+               {
+                       Mtrin[i] += 3;
+               }
+       }
+       mask->destroy(mask);
+
+       if (this->params->is_product_form)
+       {
+               /* set the last trit to zero since that's what it was, and
+                * because it can't be calculated from (cm' - mask) since
+                * we don't have the correct value for the last cm' trit
+                */
+               Mtrin[i] = 0;
+       }
+
+       /* convert cMtrin to cM (Mtrin to Mbin) */
+       if (!ntru_trits_2_bits(Mtrin, this->params->N, M))
+       {
+               success = FALSE;
+               goto err;
+       }
+
+       /* skip the random padding */
+       ptr = M + this->params->sec_strength_len;
+
+       /* validate the padded message cM and copy cm to m_buf */
+       if (this->params->m_len_len == 2)
+       {
+               cm_len = (uint16_t)(*ptr++) << 16;
+       }
+       cm_len |= (uint16_t)(*ptr++);
+
+       if (cm_len > this->params->m_len_max)
+       {
+               cm_len = this->params->m_len_max;
+               DBG1(DBG_LIB, "NTRU message length is larger than maximum length");
+               success = FALSE;
+       }
+       cm = ptr;
+       ptr += cm_len;
+
+       /* check if the remaining padding consists of zeros */
+       num_zeros = this->params->m_len_max - cm_len + 1;
+       for (i = 0; i < num_zeros; i++)
+       {
+               if (ptr[i] != 0)
+               {
+                       DBG1(DBG_LIB, "non-zero trailing padding detected");
+                       success = FALSE;
+                       break;
+               }
+       }
+
+       /* form sData (OID || m || b || hTrunc) */
+       ptr = seed.ptr;
+       memcpy(ptr, this->params->oid, 3);
+       ptr += 3;
+       memcpy(ptr, cm, cm_len);
+       ptr += cm_len;
+       memcpy(ptr, M, this->params->sec_strength_len);
+       ptr += this->params->sec_strength_len;
+       memcpy(ptr, this->encoding.ptr + 2 + NTRU_OID_LEN,
+                  this->params->sec_strength_len);
+       ptr += this->params->sec_strength_len;
+       seed.len = ptr - seed.ptr;
+
+       /* generate cr */
+       DBG2(DBG_LIB, "generate polynomial r");
+       r_poly = ntru_poly_create_from_seed(hash_algid, seed,
+                                               this->params->c_bits, this->params->N,
+                                               this->params->q, this->params->dF_r,
+                                               this->params->dF_r, this->params->is_product_form);
+       if (!r_poly)
+       {
+               success = FALSE;
+               goto err;
+       }
+
+       /* output plaintext in allocated chunk */
+       *plaintext = chunk_clone(chunk_create(cm, cm_len));
+
+       /* form cR' = h * cr */
+       r_poly->ring_mult(r_poly, this->pubkey, t1);
+       r_poly->destroy(r_poly);
+
+       /* compare cR' to cR */
+       for (i = 0; i < this->params->N; i++)
+       {
+               if (t[i] != t2[i])
+               {
+                       DBG1(DBG_LIB, "cR' does not equal cR'");
+                       success = FALSE;
+               }
+       }
+       memwipe(t, t_len);
+
+err:
+       /* cleanup */
+       chunk_clear(&seed);
+       free(t);
+
+       return success;
+}
+
+METHOD(ntru_private_key_t, destroy, void,
+       private_ntru_private_key_t *this)
+{
+       DESTROY_IF(this->privkey);
+       chunk_clear(&this->encoding);
+       free(this->pubkey);
+       free(this);
+}
+
+/**
+ * Multiplies ring element (polynomial) "a" by ring element (polynomial) "b"
+ * to produce ring element (polynomial) "c" in (Z/qZ)[X]/(X^N - 1).
+ * This is a convolution operation.
+ *
+ * Ring element "b" has coefficients in the range [0,N).
+ *
+ * This assumes q is 2^r where 8 < r < 16, so that overflow of the sum
+ * beyond 16 bits does not matter.
+ *
+ * @param a            polynomial a
+ * @param b            polynomial b
+ * @param N            no. of coefficients in a, b, c
+ * @param q            large modulus
+ * @param c            polynomial c = a * b
+ */
+static void ring_mult_c(uint16_t *a, uint16_t *b, uint16_t N, uint16_t q,
+                                           uint16_t *c)
+{
+       uint16_t *bptr = b;
+       uint16_t mod_q_mask = q - 1;
+       int i, k;
+
+       /* c[k] = sum(a[i] * b[k-i]) mod q */
+       memset(c, 0, N * sizeof(uint16_t));
+       for (k = 0; k < N; k++)
+       {
+               i = 0;
+               while (i <= k)
+               {
+                       c[k] += a[i++] * *bptr--;
+               }
+               bptr += N;
+               while (i < N)
+               {
+                       c[k] += a[i++] * *bptr--;
+               }
+               c[k] &= mod_q_mask;
+               ++bptr;
+       }
+}
+
+/**
+ * Finds the inverse of a polynomial a in (Z/2^rZ)[X]/(X^N - 1).
+ *
+ * This assumes q is 2^r where 8 < r < 16, so that operations mod q can
+ * wait until the end, and only 16-bit arrays need to be used.
+ *
+ * @param a                    polynomial a
+ * @param N                    no. of coefficients in a
+ * @param q                    large modulus
+ * @param t                    temporary buffer of size 2N elements
+ * @param a_inv        polynomial for inverse of a
+ */
+static bool ring_inv(uint16_t *a, uint16_t N, uint16_t q, uint16_t *t,
+                                        uint16_t *a_inv)
+{
+       uint8_t *b = (uint8_t *)t;
+       uint8_t *c = b + N;
+       uint8_t *f = c + N;
+       uint8_t *g = (uint8_t *)a_inv;
+       uint16_t *t2 = t + N;
+       uint16_t deg_b, deg_c, deg_f, deg_g;
+    bool done = FALSE;
+    int i, j, k = 0;
+
+       /* form a^-1 in (Z/2Z)[X]/X^N - 1) */
+       memset(b, 0, 2 * N);                                    /* clear to init b, c */
+
+       /* b(X) = 1 */
+       b[0] = 1;
+       deg_b = 0;
+
+       /* c(X) = 0 (cleared above) */
+       deg_c = 0;
+
+       /* f(X) = a(X) mod 2 */
+       for (i = 0; i < N; i++)
+       {
+               f[i] = (uint8_t)(a[i] & 1);
+       }
+       deg_f = N - 1;
+
+       /* g(X) = X^N - 1 */
+       g[0] = 1;
+       memset(g + 1, 0, N - 1);
+       g[N] = 1;
+       deg_g = N;
+
+       /* until f(X) = 1 */
+       while (!done)
+       {
+               /* while f[0] = 0, f(X) /= X, c(X) *= X, k++ */
+               for (i = 0; (i <= deg_f) && (f[i] == 0); ++i);
+
+               if (i > deg_f)
+               {
+                       return FALSE;
+               }
+               if (i)
+               {
+                       f = f + i;
+                       deg_f = deg_f - i;
+                       deg_c = deg_c + i;
+                       for (j = deg_c; j >= i; j--)
+                       {
+                               c[j] = c[j-i];
+                       }
+                       for (j = 0; j < i; j++)
+                       {
+                               c[j] = 0;
+                       }
+                       k = k + i;
+               }
+
+               /* adjust degree of f(X) if the highest coefficients are zero
+                * Note: f[0] = 1 from above so the loop will terminate.
+                */
+               while (f[deg_f] == 0)
+               {
+                       --deg_f;
+               }
+
+               /* if f(X) = 1, done
+                * Note: f[0] = 1 from above, so only check the x term and up
+                */
+               for (i = 1; (i <= deg_f) && (f[i] == 0); ++i);
+
+               if (i > deg_f)
+               {
+                       done = TRUE;
+                       break;
+               }
+
+               /* if deg_f < deg_g, f <-> g, b <-> c */
+               if (deg_f < deg_g)
+               {
+                       uint8_t *x;
+
+                       x = f;
+                       f = g;
+                       g = x;
+                       deg_f ^= deg_g;
+                       deg_g ^= deg_f;
+                       deg_f ^= deg_g;
+                       x = b;
+                       b = c;
+                       c = x;
+                       deg_b ^= deg_c;
+                       deg_c ^= deg_b;
+                       deg_b ^= deg_c;
+               }
+
+               /* f(X) += g(X), b(X) += c(X) */
+               for (i = 0; i <= deg_g; i++)
+               {
+                       f[i] ^= g[i];
+               }
+               if (deg_c > deg_b)
+               {       
+                       deg_b = deg_c;
+               }
+               for (i = 0; i <= deg_c; i++)
+               {
+                       b[i] ^= c[i];
+               }
+       }
+
+       /* a^-1 in (Z/2Z)[X]/(X^N - 1) = b(X) shifted left k coefficients */
+       j = 0;
+       if (k >= N)
+       {
+               k = k - N;
+       }
+       for (i = k; i < N; i++)
+       {
+               a_inv[j++] = (uint16_t)(b[i]);
+       }
+       for (i = 0; i < k; i++)
+       {
+               a_inv[j++] = (uint16_t)(b[i]);
+       }
+
+       /* lift a^-1 in (Z/2Z)[X]/(X^N - 1) to a^-1 in (Z/qZ)[X]/(X^N -1) */
+    for (j = 0; j < 4; ++j)                            /* assumes 256 < q <= 65536 */
+       {
+               /* a^-1 = a^-1 * (2 - a * a^-1) mod q */
+               memcpy(t2, a_inv, N * sizeof(uint16_t));
+               ring_mult_c(a, t2, N, q, t);
+               for (i = 0; i < N; ++i)
+               {
+                       t[i] = q - t[i];
+               }
+               t[0] = t[0] + 2;
+               ring_mult_c(t2, t, N, q, a_inv);
+       }
+       
+       return TRUE;
+}
+
+/*
+ * Described in header.
+ */
+ntru_private_key_t *ntru_private_key_create(ntru_drbg_t *drbg, ntru_param_set_t *params)
+{
+       private_ntru_private_key_t *this;
+       size_t t_len;
+       uint16_t *t1, *t2, *t = NULL;
+       uint16_t mod_q_mask;
+    hash_algorithm_t hash_algid;
+       ntru_poly_t *g_poly;
+       chunk_t seed;
+       int i;
+
+       INIT(this,
+               .public = {
+                       .get_public_key = _get_public_key,
+                       .get_encoding = _get_encoding,
+                       .decrypt = _decrypt,
+                       .destroy = _destroy,
+               },
+               .params = params,
+               .pubkey = malloc(params->N * sizeof(uint16_t)),
+       );
+
+       /* set hash algorithm and seed length based on security strength */
+       if (params->sec_strength_len <= 20)
+       {
+               hash_algid = HASH_SHA1;
+       }
+       else
+       {
+               hash_algid = HASH_SHA256;
+       }
+       seed =chunk_alloc(params->sec_strength_len + 8);
+
+       /* get random seed for generating trinary F as a list of indices */
+       if (!drbg->generate(drbg, params->sec_strength_len * BITS_PER_BYTE,
+                                                         seed.len, seed.ptr))
+       {
+               goto err;
+       }
+
+       DBG2(DBG_LIB, "generate polynomial F");
+       this->privkey = ntru_poly_create_from_seed(hash_algid, seed, params->c_bits,
+                                                                                          params->N, params->q,
+                                                                                          params->dF_r, params->dF_r,
+                                                                                          params->is_product_form);
+       if (!this->privkey)
+       {
+               goto err;
+       }
+
+       /* allocate temporary array t */
+       t_len = 3 * params->N * sizeof(uint16_t);
+       t = malloc(t_len);
+       t1 = t + 2 * params->N;
+
+       /* extend sparse private key polynomial f to N array elements */ 
+       this->privkey->get_array(this->privkey, t1);
+
+       /* set mask for large modulus */
+       mod_q_mask = params->q - 1;
+
+       /* form f = 1 + pF */
+       for (i = 0; i < params->N; i++)
+       {
+               t1[i] = (t1[i] * 3) & mod_q_mask;
+       }
+       t1[0] = (t1[0] + 1) & mod_q_mask;
+
+       /* use the public key array as a temporary buffer */
+       t2 = this->pubkey;
+       /* find f^-1 in (Z/qZ)[X]/(X^N - 1) */
+       if (!ring_inv(t1, params->N, params->q, t, t2))
+       {
+               goto err;
+       }
+
+       /* get random seed for generating trinary g as a list of indices */
+       if (!drbg->generate(drbg, params->sec_strength_len * BITS_PER_BYTE,
+                                                         seed.len, seed.ptr))
+       {
+               goto err;
+       }
+
+       DBG2(DBG_LIB, "generate polynomial g");
+       g_poly = ntru_poly_create_from_seed(hash_algid, seed, params->c_bits,
+                                                                               params->N, params->q, params->dg + 1,
+                                                                               params->dg, FALSE);
+       if (!g_poly)
+       {
+               goto err;
+       }
+
+       /* compute public key polynomial h = p * (f^-1 * g) mod q */
+       g_poly->ring_mult(g_poly, t2, t2);
+       g_poly->destroy(g_poly);
+
+       for (i = 0; i < params->N; i++)
+       {
+               this->pubkey[i] = (t2[i] * 3) & mod_q_mask;
+       }
+
+       /* cleanup temporary storage */
+       chunk_clear(&seed);
+       memwipe(t, t_len);
+       free(t);
+       
+       /* generate private key encoding */
+       generate_encoding(this);
+
+       return &this->public;
+
+err:
+       chunk_free(&seed);
+       free(t);
+       destroy(this);
+
+       return NULL;
+}
+
+EXPORT_FUNCTION_FOR_TESTS(ntru, ntru_private_key_create);
diff --git a/src/libstrongswan/plugins/ntru/ntru_private_key.h b/src/libstrongswan/plugins/ntru/ntru_private_key.h
new file mode 100644 (file)
index 0000000..ded4be4
--- /dev/null
@@ -0,0 +1,78 @@
+/*
+ * Copyright (C) 2014 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ntru_private_key ntru_private_key
+ * @{ @ingroup ntru_p
+ */
+
+#ifndef NTRU_PRIVATE_KEY_H_
+#define NTRU_PRIVATE_KEY_H_
+
+typedef struct ntru_private_key_t ntru_private_key_t;
+
+#include "ntru_drbg.h"
+#include "ntru_param_set.h"
+#include "ntru_public_key.h"
+
+#include <library.h>
+
+/**
+ * Implements an NTRU encryption public/private key pair
+ */
+struct ntru_private_key_t {
+
+
+       /**
+        * Returns the NTRU encryption public key as an encoded binary blob
+        *
+        * @return                              NTRU encryption public key (must be freed after use)
+        */
+       ntru_public_key_t* (*get_public_key)(ntru_private_key_t *this);
+
+       /**
+        * Returns the packed encoding of the NTRU encryption private key
+        *
+        * @return                              Packed encoding of NTRU encryption private key
+        */
+       chunk_t (*get_encoding)(ntru_private_key_t *this);
+
+       /**
+        * Decrypts an NTRU ciphertext
+        *
+        * @param ciphertext    NTRU Ciphertext
+        * @param plaintext             Plaintext
+        * @return                              TRUE if decryption was successful
+        */
+       bool (*decrypt)(ntru_private_key_t *this, chunk_t ciphertext,
+                                       chunk_t *plaintext);
+
+       /**
+        * Destroy ntru_private_key_t object
+        */
+       void (*destroy)(ntru_private_key_t *this);
+};
+
+/**
+ * Creates an NTRU encryption public/private key pair using a NIST DRBG
+ *
+ * @param drbg                 Digital Random Bit Generator used for key generation
+ * @param params               NTRU encryption parameter set to be used
+ */
+ntru_private_key_t *ntru_private_key_create(ntru_drbg_t *drbg, ntru_param_set_t *params);
+
+
+#endif /** NTRU_PRIVATE_KEY_H_ @}*/
+
diff --git a/src/libstrongswan/plugins/ntru/ntru_public_key.c b/src/libstrongswan/plugins/ntru/ntru_public_key.c
new file mode 100644 (file)
index 0000000..6974b76
--- /dev/null
@@ -0,0 +1,110 @@
+/*
+ * Copyright (C) 2014 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * Copyright (C) 2009-2013  Security Innovation
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "ntru_public_key.h"
+
+#include "ntru_crypto/ntru_crypto_ntru_convert.h"
+
+#include <utils/debug.h>
+
+typedef struct private_ntru_public_key_t private_ntru_public_key_t;
+
+/**
+ * Private data of an ntru_public_key_t object.
+ */
+struct private_ntru_public_key_t {
+       /**
+        * Public ntru_public_key_t interface.
+        */
+       ntru_public_key_t public;
+
+       /**
+        * NTRU Parameter Set
+        */
+       ntru_param_set_t *params;
+
+       /**
+        * Polynomial h which is the public key
+        */
+       uint16_t *pubkey;
+
+       /**
+        * Encoding of the public key
+        */
+       chunk_t encoding;
+
+};
+
+METHOD(ntru_public_key_t, get_encoding, chunk_t,
+       private_ntru_public_key_t *this)
+{
+       if (!this->encoding.len)
+       {
+               size_t pubkey_len;
+               u_char *enc;
+
+               /* compute public key length encoded as packed coefficients */
+               pubkey_len =  (this->params->N * this->params->q_bits + 7) / 8;
+
+               /* allocate memory for public key encoding */
+               this->encoding = chunk_alloc(2 + NTRU_OID_LEN + pubkey_len);
+               enc = this->encoding.ptr;
+
+               /* format header and packed public key */
+               *enc++ = NTRU_PUBKEY_TAG;
+               *enc++ = NTRU_OID_LEN;
+               memcpy(enc, this->params->oid, NTRU_OID_LEN);
+               enc += NTRU_OID_LEN;
+               ntru_elements_2_octets(this->params->N, this->pubkey,
+                                                          this->params->q_bits, enc);
+       }
+       return this->encoding;
+}
+
+METHOD(ntru_public_key_t, destroy, void,
+       private_ntru_public_key_t *this)
+{
+       chunk_clear(&this->encoding);
+       free(this->pubkey);
+       free(this);
+}
+
+/*
+ * Described in header.
+ */
+ntru_public_key_t *ntru_public_key_create(ntru_param_set_t *params,
+                                                                                 uint16_t *pubkey)
+{
+       private_ntru_public_key_t *this;
+       int i;
+
+       INIT(this,
+               .public = {
+                       .get_encoding = _get_encoding,
+                       .destroy = _destroy,
+               },
+               .params = params,
+               .pubkey = malloc(params->N * sizeof(uint16_t)),
+       );
+
+       for (i = 0; i < params->N; i++)
+       {
+               this->pubkey[i] = pubkey[i];
+       }
+
+       return &this->public;
+}
diff --git a/src/libstrongswan/plugins/ntru/ntru_public_key.h b/src/libstrongswan/plugins/ntru/ntru_public_key.h
new file mode 100644 (file)
index 0000000..2fd5f64
--- /dev/null
@@ -0,0 +1,59 @@
+/*
+ * Copyright (C) 2014 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ntru_public_key ntru_public_key
+ * @{ @ingroup ntru_p
+ */
+
+#ifndef NTRU_PUBLIC_KEY_H_
+#define NTRU_PUBLIC_KEY_H_
+
+typedef struct ntru_public_key_t ntru_public_key_t;
+
+#include "ntru_param_set.h"
+
+#include <library.h>
+
+/**
+ * Implements an NTRU encryption public key
+ */
+struct ntru_public_key_t {
+
+       /**
+        * Returns the packed encoding of the NTRU encryption public key
+        *
+        * @return                      Packed encoding of NTRU encryption public key
+        */
+       chunk_t (*get_encoding)(ntru_public_key_t *this);
+
+       /**
+        * Destroy ntru_public_key_t object
+        */
+       void (*destroy)(ntru_public_key_t *this);
+};
+
+/**
+ * Creates an NTRU encryption public key
+ *
+ * @param params               NTRU encryption parameter set to be used
+ * @param pubkey               Coefficients of public key polynomial h
+ */
+ntru_public_key_t *ntru_public_key_create(ntru_param_set_t *params,
+                                                                                 uint16_t *pubkey);
+
+
+#endif /** NTRU_PUBLIC_KEY_H_ @}*/
+
index a46f574..3204c89 100644 (file)
@@ -20,6 +20,8 @@
 #include <plugins/ntru/ntru_mgf1.h>
 #include <plugins/ntru/ntru_trits.h>
 #include <plugins/ntru/ntru_poly.h>
+#include <plugins/ntru/ntru_param_set.h>
+#include <plugins/ntru/ntru_private_key.h>
 #include <utils/test.h>
 
 IMPORT_FUNCTION_FOR_TESTS(ntru, ntru_drbg_create, ntru_drbg_t*,
@@ -41,6 +43,12 @@ IMPORT_FUNCTION_FOR_TESTS(ntru, ntru_poly_create_from_data, ntru_poly_t*,
                                                  uint32_t indices_len_p, uint32_t indices_len_m,
                                                  bool is_product_form)
 
+IMPORT_FUNCTION_FOR_TESTS(ntru, ntru_param_set_get_by_id,  ntru_param_set_t* ,
+                                                 ntru_param_set_id_t id)
+
+IMPORT_FUNCTION_FOR_TESTS(ntru, ntru_private_key_create, ntru_private_key_t*,
+                                                 ntru_drbg_t *drbg, ntru_param_set_t *params)
+
 /**
  * NTRU parameter sets to test
  */
@@ -793,62 +801,349 @@ START_TEST(test_ntru_array)
 }
 END_TEST
 
+START_TEST(test_ntru_param_set)
+{
+       ck_assert(ntru_param_set_get_by_id(-1) == NULL);
+       ck_assert(ntru_param_set_get_by_id(16) == NULL);
+}
+END_TEST
+
+typedef struct {
+       ntru_param_set_id_t id;
+       chunk_t entropy;
+       chunk_t encoding;
+} privkey_test_t;
+
+privkey_test_t privkey_tests[] = {
+       {
+               NTRU_EES401EP1,
+               chunk_from_chars(
+                                               0x0C, 0x2F, 0x24, 0xE1, 0xA4, 0x81, 0x26, 0xA2,
+                                               0x6C, 0xEA, 0xCD, 0x1A, 0xF3, 0xEB, 0x3D, 0xBF,
+                                               0xEA, 0xAE, 0xC3, 0x0D, 0xC1),
+               chunk_from_chars(
+                                               0x02, 0x03, 0x00, 0x02, 0x04, 0x3E, 0xF3, 0xCB,
+                                               0x7A, 0x58, 0x13, 0x75, 0xBB, 0x87, 0xF5, 0xBF,
+                                               0x2E, 0x18, 0xAE, 0x03, 0xAF, 0xB8, 0x33, 0x85,
+                                               0xD8, 0xBF, 0x8A, 0xB5, 0x8C, 0xA6, 0xDF, 0x03,
+                                               0x90, 0x1E, 0xE4, 0x83, 0xA4, 0x95, 0x40, 0xB5,
+                                               0x08, 0x92, 0x29, 0xD8, 0x83, 0xA8, 0x42, 0xB2,
+                                               0x69, 0xC2, 0x00, 0x8B, 0xAE, 0x80, 0x00, 0x4F,
+                                               0x3D, 0xDD, 0xFB, 0xDB, 0x9A, 0xD8, 0x0F, 0xFF,
+                                               0xBC, 0x21, 0xD5, 0xE6, 0x04, 0x9C, 0xDD, 0x3B,
+                                               0x2D, 0x16, 0x4B, 0xC7, 0x3D, 0xBE, 0xDE, 0xBB,
+                                               0x6F, 0xF4, 0x8A, 0x31, 0xCD, 0x23, 0x19, 0xC2,
+                                               0x3C, 0xE1, 0xE2, 0xEE, 0xE4, 0xE7, 0x2E, 0xFC,
+                                               0x5C, 0xDD, 0xAD, 0x0C, 0x9D, 0x98, 0xC5, 0x18,
+                                               0x2A, 0x80, 0x21, 0x93, 0x61, 0xC4, 0x9A, 0x16,
+                                               0xE8, 0x9B, 0xF7, 0x3B, 0x6D, 0x06, 0x91, 0x9E,
+                                               0x71, 0x59, 0xBE, 0x8E, 0x65, 0x61, 0xB2, 0x69,
+                                               0x9C, 0x82, 0x58, 0x0D, 0x63, 0x7A, 0x1F, 0x2A,
+                                               0x1C, 0x2C, 0x92, 0x8C, 0x8D, 0xCA, 0x2B, 0x45,
+                                               0x24, 0x79, 0xDB, 0x7F, 0x1D, 0x2F, 0xAB, 0x88,
+                                               0x8C, 0x1D, 0xE3, 0x15, 0x8F, 0xCD, 0x46, 0x8C,
+                                               0x45, 0x20, 0x88, 0x1C, 0x17, 0xE0, 0xE5, 0x89,
+                                               0xF4, 0x60, 0x56, 0x3C, 0x6B, 0x9F, 0x2A, 0xD9,
+                                               0xD0, 0xAE, 0x3B, 0xB6, 0xC2, 0xB7, 0x58, 0xC6,
+                                               0x6E, 0x09, 0x36, 0x21, 0x0B, 0xDD, 0xE9, 0x52,
+                                               0x33, 0x27, 0x39, 0xC8, 0x51, 0x59, 0x69, 0x25,
+                                               0xC6, 0x3D, 0x19, 0x5C, 0x5E, 0x74, 0xD0, 0x62,
+                                               0xD9, 0x26, 0x90, 0xC7, 0x64, 0x92, 0xA8, 0x72,
+                                               0xD1, 0x77, 0x1F, 0x78, 0xC5, 0x11, 0xBD, 0x5D,
+                                               0x3C, 0x1B, 0x1F, 0x8B, 0x5B, 0xE4, 0x5D, 0xA1,
+                                               0x27, 0x6D, 0x20, 0x24, 0x32, 0x53, 0xF3, 0xB0,
+                                               0xE6, 0x71, 0x61, 0xCC, 0xFC, 0x4A, 0x06, 0xDA,
+                                               0xBE, 0xD7, 0x9F, 0x2F, 0xEB, 0x44, 0xD0, 0x8A,
+                                               0x7D, 0x8E, 0x82, 0xF5, 0x84, 0xCF, 0x8E, 0xE5,
+                                               0x4B, 0xA4, 0x30, 0x77, 0xBD, 0x14, 0xB9, 0x75,
+                                               0x02, 0x68, 0xDF, 0x71, 0x89, 0x81, 0xF2, 0x95,
+                                               0xC3, 0x67, 0x6E, 0x37, 0xE4, 0xD0, 0xC9, 0x1E,
+                                               0x02, 0xDE, 0x2D, 0x79, 0x99, 0xE8, 0x7D, 0x5C,
+                                               0x99, 0xF2, 0x1A, 0xDE, 0x12, 0x9B, 0xD1, 0x83,
+                                               0x9B, 0x01, 0xD3, 0xEB, 0x2B, 0x8E, 0x9C, 0xA5,
+                                               0x19, 0xE8, 0x2E, 0xFE, 0x23, 0x6E, 0xAD, 0x8F,
+                                               0x3C, 0xAF, 0xB9, 0xE6, 0xDB, 0x07, 0xA4, 0x31,
+                                               0x02, 0x2B, 0x6A, 0xA0, 0xFB, 0x51, 0x6C, 0xD0,
+                                               0x26, 0xD5, 0xAD, 0x29, 0x65, 0x10, 0xCE, 0xF8,
+                                               0x84, 0x4D, 0x1E, 0x37, 0x92, 0xA2, 0xD1, 0xFA,
+                                               0xF6, 0xC0, 0x36, 0x4C, 0x23, 0x3A, 0x42, 0xAA,
+                                               0xB8, 0x0D, 0x4E, 0xD4, 0x40, 0x61, 0xD5, 0x36,
+                                               0x62, 0x23, 0x7C, 0x1C, 0x5E, 0xEA, 0x16, 0xAD,
+                                               0x4F, 0x30, 0xF9, 0x16, 0x99, 0xCE, 0xC5, 0x50,
+                                               0xAC, 0x8F, 0x6F, 0x98, 0xD7, 0xE3, 0x89, 0x6E,
+                                               0x3A, 0x12, 0xCE, 0xA7, 0xA4, 0x17, 0x74, 0xDC,
+                                               0xDB, 0xFA, 0xFF, 0xF9, 0x35, 0xD7, 0xF5, 0x77,
+                                               0x03, 0xF5, 0xBF, 0x81, 0x6C, 0x9F, 0x62, 0xA6,
+                                               0x8A, 0x5B, 0xA3, 0xEF, 0x9D, 0xC3, 0xF6, 0x3A,
+                                               0x6A, 0xC0, 0x42, 0x71, 0xAF, 0x90, 0xCA, 0x1D,
+                                               0x86, 0x78, 0xD7, 0x2C, 0xFE, 0xB6, 0x99, 0x15,
+                                               0x8C, 0x10, 0x42, 0x92, 0x2C, 0x05, 0x43, 0x92,
+                                               0x69, 0x05, 0x8D, 0x9E, 0xBC, 0xAB, 0x8F, 0x28,
+                                               0xAA, 0x4B, 0xFB, 0x25, 0xD9, 0xAD, 0x29, 0xFF,
+                                               0x33, 0x65, 0x14, 0xC3, 0x75, 0x1F, 0xCF, 0xFC,
+                                               0x20, 0x83, 0xBF, 0xB9, 0xA5, 0x4B, 0x7B, 0xD9,
+                                               0x07, 0x5C, 0xA1, 0xD1, 0x5A, 0x3E, 0x94, 0xF8,
+                                               0x03, 0xDE, 0xB8, 0x94, 0x11, 0x92, 0x80, 0x77,
+                                               0x57, 0x45, 0x1E, 0x6B, 0xA5, 0x15, 0xDB, 0x48,
+                                               0xB6, 0x9E, 0x02, 0xF1, 0x61, 0x4A, 0xAC, 0x1D,
+                                               0x49, 0xBC, 0xA9, 0x3F, 0x03, 0x50, 0xAC, 0x02,
+                                               0x8E, 0x84, 0xE0, 0x12, 0x37, 0x76, 0xBC, 0x4A,
+                                               0xF9, 0xC6, 0x74, 0x36, 0xFC, 0x92, 0x1D, 0x59,
+                                               0x0C, 0x04, 0xD2, 0x14, 0xB7, 0x11, 0xE9, 0xE2,
+                                               0xFE, 0x0C, 0xE1, 0xDA, 0x8B, 0xCA, 0x10, 0xA1,
+                                               0x60, 0xB6, 0x57, 0x51, 0x00, 0xD6, 0x5B, 0x55,
+                                               0x09, 0x60, 0xE8, 0x00, 0x40, 0x45, 0x56, 0xBA,
+                                               0x83, 0x1E, 0x36, 0x12, 0x59, 0x4B, 0x19, 0x00,
+                                               0x53, 0xAE, 0x62, 0xA6, 0x29, 0x39, 0xED, 0x87,
+                                               0x24, 0x37, 0x1E, 0x1B, 0xCF, 0x3F, 0x3A, 0x71,
+                                               0x31, 0xB5, 0x50, 0x8D, 0x4B, 0x53, 0x53, 0x75,
+                                               0x3F, 0x33, 0x39, 0x09, 0x2A, 0x78, 0xA8, 0x71,
+                                               0x3E, 0x63, 0xC5, 0x61, 0x73, 0xB6, 0xE1, 0x71,
+                                               0x16, 0xDA, 0x06, 0xBF, 0x3F, 0x22, 0x74, 0x89,
+                                               0x08, 0xD2, 0x05, 0x0B, 0x16, 0xC8, 0xF0, 0x17,
+                                               0x4E, 0xA2, 0x65, 0x67, 0x6D, 0x02)
+       },
+       {
+               NTRU_EES743EP1,
+               chunk_from_chars(
+                                               0x9B, 0xAB, 0x57, 0xDB, 0x2C, 0x60, 0x83, 0x48,
+                                               0x9F, 0xC9, 0x70, 0x8F, 0x69, 0xF7, 0xB4, 0xBB,
+                                               0x63, 0x5C, 0x9A, 0x63, 0x07, 0x80, 0x17, 0xD3,
+                                               0xCD, 0xB1, 0x57, 0x79, 0xFE, 0x8D, 0x81, 0x70,
+                                               0xEB, 0x50, 0xFA, 0x05, 0xFB, 0x97, 0xB2, 0xAB,
+                                               0x25, 0xED, 0xD8, 0x18, 0x1C, 0xFE, 0x96, 0x7D),
+               chunk_from_chars(
+                                               0x02, 0x03, 0x00, 0x06, 0x10, 0x14, 0x53, 0x73,
+                                               0x56, 0xF5, 0xA9, 0x34, 0xDE, 0xA6, 0x4D, 0x46,
+                                               0x05, 0x9E, 0x80, 0xAE, 0xB6, 0x74, 0x91, 0xFF,
+                                               0xFB, 0x48, 0xD3, 0x5C, 0x61, 0x12, 0x46, 0x02,
+                                               0x9F, 0x53, 0x45, 0x87, 0x47, 0xBD, 0x6B, 0x26,
+                                               0xF7, 0x36, 0xD3, 0x99, 0x1B, 0xD7, 0xEA, 0xA3,
+                                               0xA8, 0x94, 0xFF, 0x93, 0x46, 0x7C, 0x2C, 0x5F,
+                                               0x87, 0x8C, 0x38, 0xB3, 0x7B, 0xC6, 0x49, 0xE2,
+                                               0x88, 0xCA, 0x67, 0x89, 0xD0, 0x6D, 0x7C, 0xAE,
+                                               0x7C, 0x98, 0x84, 0xDA, 0x6B, 0x93, 0x92, 0xEF,
+                                               0x4A, 0xD1, 0x4A, 0xD2, 0x5B, 0x13, 0xF8, 0x59,
+                                               0x15, 0x2E, 0xBC, 0x70, 0x8D, 0x2D, 0xA9, 0x47,
+                                               0xA1, 0x99, 0x19, 0x3F, 0x67, 0xE8, 0x18, 0xA7,
+                                               0x17, 0x07, 0xB3, 0x14, 0xF6, 0x20, 0xA1, 0xD8,
+                                               0x33, 0xE8, 0x08, 0x6A, 0xC1, 0x39, 0x99, 0x08,
+                                               0xB4, 0x88, 0xEB, 0x48, 0x7D, 0xFB, 0xF5, 0xEF,
+                                               0x03, 0x0D, 0x25, 0xB7, 0x98, 0xF3, 0xF1, 0x15,
+                                               0x63, 0xE4, 0x0F, 0xFD, 0x54, 0x9F, 0x56, 0xE9,
+                                               0xD1, 0x44, 0xE5, 0x89, 0x66, 0x14, 0x91, 0x1C,
+                                               0xFD, 0xD6, 0xFD, 0x38, 0xAE, 0x39, 0xE3, 0xF7,
+                                               0xCD, 0x77, 0xC2, 0xEA, 0x2E, 0xE4, 0xB7, 0x2B,
+                                               0xBA, 0x7A, 0xD1, 0x75, 0xB8, 0x28, 0x65, 0x18,
+                                               0xF4, 0xC6, 0xBD, 0xD0, 0x17, 0x7E, 0xEA, 0x86,
+                                               0x7E, 0xFC, 0x95, 0xD6, 0x4C, 0x92, 0x01, 0xC3,
+                                               0xFF, 0x04, 0x9B, 0xF8, 0xD6, 0xB3, 0x8F, 0x72,
+                                               0xEF, 0x64, 0x09, 0x61, 0xF8, 0xE4, 0x48, 0xFC,
+                                               0x0D, 0xEE, 0xEF, 0xA2, 0x9F, 0x3A, 0x2B, 0x1A,
+                                               0xFB, 0x8B, 0xA0, 0x9C, 0x11, 0x0B, 0x97, 0x75,
+                                               0x30, 0x7C, 0xB8, 0x9F, 0xEE, 0x3B, 0x53, 0x85,
+                                               0x7D, 0xE9, 0xCB, 0xC4, 0x4D, 0xD7, 0x7F, 0x59,
+                                               0x10, 0x72, 0x19, 0x3A, 0xC9, 0x38, 0xFE, 0xE8,
+                                               0xB3, 0x06, 0x55, 0x8D, 0xA2, 0x5A, 0x3D, 0x79,
+                                               0x67, 0x0E, 0x90, 0xC9, 0x25, 0x6D, 0x45, 0x9C,
+                                               0x39, 0x79, 0x5F, 0x18, 0x35, 0x9F, 0xC1, 0x49,
+                                               0x08, 0x6F, 0x1C, 0x47, 0x09, 0x0D, 0x49, 0x7C,
+                                               0x3C, 0x7B, 0xB1, 0x09, 0x92, 0x1C, 0x4E, 0x5A,
+                                               0xDA, 0x74, 0x9E, 0xBB, 0x55, 0x9D, 0xBB, 0x1E,
+                                               0x43, 0x28, 0x62, 0xAF, 0x02, 0xB0, 0x1A, 0xEA,
+                                               0x13, 0x0A, 0x70, 0x0F, 0x60, 0x0F, 0x62, 0xA2,
+                                               0x4E, 0x1F, 0xB2, 0xEA, 0x06, 0xDD, 0x18, 0x02,
+                                               0x6C, 0xF3, 0x82, 0xF1, 0x80, 0x7F, 0xA7, 0x2F,
+                                               0xCC, 0xC6, 0x18, 0xEA, 0xFF, 0x1F, 0xAD, 0xC6,
+                                               0xBA, 0x0C, 0x0E, 0x04, 0xB2, 0x58, 0x1D, 0xB6,
+                                               0x01, 0xA3, 0x97, 0xDF, 0x7D, 0x9B, 0xB5, 0x0A,
+                                               0xAD, 0x30, 0x2B, 0xC5, 0x67, 0x40, 0x07, 0xF1,
+                                               0xD5, 0x6C, 0x11, 0x10, 0xE1, 0x69, 0x30, 0xAD,
+                                               0x90, 0x06, 0xDB, 0xF8, 0xEA, 0x92, 0x9B, 0x39,
+                                               0x57, 0x38, 0x7B, 0xE4, 0xB2, 0xA2, 0x89, 0xFD,
+                                               0xB1, 0x6D, 0x88, 0x41, 0x62, 0x4D, 0x18, 0xB6,
+                                               0x3F, 0x12, 0x81, 0xDE, 0xE6, 0xDC, 0x4A, 0x31,
+                                               0x61, 0x26, 0xB1, 0x4B, 0x95, 0xC1, 0x69, 0xDC,
+                                               0xDC, 0xAC, 0xD0, 0x15, 0xFC, 0x21, 0xC5, 0x20, 
+                                               0x5F, 0x97, 0x76, 0x41, 0xC1, 0xF2, 0xD7, 0x95,
+                                               0x1D, 0x25, 0x23, 0x36, 0x86, 0xFA, 0x7E, 0xF4,
+                                               0x14, 0x9F, 0x9D, 0x9F, 0xB2, 0xBB, 0x25, 0x1D,
+                                               0xD5, 0x7A, 0x6F, 0x9E, 0xF7, 0xEF, 0x9D, 0x63,
+                                               0x1E, 0xD5, 0xDE, 0x6A, 0xE6, 0x46, 0x48, 0x1F,
+                                               0xE1, 0x0C, 0x4D, 0x82, 0xC9, 0x19, 0x3B, 0x65,
+                                               0xA4, 0x06, 0x13, 0xB7, 0x04, 0xB1, 0x62, 0xF7,
+                                               0x08, 0xAE, 0xED, 0x42, 0x6D, 0xCC, 0x6C, 0xA6,
+                                               0x06, 0x06, 0x41, 0x3E, 0x0C, 0x89, 0x4C, 0xBD,
+                                               0x00, 0x4F, 0x0E, 0xA9, 0x72, 0x06, 0x21, 0x82,
+                                               0xD2, 0xB6, 0x6C, 0xB0, 0xB0, 0x01, 0x5B, 0xDD,
+                                               0x05, 0xCE, 0x71, 0x6E, 0x00, 0x58, 0xC7, 0xA6,
+                                               0x5B, 0xF6, 0xFB, 0x6B, 0x62, 0xB1, 0xE8, 0x4D,
+                                               0xAC, 0xC0, 0x6B, 0xF4, 0x40, 0x69, 0xEE, 0x0D,
+                                               0xE7, 0x82, 0x61, 0x8D, 0x35, 0x01, 0x97, 0x4E,
+                                               0xF2, 0xCC, 0xF5, 0x7F, 0xBF, 0xE4, 0xEC, 0x9C,
+                                               0xC4, 0xD2, 0xD9, 0x65, 0x78, 0x98, 0xD8, 0xB0,
+                                               0xFA, 0xA8, 0xFB, 0xB0, 0xCE, 0x22, 0x5D, 0x0B,
+                                               0x27, 0xDF, 0x0E, 0x63, 0x42, 0xFE, 0x89, 0x13,
+                                               0x99, 0xB2, 0x02, 0x0B, 0xF6, 0x04, 0xB6, 0xAF,
+                                               0x9F, 0x8C, 0xA6, 0x17, 0x0D, 0xD9, 0x5B, 0x45,
+                                               0xE4, 0x08, 0x53, 0x51, 0xE0, 0xD5, 0x22, 0x72,
+                                               0xBE, 0xAD, 0x74, 0x69, 0xB9, 0xFB, 0x91, 0xF8,
+                                               0xC1, 0x89, 0x28, 0x71, 0x27, 0x62, 0xB1, 0xF0,
+                                               0xFD, 0x78, 0xBC, 0x82, 0xFE, 0x76, 0xBE, 0x7B,
+                                               0x47, 0x79, 0x32, 0x71, 0xAD, 0xD6, 0x76, 0x46,
+                                               0xFB, 0x32, 0xE8, 0x4B, 0x98, 0x9A, 0xC6, 0x85,
+                                               0xF2, 0xF1, 0x8A, 0xEC, 0xC2, 0x4E, 0x9B, 0x2F,
+                                               0x2D, 0x6F, 0xC9, 0x9B, 0xB6, 0x14, 0x35, 0x6D,
+                                               0xD6, 0x5B, 0xF3, 0x02, 0x5A, 0xE5, 0xBD, 0x00,
+                                               0xF7, 0x6E, 0x51, 0xA7, 0xDB, 0x19, 0xAE, 0x01,
+                                               0x01, 0x05, 0x94, 0x23, 0xF7, 0x5B, 0x07, 0x79,
+                                               0xFF, 0x39, 0x58, 0x9C, 0x2A, 0xF7, 0x7E, 0x5D,
+                                               0x81, 0xF9, 0x59, 0xFE, 0xB9, 0x9A, 0x96, 0x63,
+                                               0x1F, 0x65, 0xF6, 0xF0, 0x3D, 0xEA, 0xD7, 0xC2,
+                                               0x8A, 0xCF, 0xB5, 0x58, 0x74, 0x77, 0x23, 0xD6,
+                                               0x72, 0x58, 0xA8, 0xAE, 0x31, 0x8A, 0x59, 0xEA,
+                                               0x69, 0x14, 0x6A, 0x20, 0x78, 0x79, 0x28, 0x5A,
+                                               0xE1, 0x76, 0x6F, 0xA6, 0x1A, 0x9E, 0x47, 0xD2,
+                                               0xAF, 0x63, 0xF8, 0x06, 0xF6, 0xD8, 0xD5, 0x14,
+                                               0xA8, 0xD1, 0xEE, 0x96, 0xCE, 0xBB, 0x8E, 0x22,
+                                               0x69, 0x2F, 0x52, 0x06, 0xB6, 0x6F, 0xC8, 0x99,
+                                               0x96, 0xEA, 0xC6, 0x1D, 0x96, 0x4C, 0x69, 0x95,
+                                               0xFE, 0x74, 0x04, 0x3C, 0x55, 0xD9, 0x5F, 0xE0,
+                                               0x41, 0x21, 0x43, 0x21, 0x5A, 0x50, 0x5D, 0x8B,
+                                               0xE8, 0xB2, 0x51, 0x1B, 0x7C, 0x63, 0x50, 0xAE,
+                                               0x97, 0x4F, 0xBA, 0x7D, 0xF2, 0xB6, 0xB6, 0x16,
+                                               0x1D, 0x47, 0x9E, 0x19, 0x68, 0xD4, 0x6B, 0x2B,
+                                               0x75, 0xCD, 0xAE, 0x65, 0x33, 0x38, 0xF6, 0x6D,
+                                               0xC7, 0x3E, 0x46, 0x98, 0x9E, 0x98, 0x8B, 0x45,
+                                               0x11, 0xA7, 0x12, 0x05, 0xB0, 0x01, 0xC3, 0x51,
+                                               0xA0, 0xEE, 0x7C, 0x16, 0xD1, 0x42, 0x96, 0xC4,
+                                               0xF0, 0x7B, 0x71, 0xCD, 0x50, 0x38, 0xA4, 0xB0,
+                                               0x6E, 0x6F, 0xE0, 0xBD, 0xC4, 0xF7, 0x96, 0x2B,
+                                               0xF1, 0x6D, 0x9F, 0xF3, 0x71, 0x89, 0xFA, 0xB4,
+                                               0x44, 0xA4, 0x32, 0xDC, 0xB2, 0x55, 0x13, 0x31,
+                                               0x83, 0x29, 0x66, 0x21, 0x3E, 0x89, 0xF8, 0x78,
+                                               0x97, 0x9C, 0x64, 0xF9, 0x2C, 0x0A, 0x88, 0xBC,
+                                               0xCA, 0x6F, 0x83, 0x42, 0xF6, 0xD7, 0x00, 0xC4,
+                                               0x19, 0x52, 0xB0, 0x31, 0xA8, 0xBA, 0xE8, 0xD4,
+                                               0xAD, 0x4B, 0x5D, 0xC0, 0x01, 0x20, 0x6C, 0xBB,
+                                               0x1D, 0x9A, 0x1D, 0xD4, 0x19, 0xFD, 0x33, 0xAB,
+                                               0xA0, 0x54, 0x50, 0x91, 0xE9, 0x75, 0x5C, 0x7E,
+                                               0x7E, 0xB3, 0x24, 0x79, 0xAE, 0x10, 0x3C, 0xB4,
+                                               0xB7, 0x0A, 0x1D, 0x86, 0xAD, 0x06, 0x95, 0xCB,
+                                               0x84, 0x9B, 0x0E, 0x8B, 0x77, 0x7E, 0x3E, 0xD2,
+                                               0xA6, 0xDF, 0xAD, 0x4E, 0xFB, 0x69, 0x23, 0xAC,
+                                               0x7A, 0xCB, 0xAA, 0xB0, 0x22, 0xDD, 0xD2, 0xC6,
+                                               0xC7, 0xAD, 0xD7, 0xDE, 0xEC, 0x6F, 0x08, 0x41,
+                                               0x54, 0xD5, 0x52, 0xDC, 0x77, 0xE4, 0x72, 0xF9,
+                                               0x16, 0xB1, 0xC9, 0xAF, 0xB1, 0x3B, 0x18, 0x99,
+                                               0x20, 0x9F, 0x79, 0x63, 0x7B, 0x07, 0xC7, 0x35,
+                                               0xDF, 0xBB, 0xCE, 0x66, 0x93, 0x1B, 0xF5, 0x82,
+                                               0x25, 0x67, 0xC1, 0xF2, 0xF0, 0x89, 0x0F, 0xEF,
+                                               0x84, 0x0D, 0x63, 0xB6, 0x7B, 0xD0, 0x40, 0x8E,
+                                               0xDB, 0x94, 0xCC, 0x71, 0x3C, 0xDB, 0x36, 0x14,
+                                               0x34, 0xFD, 0xA0, 0xB0, 0xC1, 0x45, 0x31, 0xF8,
+                                               0x8D, 0xD8, 0x23, 0xB1, 0x05, 0x14, 0xA9, 0x55,
+                                               0x3A, 0x1A, 0x37, 0x48, 0x68, 0x89, 0x3F, 0x15,
+                                               0x25, 0xD4, 0x99, 0x53, 0x4C, 0x85, 0x98, 0x78,
+                                               0x1D, 0x35, 0x4A, 0x83, 0x79, 0x9A, 0x29, 0x90,
+                                               0x2B, 0x45, 0x76, 0x0C, 0x13, 0x80, 0x4A, 0xE0,
+                                               0x40, 0xED, 0x6B, 0x2E, 0x2A, 0x43, 0xA9, 0x28,
+                                               0xB0, 0x2F, 0x89, 0x01, 0x6B, 0x39, 0x8C, 0x5E,
+                                               0x80, 0x61, 0xD9, 0xEE, 0x0F, 0x41, 0x75, 0xB5,
+                                               0xAE, 0xB6, 0xC2, 0x42, 0x49, 0x8D, 0x89, 0xD8,
+                                               0xF4, 0x78, 0x1D, 0x90, 0x46, 0x26, 0x4C, 0x56,
+                                               0xB7, 0xC0, 0xD9, 0x98, 0x7B, 0x07, 0xA1, 0x20)
+       }
+};
+
+START_TEST(test_ntru_privkey)
+{
+       rng_t *entropy;
+       ntru_drbg_t *drbg;
+       ntru_private_key_t *privkey;
+       ntru_public_key_t *pubkey;
+       ntru_param_set_t *params;
+       uint32_t strength;
+       chunk_t encoding, privkey_encoding, pubkey_encoding;
+
+       params = ntru_param_set_get_by_id(privkey_tests[_i].id);
+       strength = params->sec_strength_len * BITS_PER_BYTE;
+       entropy = test_rng_create(privkey_tests[_i].entropy);
+       drbg = ntru_drbg_create(strength, chunk_from_str("IKE NTRU-KE"), entropy);
+       ck_assert(drbg != NULL);
+
+       privkey = ntru_private_key_create(drbg, params);
+       ck_assert(privkey);
+
+       privkey_encoding = privkey->get_encoding(privkey);
+       encoding = privkey_tests[_i].encoding;
+       ck_assert(chunk_equals(privkey_encoding, encoding));
+
+
+       pubkey= privkey->get_public_key(privkey);
+       pubkey_encoding = pubkey->get_encoding(pubkey);
+       encoding = chunk_clone(encoding);
+       encoding.ptr[0] = NTRU_PUBKEY_TAG;
+       encoding.len = pubkey_encoding.len;
+       ck_assert(chunk_equals(pubkey_encoding, encoding));
+
+       /* get encoding a second time without generating it again internally */
+       pubkey_encoding = pubkey->get_encoding(pubkey);
+
+       chunk_free(&encoding);
+       privkey->destroy(privkey);
+       pubkey->destroy(pubkey);
+}
+END_TEST
+
 START_TEST(test_ntru_ke)
 {
        chunk_t pub_key, cipher_text, i_shared_secret, r_shared_secret;
        diffie_hellman_t *i_ntru, *r_ntru;
        char buf[10];
-       int n, len;
+       int k, n, len;
        status_t status;
 
+       k = (_i) / countof(parameter_sets);
+       n = (_i) % countof(parameter_sets);
+
        len = snprintf(buf, sizeof(buf), "%N", diffie_hellman_group_names,
-                                  params[_i].group);
+                                  params[k].group);
        ck_assert(len == 8);
-       ck_assert(streq(buf, params[_i].group_name));
-
-       for (n = 0; n < countof(parameter_sets); n++)
-       {
-               lib->settings->set_str(lib->settings,
-                                                         "libstrongswan.plugins.ntru.parameter_set",
-                                                          parameter_sets[n]);
+       ck_assert(streq(buf, params[k].group_name));
 
-               i_ntru = lib->crypto->create_dh(lib->crypto, params[_i].group);
-               ck_assert(i_ntru != NULL);
-               ck_assert(i_ntru->get_dh_group(i_ntru) == params[_i].group);
+       lib->settings->set_str(lib->settings,
+                               "libstrongswan.plugins.ntru.parameter_set", parameter_sets[n]);
 
-               i_ntru->get_my_public_value(i_ntru, &pub_key);
-               ck_assert(pub_key.len > 0);
+       i_ntru = lib->crypto->create_dh(lib->crypto, params[k].group);
+       ck_assert(i_ntru != NULL);
+       ck_assert(i_ntru->get_dh_group(i_ntru) == params[k].group);
 
-               r_ntru = lib->crypto->create_dh(lib->crypto, params[_i].group);
-               ck_assert(r_ntru != NULL);
+       i_ntru->get_my_public_value(i_ntru, &pub_key);
+       ck_assert(pub_key.len > 0);
 
-               r_ntru->set_other_public_value(r_ntru, pub_key);
-               r_ntru->get_my_public_value(r_ntru, &cipher_text);
-               ck_assert(cipher_text.len > 0);
+       r_ntru = lib->crypto->create_dh(lib->crypto, params[k].group);
+       ck_assert(r_ntru != NULL);
 
-               status = r_ntru->get_shared_secret(r_ntru, &r_shared_secret);
-               ck_assert(status == SUCCESS);
-               ck_assert(r_shared_secret.len > 0);
+       r_ntru->set_other_public_value(r_ntru, pub_key);
+       r_ntru->get_my_public_value(r_ntru, &cipher_text);
+       ck_assert(cipher_text.len > 0);
 
-               i_ntru->set_other_public_value(i_ntru, cipher_text);
-               status = i_ntru->get_shared_secret(i_ntru, &i_shared_secret);
+       status = r_ntru->get_shared_secret(r_ntru, &r_shared_secret);
+       ck_assert(status == SUCCESS);
+       ck_assert(r_shared_secret.len > 0);
 
-               if (status == SUCCESS)
-               {
-                       ck_assert(chunk_equals(i_shared_secret, r_shared_secret));
-               }
-               else
-               {
-                       ck_assert(i_shared_secret.len == 0);
-               }
+       i_ntru->set_other_public_value(i_ntru, cipher_text);
+       status = i_ntru->get_shared_secret(i_ntru, &i_shared_secret);
+       ck_assert(status == SUCCESS);
+       ck_assert(chunk_equals(i_shared_secret, r_shared_secret));
 
-               chunk_clear(&i_shared_secret);
-               chunk_clear(&r_shared_secret);
-               chunk_free(&pub_key);
-               chunk_free(&cipher_text);
-               i_ntru->destroy(i_ntru);
-               r_ntru->destroy(r_ntru);
-       }
+       chunk_clear(&i_shared_secret);
+       chunk_clear(&r_shared_secret);
+       chunk_free(&pub_key);
+       chunk_free(&cipher_text);
+       i_ntru->destroy(i_ntru);
+       r_ntru->destroy(r_ntru);
 }
 END_TEST
 
@@ -1015,8 +1310,17 @@ Suite *ntru_suite_create()
        tcase_add_loop_test(tc, test_ntru_array, 0, countof(array_tests));
        suite_add_tcase(s, tc);
 
+       tc = tcase_create("param_set");
+       tcase_add_test(tc, test_ntru_param_set);
+       suite_add_tcase(s, tc);
+
+       tc = tcase_create("privkey");
+       tcase_add_loop_test(tc, test_ntru_privkey, 0, countof(privkey_tests));
+       suite_add_tcase(s, tc);
+
        tc = tcase_create("ke");
-       tcase_add_loop_test(tc, test_ntru_ke, 0, countof(params));
+       tcase_add_loop_test(tc, test_ntru_ke, 0,
+                                               countof(params) * countof(parameter_sets));
        suite_add_tcase(s, tc);
 
        tc = tcase_create("retransmission");