ntru_mgf1.h ntru_mgf1.c \
ntru_param_set.h ntru_param_set.c \
ntru_poly.h ntru_poly.c \
+ ntru_public_key.h ntru_public_key.c \
+ ntru_private_key.h ntru_private_key.c \
ntru_trits.h ntru_trits.c \
ntru_crypto/ntru_crypto.h \
ntru_crypto/ntru_crypto_ntru_convert.h \
no. of octets in ciphertext */
uint8_t *ct); /* out - address for ciphertext */
-
-/* ntru_crypto_ntru_decrypt
- *
- * Implements NTRU decryption (SVES) for the parameter set specified in
- * the private key blob.
- *
- * The maximum size of the output plaintext may be queried by invoking
- * this function with pt = NULL. In this case, no decryption is performed,
- * NTRU_OK is returned, and the maximum size the plaintext could be is
- * returned in pt_len.
- * Note that until the decryption is performed successfully, the actual size
- * of the resulting plaintext cannot be known.
- *
- * When pt != NULL, at invocation *pt_len must be the size of the pt buffer.
- * Upon return it is the actual size of the plaintext.
- *
- * Returns NTRU_OK if successful.
- * Returns NTRU_BAD_PARAMETER if an argument pointer (other than pt) is NULL.
- * Returns NTRU_BAD_LENGTH if a length argument (privkey_blob) is zero, or if
- * ct_len is invalid for the parameter set.
- * Returns NTRU_BAD_PRIVATE_KEY if the private-key blob is invalid
- * (unknown format, corrupt, bad length).
- * Returns NTRU_BUFFER_TOO_SMALL if the plaintext buffer is too small.
- * Returns NTRU_NO_MEMORY if memory needed cannot be allocated from the heap.
- * Returns NTRU_FAIL if a decryption error occurs.
- */
-
-NTRUCALL
-ntru_crypto_ntru_decrypt(
- uint16_t privkey_blob_len, /* in - no. of octets in private key
- blob */
- uint8_t const *privkey_blob, /* in - pointer to private key */
- uint16_t ct_len, /* in - no. of octets in ciphertext */
- uint8_t const *ct, /* in - pointer to ciphertext */
- uint16_t *pt_len, /* in/out - no. of octets in pt, addr for
- no. of octets in plaintext */
- uint8_t *pt); /* out - address for plaintext */
-
-
-/* ntru_crypto_ntru_encrypt_keygen
- *
- * Implements key generation for NTRUEncrypt for the parameter set specified.
- *
- * Before invoking this function, a DRBG must be instantiated using
- * ntru_crypto_drbg_instantiate() to obtain a DRBG handle, and in that
- * instantiation the requested security strength must be at least as large
- * as the security strength of the NTRU parameter set being used.
- * Failure to instantiate the DRBG with the proper security strength will
- * result in this function returning NTRU_DRBG_FAIL.
- *
- * The required minimum size of the output public-key buffer (pubkey_blob)
- * may be queried by invoking this function with pubkey_blob = NULL.
- * In this case, no key generation is performed, NTRU_OK is returned, and
- * the required minimum size for pubkey_blob is returned in pubkey_blob_len.
- *
- * The required minimum size of the output private-key buffer (privkey_blob)
- * may be queried by invoking this function with privkey_blob = NULL.
- * In this case, no key generation is performed, NTRU_OK is returned, and
- * the required minimum size for privkey_blob is returned in privkey_blob_len.
- *
- * The required minimum sizes of both pubkey_blob and privkey_blob may be
- * queried as described above, in a single invocation of this function.
- *
- * When pubkey_blob != NULL and privkey_blob != NULL, at invocation
- * *pubkey_blob_len must be the size of the pubkey_blob buffer and
- * *privkey_blob_len must be the size of the privkey_blob buffer.
- * Upon return, *pubkey_blob_len is the actual size of the public-key blob
- * and *privkey_blob_len is the actual size of the private-key blob.
- *
- * Returns NTRU_OK if successful.
- * Returns NTRU_BAD_PARAMETER if an argument pointer (other than pubkey_blob
- * or privkey_blob) is NULL.
- * Returns NTRU_INVALID_PARAMETER_SET if the parameter-set ID is invalid.
- * Returns NTRU_BAD_LENGTH if a length argument is invalid.
- * Returns NTRU_BUFFER_TOO_SMALL if either the pubkey_blob buffer or the
- * privkey_blob buffer is too small.
- * Returns NTRU_NO_MEMORY if memory needed cannot be allocated from the heap.
- * Returns NTRU_FAIL if the polynomial generated for f is not invertible in
- * (Z/qZ)[X]/(X^N - 1), which is extremely unlikely.
- * Should this occur, this function should simply be invoked again.
- */
-
-NTRUCALL
-ntru_crypto_ntru_encrypt_keygen(
- ntru_drbg_t *drbg, /* in - handle of DRBG */
- ntru_param_set_id_t param_set_id, /* in - parameter set ID */
- uint16_t *pubkey_blob_len, /* in/out - no. of octets in
- pubkey_blob, addr
- for no. of octets
- in pubkey_blob */
- uint8_t *pubkey_blob, /* out - address for
- public key blob */
- uint16_t *privkey_blob_len, /* in/out - no. of octets in
- privkey_blob, addr
- for no. of octets
- in privkey_blob */
- uint8_t *privkey_blob); /* out - address for
- private key blob */
#endif /* NTRU_CRYPTO_H */
uint32_t dr2 = 0;
uint32_t dr3 = 0;
uint16_t ring_mult_tmp_len;
- int16_t m1 = 0;
+ int16_t m1;
uint16_t *scratch_buf = NULL;
uint16_t *ringel_buf = NULL;
uint8_t *b_buf = NULL;
uint16_t pubkey_packed_len;
/* unpack the public key */
- assert(pubkey_pack_type == NTRU_ENCRYPT_KEY_PACKED_COEFFICIENTS);
+ assert(pubkey_pack_type == NTRU_KEY_PACKED_COEFFICIENTS);
pubkey_packed_len = (params->N * params->q_bits + 7) >> 3;
ntru_octets_2_elements(pubkey_packed_len, pubkey_packed,
params->q_bits, ringel_buf);
/* form the msg representative m' by adding Mtrin to mask, mod p */
if (params->is_product_form)
{
+ m1 = 0;
for (i = 0; i < mprime_len; i++)
{
tmp_buf[i] = mask_trits[i] + Mtrin_buf[i];
else
msg_rep_good = ntru_poly_check_min_weight(mprime_len, tmp_buf,
params->min_msg_rep_wt);
- msg_rep_good = TRUE;
}
} while ((result == NTRU_OK) && !msg_rep_good);
return result;
}
-
-
-/* ntru_crypto_ntru_decrypt
- *
- * Implements NTRU decryption (SVES) for the parameter set specified in
- * the private key blob.
- *
- * The maximum size of the output plaintext may be queried by invoking
- * this function with pt = NULL. In this case, no decryption is performed,
- * NTRU_OK is returned, and the maximum size the plaintext could be is
- * returned in pt_len.
- * Note that until the decryption is performed successfully, the actual size
- * of the resulting plaintext cannot be known.
- *
- * When pt != NULL, at invocation *pt_len must be the size of the pt buffer.
- * Upon return it is the actual size of the plaintext.
- *
- * Returns NTRU_OK if successful.
- * Returns NTRU_BAD_PARAMETER if an argument pointer (other than pt) is NULL.
- * Returns NTRU_BAD_LENGTH if a length argument (privkey_blob) is zero, or if
- * ct_len is invalid for the parameter set.
- * Returns NTRU_BAD_PRIVATE_KEY if the private-key blob is invalid
- * (unknown format, corrupt, bad length).
- * Returns NTRU_BUFFER_TOO_SMALL if the plaintext buffer is too small.
- * Returns NTRU_NO_MEMORY if memory needed cannot be allocated from the heap.
- * Returns NTRU_FAIL if a decryption error occurs.
- */
-
-uint32_t
-ntru_crypto_ntru_decrypt(
- uint16_t privkey_blob_len, /* in - no. of octets in private key
- blob */
- uint8_t const *privkey_blob, /* in - pointer to private key */
- uint16_t ct_len, /* in - no. of octets in ciphertext */
- uint8_t const *ct, /* in - pointer to ciphertext */
- uint16_t *pt_len, /* in/out - no. of octets in pt, addr for
- no. of octets in plaintext */
- uint8_t *pt) /* out - address for plaintext */
-{
- ntru_param_set_t *params = NULL;
- uint8_t const *privkey_packed = NULL;
- uint8_t const *pubkey_packed = NULL;
- uint8_t privkey_pack_type = 0x00;
- uint8_t pubkey_pack_type = 0x00;
- size_t scratch_buf_len;
- uint32_t dF_r;
- uint32_t dF_r1 = 0;
- uint32_t dF_r2 = 0;
- uint32_t dF_r3 = 0;
- uint16_t ring_mult_tmp_len;
- int16_t m1 = 0;
- uint16_t *scratch_buf = NULL;
- uint16_t *ringel_buf1 = NULL;
- uint16_t *ringel_buf2 = NULL;
- uint16_t *i_buf = NULL;
- uint8_t *m_buf = NULL;
- uint8_t *tmp_buf = NULL;
- uint8_t *Mtrin_buf = NULL;
- uint8_t *M_buf = NULL;
- uint8_t *ptr = NULL;
- hash_algorithm_t hash_algid;
- uint16_t cmprime_len;
- uint16_t mod_q_mask;
- uint16_t q_mod_p;
- uint16_t cm_len = 0;
- uint16_t num_zeros;
- uint16_t i;
- bool decryption_ok = TRUE;
- uint32_t result = NTRU_OK;
- ntru_trits_t *mask;
- uint8_t *mask_trits;
- chunk_t seed;
- ntru_poly_t *F_poly, *r_poly;
-
- /* check for bad parameters */
- if (!privkey_blob || !ct || !pt_len)
- {
- return NTRU_BAD_PARAMETER;
- }
- if ((privkey_blob_len == 0) || (ct_len == 0))
- {
- return NTRU_BAD_LENGTH;
- }
-
- /* get a pointer to the parameter-set parameters, the packing types for
- * the public and private keys, and pointers to the packed public and
- * private keys
- */
-
- if (!ntru_crypto_ntru_encrypt_key_parse(FALSE /* privkey */,
- privkey_blob_len,
- privkey_blob, &pubkey_pack_type,
- &privkey_pack_type, ¶ms,
- &pubkey_packed, &privkey_packed))
- {
- return NTRU_BAD_PRIVATE_KEY;
- }
-
- /* return the max plaintext size if requested */
-
- if (!pt)
- {
- *pt_len = params->m_len_max;
- return NTRU_OK;
- }
-
- /* cannot check the plaintext buffer size until after the plaintext
- * is derived, if we allow plaintext buffers only as large as the
- * actual plaintext
- */
-
- /* check the ciphertext length */
-
- if (ct_len != (params->N * params->q_bits + 7) >> 3)
- {
- return NTRU_BAD_LENGTH;
- }
-
- /* allocate memory for all operations */
-
- if (params->is_product_form)
- {
- ring_mult_tmp_len = params->N << 1; /* 2N 16-bit word buffer */
- dF_r1 = params->dF_r & 0xff;
- dF_r2 = (params->dF_r >> 8) & 0xff;
- dF_r3 = (params->dF_r >> 16) & 0xff;
- dF_r = dF_r1 + dF_r2 + dF_r3;
- } else {
- ring_mult_tmp_len = params->N; /* N 16-bit word buffer */
- dF_r = params->dF_r;
- }
- scratch_buf_len = (ring_mult_tmp_len << 1) +
- /* X-byte temp buf for ring mult and
- other intermediate results */
- (params->N << 2) + /* 2 2N-byte bufs for ring elements
- and overflow from temp buffer */
- (dF_r << 2) + /* buffer for F, r indices */
- params->m_len_max; /* buffer for plaintext */
- scratch_buf = malloc(scratch_buf_len);
- if (!scratch_buf)
- {
- return NTRU_OUT_OF_MEMORY;
- }
- ringel_buf1 = scratch_buf + ring_mult_tmp_len;
- ringel_buf2 = ringel_buf1 + params->N;
- i_buf = ringel_buf2 + params->N;
- m_buf = (uint8_t *)(i_buf + (dF_r << 1));
- tmp_buf = (uint8_t *)scratch_buf;
- Mtrin_buf = (uint8_t *)ringel_buf1;
- M_buf = Mtrin_buf + params->N;
-
- /* set hash algorithm based on security strength */
- hash_algid = (params->sec_strength_len <= 20) ? HASH_SHA1 : HASH_SHA256;
-
- /* set constants */
- mod_q_mask = params->q - 1;
- q_mod_p = params->q % 3;
-
- /* unpack the ciphertext */
- ntru_octets_2_elements(ct_len, ct, params->q_bits, ringel_buf2);
-
- /* unpack the private key */
- if (privkey_pack_type == NTRU_ENCRYPT_KEY_PACKED_TRITS)
- {
- ntru_packed_trits_2_indices(privkey_packed, params->N, i_buf,
- i_buf + dF_r);
-
- }
- else if (privkey_pack_type == NTRU_ENCRYPT_KEY_PACKED_INDICES)
- {
- ntru_octets_2_elements(
- (((uint16_t)dF_r << 1) * params->N_bits + 7) >> 3,
- privkey_packed, params->N_bits, i_buf);
-
- }
- else
- {
- assert(FALSE);
- }
-
- /* form cm':
- * F * e
- * A = e * (1 + pF) mod q = e + pFe mod q
- * a = A in the range [-q/2, q/2)
- * cm' = a mod p
- */
- F_poly = ntru_poly_create_from_data(i_buf, params->N, params->q,
- params->dF_r, params->dF_r,
- params->is_product_form);
- F_poly->ring_mult(F_poly, ringel_buf2, ringel_buf1);
- F_poly->destroy(F_poly);
-
- cmprime_len = params->N;
- if (params->is_product_form)
- {
- --cmprime_len;
- for (i = 0; i < cmprime_len; i++)
- {
- ringel_buf1[i] = (ringel_buf2[i] + 3 * ringel_buf1[i]) & mod_q_mask;
- if (ringel_buf1[i] >= (params->q >> 1))
- {
- ringel_buf1[i] = ringel_buf1[i] - q_mod_p;
- }
- Mtrin_buf[i] = (uint8_t)(ringel_buf1[i] % 3);
- if (Mtrin_buf[i] == 1)
- {
- ++m1;
- }
- else if (Mtrin_buf[i] == 2)
- {
- --m1;
- }
- }
- }
- else
- {
- for (i = 0; i < cmprime_len; i++)
- {
- ringel_buf1[i] = (ringel_buf2[i] + 3 * ringel_buf1[i]) & mod_q_mask;
- if (ringel_buf1[i] >= (params->q >> 1))
- {
- ringel_buf1[i] = ringel_buf1[i] - q_mod_p;
- }
- Mtrin_buf[i] = (uint8_t)(ringel_buf1[i] % 3);
- }
- }
-
- /* check that the candidate message representative meets minimum weight
- * requirements
- */
-
- if (params->is_product_form)
- {
- decryption_ok = m1 < 0 ? (bool)(-m1 <= params->min_msg_rep_wt) :
- (bool)( m1 <= params->min_msg_rep_wt);
- }
- else
- {
- decryption_ok = ntru_poly_check_min_weight(cmprime_len, Mtrin_buf,
- params->min_msg_rep_wt);
- }
-
- /* form cR = e - cm' mod q */
- for (i = 0; i < cmprime_len; i++)
- {
- if (Mtrin_buf[i] == 1)
- {
- ringel_buf2[i] = (ringel_buf2[i] - 1) & mod_q_mask;
- }
- else if (Mtrin_buf[i] == 2)
- {
- ringel_buf2[i] = (ringel_buf2[i] + 1) & mod_q_mask;
- }
- }
- if (params->is_product_form)
- {
- ringel_buf2[i] = (ringel_buf2[i] + m1) & mod_q_mask;
- }
-
- /* form cR mod 4 */
- ntru_coeffs_mod4_2_octets(params->N, ringel_buf2, tmp_buf);
-
- /* form mask */
- seed = chunk_create(tmp_buf, (params->N + 3)/4);
- mask = ntru_trits_create(params->N, hash_algid, seed);
- if (!mask)
- {
- result = NTRU_MGF1_FAIL;
- }
- else
- {
- mask_trits = mask->get_trits(mask);
-
- /* form cMtrin by subtracting mask from cm', mod p */
- for (i = 0; i < cmprime_len; i++)
- {
- Mtrin_buf[i] = Mtrin_buf[i] - mask_trits[i];
- if (Mtrin_buf[i] >= 3)
- {
- Mtrin_buf[i] += 3;
- }
- }
- mask->destroy(mask);
-
- if (params->is_product_form)
-
- /* set the last trit to zero since that's what it was, and
- * because it can't be calculated from (cm' - mask) since
- * we don't have the correct value for the last cm' trit
- */
-
- Mtrin_buf[i] = 0;
-
- /* convert cMtrin to cM (Mtrin to Mbin) */
-
- if (!ntru_trits_2_bits(Mtrin_buf, params->N, M_buf))
- decryption_ok = FALSE;
-
- /* validate the padded message cM and copy cm to m_buf */
-
- ptr = M_buf + params->sec_strength_len;
- if (params->m_len_len == 2)
- cm_len = (uint16_t)(*ptr++) << 16;
- cm_len |= (uint16_t)(*ptr++);
- if (cm_len > params->m_len_max) {
- cm_len = params->m_len_max;
- decryption_ok = FALSE;
- }
- memcpy(m_buf, ptr, cm_len);
- ptr += cm_len;
- num_zeros = params->m_len_max - cm_len + 1;
- for (i = 0; i < num_zeros; i++) {
- if (ptr[i] != 0)
- decryption_ok = FALSE;
- }
-
- /* form sData (OID || m || b || hTrunc) */
-
- ptr = tmp_buf;
- memcpy(ptr, params->oid, 3);
- ptr += 3;
- memcpy(ptr, m_buf, cm_len);
- ptr += cm_len;
- memcpy(ptr, M_buf, params->sec_strength_len);
- ptr += params->sec_strength_len;
- memcpy(ptr, pubkey_packed, params->sec_strength_len);
- ptr += params->sec_strength_len;
-
- /* generate cr */
- DBG2(DBG_LIB, "generate polynomial r");
-
- seed = chunk_create(tmp_buf, ptr - tmp_buf);
- r_poly = ntru_poly_create_from_seed(hash_algid, seed, params->c_bits,
- params->N, params->q,
- params->dF_r, params->dF_r,
- params->is_product_form);
- if (!r_poly)
- {
- result = NTRU_MGF1_FAIL;
- }
- }
-
- if (result == NTRU_OK)
- {
- /* unpack the public key */
- {
- uint16_t pubkey_packed_len;
-
- assert(pubkey_pack_type == NTRU_ENCRYPT_KEY_PACKED_COEFFICIENTS);
- pubkey_packed_len = (params->N * params->q_bits + 7) >> 3;
- ntru_octets_2_elements(pubkey_packed_len, pubkey_packed,
- params->q_bits, ringel_buf1);
- }
-
- /* form cR' = h * cr */
- r_poly->ring_mult(r_poly, ringel_buf1, ringel_buf1);
- r_poly->destroy(r_poly);
-
- /* compare cR' to cR */
- for (i = 0; i < params->N; i++)
- {
- if (ringel_buf1[i] != ringel_buf2[i])
- {
- decryption_ok = FALSE;
- }
- }
-
- /* output plaintext and plaintext length */
- if (decryption_ok)
- {
- if (*pt_len < cm_len)
- {
- return NTRU_BUFFER_TOO_SMALL;
- }
- memcpy(pt, m_buf, cm_len);
- *pt_len = cm_len;
- }
- }
-
- /* cleanup */
- memset(scratch_buf, 0, scratch_buf_len);
- free(scratch_buf);
-
- if (!decryption_ok)
- {
- return NTRU_FAIL;
- }
-
- return result;
-}
-
-
-/* ntru_crypto_ntru_encrypt_keygen
- *
- * Implements key generation for NTRUEncrypt for the parameter set specified.
- *
- * The required minimum size of the output public-key buffer (pubkey_blob)
- * may be queried by invoking this function with pubkey_blob = NULL.
- * In this case, no key generation is performed, NTRU_OK is returned, and
- * the required minimum size for pubkey_blob is returned in pubkey_blob_len.
- *
- * The required minimum size of the output private-key buffer (privkey_blob)
- * may be queried by invoking this function with privkey_blob = NULL.
- * In this case, no key generation is performed, NTRU_OK is returned, and
- * the required minimum size for privkey_blob is returned in privkey_blob_len.
- *
- * The required minimum sizes of both pubkey_blob and privkey_blob may be
- * queried as described above, in a single invocation of this function.
- *
- * When pubkey_blob != NULL and privkey_blob != NULL, at invocation
- * *pubkey_blob_len must be the size of the pubkey_blob buffer and
- * *privkey_blob_len must be the size of the privkey_blob buffer.
- * Upon return, *pubkey_blob_len is the actual size of the public-key blob
- * and *privkey_blob_len is the actual size of the private-key blob.
- *
- * Returns NTRU_OK if successful.
- * Returns NTRU_BAD_PARAMETER if an argument pointer (other than pubkey_blob or
- * privkey_blob) is NULL.
- * Returns NTRU_INVALID_PARAMETER_SET if the parameter-set ID is invalid.
- * Returns NTRU_BAD_LENGTH if a length argument is invalid.
- * Returns NTRU_BUFFER_TOO_SMALL if either the pubkey_blob buffer or the
- * privkey_blob buffer is too small.
- * Returns NTRU_NO_MEMORY if memory needed cannot be allocated from the heap.
- * Returns NTRU_FAIL if the polynomial generated for f is not invertible in
- * (Z/qZ)[X]/(X^N - 1), which is extremely unlikely.
- * Should this occur, this function should simply be invoked again.
- */
-
-uint32_t
-ntru_crypto_ntru_encrypt_keygen(
- ntru_drbg_t *drbg, /* in - handle of DRBG */
- ntru_param_set_id_t param_set_id, /* in - parameter set ID */
- uint16_t *pubkey_blob_len, /* in/out - no. of octets in
- pubkey_blob, addr
- for no. of octets
- in pubkey_blob */
- uint8_t *pubkey_blob, /* out - address for
- public key blob */
- uint16_t *privkey_blob_len, /* in/out - no. of octets in
- privkey_blob, addr
- for no. of octets
- in privkey_blob */
- uint8_t *privkey_blob) /* out - address for
- private key blob */
-{
- ntru_param_set_t *params = NULL;
- uint16_t public_key_blob_len;
- uint16_t private_key_blob_len;
- uint8_t pubkey_pack_type;
- uint8_t privkey_pack_type;
- size_t scratch_buf_len;
- uint32_t dF;
- uint32_t dF1 = 0;
- uint32_t dF2 = 0;
- uint32_t dF3 = 0;
- uint16_t *scratch_buf = NULL;
- uint16_t *ringel_buf1 = NULL;
- uint16_t *ringel_buf2 = NULL;
- uint8_t *tmp_buf = NULL;
- uint16_t mod_q_mask;
- hash_algorithm_t hash_algid;
- uint16_t seed_len;
- chunk_t seed;
- uint32_t result = NTRU_OK;
- ntru_poly_t *F_poly = NULL;
- ntru_poly_t *g_poly = NULL;
- uint16_t *F_indices;
-
- /* get a pointer to the parameter-set parameters */
- params = ntru_param_set_get_by_id(param_set_id);
- if (!params)
- {
- return NTRU_INVALID_PARAMETER_SET;
- }
-
- /* check for bad parameters */
- if (!pubkey_blob_len || !privkey_blob_len)
- {
- return NTRU_BAD_PARAMETER;
- }
-
- /* get public and private key packing types and blob lengths */
- ntru_crypto_ntru_encrypt_key_get_blob_params(params, &pubkey_pack_type,
- &public_key_blob_len,
- &privkey_pack_type,
- &private_key_blob_len);
-
- /* return the pubkey_blob size and/or privkey_blob size if requested */
-
- if (!pubkey_blob || !privkey_blob)
- {
- if (!pubkey_blob)
- *pubkey_blob_len = public_key_blob_len;
- if (!privkey_blob)
- *privkey_blob_len = private_key_blob_len;
- return NTRU_OK;
- }
-
- /* check size of output buffers */
-
- if ((*pubkey_blob_len < public_key_blob_len) ||
- (*privkey_blob_len < private_key_blob_len))
- {
- return NTRU_BUFFER_TOO_SMALL;
- }
-
- /* allocate memory for all operations */
- if (params->is_product_form) {
- dF1 = params->dF_r & 0xff;
- dF2 = (params->dF_r >> 8) & 0xff;
- dF3 = (params->dF_r >> 16) & 0xff;
- dF = dF1 + dF2 + dF3;
- } else {
- dF = params->dF_r;
- }
-
- scratch_buf_len = (params->N * 8) + /* 4N-byte temp buffer for ring inv
- and other intermediate results,
- 2N-byte buffer for f, g indices
- and overflow from temp buffer,
- 2N-byte buffer for f^-1 */
- (dF << 2); /* buffer for F indices */
- scratch_buf = malloc(scratch_buf_len);
- if (!scratch_buf)
- {
- return NTRU_OUT_OF_MEMORY;
- }
- ringel_buf1 = scratch_buf + (params->N << 1);
- ringel_buf2 = ringel_buf1 + params->N;
- tmp_buf = (uint8_t *)scratch_buf;
-
- /* set hash algorithm and seed length based on security strength */
- if (params->sec_strength_len <= 20)
- {
- hash_algid = HASH_SHA1;
- }
- else
- {
- hash_algid = HASH_SHA256;
- }
- seed_len = params->sec_strength_len + 8;
-
- /* set constants */
-
- mod_q_mask = params->q - 1;
-
- /* get random bytes for seed for generating trinary F
- * as a list of indices
- */
-
- if (drbg->generate(drbg, params->sec_strength_len * BITS_PER_BYTE,
- seed_len, tmp_buf))
- {
- result = NTRU_OK;
- }
- else
- {
- result = NTRU_DRBG_FAIL;
- }
-
- if (result == NTRU_OK)
- {
- DBG2(DBG_LIB, "generate polynomial F");
-
- seed = chunk_create(tmp_buf, seed_len);
- F_poly = ntru_poly_create_from_seed(hash_algid, seed, params->c_bits,
- params->N, params->q,
- params->dF_r, params->dF_r,
- params->is_product_form);
- if (!F_poly)
- {
- result = NTRU_MGF1_FAIL;
- }
- }
-
- if (result == NTRU_OK)
- {
- int i;
-
- F_poly->get_array(F_poly, ringel_buf1);
-
- /* form f = 1 + pF */
- for (i = 0; i < params->N; i++)
- {
- ringel_buf1[i] = (ringel_buf1[i] * 3) & mod_q_mask;
- }
- ringel_buf1[0] = (ringel_buf1[0] + 1) & mod_q_mask;
-
- /* find f^-1 in (Z/qZ)[X]/(X^N - 1) */
- if (!ntru_ring_inv(ringel_buf1, params->N, params->q,
- scratch_buf, ringel_buf2))
- {
- result = NTRU_FAIL;
- }
- }
-
- if (result == NTRU_OK)
- {
-
- /* get random bytes for seed for generating trinary polynomial g
- * as a list of indices
- */
- if (!drbg->generate(drbg, params->sec_strength_len * BITS_PER_BYTE,
- seed_len, tmp_buf))
- {
- result = NTRU_DRBG_FAIL;
- }
- }
-
- if (result == NTRU_OK)
- {
- DBG2(DBG_LIB, "generate polynomial g");
-
- seed = chunk_create(tmp_buf, seed_len);
- g_poly = ntru_poly_create_from_seed(hash_algid, seed, params->c_bits,
- params->N, params->q,
- params->dg + 1, params->dg, FALSE);
- if (!g_poly)
- {
- result = NTRU_MGF1_FAIL;
- }
- }
-
- if (result == NTRU_OK)
- {
- uint16_t i;
-
- /* compute h = p * (f^-1 * g) mod q */
- g_poly->ring_mult(g_poly, ringel_buf2, ringel_buf2);
- g_poly->destroy(g_poly);
-
- for (i = 0; i < params->N; i++)
- {
- ringel_buf2[i] = (ringel_buf2[i] * 3) & mod_q_mask;
- }
-
- /* create public key blob */
- ntru_crypto_ntru_encrypt_key_create_pubkey_blob(params, ringel_buf2,
- pubkey_pack_type,
- pubkey_blob);
- *pubkey_blob_len = public_key_blob_len;
-
- /* create private key blob */
- F_indices = F_poly->get_indices(F_poly);
- ntru_crypto_ntru_encrypt_key_create_privkey_blob(params, ringel_buf2,
- F_indices,
- privkey_pack_type,
- tmp_buf, privkey_blob);
- *privkey_blob_len = private_key_blob_len;
- }
-
- /* cleanup */
- DESTROY_IF(F_poly);
- memset(scratch_buf, 0, scratch_buf_len);
- free(scratch_buf);
-
- return result;
-}
/* parse key blob based on tag */
tag = key_blob[0];
switch (tag) {
- case NTRU_ENCRYPT_PUBKEY_TAG:
+ case NTRU_PUBKEY_TAG:
if (!pubkey_parse)
return FALSE;
break;
- case NTRU_ENCRYPT_PRIVKEY_DEFAULT_TAG:
- case NTRU_ENCRYPT_PRIVKEY_TRITS_TAG:
- case NTRU_ENCRYPT_PRIVKEY_INDICES_TAG:
+ case NTRU_PRIVKEY_DEFAULT_TAG:
+ case NTRU_PRIVKEY_TRITS_TAG:
+ case NTRU_PRIVKEY_INDICES_TAG:
assert(privkey_pack_type);
assert(privkey);
if (pubkey_parse)
}
switch (tag) {
- case NTRU_ENCRYPT_PUBKEY_TAG:
- case NTRU_ENCRYPT_PRIVKEY_DEFAULT_TAG:
- case NTRU_ENCRYPT_PRIVKEY_TRITS_TAG:
- case NTRU_ENCRYPT_PRIVKEY_INDICES_TAG:
+ case NTRU_PUBKEY_TAG:
+ case NTRU_PRIVKEY_DEFAULT_TAG:
+ case NTRU_PRIVKEY_TRITS_TAG:
+ case NTRU_PRIVKEY_INDICES_TAG:
/* Version 0:
* byte 0: tag
/* check packing type for product-form private keys */
if (p->is_product_form &&
- (tag == NTRU_ENCRYPT_PRIVKEY_TRITS_TAG))
+ (tag == NTRU_PRIVKEY_TRITS_TAG))
return FALSE;
/* set packed-key length for packed indices */
/* set private-key packing type if defaulted */
- if (tag == NTRU_ENCRYPT_PRIVKEY_DEFAULT_TAG) {
+ if (tag == NTRU_PRIVKEY_DEFAULT_TAG) {
if (p->is_product_form ||
(privkey_packed_indices_len <=
privkey_packed_trits_len))
- tag = NTRU_ENCRYPT_PRIVKEY_INDICES_TAG;
+ tag = NTRU_PRIVKEY_INDICES_TAG;
else
- tag = NTRU_ENCRYPT_PRIVKEY_TRITS_TAG;
+ tag = NTRU_PRIVKEY_TRITS_TAG;
}
- if (tag == NTRU_ENCRYPT_PRIVKEY_TRITS_TAG)
+ if (tag == NTRU_PRIVKEY_TRITS_TAG)
privkey_packed_len = privkey_packed_trits_len;
else
privkey_packed_len = privkey_packed_indices_len;
*pubkey = key_blob + 5;
*privkey = *pubkey + pubkey_packed_len;
- *privkey_pack_type = (tag == NTRU_ENCRYPT_PRIVKEY_TRITS_TAG) ?
- NTRU_ENCRYPT_KEY_PACKED_TRITS :
- NTRU_ENCRYPT_KEY_PACKED_INDICES;
+ *privkey_pack_type = (tag == NTRU_PRIVKEY_TRITS_TAG) ?
+ NTRU_KEY_PACKED_TRITS :
+ NTRU_KEY_PACKED_INDICES;
}
/* return parameter set pointer */
- *pubkey_pack_type = NTRU_ENCRYPT_KEY_PACKED_COEFFICIENTS;
+ *pubkey_pack_type = NTRU_KEY_PACKED_COEFFICIENTS;
*params = p;
}
default:
}
return TRUE;
}
-
-
-/* ntru_crypto_ntru_encrypt_key_get_blob_params
- *
- * Returns public and private key packing types and blob lengths given
- * a packing format. For now, only a default packing format exists.
- *
- * Only public-key params may be returned by setting privkey_pack_type
- * and privkey_blob_len to NULL.
- */
-
-void
-ntru_crypto_ntru_encrypt_key_get_blob_params(
- ntru_param_set_t *params, /* in - pointer to
- param set
- parameters */
- uint8_t *pubkey_pack_type, /* out - addr for pubkey
- packing type */
- uint16_t *pubkey_blob_len, /* out - addr for no. of
- bytes in
- pubkey blob */
- uint8_t *privkey_pack_type, /* out - addr for privkey
- packing type */
- uint16_t *privkey_blob_len) /* out - addr for no. of
- bytes in
- privkey blob */
-{
- uint16_t pubkey_packed_len = (params->N * params->q_bits + 7) >> 3;
-
- assert(params);
- assert(pubkey_pack_type);
- assert(pubkey_blob_len);
-
- *pubkey_pack_type = NTRU_ENCRYPT_KEY_PACKED_COEFFICIENTS;
- *pubkey_blob_len = 5 + pubkey_packed_len;
-
- if (privkey_pack_type && privkey_blob_len) {
- uint16_t privkey_packed_trits_len = (params->N + 4) / 5;
- uint16_t privkey_packed_indices_len;
- uint16_t dF;
-
- if (params->is_product_form)
- dF = (uint16_t)( (params->dF_r & 0xff) + /* df1 */
- ((params->dF_r >> 8) & 0xff) + /* df2 */
- ((params->dF_r >> 16) & 0xff)); /* df3 */
- else
- dF = (uint16_t)params->dF_r;
- privkey_packed_indices_len = ((dF << 1) * params->N_bits + 7) >> 3;
-
- if (params->is_product_form ||
- (privkey_packed_indices_len <= privkey_packed_trits_len)) {
- *privkey_pack_type = NTRU_ENCRYPT_KEY_PACKED_INDICES;
- *privkey_blob_len =
- 5 + pubkey_packed_len + privkey_packed_indices_len;
- } else {
- *privkey_pack_type = NTRU_ENCRYPT_KEY_PACKED_TRITS;
- *privkey_blob_len =
- 5 + pubkey_packed_len + privkey_packed_trits_len;
- }
- }
-}
-
-
-/* ntru_crypto_ntru_encrypt_key_create_pubkey_blob
- *
- * Returns a public key blob, packed according to the packing type provided.
- */
-
-void
-ntru_crypto_ntru_encrypt_key_create_pubkey_blob(
- ntru_param_set_t *params, /* in - pointer to
- param set
- parameters */
- uint16_t const *pubkey, /* in - pointer to the
- coefficients
- of the pubkey */
- uint8_t pubkey_pack_type, /* out - pubkey packing
- type */
- uint8_t *pubkey_blob) /* out - addr for the
- pubkey blob */
-{
- assert(params);
- assert(pubkey);
- assert(pubkey_blob);
-
- switch (pubkey_pack_type) {
- case NTRU_ENCRYPT_KEY_PACKED_COEFFICIENTS:
- *pubkey_blob++ = NTRU_ENCRYPT_PUBKEY_TAG;
- *pubkey_blob++ = (uint8_t)sizeof(params->oid);
- memcpy(pubkey_blob, params->oid, sizeof(params->oid));
- pubkey_blob += sizeof(params->oid);
- ntru_elements_2_octets(params->N, pubkey, params->q_bits,
- pubkey_blob);
- break;
- default:
- assert(FALSE);
- }
-}
-
-
-/* ntru_crypto_ntru_encrypt_key_create_privkey_blob
- *
- * Returns a private key blob, packed according to the packing type provided.
- */
-
-void
-ntru_crypto_ntru_encrypt_key_create_privkey_blob(
- ntru_param_set_t *params, /* in - pointer to
- param set
- parameters */
- uint16_t const *pubkey, /* in - pointer to the
- coefficients
- of the pubkey */
- uint16_t const *privkey, /* in - pointer to the
- indices of the
- privkey */
- uint8_t privkey_pack_type, /* in - privkey packing
- type */
- uint8_t *buf, /* in - temp, N bytes */
- uint8_t *privkey_blob) /* out - addr for the
- privkey blob */
-{
- assert(params);
- assert(pubkey);
- assert(privkey);
- assert(privkey_blob);
-
- switch (privkey_pack_type) {
- case NTRU_ENCRYPT_KEY_PACKED_TRITS:
- case NTRU_ENCRYPT_KEY_PACKED_INDICES:
-
- /* format header and packed public key */
-
- *privkey_blob++ = NTRU_ENCRYPT_PRIVKEY_DEFAULT_TAG;
- *privkey_blob++ = (uint8_t)sizeof(params->oid);
- memcpy(privkey_blob, params->oid, sizeof(params->oid));
- privkey_blob += sizeof(params->oid);
- ntru_elements_2_octets(params->N, pubkey, params->q_bits,
- privkey_blob);
- privkey_blob += (params->N * params->q_bits + 7) >> 3;
-
- /* add packed private key */
-
- if (privkey_pack_type == NTRU_ENCRYPT_KEY_PACKED_TRITS) {
- ntru_indices_2_packed_trits(privkey, (uint16_t)params->dF_r,
- (uint16_t)params->dF_r,
- params->N, buf, privkey_blob);
- } else {
- uint32_t dF;
-
- if (params->is_product_form) {
- dF = (params->dF_r & 0xff) +
- ((params->dF_r >> 8) & 0xff) +
- ((params->dF_r >> 16) & 0xff);
- } else {
- dF = params->dF_r;
- }
- ntru_elements_2_octets((uint16_t)dF << 1, privkey,
- params->N_bits, privkey_blob);
- }
- break;
- default:
- assert(FALSE);
- break;
- }
-}
-
-
#include "ntru_param_set.h"
-/* key-blob definitions */
-
-#define NTRU_ENCRYPT_PUBKEY_TAG 0x01
-#define NTRU_ENCRYPT_PRIVKEY_DEFAULT_TAG 0x02
-#define NTRU_ENCRYPT_PRIVKEY_TRITS_TAG 0xfe
-#define NTRU_ENCRYPT_PRIVKEY_INDICES_TAG 0xff
-
-/* packing types */
-
-#define NTRU_ENCRYPT_KEY_PACKED_COEFFICIENTS 0x01
-#define NTRU_ENCRYPT_KEY_PACKED_INDICES 0x02
-#define NTRU_ENCRYPT_KEY_PACKED_TRITS 0x03
-
/* function declarations */
uint8_t const **privkey); /* out - addr for ptr to
packed privkey */
-
-/* ntru_crypto_ntru_encrypt_key_get_blob_params
- *
- * Returns public and private key packing types and blob lengths given
- * a packing format. For now, only a default packing format exists.
- *
- * Only public-key params may be returned by setting privkey_pack_type
- * and privkey_blob_len to NULL.
- */
-
-extern void
-ntru_crypto_ntru_encrypt_key_get_blob_params(
- ntru_param_set_t *params, /* in - pointer to
- param set
- parameters */
- uint8_t *pubkey_pack_type, /* out - addr for pubkey
- packing type */
- uint16_t *pubkey_blob_len, /* out - addr for no. of
- bytes in
- pubkey blob */
- uint8_t *privkey_pack_type, /* out - addr for privkey
- packing type */
- uint16_t *privkey_blob_len); /* out - addr for no. of
- bytes in
- privkey blob */
-
-
-/* ntru_crypto_ntru_encrypt_key_create_pubkey_blob
- *
- * Returns a public key blob, packed according to the packing type provided.
- */
-
-extern void
-ntru_crypto_ntru_encrypt_key_create_pubkey_blob(
- ntru_param_set_t *params, /* in - pointer to
- param set
- parameters */
- uint16_t const *pubkey, /* in - pointer to the
- coefficients
- of the pubkey */
- uint8_t pubkey_pack_type, /* out - addr for pubkey
- packing type */
- uint8_t *pubkey_blob); /* out - addr for the
- pubkey blob */
-
-
-/* ntru_crypto_ntru_encrypt_key_recreate_pubkey_blob
- *
- * Returns a public key blob, recreated from an already-packed public key.
- */
-
-extern void
-ntru_crypto_ntru_encrypt_key_recreate_pubkey_blob(
- ntru_param_set_t *params, /* in - pointer to
- param set
- parameters */
- uint16_t packed_pubkey_len, /* in - no. octets in
- packed pubkey */
- uint8_t const *packed_pubkey, /* in - pointer to the
- packed pubkey */
- uint8_t pubkey_pack_type, /* out - pubkey packing
- type */
- uint8_t *pubkey_blob); /* out - addr for the
- pubkey blob */
-
-
-/* ntru_crypto_ntru_encrypt_key_create_privkey_blob
- *
- * Returns a privlic key blob, packed according to the packing type provided.
- */
-
-extern void
-ntru_crypto_ntru_encrypt_key_create_privkey_blob(
- ntru_param_set_t *params, /* in - pointer to
- param set
- parameters */
- uint16_t const *pubkey, /* in - pointer to the
- coefficients
- of the pubkey */
- uint16_t const *privkey, /* in - pointer to the
- indices of the
- privkey */
- uint8_t privkey_pack_type, /* in - privkey packing
- type */
- uint8_t *buf, /* in - temp, N bytes */
- uint8_t *privkey_blob); /* out - addr for the
- privkey blob */
-
-
#endif /* NTRU_CRYPTO_NTRU_ENCRYPT_KEY_H */
return TRUE;
}
-/* ntru_ring_mult_coefficients
- *
- * Multiplies ring element (polynomial) "a" by ring element (polynomial) "b"
- * to produce ring element (polynomial) "c" in (Z/qZ)[X]/(X^N - 1).
- * This is a convolution operation.
- *
- * Ring element "b" has coefficients in the range [0,N).
- *
- * This assumes q is 2^r where 8 < r < 16, so that overflow of the sum
- * beyond 16 bits does not matter.
- */
-
-void
-ntru_ring_mult_coefficients(
- uint16_t const *a, /* in - pointer to polynomial a */
- uint16_t const *b, /* in - pointer to polynomial b */
- uint16_t N, /* in - no. of coefficients in a, b, c */
- uint16_t q, /* in - large modulus */
- uint16_t *c) /* out - address for polynomial c */
-{
- uint16_t const *bptr = b;
- uint16_t mod_q_mask = q - 1;
- uint16_t i, k;
-
- /* c[k] = sum(a[i] * b[k-i]) mod q */
- memset(c, 0, N * sizeof(uint16_t));
- for (k = 0; k < N; k++) {
- i = 0;
- while (i <= k)
- c[k] += a[i++] * *bptr--;
- bptr += N;
- while (i < N)
- c[k] += a[i++] * *bptr--;
- c[k] &= mod_q_mask;
- ++bptr;
- }
-}
-
-
-/* ntru_ring_inv
- *
- * Finds the inverse of a polynomial, a, in (Z/2^rZ)[X]/(X^N - 1).
- *
- * This assumes q is 2^r where 8 < r < 16, so that operations mod q can
- * wait until the end, and only 16-bit arrays need to be used.
- */
-
-bool
-ntru_ring_inv(
- uint16_t *a, /* in - pointer to polynomial a */
- uint16_t N, /* in - no. of coefficients in a */
- uint16_t q, /* in - large modulus */
- uint16_t *t, /* in - temp buffer of 2N elements */
- uint16_t *a_inv) /* out - address for polynomial a^-1 */
-{
- uint8_t *b = (uint8_t *)t; /* b cannot be in a_inv since it must be
- rotated and copied there as a^-1 mod 2 */
- uint8_t *c = b + N; /* c cannot be in a_inv since it exchanges
- with b, and b cannot be in a_inv */
- uint8_t *f = c + N;
- uint8_t *g = (uint8_t *)a_inv; /* g needs N + 1 bytes */
- uint16_t *t2 = t + N;
- uint16_t deg_b;
- uint16_t deg_c;
- uint16_t deg_f;
- uint16_t deg_g;
- uint16_t k = 0;
- bool done = FALSE;
- uint16_t i, j;
-
- /* form a^-1 in (Z/2Z)[X]/X^N - 1) */
- memset(b, 0, (N << 1)); /* clear to init b, c */
-
- /* b(X) = 1 */
- b[0] = 1;
- deg_b = 0;
-
- /* c(X) = 0 (cleared above) */
- deg_c = 0;
-
- /* f(X) = a(X) mod 2 */
- for (i = 0; i < N; i++)
- f[i] = (uint8_t)(a[i] & 1);
- deg_f = N - 1;
-
- /* g(X) = X^N - 1 */
- g[0] = 1;
- memset(g + 1, 0, N - 1);
- g[N] = 1;
- deg_g = N;
-
- /* until f(X) = 1 */
-
- while (!done)
- {
-
- /* while f[0] = 0, f(X) /= X, c(X) *= X, k++ */
-
- for (i = 0; (i <= deg_f) && (f[i] == 0); ++i);
- if (i > deg_f)
- return FALSE;
- if (i) {
- f = f + i;
- deg_f = deg_f - i;
- deg_c = deg_c + i;
- for (j = deg_c; j >= i; j--)
- c[j] = c[j-i];
- for (j = 0; j < i; j++)
- c[j] = 0;
- k = k + i;
- }
-
- /* adjust degree of f(X) if the highest coefficients are zero
- * Note: f[0] = 1 from above so the loop will terminate.
- */
-
- while (f[deg_f] == 0)
- --deg_f;
-
- /* if f(X) = 1, done
- * Note: f[0] = 1 from above, so only check the x term and up
- */
-
- for (i = 1; (i <= deg_f) && (f[i] == 0); ++i);
- if (i > deg_f) {
- done = TRUE;
- break;
- }
-
- /* if deg_f < deg_g, f <-> g, b <-> c */
-
- if (deg_f < deg_g) {
- uint8_t *x;
-
- x = f;
- f = g;
- g = x;
- deg_f ^= deg_g;
- deg_g ^= deg_f;
- deg_f ^= deg_g;
- x = b;
- b = c;
- c = x;
- deg_b ^= deg_c;
- deg_c ^= deg_b;
- deg_b ^= deg_c;
- }
-
- /* f(X) += g(X), b(X) += c(X) */
-
- for (i = 0; i <= deg_g; i++)
- f[i] ^= g[i];
-
- if (deg_c > deg_b)
- deg_b = deg_c;
- for (i = 0; i <= deg_c; i++)
- b[i] ^= c[i];
- }
-
- /* a^-1 in (Z/2Z)[X]/(X^N - 1) = b(X) shifted left k coefficients */
-
- j = 0;
- if (k >= N)
- k = k - N;
- for (i = k; i < N; i++)
- a_inv[j++] = (uint16_t)(b[i]);
- for (i = 0; i < k; i++)
- a_inv[j++] = (uint16_t)(b[i]);
-
- /* lift a^-1 in (Z/2Z)[X]/(X^N - 1) to a^-1 in (Z/qZ)[X]/(X^N -1) */
-
- for (j = 0; j < 4; ++j) { /* assumes 256 < q <= 65536 */
-
- /* a^-1 = a^-1 * (2 - a * a^-1) mod q */
-
- memcpy(t2, a_inv, N * sizeof(uint16_t));
- ntru_ring_mult_coefficients(a, t2, N, q, t);
- for (i = 0; i < N; ++i)
- t[i] = q - t[i];
- t[0] = t[0] + 2;
- ntru_ring_mult_coefficients(t2, t, N, q, a_inv);
- }
-
- return TRUE;
-
-
-}
-
-
uint8_t *ringels, /* in - pointer to trinary ring elements */
uint16_t min_wt); /* in - minimum weight */
-/* ntru_ring_mult_coefficients
- *
- * Multiplies ring element (polynomial) "a" by ring element (polynomial) "b"
- * to produce ring element (polynomial) "c" in (Z/qZ)[X]/(X^N - 1).
- * This is a convolution operation.
- *
- * Ring element "b" has coefficients in the range [0,N).
- *
- * This assumes q is 2^r where 8 < r < 16, so that overflow of the sum
- * beyond 16 bits does not matter.
- */
-
-extern void
-ntru_ring_mult_coefficients(
- uint16_t const *a, /* in - pointer to polynomial a */
- uint16_t const *b, /* in - pointer to polynomial b */
- uint16_t N, /* in - no. of coefficients in a, b, c */
- uint16_t q, /* in - large modulus */
- uint16_t *c); /* out - address for polynomial c */
-
-
-/* ntru_ring_inv
- *
- * Finds the inverse of a polynomial, a, in (Z/2^rZ)[X]/(X^N - 1).
- *
- * This assumes q is 2^r where 8 < r < 16, so that operations mod q can
- * wait until the end, and only 16-bit arrays need to be used.
- */
-
-extern bool
-ntru_ring_inv(
- uint16_t *a, /* in - pointer to polynomial a */
- uint16_t N, /* in - no. of coefficients in a */
- uint16_t q, /* in - large modulus */
- uint16_t *t, /* in - temp buffer of 2N elements */
- uint16_t *a_inv); /* out - address for polynomial a^-1 */
-
-
#endif /* NTRU_CRYPTO_NTRU_POLY_H */
#include "ntru_ke.h"
#include "ntru_drbg.h"
#include "ntru_param_set.h"
+#include "ntru_private_key.h"
+#include "ntru_public_key.h"
#include "ntru_crypto/ntru_crypto.h"
/**
* NTRU Public Key
*/
- chunk_t pub_key;
+ ntru_public_key_t *pubkey;
/**
* NTRU Private Key
*/
- chunk_t priv_key;
+ ntru_private_key_t *privkey;
+
+ /**
+ * NTRU Public Key Encoding
+ */
+ chunk_t pubkey_enc;
/**
* NTRU encrypted shared secret
METHOD(diffie_hellman_t, get_my_public_value, void,
private_ntru_ke_t *this, chunk_t *value)
{
- uint16_t pub_key_len, priv_key_len;
-
*value = chunk_empty;
if (this->responder)
}
else
{
- if (this->pub_key.len == 0)
+ if (!this->pubkey)
{
- /* determine the NTRU public and private key sizes */
- if (ntru_crypto_ntru_encrypt_keygen(this->drbg, this->param_set->id,
- &pub_key_len, NULL,
- &priv_key_len, NULL) != NTRU_OK)
- {
- DBG1(DBG_LIB, "error determining NTRU public and private key "
- "sizes");
- return;
- }
- this->pub_key = chunk_alloc(pub_key_len);
- this->priv_key = chunk_alloc(priv_key_len);
-
/* generate a random NTRU public/private key pair */
- if (ntru_crypto_ntru_encrypt_keygen(this->drbg, this->param_set->id,
- &pub_key_len, this->pub_key.ptr,
- &priv_key_len, this->priv_key.ptr) != NTRU_OK)
+ this->privkey = ntru_private_key_create(this->drbg, this->param_set);
+ if (!this->privkey)
{
DBG1(DBG_LIB, "NTRU keypair generation failed");
- chunk_free(&this->priv_key);
- chunk_free(&this->pub_key);
return;
}
- DBG3(DBG_LIB, "NTRU public key: %B", &this->pub_key);
- DBG4(DBG_LIB, "NTRU private key: %B", &this->priv_key);
+ this->pubkey = this->privkey->get_public_key(this->privkey);
+ this->pubkey_enc = this->pubkey->get_encoding(this->pubkey);
+ this->pubkey_enc = chunk_clone(this->pubkey_enc);
+ DBG3(DBG_LIB, "NTRU public key: %B", &this->pubkey_enc);
}
- *value = chunk_clone(this->pub_key);
+ *value = chunk_clone(this->pubkey_enc);
}
}
METHOD(diffie_hellman_t, set_other_public_value, void,
private_ntru_ke_t *this, chunk_t value)
{
- u_int16_t plaintext_len, ciphertext_len;
+ u_int16_t ciphertext_len;
- if (this->priv_key.len)
+ if (this->privkey)
{
/* initiator decrypting shared secret */
if (value.len == 0)
DBG1(DBG_LIB, "empty NTRU ciphertext");
return;
}
- this->ciphertext = chunk_clone(value);
- DBG3(DBG_LIB, "NTRU ciphertext: %B", &this->ciphertext);
-
- /* determine the size of the maximum plaintext */
- if (ntru_crypto_ntru_decrypt(this->priv_key.len, this->priv_key.ptr,
- this->ciphertext.len, this->ciphertext.ptr,
- &plaintext_len, NULL) != NTRU_OK)
- {
- DBG1(DBG_LIB, "error determining maximum plaintext size");
- return;
- }
- this->shared_secret = chunk_alloc(plaintext_len);
+ DBG3(DBG_LIB, "NTRU ciphertext: %B", &value);
/* decrypt the shared secret */
- if (ntru_crypto_ntru_decrypt(this->priv_key.len, this->priv_key.ptr,
- this->ciphertext.len, this->ciphertext.ptr,
- &plaintext_len, this->shared_secret.ptr) != NTRU_OK)
+ if (!this->privkey->decrypt(this->privkey, value, &this->shared_secret))
{
DBG1(DBG_LIB, "NTRU decryption of shared secret failed");
- chunk_free(&this->shared_secret);
return;
}
- this->shared_secret.len = plaintext_len;
this->computed = TRUE;
}
else
this->responder = TRUE;
/* check the NTRU public key format */
- if (value.len < 5 || value.ptr[0] != 1 || value.ptr[1] != 3)
+ if (value.len < 5 ||
+ value.ptr[0] != NTRU_PUBKEY_TAG ||
+ value.ptr[1] != NTRU_OID_LEN)
{
DBG1(DBG_LIB, "received NTRU public key with invalid header");
return;
}
- if (!memeq(value.ptr + 2, this->param_set->oid, 3))
+ if (!memeq(value.ptr + 2, this->param_set->oid, NTRU_OID_LEN))
{
DBG1(DBG_LIB, "received NTRU public key with wrong OID");
return;
}
- this->pub_key = chunk_clone(value);
+ this->pubkey_enc = chunk_clone(value);
/* shared secret size is chosen as twice the cryptographical strength */
this->shared_secret = chunk_alloc(2 * this->strength / BITS_PER_BYTE);
/* determine the size of the ciphertext */
if (ntru_crypto_ntru_encrypt(this->drbg,
- this->pub_key.len, this->pub_key.ptr,
+ this->pubkey_enc.len, this->pubkey_enc.ptr,
this->shared_secret.len, this->shared_secret.ptr,
&ciphertext_len, NULL) != NTRU_OK)
{
/* encrypt the shared secret */
if (ntru_crypto_ntru_encrypt(this->drbg,
- this->pub_key.len, this->pub_key.ptr,
+ this->pubkey_enc.len, this->pubkey_enc.ptr,
this->shared_secret.len, this->shared_secret.ptr,
&ciphertext_len, this->ciphertext.ptr) != NTRU_OK)
{
METHOD(diffie_hellman_t, destroy, void,
private_ntru_ke_t *this)
{
+ DESTROY_IF(this->privkey);
+ DESTROY_IF(this->pubkey);
this->drbg->destroy(this->drbg);
this->entropy->destroy(this->entropy);
- chunk_free(&this->pub_key);
+ chunk_free(&this->pubkey_enc);
chunk_free(&this->ciphertext);
- chunk_clear(&this->priv_key);
chunk_clear(&this->shared_secret);
free(this);
}
#include "ntru_param_set.h"
+#include <utils/test.h>
+
ENUM(ntru_param_set_id_names, NTRU_EES401EP1, NTRU_EES743EP1,
"ees401ep1",
"ees449ep1",
return NULL;
}
+EXPORT_FUNCTION_FOR_TESTS(ntru, ntru_param_set_get_by_id);
#include <library.h>
/**
+ * Encoding types for NTRU encryption public/private key blobs
+ */
+#define NTRU_PUBKEY_TAG 0x01
+#define NTRU_PRIVKEY_DEFAULT_TAG 0x02
+#define NTRU_PRIVKEY_TRITS_TAG 0xfe
+#define NTRU_PRIVKEY_INDICES_TAG 0xff
+
+/**
+ * Size in octets of the OID designating the NTRU encryption parameter set
+ */
+#define NTRU_OID_LEN 3
+
+/**
+ * Packing types for NTRU encryption public/private keys
+ */
+#define NTRU_KEY_PACKED_COEFFICIENTS 0x01
+#define NTRU_KEY_PACKED_INDICES 0x02
+#define NTRU_KEY_PACKED_TRITS 0x03
+
+/**
* NTRU encryption parameter set ID list
*/
enum ntru_param_set_id_t {
* NTRU encryption parameter set definitions
*/
struct ntru_param_set_t {
- ntru_param_set_id_t id; /* NTRU parameter set ID */
- uint8_t oid[3]; /* pointer to OID */
- uint8_t der_id; /* parameter-set DER id */
- uint8_t N_bits; /* no. of bits in N (i.e. in an index */
- uint16_t N; /* ring dimension */
- uint16_t sec_strength_len; /* no. of octets of security strength */
- uint16_t q; /* big modulus */
- uint8_t q_bits; /* no. of bits in q (i.e. in a coefficient */
- bool is_product_form; /* if product form used */
- uint32_t dF_r; /* no. of +1 or -1 coefficients in ring elements
- F, r */
- uint16_t dg; /* no. - 1 of +1 coefficients or
- no. of -1 coefficients in ring element g */
- uint16_t m_len_max; /* max no. of plaintext octets */
- uint16_t min_msg_rep_wt; /* min. message representative weight */
- uint8_t c_bits; /* no. bits in candidate for deriving an index */
- uint8_t m_len_len; /* no. of octets to hold mLenOctets */
+ ntru_param_set_id_t id; /* NTRU parameter set ID */
+ uint8_t oid[NTRU_OID_LEN]; /* pointer to OID */
+ uint8_t der_id; /* parameter-set DER id */
+ uint8_t N_bits; /* no. of bits in N (i.e. in an index */
+ uint16_t N; /* ring dimension */
+ uint16_t sec_strength_len; /* no. of octets of security strength */
+ uint16_t q; /* big modulus */
+ uint8_t q_bits; /* no. of bits in q (i.e. in a coefficient */
+ bool is_product_form; /* if product form used */
+ uint32_t dF_r; /* no. of +1 or -1 coefficients in ring elements
+ F, r */
+ uint16_t dg; /* no. - 1 of +1 coefficients or
+ no. of -1 coefficients in ring element g */
+ uint16_t m_len_max; /* max no. of plaintext octets */
+ uint16_t min_msg_rep_wt; /* min. message representative weight */
+ uint8_t c_bits; /* no. bits in candidate for deriving an index */
+ uint8_t m_len_len; /* no. of octets to hold mLenOctets */
};
/**
--- /dev/null
+/*
+ * Copyright (C) 2014 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * Copyright (C) 2009-2013 Security Innovation
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "ntru_private_key.h"
+#include "ntru_trits.h"
+#include "ntru_poly.h"
+
+#include "ntru_crypto/ntru_crypto_ntru_convert.h"
+
+#include <utils/debug.h>
+#include <utils/test.h>
+
+typedef struct private_ntru_private_key_t private_ntru_private_key_t;
+
+/**
+ * Private data of an ntru_private_key_t object.
+ */
+struct private_ntru_private_key_t {
+
+ /**
+ * Public ntru_private_key_t interface.
+ */
+ ntru_private_key_t public;
+
+ /**
+ * NTRU Parameter Set
+ */
+ ntru_param_set_t *params;
+
+ /**
+ * Polynomial F which is the private key
+ */
+ ntru_poly_t *privkey;
+
+ /**
+ * Polynomial h which is the public key
+ */
+ uint16_t *pubkey;
+
+ /**
+ * Encoding of the private key
+ */
+ chunk_t encoding;
+
+};
+
+METHOD(ntru_private_key_t, get_public_key, ntru_public_key_t*,
+ private_ntru_private_key_t *this)
+{
+ return ntru_public_key_create(this->params, this->pubkey);
+}
+
+/**
+ * Generate NTRU encryption private key encoding
+ */
+static void generate_encoding(private_ntru_private_key_t *this)
+{
+ size_t pubkey_len, privkey_len, privkey_trits_len, privkey_indices_len;
+ int privkey_pack_type;
+ uint16_t *indices;
+ uint8_t *trits;
+ u_char *enc;
+
+ /* compute public key length encoded as packed coefficients */
+ pubkey_len = (this->params->N * this->params->q_bits + 7) / 8;
+
+ /* compute private key length encoded as packed trits coefficients */
+ privkey_trits_len = (this->params->N + 4) / 5;
+
+ /* compute private key length encoded as packed indices */
+ privkey_indices_len = (this->privkey->get_size(this->privkey) *
+ this->params->N_bits + 7) / 8;
+
+ if (this->params->is_product_form ||
+ privkey_indices_len <= privkey_trits_len)
+ {
+ privkey_pack_type = NTRU_KEY_PACKED_INDICES;
+ privkey_len = privkey_indices_len;
+ }
+ else
+ {
+ privkey_pack_type = NTRU_KEY_PACKED_TRITS;
+ privkey_len = privkey_trits_len;
+ }
+
+ /* allocate memory for private key encoding */
+ this->encoding = chunk_alloc(2 + NTRU_OID_LEN + pubkey_len + privkey_len);
+ enc = this->encoding.ptr;
+
+ /* format header and packed public key */
+ *enc++ = NTRU_PRIVKEY_DEFAULT_TAG;
+ *enc++ = NTRU_OID_LEN;
+ memcpy(enc, this->params->oid, NTRU_OID_LEN);
+ enc += NTRU_OID_LEN;
+ ntru_elements_2_octets(this->params->N, this->pubkey,
+ this->params->q_bits, enc);
+ enc += pubkey_len;
+
+ /* add packed private key */
+ indices = this->privkey->get_indices(this->privkey);
+
+ if (privkey_pack_type == NTRU_KEY_PACKED_TRITS)
+ {
+ /* encode private key as packed trits */
+ trits = malloc(this->params->N);
+ ntru_indices_2_packed_trits(indices, this->params->dF_r,
+ this->params->dF_r, this->params->N, trits, enc);
+ memwipe(trits, this->params->N);
+ free(trits);
+ }
+ else
+ {
+ /* encode private key as packed indices */
+ ntru_elements_2_octets(this->privkey->get_size(this->privkey),
+ indices, this->params->N_bits, enc);
+ }
+}
+
+METHOD(ntru_private_key_t, get_encoding, chunk_t,
+ private_ntru_private_key_t *this)
+{
+ return this->encoding;
+}
+
+/**
+ * Checks that the number of 0, +1, and -1 trinary ring elements meet or exceed
+ * a minimum weight.
+ *
+ * @param N degree of polynomial
+ * @param t array of trinary ring elements
+ * @param min_wt minimum weight
+ * @return TRUE if minimum weight met or exceeded
+ */
+static bool check_min_weight(uint16_t N, uint8_t *t, uint16_t min_wt)
+{
+ uint16_t wt[3];
+ int i;
+
+ wt[0] = wt[1] = wt[2] = 0;
+
+ for (i = 0; i < N; i++)
+ {
+ ++wt[t[i]];
+ }
+
+ return (wt[0] >= min_wt) && (wt[1] >= min_wt) && (wt[2] >= min_wt);
+}
+
+METHOD(ntru_private_key_t, decrypt, bool,
+ private_ntru_private_key_t *this, chunk_t ciphertext, chunk_t *plaintext)
+{
+ hash_algorithm_t hash_algid;
+ size_t t_len, seed1_len, seed2_len;
+ uint16_t *t1, *t2, *t = NULL;
+ uint16_t mod_q_mask, q_mod_p, cmprime_len, cm_len = 0, num_zeros;
+ uint8_t *Mtrin, *M, *cm, *mask_trits, *ptr;
+ int16_t m1 = 0;
+ chunk_t seed = chunk_empty;
+ ntru_trits_t *mask;
+ ntru_poly_t *r_poly;
+ bool success = TRUE;
+ int i;
+
+ *plaintext = chunk_empty;
+
+ if (ciphertext.len != (this->params->N * this->params->q_bits + 7) / 8)
+ {
+ DBG1(DBG_LIB, "wrong NTRU ciphertext length");
+ return FALSE;
+ }
+
+ /* allocate temporary array t */
+ t_len = 2 * this->params->N * sizeof(uint16_t);
+ t = malloc(t_len);
+ t1 = t;
+ t2 = t + this->params->N;
+ Mtrin = (uint8_t *)t1;
+ M = Mtrin + this->params->N;
+
+ /* set hash algorithm based on security strength */
+ hash_algid = (this->params->sec_strength_len <= 20) ? HASH_SHA1 :
+ HASH_SHA256;
+
+ /* set constants */
+ mod_q_mask = this->params->q - 1;
+ q_mod_p = this->params->q % 3;
+
+ /* unpack the ciphertext */
+ ntru_octets_2_elements(ciphertext.len, ciphertext.ptr,
+ this->params->q_bits, t2);
+
+ /* form cm':
+ * F * e
+ * A = e * (1 + pF) mod q = e + pFe mod q
+ * a = A in the range [-q/2, q/2)
+ * cm' = a mod p
+ */
+ this->privkey->ring_mult(this->privkey, t2, t1);
+
+ cmprime_len = this->params->N;
+ if (this->params->is_product_form)
+ {
+ --cmprime_len;
+ for (i = 0; i < cmprime_len; i++)
+ {
+ t1[i] = (t2[i] + 3 * t1[i]) & mod_q_mask;
+ if (t1[i] >= (this->params->q / 2))
+ {
+ t1[i] -= q_mod_p;
+ }
+ Mtrin[i] = (uint8_t)(t1[i] % 3);
+ if (Mtrin[i] == 1)
+ {
+ ++m1;
+ }
+ else if (Mtrin[i] == 2)
+ {
+ --m1;
+ }
+ }
+ }
+ else
+ {
+ for (i = 0; i < cmprime_len; i++)
+ {
+ t1[i] = (t2[i] + 3 * t1[i]) & mod_q_mask;
+ if (t1[i] >= (this->params->q / 2))
+ {
+ t1[i] -= q_mod_p;
+ }
+ Mtrin[i] = (uint8_t)(t1[i] % 3);
+ }
+ }
+
+ /**
+ * check that the candidate message representative meets
+ * minimum weight requirements
+ */
+ if (this->params->is_product_form)
+ {
+ success = (abs(m1) <= this->params->min_msg_rep_wt);
+ }
+ else
+ {
+ success = check_min_weight(cmprime_len, Mtrin,
+ this->params->min_msg_rep_wt);
+ }
+ if (!success)
+ {
+ DBG1(DBG_LIB, "decryption failed due to unsufficient minimum weight");
+ }
+
+ /* form cR = e - cm' mod q */
+ for (i = 0; i < cmprime_len; i++)
+ {
+ if (Mtrin[i] == 1)
+ {
+ t2[i] = (t2[i] - 1) & mod_q_mask;
+ }
+ else if (Mtrin[i] == 2)
+ {
+ t2[i] = (t2[i] + 1) & mod_q_mask;
+ }
+ }
+ if (this->params->is_product_form)
+ {
+ t2[i] = (t2[i] + m1) & mod_q_mask;
+ }
+
+ /* allocate memory for the larger of the two seeds */
+ seed1_len = (this->params->N + 3)/4;
+ seed2_len = 3 + 2*this->params->sec_strength_len + this->params->m_len_max;
+ seed = chunk_alloc(max(seed1_len, seed2_len));
+ seed.len = seed1_len;
+
+ /* form cR mod 4 */
+ ntru_coeffs_mod4_2_octets(this->params->N, t2, seed.ptr);
+
+ /* form mask */
+ mask = ntru_trits_create(this->params->N, hash_algid, seed);
+ if (!mask)
+ {
+ DBG1(DBG_LIB, "mask creation failed");
+ success = FALSE;
+ goto err;
+ }
+
+ mask_trits = mask->get_trits(mask);
+
+ /* form cMtrin by subtracting mask from cm', mod p */
+ for (i = 0; i < cmprime_len; i++)
+ {
+ Mtrin[i] -= mask_trits[i];
+ if (Mtrin[i] >= 3)
+ {
+ Mtrin[i] += 3;
+ }
+ }
+ mask->destroy(mask);
+
+ if (this->params->is_product_form)
+ {
+ /* set the last trit to zero since that's what it was, and
+ * because it can't be calculated from (cm' - mask) since
+ * we don't have the correct value for the last cm' trit
+ */
+ Mtrin[i] = 0;
+ }
+
+ /* convert cMtrin to cM (Mtrin to Mbin) */
+ if (!ntru_trits_2_bits(Mtrin, this->params->N, M))
+ {
+ success = FALSE;
+ goto err;
+ }
+
+ /* skip the random padding */
+ ptr = M + this->params->sec_strength_len;
+
+ /* validate the padded message cM and copy cm to m_buf */
+ if (this->params->m_len_len == 2)
+ {
+ cm_len = (uint16_t)(*ptr++) << 16;
+ }
+ cm_len |= (uint16_t)(*ptr++);
+
+ if (cm_len > this->params->m_len_max)
+ {
+ cm_len = this->params->m_len_max;
+ DBG1(DBG_LIB, "NTRU message length is larger than maximum length");
+ success = FALSE;
+ }
+ cm = ptr;
+ ptr += cm_len;
+
+ /* check if the remaining padding consists of zeros */
+ num_zeros = this->params->m_len_max - cm_len + 1;
+ for (i = 0; i < num_zeros; i++)
+ {
+ if (ptr[i] != 0)
+ {
+ DBG1(DBG_LIB, "non-zero trailing padding detected");
+ success = FALSE;
+ break;
+ }
+ }
+
+ /* form sData (OID || m || b || hTrunc) */
+ ptr = seed.ptr;
+ memcpy(ptr, this->params->oid, 3);
+ ptr += 3;
+ memcpy(ptr, cm, cm_len);
+ ptr += cm_len;
+ memcpy(ptr, M, this->params->sec_strength_len);
+ ptr += this->params->sec_strength_len;
+ memcpy(ptr, this->encoding.ptr + 2 + NTRU_OID_LEN,
+ this->params->sec_strength_len);
+ ptr += this->params->sec_strength_len;
+ seed.len = ptr - seed.ptr;
+
+ /* generate cr */
+ DBG2(DBG_LIB, "generate polynomial r");
+ r_poly = ntru_poly_create_from_seed(hash_algid, seed,
+ this->params->c_bits, this->params->N,
+ this->params->q, this->params->dF_r,
+ this->params->dF_r, this->params->is_product_form);
+ if (!r_poly)
+ {
+ success = FALSE;
+ goto err;
+ }
+
+ /* output plaintext in allocated chunk */
+ *plaintext = chunk_clone(chunk_create(cm, cm_len));
+
+ /* form cR' = h * cr */
+ r_poly->ring_mult(r_poly, this->pubkey, t1);
+ r_poly->destroy(r_poly);
+
+ /* compare cR' to cR */
+ for (i = 0; i < this->params->N; i++)
+ {
+ if (t[i] != t2[i])
+ {
+ DBG1(DBG_LIB, "cR' does not equal cR'");
+ success = FALSE;
+ }
+ }
+ memwipe(t, t_len);
+
+err:
+ /* cleanup */
+ chunk_clear(&seed);
+ free(t);
+
+ return success;
+}
+
+METHOD(ntru_private_key_t, destroy, void,
+ private_ntru_private_key_t *this)
+{
+ DESTROY_IF(this->privkey);
+ chunk_clear(&this->encoding);
+ free(this->pubkey);
+ free(this);
+}
+
+/**
+ * Multiplies ring element (polynomial) "a" by ring element (polynomial) "b"
+ * to produce ring element (polynomial) "c" in (Z/qZ)[X]/(X^N - 1).
+ * This is a convolution operation.
+ *
+ * Ring element "b" has coefficients in the range [0,N).
+ *
+ * This assumes q is 2^r where 8 < r < 16, so that overflow of the sum
+ * beyond 16 bits does not matter.
+ *
+ * @param a polynomial a
+ * @param b polynomial b
+ * @param N no. of coefficients in a, b, c
+ * @param q large modulus
+ * @param c polynomial c = a * b
+ */
+static void ring_mult_c(uint16_t *a, uint16_t *b, uint16_t N, uint16_t q,
+ uint16_t *c)
+{
+ uint16_t *bptr = b;
+ uint16_t mod_q_mask = q - 1;
+ int i, k;
+
+ /* c[k] = sum(a[i] * b[k-i]) mod q */
+ memset(c, 0, N * sizeof(uint16_t));
+ for (k = 0; k < N; k++)
+ {
+ i = 0;
+ while (i <= k)
+ {
+ c[k] += a[i++] * *bptr--;
+ }
+ bptr += N;
+ while (i < N)
+ {
+ c[k] += a[i++] * *bptr--;
+ }
+ c[k] &= mod_q_mask;
+ ++bptr;
+ }
+}
+
+/**
+ * Finds the inverse of a polynomial a in (Z/2^rZ)[X]/(X^N - 1).
+ *
+ * This assumes q is 2^r where 8 < r < 16, so that operations mod q can
+ * wait until the end, and only 16-bit arrays need to be used.
+ *
+ * @param a polynomial a
+ * @param N no. of coefficients in a
+ * @param q large modulus
+ * @param t temporary buffer of size 2N elements
+ * @param a_inv polynomial for inverse of a
+ */
+static bool ring_inv(uint16_t *a, uint16_t N, uint16_t q, uint16_t *t,
+ uint16_t *a_inv)
+{
+ uint8_t *b = (uint8_t *)t;
+ uint8_t *c = b + N;
+ uint8_t *f = c + N;
+ uint8_t *g = (uint8_t *)a_inv;
+ uint16_t *t2 = t + N;
+ uint16_t deg_b, deg_c, deg_f, deg_g;
+ bool done = FALSE;
+ int i, j, k = 0;
+
+ /* form a^-1 in (Z/2Z)[X]/X^N - 1) */
+ memset(b, 0, 2 * N); /* clear to init b, c */
+
+ /* b(X) = 1 */
+ b[0] = 1;
+ deg_b = 0;
+
+ /* c(X) = 0 (cleared above) */
+ deg_c = 0;
+
+ /* f(X) = a(X) mod 2 */
+ for (i = 0; i < N; i++)
+ {
+ f[i] = (uint8_t)(a[i] & 1);
+ }
+ deg_f = N - 1;
+
+ /* g(X) = X^N - 1 */
+ g[0] = 1;
+ memset(g + 1, 0, N - 1);
+ g[N] = 1;
+ deg_g = N;
+
+ /* until f(X) = 1 */
+ while (!done)
+ {
+ /* while f[0] = 0, f(X) /= X, c(X) *= X, k++ */
+ for (i = 0; (i <= deg_f) && (f[i] == 0); ++i);
+
+ if (i > deg_f)
+ {
+ return FALSE;
+ }
+ if (i)
+ {
+ f = f + i;
+ deg_f = deg_f - i;
+ deg_c = deg_c + i;
+ for (j = deg_c; j >= i; j--)
+ {
+ c[j] = c[j-i];
+ }
+ for (j = 0; j < i; j++)
+ {
+ c[j] = 0;
+ }
+ k = k + i;
+ }
+
+ /* adjust degree of f(X) if the highest coefficients are zero
+ * Note: f[0] = 1 from above so the loop will terminate.
+ */
+ while (f[deg_f] == 0)
+ {
+ --deg_f;
+ }
+
+ /* if f(X) = 1, done
+ * Note: f[0] = 1 from above, so only check the x term and up
+ */
+ for (i = 1; (i <= deg_f) && (f[i] == 0); ++i);
+
+ if (i > deg_f)
+ {
+ done = TRUE;
+ break;
+ }
+
+ /* if deg_f < deg_g, f <-> g, b <-> c */
+ if (deg_f < deg_g)
+ {
+ uint8_t *x;
+
+ x = f;
+ f = g;
+ g = x;
+ deg_f ^= deg_g;
+ deg_g ^= deg_f;
+ deg_f ^= deg_g;
+ x = b;
+ b = c;
+ c = x;
+ deg_b ^= deg_c;
+ deg_c ^= deg_b;
+ deg_b ^= deg_c;
+ }
+
+ /* f(X) += g(X), b(X) += c(X) */
+ for (i = 0; i <= deg_g; i++)
+ {
+ f[i] ^= g[i];
+ }
+ if (deg_c > deg_b)
+ {
+ deg_b = deg_c;
+ }
+ for (i = 0; i <= deg_c; i++)
+ {
+ b[i] ^= c[i];
+ }
+ }
+
+ /* a^-1 in (Z/2Z)[X]/(X^N - 1) = b(X) shifted left k coefficients */
+ j = 0;
+ if (k >= N)
+ {
+ k = k - N;
+ }
+ for (i = k; i < N; i++)
+ {
+ a_inv[j++] = (uint16_t)(b[i]);
+ }
+ for (i = 0; i < k; i++)
+ {
+ a_inv[j++] = (uint16_t)(b[i]);
+ }
+
+ /* lift a^-1 in (Z/2Z)[X]/(X^N - 1) to a^-1 in (Z/qZ)[X]/(X^N -1) */
+ for (j = 0; j < 4; ++j) /* assumes 256 < q <= 65536 */
+ {
+ /* a^-1 = a^-1 * (2 - a * a^-1) mod q */
+ memcpy(t2, a_inv, N * sizeof(uint16_t));
+ ring_mult_c(a, t2, N, q, t);
+ for (i = 0; i < N; ++i)
+ {
+ t[i] = q - t[i];
+ }
+ t[0] = t[0] + 2;
+ ring_mult_c(t2, t, N, q, a_inv);
+ }
+
+ return TRUE;
+}
+
+/*
+ * Described in header.
+ */
+ntru_private_key_t *ntru_private_key_create(ntru_drbg_t *drbg, ntru_param_set_t *params)
+{
+ private_ntru_private_key_t *this;
+ size_t t_len;
+ uint16_t *t1, *t2, *t = NULL;
+ uint16_t mod_q_mask;
+ hash_algorithm_t hash_algid;
+ ntru_poly_t *g_poly;
+ chunk_t seed;
+ int i;
+
+ INIT(this,
+ .public = {
+ .get_public_key = _get_public_key,
+ .get_encoding = _get_encoding,
+ .decrypt = _decrypt,
+ .destroy = _destroy,
+ },
+ .params = params,
+ .pubkey = malloc(params->N * sizeof(uint16_t)),
+ );
+
+ /* set hash algorithm and seed length based on security strength */
+ if (params->sec_strength_len <= 20)
+ {
+ hash_algid = HASH_SHA1;
+ }
+ else
+ {
+ hash_algid = HASH_SHA256;
+ }
+ seed =chunk_alloc(params->sec_strength_len + 8);
+
+ /* get random seed for generating trinary F as a list of indices */
+ if (!drbg->generate(drbg, params->sec_strength_len * BITS_PER_BYTE,
+ seed.len, seed.ptr))
+ {
+ goto err;
+ }
+
+ DBG2(DBG_LIB, "generate polynomial F");
+ this->privkey = ntru_poly_create_from_seed(hash_algid, seed, params->c_bits,
+ params->N, params->q,
+ params->dF_r, params->dF_r,
+ params->is_product_form);
+ if (!this->privkey)
+ {
+ goto err;
+ }
+
+ /* allocate temporary array t */
+ t_len = 3 * params->N * sizeof(uint16_t);
+ t = malloc(t_len);
+ t1 = t + 2 * params->N;
+
+ /* extend sparse private key polynomial f to N array elements */
+ this->privkey->get_array(this->privkey, t1);
+
+ /* set mask for large modulus */
+ mod_q_mask = params->q - 1;
+
+ /* form f = 1 + pF */
+ for (i = 0; i < params->N; i++)
+ {
+ t1[i] = (t1[i] * 3) & mod_q_mask;
+ }
+ t1[0] = (t1[0] + 1) & mod_q_mask;
+
+ /* use the public key array as a temporary buffer */
+ t2 = this->pubkey;
+
+ /* find f^-1 in (Z/qZ)[X]/(X^N - 1) */
+ if (!ring_inv(t1, params->N, params->q, t, t2))
+ {
+ goto err;
+ }
+
+ /* get random seed for generating trinary g as a list of indices */
+ if (!drbg->generate(drbg, params->sec_strength_len * BITS_PER_BYTE,
+ seed.len, seed.ptr))
+ {
+ goto err;
+ }
+
+ DBG2(DBG_LIB, "generate polynomial g");
+ g_poly = ntru_poly_create_from_seed(hash_algid, seed, params->c_bits,
+ params->N, params->q, params->dg + 1,
+ params->dg, FALSE);
+ if (!g_poly)
+ {
+ goto err;
+ }
+
+ /* compute public key polynomial h = p * (f^-1 * g) mod q */
+ g_poly->ring_mult(g_poly, t2, t2);
+ g_poly->destroy(g_poly);
+
+ for (i = 0; i < params->N; i++)
+ {
+ this->pubkey[i] = (t2[i] * 3) & mod_q_mask;
+ }
+
+ /* cleanup temporary storage */
+ chunk_clear(&seed);
+ memwipe(t, t_len);
+ free(t);
+
+ /* generate private key encoding */
+ generate_encoding(this);
+
+ return &this->public;
+
+err:
+ chunk_free(&seed);
+ free(t);
+ destroy(this);
+
+ return NULL;
+}
+
+EXPORT_FUNCTION_FOR_TESTS(ntru, ntru_private_key_create);
--- /dev/null
+/*
+ * Copyright (C) 2014 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ntru_private_key ntru_private_key
+ * @{ @ingroup ntru_p
+ */
+
+#ifndef NTRU_PRIVATE_KEY_H_
+#define NTRU_PRIVATE_KEY_H_
+
+typedef struct ntru_private_key_t ntru_private_key_t;
+
+#include "ntru_drbg.h"
+#include "ntru_param_set.h"
+#include "ntru_public_key.h"
+
+#include <library.h>
+
+/**
+ * Implements an NTRU encryption public/private key pair
+ */
+struct ntru_private_key_t {
+
+
+ /**
+ * Returns the NTRU encryption public key as an encoded binary blob
+ *
+ * @return NTRU encryption public key (must be freed after use)
+ */
+ ntru_public_key_t* (*get_public_key)(ntru_private_key_t *this);
+
+ /**
+ * Returns the packed encoding of the NTRU encryption private key
+ *
+ * @return Packed encoding of NTRU encryption private key
+ */
+ chunk_t (*get_encoding)(ntru_private_key_t *this);
+
+ /**
+ * Decrypts an NTRU ciphertext
+ *
+ * @param ciphertext NTRU Ciphertext
+ * @param plaintext Plaintext
+ * @return TRUE if decryption was successful
+ */
+ bool (*decrypt)(ntru_private_key_t *this, chunk_t ciphertext,
+ chunk_t *plaintext);
+
+ /**
+ * Destroy ntru_private_key_t object
+ */
+ void (*destroy)(ntru_private_key_t *this);
+};
+
+/**
+ * Creates an NTRU encryption public/private key pair using a NIST DRBG
+ *
+ * @param drbg Digital Random Bit Generator used for key generation
+ * @param params NTRU encryption parameter set to be used
+ */
+ntru_private_key_t *ntru_private_key_create(ntru_drbg_t *drbg, ntru_param_set_t *params);
+
+
+#endif /** NTRU_PRIVATE_KEY_H_ @}*/
+
--- /dev/null
+/*
+ * Copyright (C) 2014 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * Copyright (C) 2009-2013 Security Innovation
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "ntru_public_key.h"
+
+#include "ntru_crypto/ntru_crypto_ntru_convert.h"
+
+#include <utils/debug.h>
+
+typedef struct private_ntru_public_key_t private_ntru_public_key_t;
+
+/**
+ * Private data of an ntru_public_key_t object.
+ */
+struct private_ntru_public_key_t {
+ /**
+ * Public ntru_public_key_t interface.
+ */
+ ntru_public_key_t public;
+
+ /**
+ * NTRU Parameter Set
+ */
+ ntru_param_set_t *params;
+
+ /**
+ * Polynomial h which is the public key
+ */
+ uint16_t *pubkey;
+
+ /**
+ * Encoding of the public key
+ */
+ chunk_t encoding;
+
+};
+
+METHOD(ntru_public_key_t, get_encoding, chunk_t,
+ private_ntru_public_key_t *this)
+{
+ if (!this->encoding.len)
+ {
+ size_t pubkey_len;
+ u_char *enc;
+
+ /* compute public key length encoded as packed coefficients */
+ pubkey_len = (this->params->N * this->params->q_bits + 7) / 8;
+
+ /* allocate memory for public key encoding */
+ this->encoding = chunk_alloc(2 + NTRU_OID_LEN + pubkey_len);
+ enc = this->encoding.ptr;
+
+ /* format header and packed public key */
+ *enc++ = NTRU_PUBKEY_TAG;
+ *enc++ = NTRU_OID_LEN;
+ memcpy(enc, this->params->oid, NTRU_OID_LEN);
+ enc += NTRU_OID_LEN;
+ ntru_elements_2_octets(this->params->N, this->pubkey,
+ this->params->q_bits, enc);
+ }
+ return this->encoding;
+}
+
+METHOD(ntru_public_key_t, destroy, void,
+ private_ntru_public_key_t *this)
+{
+ chunk_clear(&this->encoding);
+ free(this->pubkey);
+ free(this);
+}
+
+/*
+ * Described in header.
+ */
+ntru_public_key_t *ntru_public_key_create(ntru_param_set_t *params,
+ uint16_t *pubkey)
+{
+ private_ntru_public_key_t *this;
+ int i;
+
+ INIT(this,
+ .public = {
+ .get_encoding = _get_encoding,
+ .destroy = _destroy,
+ },
+ .params = params,
+ .pubkey = malloc(params->N * sizeof(uint16_t)),
+ );
+
+ for (i = 0; i < params->N; i++)
+ {
+ this->pubkey[i] = pubkey[i];
+ }
+
+ return &this->public;
+}
--- /dev/null
+/*
+ * Copyright (C) 2014 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ntru_public_key ntru_public_key
+ * @{ @ingroup ntru_p
+ */
+
+#ifndef NTRU_PUBLIC_KEY_H_
+#define NTRU_PUBLIC_KEY_H_
+
+typedef struct ntru_public_key_t ntru_public_key_t;
+
+#include "ntru_param_set.h"
+
+#include <library.h>
+
+/**
+ * Implements an NTRU encryption public key
+ */
+struct ntru_public_key_t {
+
+ /**
+ * Returns the packed encoding of the NTRU encryption public key
+ *
+ * @return Packed encoding of NTRU encryption public key
+ */
+ chunk_t (*get_encoding)(ntru_public_key_t *this);
+
+ /**
+ * Destroy ntru_public_key_t object
+ */
+ void (*destroy)(ntru_public_key_t *this);
+};
+
+/**
+ * Creates an NTRU encryption public key
+ *
+ * @param params NTRU encryption parameter set to be used
+ * @param pubkey Coefficients of public key polynomial h
+ */
+ntru_public_key_t *ntru_public_key_create(ntru_param_set_t *params,
+ uint16_t *pubkey);
+
+
+#endif /** NTRU_PUBLIC_KEY_H_ @}*/
+
#include <plugins/ntru/ntru_mgf1.h>
#include <plugins/ntru/ntru_trits.h>
#include <plugins/ntru/ntru_poly.h>
+#include <plugins/ntru/ntru_param_set.h>
+#include <plugins/ntru/ntru_private_key.h>
#include <utils/test.h>
IMPORT_FUNCTION_FOR_TESTS(ntru, ntru_drbg_create, ntru_drbg_t*,
uint32_t indices_len_p, uint32_t indices_len_m,
bool is_product_form)
+IMPORT_FUNCTION_FOR_TESTS(ntru, ntru_param_set_get_by_id, ntru_param_set_t* ,
+ ntru_param_set_id_t id)
+
+IMPORT_FUNCTION_FOR_TESTS(ntru, ntru_private_key_create, ntru_private_key_t*,
+ ntru_drbg_t *drbg, ntru_param_set_t *params)
+
/**
* NTRU parameter sets to test
*/
}
END_TEST
+START_TEST(test_ntru_param_set)
+{
+ ck_assert(ntru_param_set_get_by_id(-1) == NULL);
+ ck_assert(ntru_param_set_get_by_id(16) == NULL);
+}
+END_TEST
+
+typedef struct {
+ ntru_param_set_id_t id;
+ chunk_t entropy;
+ chunk_t encoding;
+} privkey_test_t;
+
+privkey_test_t privkey_tests[] = {
+ {
+ NTRU_EES401EP1,
+ chunk_from_chars(
+ 0x0C, 0x2F, 0x24, 0xE1, 0xA4, 0x81, 0x26, 0xA2,
+ 0x6C, 0xEA, 0xCD, 0x1A, 0xF3, 0xEB, 0x3D, 0xBF,
+ 0xEA, 0xAE, 0xC3, 0x0D, 0xC1),
+ chunk_from_chars(
+ 0x02, 0x03, 0x00, 0x02, 0x04, 0x3E, 0xF3, 0xCB,
+ 0x7A, 0x58, 0x13, 0x75, 0xBB, 0x87, 0xF5, 0xBF,
+ 0x2E, 0x18, 0xAE, 0x03, 0xAF, 0xB8, 0x33, 0x85,
+ 0xD8, 0xBF, 0x8A, 0xB5, 0x8C, 0xA6, 0xDF, 0x03,
+ 0x90, 0x1E, 0xE4, 0x83, 0xA4, 0x95, 0x40, 0xB5,
+ 0x08, 0x92, 0x29, 0xD8, 0x83, 0xA8, 0x42, 0xB2,
+ 0x69, 0xC2, 0x00, 0x8B, 0xAE, 0x80, 0x00, 0x4F,
+ 0x3D, 0xDD, 0xFB, 0xDB, 0x9A, 0xD8, 0x0F, 0xFF,
+ 0xBC, 0x21, 0xD5, 0xE6, 0x04, 0x9C, 0xDD, 0x3B,
+ 0x2D, 0x16, 0x4B, 0xC7, 0x3D, 0xBE, 0xDE, 0xBB,
+ 0x6F, 0xF4, 0x8A, 0x31, 0xCD, 0x23, 0x19, 0xC2,
+ 0x3C, 0xE1, 0xE2, 0xEE, 0xE4, 0xE7, 0x2E, 0xFC,
+ 0x5C, 0xDD, 0xAD, 0x0C, 0x9D, 0x98, 0xC5, 0x18,
+ 0x2A, 0x80, 0x21, 0x93, 0x61, 0xC4, 0x9A, 0x16,
+ 0xE8, 0x9B, 0xF7, 0x3B, 0x6D, 0x06, 0x91, 0x9E,
+ 0x71, 0x59, 0xBE, 0x8E, 0x65, 0x61, 0xB2, 0x69,
+ 0x9C, 0x82, 0x58, 0x0D, 0x63, 0x7A, 0x1F, 0x2A,
+ 0x1C, 0x2C, 0x92, 0x8C, 0x8D, 0xCA, 0x2B, 0x45,
+ 0x24, 0x79, 0xDB, 0x7F, 0x1D, 0x2F, 0xAB, 0x88,
+ 0x8C, 0x1D, 0xE3, 0x15, 0x8F, 0xCD, 0x46, 0x8C,
+ 0x45, 0x20, 0x88, 0x1C, 0x17, 0xE0, 0xE5, 0x89,
+ 0xF4, 0x60, 0x56, 0x3C, 0x6B, 0x9F, 0x2A, 0xD9,
+ 0xD0, 0xAE, 0x3B, 0xB6, 0xC2, 0xB7, 0x58, 0xC6,
+ 0x6E, 0x09, 0x36, 0x21, 0x0B, 0xDD, 0xE9, 0x52,
+ 0x33, 0x27, 0x39, 0xC8, 0x51, 0x59, 0x69, 0x25,
+ 0xC6, 0x3D, 0x19, 0x5C, 0x5E, 0x74, 0xD0, 0x62,
+ 0xD9, 0x26, 0x90, 0xC7, 0x64, 0x92, 0xA8, 0x72,
+ 0xD1, 0x77, 0x1F, 0x78, 0xC5, 0x11, 0xBD, 0x5D,
+ 0x3C, 0x1B, 0x1F, 0x8B, 0x5B, 0xE4, 0x5D, 0xA1,
+ 0x27, 0x6D, 0x20, 0x24, 0x32, 0x53, 0xF3, 0xB0,
+ 0xE6, 0x71, 0x61, 0xCC, 0xFC, 0x4A, 0x06, 0xDA,
+ 0xBE, 0xD7, 0x9F, 0x2F, 0xEB, 0x44, 0xD0, 0x8A,
+ 0x7D, 0x8E, 0x82, 0xF5, 0x84, 0xCF, 0x8E, 0xE5,
+ 0x4B, 0xA4, 0x30, 0x77, 0xBD, 0x14, 0xB9, 0x75,
+ 0x02, 0x68, 0xDF, 0x71, 0x89, 0x81, 0xF2, 0x95,
+ 0xC3, 0x67, 0x6E, 0x37, 0xE4, 0xD0, 0xC9, 0x1E,
+ 0x02, 0xDE, 0x2D, 0x79, 0x99, 0xE8, 0x7D, 0x5C,
+ 0x99, 0xF2, 0x1A, 0xDE, 0x12, 0x9B, 0xD1, 0x83,
+ 0x9B, 0x01, 0xD3, 0xEB, 0x2B, 0x8E, 0x9C, 0xA5,
+ 0x19, 0xE8, 0x2E, 0xFE, 0x23, 0x6E, 0xAD, 0x8F,
+ 0x3C, 0xAF, 0xB9, 0xE6, 0xDB, 0x07, 0xA4, 0x31,
+ 0x02, 0x2B, 0x6A, 0xA0, 0xFB, 0x51, 0x6C, 0xD0,
+ 0x26, 0xD5, 0xAD, 0x29, 0x65, 0x10, 0xCE, 0xF8,
+ 0x84, 0x4D, 0x1E, 0x37, 0x92, 0xA2, 0xD1, 0xFA,
+ 0xF6, 0xC0, 0x36, 0x4C, 0x23, 0x3A, 0x42, 0xAA,
+ 0xB8, 0x0D, 0x4E, 0xD4, 0x40, 0x61, 0xD5, 0x36,
+ 0x62, 0x23, 0x7C, 0x1C, 0x5E, 0xEA, 0x16, 0xAD,
+ 0x4F, 0x30, 0xF9, 0x16, 0x99, 0xCE, 0xC5, 0x50,
+ 0xAC, 0x8F, 0x6F, 0x98, 0xD7, 0xE3, 0x89, 0x6E,
+ 0x3A, 0x12, 0xCE, 0xA7, 0xA4, 0x17, 0x74, 0xDC,
+ 0xDB, 0xFA, 0xFF, 0xF9, 0x35, 0xD7, 0xF5, 0x77,
+ 0x03, 0xF5, 0xBF, 0x81, 0x6C, 0x9F, 0x62, 0xA6,
+ 0x8A, 0x5B, 0xA3, 0xEF, 0x9D, 0xC3, 0xF6, 0x3A,
+ 0x6A, 0xC0, 0x42, 0x71, 0xAF, 0x90, 0xCA, 0x1D,
+ 0x86, 0x78, 0xD7, 0x2C, 0xFE, 0xB6, 0x99, 0x15,
+ 0x8C, 0x10, 0x42, 0x92, 0x2C, 0x05, 0x43, 0x92,
+ 0x69, 0x05, 0x8D, 0x9E, 0xBC, 0xAB, 0x8F, 0x28,
+ 0xAA, 0x4B, 0xFB, 0x25, 0xD9, 0xAD, 0x29, 0xFF,
+ 0x33, 0x65, 0x14, 0xC3, 0x75, 0x1F, 0xCF, 0xFC,
+ 0x20, 0x83, 0xBF, 0xB9, 0xA5, 0x4B, 0x7B, 0xD9,
+ 0x07, 0x5C, 0xA1, 0xD1, 0x5A, 0x3E, 0x94, 0xF8,
+ 0x03, 0xDE, 0xB8, 0x94, 0x11, 0x92, 0x80, 0x77,
+ 0x57, 0x45, 0x1E, 0x6B, 0xA5, 0x15, 0xDB, 0x48,
+ 0xB6, 0x9E, 0x02, 0xF1, 0x61, 0x4A, 0xAC, 0x1D,
+ 0x49, 0xBC, 0xA9, 0x3F, 0x03, 0x50, 0xAC, 0x02,
+ 0x8E, 0x84, 0xE0, 0x12, 0x37, 0x76, 0xBC, 0x4A,
+ 0xF9, 0xC6, 0x74, 0x36, 0xFC, 0x92, 0x1D, 0x59,
+ 0x0C, 0x04, 0xD2, 0x14, 0xB7, 0x11, 0xE9, 0xE2,
+ 0xFE, 0x0C, 0xE1, 0xDA, 0x8B, 0xCA, 0x10, 0xA1,
+ 0x60, 0xB6, 0x57, 0x51, 0x00, 0xD6, 0x5B, 0x55,
+ 0x09, 0x60, 0xE8, 0x00, 0x40, 0x45, 0x56, 0xBA,
+ 0x83, 0x1E, 0x36, 0x12, 0x59, 0x4B, 0x19, 0x00,
+ 0x53, 0xAE, 0x62, 0xA6, 0x29, 0x39, 0xED, 0x87,
+ 0x24, 0x37, 0x1E, 0x1B, 0xCF, 0x3F, 0x3A, 0x71,
+ 0x31, 0xB5, 0x50, 0x8D, 0x4B, 0x53, 0x53, 0x75,
+ 0x3F, 0x33, 0x39, 0x09, 0x2A, 0x78, 0xA8, 0x71,
+ 0x3E, 0x63, 0xC5, 0x61, 0x73, 0xB6, 0xE1, 0x71,
+ 0x16, 0xDA, 0x06, 0xBF, 0x3F, 0x22, 0x74, 0x89,
+ 0x08, 0xD2, 0x05, 0x0B, 0x16, 0xC8, 0xF0, 0x17,
+ 0x4E, 0xA2, 0x65, 0x67, 0x6D, 0x02)
+ },
+ {
+ NTRU_EES743EP1,
+ chunk_from_chars(
+ 0x9B, 0xAB, 0x57, 0xDB, 0x2C, 0x60, 0x83, 0x48,
+ 0x9F, 0xC9, 0x70, 0x8F, 0x69, 0xF7, 0xB4, 0xBB,
+ 0x63, 0x5C, 0x9A, 0x63, 0x07, 0x80, 0x17, 0xD3,
+ 0xCD, 0xB1, 0x57, 0x79, 0xFE, 0x8D, 0x81, 0x70,
+ 0xEB, 0x50, 0xFA, 0x05, 0xFB, 0x97, 0xB2, 0xAB,
+ 0x25, 0xED, 0xD8, 0x18, 0x1C, 0xFE, 0x96, 0x7D),
+ chunk_from_chars(
+ 0x02, 0x03, 0x00, 0x06, 0x10, 0x14, 0x53, 0x73,
+ 0x56, 0xF5, 0xA9, 0x34, 0xDE, 0xA6, 0x4D, 0x46,
+ 0x05, 0x9E, 0x80, 0xAE, 0xB6, 0x74, 0x91, 0xFF,
+ 0xFB, 0x48, 0xD3, 0x5C, 0x61, 0x12, 0x46, 0x02,
+ 0x9F, 0x53, 0x45, 0x87, 0x47, 0xBD, 0x6B, 0x26,
+ 0xF7, 0x36, 0xD3, 0x99, 0x1B, 0xD7, 0xEA, 0xA3,
+ 0xA8, 0x94, 0xFF, 0x93, 0x46, 0x7C, 0x2C, 0x5F,
+ 0x87, 0x8C, 0x38, 0xB3, 0x7B, 0xC6, 0x49, 0xE2,
+ 0x88, 0xCA, 0x67, 0x89, 0xD0, 0x6D, 0x7C, 0xAE,
+ 0x7C, 0x98, 0x84, 0xDA, 0x6B, 0x93, 0x92, 0xEF,
+ 0x4A, 0xD1, 0x4A, 0xD2, 0x5B, 0x13, 0xF8, 0x59,
+ 0x15, 0x2E, 0xBC, 0x70, 0x8D, 0x2D, 0xA9, 0x47,
+ 0xA1, 0x99, 0x19, 0x3F, 0x67, 0xE8, 0x18, 0xA7,
+ 0x17, 0x07, 0xB3, 0x14, 0xF6, 0x20, 0xA1, 0xD8,
+ 0x33, 0xE8, 0x08, 0x6A, 0xC1, 0x39, 0x99, 0x08,
+ 0xB4, 0x88, 0xEB, 0x48, 0x7D, 0xFB, 0xF5, 0xEF,
+ 0x03, 0x0D, 0x25, 0xB7, 0x98, 0xF3, 0xF1, 0x15,
+ 0x63, 0xE4, 0x0F, 0xFD, 0x54, 0x9F, 0x56, 0xE9,
+ 0xD1, 0x44, 0xE5, 0x89, 0x66, 0x14, 0x91, 0x1C,
+ 0xFD, 0xD6, 0xFD, 0x38, 0xAE, 0x39, 0xE3, 0xF7,
+ 0xCD, 0x77, 0xC2, 0xEA, 0x2E, 0xE4, 0xB7, 0x2B,
+ 0xBA, 0x7A, 0xD1, 0x75, 0xB8, 0x28, 0x65, 0x18,
+ 0xF4, 0xC6, 0xBD, 0xD0, 0x17, 0x7E, 0xEA, 0x86,
+ 0x7E, 0xFC, 0x95, 0xD6, 0x4C, 0x92, 0x01, 0xC3,
+ 0xFF, 0x04, 0x9B, 0xF8, 0xD6, 0xB3, 0x8F, 0x72,
+ 0xEF, 0x64, 0x09, 0x61, 0xF8, 0xE4, 0x48, 0xFC,
+ 0x0D, 0xEE, 0xEF, 0xA2, 0x9F, 0x3A, 0x2B, 0x1A,
+ 0xFB, 0x8B, 0xA0, 0x9C, 0x11, 0x0B, 0x97, 0x75,
+ 0x30, 0x7C, 0xB8, 0x9F, 0xEE, 0x3B, 0x53, 0x85,
+ 0x7D, 0xE9, 0xCB, 0xC4, 0x4D, 0xD7, 0x7F, 0x59,
+ 0x10, 0x72, 0x19, 0x3A, 0xC9, 0x38, 0xFE, 0xE8,
+ 0xB3, 0x06, 0x55, 0x8D, 0xA2, 0x5A, 0x3D, 0x79,
+ 0x67, 0x0E, 0x90, 0xC9, 0x25, 0x6D, 0x45, 0x9C,
+ 0x39, 0x79, 0x5F, 0x18, 0x35, 0x9F, 0xC1, 0x49,
+ 0x08, 0x6F, 0x1C, 0x47, 0x09, 0x0D, 0x49, 0x7C,
+ 0x3C, 0x7B, 0xB1, 0x09, 0x92, 0x1C, 0x4E, 0x5A,
+ 0xDA, 0x74, 0x9E, 0xBB, 0x55, 0x9D, 0xBB, 0x1E,
+ 0x43, 0x28, 0x62, 0xAF, 0x02, 0xB0, 0x1A, 0xEA,
+ 0x13, 0x0A, 0x70, 0x0F, 0x60, 0x0F, 0x62, 0xA2,
+ 0x4E, 0x1F, 0xB2, 0xEA, 0x06, 0xDD, 0x18, 0x02,
+ 0x6C, 0xF3, 0x82, 0xF1, 0x80, 0x7F, 0xA7, 0x2F,
+ 0xCC, 0xC6, 0x18, 0xEA, 0xFF, 0x1F, 0xAD, 0xC6,
+ 0xBA, 0x0C, 0x0E, 0x04, 0xB2, 0x58, 0x1D, 0xB6,
+ 0x01, 0xA3, 0x97, 0xDF, 0x7D, 0x9B, 0xB5, 0x0A,
+ 0xAD, 0x30, 0x2B, 0xC5, 0x67, 0x40, 0x07, 0xF1,
+ 0xD5, 0x6C, 0x11, 0x10, 0xE1, 0x69, 0x30, 0xAD,
+ 0x90, 0x06, 0xDB, 0xF8, 0xEA, 0x92, 0x9B, 0x39,
+ 0x57, 0x38, 0x7B, 0xE4, 0xB2, 0xA2, 0x89, 0xFD,
+ 0xB1, 0x6D, 0x88, 0x41, 0x62, 0x4D, 0x18, 0xB6,
+ 0x3F, 0x12, 0x81, 0xDE, 0xE6, 0xDC, 0x4A, 0x31,
+ 0x61, 0x26, 0xB1, 0x4B, 0x95, 0xC1, 0x69, 0xDC,
+ 0xDC, 0xAC, 0xD0, 0x15, 0xFC, 0x21, 0xC5, 0x20,
+ 0x5F, 0x97, 0x76, 0x41, 0xC1, 0xF2, 0xD7, 0x95,
+ 0x1D, 0x25, 0x23, 0x36, 0x86, 0xFA, 0x7E, 0xF4,
+ 0x14, 0x9F, 0x9D, 0x9F, 0xB2, 0xBB, 0x25, 0x1D,
+ 0xD5, 0x7A, 0x6F, 0x9E, 0xF7, 0xEF, 0x9D, 0x63,
+ 0x1E, 0xD5, 0xDE, 0x6A, 0xE6, 0x46, 0x48, 0x1F,
+ 0xE1, 0x0C, 0x4D, 0x82, 0xC9, 0x19, 0x3B, 0x65,
+ 0xA4, 0x06, 0x13, 0xB7, 0x04, 0xB1, 0x62, 0xF7,
+ 0x08, 0xAE, 0xED, 0x42, 0x6D, 0xCC, 0x6C, 0xA6,
+ 0x06, 0x06, 0x41, 0x3E, 0x0C, 0x89, 0x4C, 0xBD,
+ 0x00, 0x4F, 0x0E, 0xA9, 0x72, 0x06, 0x21, 0x82,
+ 0xD2, 0xB6, 0x6C, 0xB0, 0xB0, 0x01, 0x5B, 0xDD,
+ 0x05, 0xCE, 0x71, 0x6E, 0x00, 0x58, 0xC7, 0xA6,
+ 0x5B, 0xF6, 0xFB, 0x6B, 0x62, 0xB1, 0xE8, 0x4D,
+ 0xAC, 0xC0, 0x6B, 0xF4, 0x40, 0x69, 0xEE, 0x0D,
+ 0xE7, 0x82, 0x61, 0x8D, 0x35, 0x01, 0x97, 0x4E,
+ 0xF2, 0xCC, 0xF5, 0x7F, 0xBF, 0xE4, 0xEC, 0x9C,
+ 0xC4, 0xD2, 0xD9, 0x65, 0x78, 0x98, 0xD8, 0xB0,
+ 0xFA, 0xA8, 0xFB, 0xB0, 0xCE, 0x22, 0x5D, 0x0B,
+ 0x27, 0xDF, 0x0E, 0x63, 0x42, 0xFE, 0x89, 0x13,
+ 0x99, 0xB2, 0x02, 0x0B, 0xF6, 0x04, 0xB6, 0xAF,
+ 0x9F, 0x8C, 0xA6, 0x17, 0x0D, 0xD9, 0x5B, 0x45,
+ 0xE4, 0x08, 0x53, 0x51, 0xE0, 0xD5, 0x22, 0x72,
+ 0xBE, 0xAD, 0x74, 0x69, 0xB9, 0xFB, 0x91, 0xF8,
+ 0xC1, 0x89, 0x28, 0x71, 0x27, 0x62, 0xB1, 0xF0,
+ 0xFD, 0x78, 0xBC, 0x82, 0xFE, 0x76, 0xBE, 0x7B,
+ 0x47, 0x79, 0x32, 0x71, 0xAD, 0xD6, 0x76, 0x46,
+ 0xFB, 0x32, 0xE8, 0x4B, 0x98, 0x9A, 0xC6, 0x85,
+ 0xF2, 0xF1, 0x8A, 0xEC, 0xC2, 0x4E, 0x9B, 0x2F,
+ 0x2D, 0x6F, 0xC9, 0x9B, 0xB6, 0x14, 0x35, 0x6D,
+ 0xD6, 0x5B, 0xF3, 0x02, 0x5A, 0xE5, 0xBD, 0x00,
+ 0xF7, 0x6E, 0x51, 0xA7, 0xDB, 0x19, 0xAE, 0x01,
+ 0x01, 0x05, 0x94, 0x23, 0xF7, 0x5B, 0x07, 0x79,
+ 0xFF, 0x39, 0x58, 0x9C, 0x2A, 0xF7, 0x7E, 0x5D,
+ 0x81, 0xF9, 0x59, 0xFE, 0xB9, 0x9A, 0x96, 0x63,
+ 0x1F, 0x65, 0xF6, 0xF0, 0x3D, 0xEA, 0xD7, 0xC2,
+ 0x8A, 0xCF, 0xB5, 0x58, 0x74, 0x77, 0x23, 0xD6,
+ 0x72, 0x58, 0xA8, 0xAE, 0x31, 0x8A, 0x59, 0xEA,
+ 0x69, 0x14, 0x6A, 0x20, 0x78, 0x79, 0x28, 0x5A,
+ 0xE1, 0x76, 0x6F, 0xA6, 0x1A, 0x9E, 0x47, 0xD2,
+ 0xAF, 0x63, 0xF8, 0x06, 0xF6, 0xD8, 0xD5, 0x14,
+ 0xA8, 0xD1, 0xEE, 0x96, 0xCE, 0xBB, 0x8E, 0x22,
+ 0x69, 0x2F, 0x52, 0x06, 0xB6, 0x6F, 0xC8, 0x99,
+ 0x96, 0xEA, 0xC6, 0x1D, 0x96, 0x4C, 0x69, 0x95,
+ 0xFE, 0x74, 0x04, 0x3C, 0x55, 0xD9, 0x5F, 0xE0,
+ 0x41, 0x21, 0x43, 0x21, 0x5A, 0x50, 0x5D, 0x8B,
+ 0xE8, 0xB2, 0x51, 0x1B, 0x7C, 0x63, 0x50, 0xAE,
+ 0x97, 0x4F, 0xBA, 0x7D, 0xF2, 0xB6, 0xB6, 0x16,
+ 0x1D, 0x47, 0x9E, 0x19, 0x68, 0xD4, 0x6B, 0x2B,
+ 0x75, 0xCD, 0xAE, 0x65, 0x33, 0x38, 0xF6, 0x6D,
+ 0xC7, 0x3E, 0x46, 0x98, 0x9E, 0x98, 0x8B, 0x45,
+ 0x11, 0xA7, 0x12, 0x05, 0xB0, 0x01, 0xC3, 0x51,
+ 0xA0, 0xEE, 0x7C, 0x16, 0xD1, 0x42, 0x96, 0xC4,
+ 0xF0, 0x7B, 0x71, 0xCD, 0x50, 0x38, 0xA4, 0xB0,
+ 0x6E, 0x6F, 0xE0, 0xBD, 0xC4, 0xF7, 0x96, 0x2B,
+ 0xF1, 0x6D, 0x9F, 0xF3, 0x71, 0x89, 0xFA, 0xB4,
+ 0x44, 0xA4, 0x32, 0xDC, 0xB2, 0x55, 0x13, 0x31,
+ 0x83, 0x29, 0x66, 0x21, 0x3E, 0x89, 0xF8, 0x78,
+ 0x97, 0x9C, 0x64, 0xF9, 0x2C, 0x0A, 0x88, 0xBC,
+ 0xCA, 0x6F, 0x83, 0x42, 0xF6, 0xD7, 0x00, 0xC4,
+ 0x19, 0x52, 0xB0, 0x31, 0xA8, 0xBA, 0xE8, 0xD4,
+ 0xAD, 0x4B, 0x5D, 0xC0, 0x01, 0x20, 0x6C, 0xBB,
+ 0x1D, 0x9A, 0x1D, 0xD4, 0x19, 0xFD, 0x33, 0xAB,
+ 0xA0, 0x54, 0x50, 0x91, 0xE9, 0x75, 0x5C, 0x7E,
+ 0x7E, 0xB3, 0x24, 0x79, 0xAE, 0x10, 0x3C, 0xB4,
+ 0xB7, 0x0A, 0x1D, 0x86, 0xAD, 0x06, 0x95, 0xCB,
+ 0x84, 0x9B, 0x0E, 0x8B, 0x77, 0x7E, 0x3E, 0xD2,
+ 0xA6, 0xDF, 0xAD, 0x4E, 0xFB, 0x69, 0x23, 0xAC,
+ 0x7A, 0xCB, 0xAA, 0xB0, 0x22, 0xDD, 0xD2, 0xC6,
+ 0xC7, 0xAD, 0xD7, 0xDE, 0xEC, 0x6F, 0x08, 0x41,
+ 0x54, 0xD5, 0x52, 0xDC, 0x77, 0xE4, 0x72, 0xF9,
+ 0x16, 0xB1, 0xC9, 0xAF, 0xB1, 0x3B, 0x18, 0x99,
+ 0x20, 0x9F, 0x79, 0x63, 0x7B, 0x07, 0xC7, 0x35,
+ 0xDF, 0xBB, 0xCE, 0x66, 0x93, 0x1B, 0xF5, 0x82,
+ 0x25, 0x67, 0xC1, 0xF2, 0xF0, 0x89, 0x0F, 0xEF,
+ 0x84, 0x0D, 0x63, 0xB6, 0x7B, 0xD0, 0x40, 0x8E,
+ 0xDB, 0x94, 0xCC, 0x71, 0x3C, 0xDB, 0x36, 0x14,
+ 0x34, 0xFD, 0xA0, 0xB0, 0xC1, 0x45, 0x31, 0xF8,
+ 0x8D, 0xD8, 0x23, 0xB1, 0x05, 0x14, 0xA9, 0x55,
+ 0x3A, 0x1A, 0x37, 0x48, 0x68, 0x89, 0x3F, 0x15,
+ 0x25, 0xD4, 0x99, 0x53, 0x4C, 0x85, 0x98, 0x78,
+ 0x1D, 0x35, 0x4A, 0x83, 0x79, 0x9A, 0x29, 0x90,
+ 0x2B, 0x45, 0x76, 0x0C, 0x13, 0x80, 0x4A, 0xE0,
+ 0x40, 0xED, 0x6B, 0x2E, 0x2A, 0x43, 0xA9, 0x28,
+ 0xB0, 0x2F, 0x89, 0x01, 0x6B, 0x39, 0x8C, 0x5E,
+ 0x80, 0x61, 0xD9, 0xEE, 0x0F, 0x41, 0x75, 0xB5,
+ 0xAE, 0xB6, 0xC2, 0x42, 0x49, 0x8D, 0x89, 0xD8,
+ 0xF4, 0x78, 0x1D, 0x90, 0x46, 0x26, 0x4C, 0x56,
+ 0xB7, 0xC0, 0xD9, 0x98, 0x7B, 0x07, 0xA1, 0x20)
+ }
+};
+
+START_TEST(test_ntru_privkey)
+{
+ rng_t *entropy;
+ ntru_drbg_t *drbg;
+ ntru_private_key_t *privkey;
+ ntru_public_key_t *pubkey;
+ ntru_param_set_t *params;
+ uint32_t strength;
+ chunk_t encoding, privkey_encoding, pubkey_encoding;
+
+ params = ntru_param_set_get_by_id(privkey_tests[_i].id);
+ strength = params->sec_strength_len * BITS_PER_BYTE;
+ entropy = test_rng_create(privkey_tests[_i].entropy);
+ drbg = ntru_drbg_create(strength, chunk_from_str("IKE NTRU-KE"), entropy);
+ ck_assert(drbg != NULL);
+
+ privkey = ntru_private_key_create(drbg, params);
+ ck_assert(privkey);
+
+ privkey_encoding = privkey->get_encoding(privkey);
+ encoding = privkey_tests[_i].encoding;
+ ck_assert(chunk_equals(privkey_encoding, encoding));
+
+
+ pubkey= privkey->get_public_key(privkey);
+ pubkey_encoding = pubkey->get_encoding(pubkey);
+ encoding = chunk_clone(encoding);
+ encoding.ptr[0] = NTRU_PUBKEY_TAG;
+ encoding.len = pubkey_encoding.len;
+ ck_assert(chunk_equals(pubkey_encoding, encoding));
+
+ /* get encoding a second time without generating it again internally */
+ pubkey_encoding = pubkey->get_encoding(pubkey);
+
+ chunk_free(&encoding);
+ privkey->destroy(privkey);
+ pubkey->destroy(pubkey);
+}
+END_TEST
+
START_TEST(test_ntru_ke)
{
chunk_t pub_key, cipher_text, i_shared_secret, r_shared_secret;
diffie_hellman_t *i_ntru, *r_ntru;
char buf[10];
- int n, len;
+ int k, n, len;
status_t status;
+ k = (_i) / countof(parameter_sets);
+ n = (_i) % countof(parameter_sets);
+
len = snprintf(buf, sizeof(buf), "%N", diffie_hellman_group_names,
- params[_i].group);
+ params[k].group);
ck_assert(len == 8);
- ck_assert(streq(buf, params[_i].group_name));
-
- for (n = 0; n < countof(parameter_sets); n++)
- {
- lib->settings->set_str(lib->settings,
- "libstrongswan.plugins.ntru.parameter_set",
- parameter_sets[n]);
+ ck_assert(streq(buf, params[k].group_name));
- i_ntru = lib->crypto->create_dh(lib->crypto, params[_i].group);
- ck_assert(i_ntru != NULL);
- ck_assert(i_ntru->get_dh_group(i_ntru) == params[_i].group);
+ lib->settings->set_str(lib->settings,
+ "libstrongswan.plugins.ntru.parameter_set", parameter_sets[n]);
- i_ntru->get_my_public_value(i_ntru, &pub_key);
- ck_assert(pub_key.len > 0);
+ i_ntru = lib->crypto->create_dh(lib->crypto, params[k].group);
+ ck_assert(i_ntru != NULL);
+ ck_assert(i_ntru->get_dh_group(i_ntru) == params[k].group);
- r_ntru = lib->crypto->create_dh(lib->crypto, params[_i].group);
- ck_assert(r_ntru != NULL);
+ i_ntru->get_my_public_value(i_ntru, &pub_key);
+ ck_assert(pub_key.len > 0);
- r_ntru->set_other_public_value(r_ntru, pub_key);
- r_ntru->get_my_public_value(r_ntru, &cipher_text);
- ck_assert(cipher_text.len > 0);
+ r_ntru = lib->crypto->create_dh(lib->crypto, params[k].group);
+ ck_assert(r_ntru != NULL);
- status = r_ntru->get_shared_secret(r_ntru, &r_shared_secret);
- ck_assert(status == SUCCESS);
- ck_assert(r_shared_secret.len > 0);
+ r_ntru->set_other_public_value(r_ntru, pub_key);
+ r_ntru->get_my_public_value(r_ntru, &cipher_text);
+ ck_assert(cipher_text.len > 0);
- i_ntru->set_other_public_value(i_ntru, cipher_text);
- status = i_ntru->get_shared_secret(i_ntru, &i_shared_secret);
+ status = r_ntru->get_shared_secret(r_ntru, &r_shared_secret);
+ ck_assert(status == SUCCESS);
+ ck_assert(r_shared_secret.len > 0);
- if (status == SUCCESS)
- {
- ck_assert(chunk_equals(i_shared_secret, r_shared_secret));
- }
- else
- {
- ck_assert(i_shared_secret.len == 0);
- }
+ i_ntru->set_other_public_value(i_ntru, cipher_text);
+ status = i_ntru->get_shared_secret(i_ntru, &i_shared_secret);
+ ck_assert(status == SUCCESS);
+ ck_assert(chunk_equals(i_shared_secret, r_shared_secret));
- chunk_clear(&i_shared_secret);
- chunk_clear(&r_shared_secret);
- chunk_free(&pub_key);
- chunk_free(&cipher_text);
- i_ntru->destroy(i_ntru);
- r_ntru->destroy(r_ntru);
- }
+ chunk_clear(&i_shared_secret);
+ chunk_clear(&r_shared_secret);
+ chunk_free(&pub_key);
+ chunk_free(&cipher_text);
+ i_ntru->destroy(i_ntru);
+ r_ntru->destroy(r_ntru);
}
END_TEST
tcase_add_loop_test(tc, test_ntru_array, 0, countof(array_tests));
suite_add_tcase(s, tc);
+ tc = tcase_create("param_set");
+ tcase_add_test(tc, test_ntru_param_set);
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("privkey");
+ tcase_add_loop_test(tc, test_ntru_privkey, 0, countof(privkey_tests));
+ suite_add_tcase(s, tc);
+
tc = tcase_create("ke");
- tcase_add_loop_test(tc, test_ntru_ke, 0, countof(params));
+ tcase_add_loop_test(tc, test_ntru_ke, 0,
+ countof(params) * countof(parameter_sets));
suite_add_tcase(s, tc);
tc = tcase_create("retransmission");