diff options
author | Peter Dettman <peter.dettman@bouncycastle.org> | 2022-11-03 18:59:52 +0700 |
---|---|---|
committer | Peter Dettman <peter.dettman@bouncycastle.org> | 2022-11-03 18:59:52 +0700 |
commit | 18c7d7e154c48b729ded47601c9b0ddd4f74650b (patch) | |
tree | 30e0d05f017ce07e4705e7a7257e505ef27f445f | |
parent | EmbedAllSources, remove SourceLink (diff) | |
download | BouncyCastle.NET-ed25519-18c7d7e154c48b729ded47601c9b0ddd4f74650b.tar.xz |
Clenaup warnings
54 files changed, 953 insertions, 1014 deletions
diff --git a/crypto/src/asn1/Asn1GeneralizedTime.cs b/crypto/src/asn1/Asn1GeneralizedTime.cs index e844c8ca2..139384c1a 100644 --- a/crypto/src/asn1/Asn1GeneralizedTime.cs +++ b/crypto/src/asn1/Asn1GeneralizedTime.cs @@ -11,8 +11,7 @@ namespace Org.BouncyCastle.Asn1 * Base class representing the ASN.1 GeneralizedTime type. * <p> * The main difference between these and UTC time is a 4 digit year. - * </p> - * <p> + * </p><p> * One second resolution date+time on UTC timezone (Z) * with 4 digit year (valid from 0001 to 9999). * </p><p> @@ -24,18 +23,18 @@ namespace Org.BouncyCastle.Asn1 * * <h3>11: Restrictions on BER employed by both CER and DER</h3> * <h4>11.7 GeneralizedTime </h4> - * <p> + * </p><p> * <b>11.7.1</b> The encoding shall terminate with a "Z", * as described in the ITU-T Rec. X.680 | ISO/IEC 8824-1 clause on * GeneralizedTime. * </p><p> * <b>11.7.2</b> The seconds element shall always be present. - * </p> - * <p> + * </p><p> * <b>11.7.3</b> The fractional-seconds elements, if present, * shall omit all trailing zeros; if the elements correspond to 0, * they shall be wholly omitted, and the decimal point element also * shall be omitted. + * </p> */ public class Asn1GeneralizedTime : Asn1Object diff --git a/crypto/src/asn1/cmp/CertReqTemplateContent.cs b/crypto/src/asn1/cmp/CertReqTemplateContent.cs index b229cd28b..c25c71ad1 100644 --- a/crypto/src/asn1/cmp/CertReqTemplateContent.cs +++ b/crypto/src/asn1/cmp/CertReqTemplateContent.cs @@ -9,12 +9,13 @@ namespace Org.BouncyCastle.Asn1.Cmp * GenRep: {id-it 19}, CertReqTemplateContent | < absent > * <p> * CertReqTemplateValue ::= CertReqTemplateContent - * <p> + * </p><p> * CertReqTemplateContent ::= SEQUENCE { * certTemplate CertTemplate, * keySpec Controls OPTIONAL } - * <p> + * </p><p> * Controls ::= SEQUENCE SIZE (1..MAX) OF AttributeTypeAndValue + * </p> */ public class CertReqTemplateContent : Asn1Encodable diff --git a/crypto/src/asn1/cmp/CmpObjectIdentifiers.cs b/crypto/src/asn1/cmp/CmpObjectIdentifiers.cs index fa83841a4..1b3227c47 100644 --- a/crypto/src/asn1/cmp/CmpObjectIdentifiers.cs +++ b/crypto/src/asn1/cmp/CmpObjectIdentifiers.cs @@ -234,8 +234,9 @@ namespace Org.BouncyCastle.Asn1.Cmp * 1.2.840.113549.1.9.16.1.21 * <p> * id-ct OBJECT IDENTIFIER ::= { id-smime 1 } -- content types - * <p> + * </p><p> * id-ct-encKeyWithID OBJECT IDENTIFIER ::= {id-ct 21} + * </p> */ public static readonly DerObjectIdentifier ct_encKeyWithID = new DerObjectIdentifier("1.2.840.113549.1.9.16.1.21"); diff --git a/crypto/src/asn1/cmp/CrlSource.cs b/crypto/src/asn1/cmp/CrlSource.cs index 13aaa526a..9e2526ec2 100644 --- a/crypto/src/asn1/cmp/CrlSource.cs +++ b/crypto/src/asn1/cmp/CrlSource.cs @@ -12,7 +12,7 @@ namespace Org.BouncyCastle.Asn1.Cmp * CRLSource ::= CHOICE { * dpn [0] DistributionPointName, * issuer [1] GeneralNames } - * <p> + * </p> */ public class CrlSource : Asn1Encodable, IAsn1Choice diff --git a/crypto/src/asn1/cmp/RootCaKeyUpdateContent.cs b/crypto/src/asn1/cmp/RootCaKeyUpdateContent.cs index b1eaf616d..696b08b94 100644 --- a/crypto/src/asn1/cmp/RootCaKeyUpdateContent.cs +++ b/crypto/src/asn1/cmp/RootCaKeyUpdateContent.cs @@ -7,14 +7,15 @@ namespace Org.BouncyCastle.Asn1.Cmp * GenRep: {id-it 18}, RootCaKeyUpdateContent | < absent > * <p> * RootCaCertValue ::= CMPCertificate - * <p> + * </p><p> * RootCaKeyUpdateValue ::= RootCaKeyUpdateContent - * <p> + * </p><p> * RootCaKeyUpdateContent ::= SEQUENCE { * newWithNew CMPCertificate, * newWithOld [0] CMPCertificate OPTIONAL, * oldWithNew [1] CMPCertificate OPTIONAL * } + * </p> */ public class RootCaKeyUpdateContent : Asn1Encodable diff --git a/crypto/src/cms/CMSAuthenticatedDataGenerator.cs b/crypto/src/cms/CMSAuthenticatedDataGenerator.cs index 6c68bccd1..f6827157c 100644 --- a/crypto/src/cms/CMSAuthenticatedDataGenerator.cs +++ b/crypto/src/cms/CMSAuthenticatedDataGenerator.cs @@ -62,9 +62,7 @@ namespace Org.BouncyCastle.Cms Asn1Encodable asn1Params = GenerateAsn1Parameters(macOid, encKeyBytes); - ICipherParameters cipherParameters; - macAlgId = GetAlgorithmIdentifier( - macOid, encKey, asn1Params, out cipherParameters); + macAlgId = GetAlgorithmIdentifier(macOid, encKey, asn1Params, out var cipherParameters); IMac mac = MacUtilities.GetMac(macOid); // TODO Confirm no ParametersWithRandom needed @@ -72,7 +70,7 @@ namespace Org.BouncyCastle.Cms // mac.Init(cipherParameters); mac.Init(encKey); - MemoryStream bOut = new MemoryStream(); + var bOut = new MemoryStream(); Stream mOut = new TeeOutputStream(bOut, new MacSink(mac)); content.Write(mOut); @@ -97,7 +95,7 @@ namespace Org.BouncyCastle.Cms throw new CmsException("exception decoding algorithm parameters.", e); } - Asn1EncodableVector recipientInfos = new Asn1EncodableVector(); + var recipientInfos = new Asn1EncodableVector(); foreach (RecipientInfoGenerator rig in recipientInfoGenerators) { @@ -115,11 +113,11 @@ namespace Org.BouncyCastle.Cms } } - ContentInfo eci = new ContentInfo(CmsObjectIdentifiers.Data, encContent); - - ContentInfo contentInfo = new ContentInfo( - CmsObjectIdentifiers.AuthenticatedData, - new AuthenticatedData(null, new DerSet(recipientInfos), macAlgId, null, eci, null, macResult, null)); + var eci = new ContentInfo(CmsObjectIdentifiers.Data, encContent); + + var contentInfo = new ContentInfo( + CmsObjectIdentifiers.AuthenticatedData, + new AuthenticatedData(null, new DerSet(recipientInfos), macAlgId, null, eci, null, macResult, null)); return new CmsAuthenticatedData(contentInfo); } diff --git a/crypto/src/crypto/engines/Grain128AEADEngine.cs b/crypto/src/crypto/engines/Grain128AEADEngine.cs index 174d010f3..c05cb0115 100644 --- a/crypto/src/crypto/engines/Grain128AEADEngine.cs +++ b/crypto/src/crypto/engines/Grain128AEADEngine.cs @@ -43,7 +43,7 @@ namespace Org.BouncyCastle.Crypto.Engines */ public void Init(bool forEncryption, ICipherParameters param) { - /** + /* * Grain encryption and decryption is completely symmetrical, so the * 'forEncryption' is irrelevant. */ @@ -62,7 +62,7 @@ namespace Org.BouncyCastle.Crypto.Engines if (keyBytes.Length != 16) throw new ArgumentException("Grain-128AEAD key must be 128 bits long"); - /** + /* * Initialize variables. */ workingIV = new byte[keyBytes.Length]; @@ -238,7 +238,7 @@ namespace Org.BouncyCastle.Crypto.Engines workingKey = keyBytes; workingIV = ivBytes; - /** + /* * Load NFSR and LFSR */ Pack.LE_To_UInt32(workingKey, 0, nfsr); diff --git a/crypto/src/crypto/modes/OCBBlockCipher.cs b/crypto/src/crypto/modes/OCBBlockCipher.cs index 8cc701cca..e67b4e9af 100644 --- a/crypto/src/crypto/modes/OCBBlockCipher.cs +++ b/crypto/src/crypto/modes/OCBBlockCipher.cs @@ -13,7 +13,7 @@ namespace Org.BouncyCastle.Crypto.Modes /// <para>https://mailarchive.ietf.org/arch/msg/cfrg/qLTveWOdTJcLn4HP3ev-vrj05Vg/</para> /// Text reproduced below: /// <para> - /// Phillip Rogaway<rogaway@cs.ucdavis.edu&rt; Sat, 27 February 2021 02:46 UTC + /// Phillip Rogaway<rogaway@cs.ucdavis.edu> Sat, 27 February 2021 02:46 UTC /// /// I can confirm that I have abandoned all OCB patents and placed into the public domain all OCB-related IP of /// mine. While I have been telling people this for quite some time, I don't think I ever made a proper announcement diff --git a/crypto/src/pqc/crypto/cmce/CmceEngine.cs b/crypto/src/pqc/crypto/cmce/CmceEngine.cs index 10b08e708..96595ecc0 100644 --- a/crypto/src/pqc/crypto/cmce/CmceEngine.cs +++ b/crypto/src/pqc/crypto/cmce/CmceEngine.cs @@ -173,7 +173,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Cmce { buf[i] = perm[i]; buf[i] <<= 31; - buf[i] |= i; + buf[i] |= (uint)i; buf[i] &= 0x7fffffffffffffffL; // getting rid of signed longs } Sort64(buf, 0, buf.Length); @@ -1162,7 +1162,9 @@ namespace Org.BouncyCastle.Pqc.Crypto.Cmce { for (x = 0; x < n; ++x) { - temp[(int)x] = ((GetQShort(temp, (int)(qIndex + x)) ^ 1) << 16) | GetQShort(temp, (int)((qIndex) + (x ^ 1))); + ushort t0 = (ushort)GetQShort(temp, (int)(qIndex + x)); + ushort t1 = (ushort)GetQShort(temp, (int)(qIndex + (x ^ 1))); + temp[(int)x] = ((t0 ^ 1) << 16) | t1; } } Sort32(temp, 0, (int)n); /* A = (id<<16)+pibar */ @@ -1181,7 +1183,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Cmce for (x = 0; x < n; ++x) { - temp[(int)x] = (int)((temp[(int)x] << 16) | x); /* A = (pibar<<16)+id */ + temp[(int)x] = (int)((uint)(temp[(int)x] << 16) | x); /* A = (pibar<<16)+id */ } Sort32(temp, 0, (int)n); /* A = (id<<16)+pibar^-1 */ @@ -1204,7 +1206,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Cmce for (x = 0; x < n; ++x) { - temp[(int)x] = (int)(((temp[(int)(n + x)] & ~0x3ff) << 6) | x); /* A = (p<<16)+id */ + temp[(int)x] = (int)(((uint)(temp[(int)(n + x)] & ~0x3ff) << 6) | x); /* A = (p<<16)+id */ } Sort32(temp, 0, (int)n); /* A = (id<<16)+p^{-1} */ @@ -1241,7 +1243,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Cmce /* B = (p<<16)+c */ for (x = 0; x < n; ++x) { - temp[(int)x] = (int)((temp[(int)(n + x)] & ~0xffff) | x); + temp[(int)x] = (int)((uint)(temp[(int)(n + x)] & ~0xffff) | x); } Sort32(temp, 0, (int)n); /* A = (id<<16)+p^(-1) */ for (x = 0; x < n; ++x) @@ -1375,7 +1377,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Cmce { buf[i] = perm[i]; buf[i] <<= 31; - buf[i] |= i; + buf[i] |= (uint)i; // buf[i] &= 0x7fffffffffffffffL; // getting rid of signed longs } // Sort32 the buffer diff --git a/crypto/src/pqc/crypto/crystals/dilithium/PolyVecK.cs b/crypto/src/pqc/crypto/crystals/dilithium/PolyVecK.cs index facbc1f33..315ce6ab0 100644 --- a/crypto/src/pqc/crypto/crystals/dilithium/PolyVecK.cs +++ b/crypto/src/pqc/crypto/crystals/dilithium/PolyVecK.cs @@ -2,21 +2,20 @@ { internal class PolyVecK { - public Poly[] Vec; - private DilithiumEngine Engine; - private int Mode; - private int PolyVecBytes; - private int K; - private int L; + public readonly Poly[] Vec; + private readonly DilithiumEngine Engine; + //private readonly int Mode; + private readonly int K; + //private readonly int L; public PolyVecK(DilithiumEngine Engine) { this.Engine = Engine; - Mode = Engine.Mode; + //Mode = Engine.Mode; K = Engine.K; - L = Engine.L; + //L = Engine.L; Vec = new Poly[K]; - + for (int i = 0; i < K; i++) { Vec[i] = new Poly(Engine); @@ -25,9 +24,8 @@ public void UniformEta(byte[] seed, ushort nonce) { - int i; ushort n = nonce; - for (i = 0; i < K; i++) + for (int i = 0; i < K; i++) { Vec[i].UniformEta(seed, n++); } @@ -99,8 +97,7 @@ public void PackW1(byte[] r) { - int i; - for (i = 0; i < K; i++) + for (int i = 0; i < K; i++) { Vec[i].PackW1(r, i * Engine.PolyW1PackedBytes); } @@ -119,21 +116,18 @@ for (int i = 0; i < K; ++i) { if (Vec[i].CheckNorm(bound)) - { return true; - } } return false; } public int MakeHint(PolyVecK v0, PolyVecK v1) { - int i, s = 0; - for (i = 0; i < K; ++i) + int s = 0; + for (int i = 0; i < K; ++i) { s += Vec[i].PolyMakeHint(v0.Vec[i], v1.Vec[i]); } - return s; } @@ -152,6 +146,5 @@ Vec[i].ShiftLeft(); } } - } } diff --git a/crypto/src/pqc/crypto/crystals/dilithium/PolyVecL.cs b/crypto/src/pqc/crypto/crystals/dilithium/PolyVecL.cs index 58c286768..0a87c2070 100644 --- a/crypto/src/pqc/crypto/crystals/dilithium/PolyVecL.cs +++ b/crypto/src/pqc/crypto/crystals/dilithium/PolyVecL.cs @@ -2,17 +2,16 @@ { internal class PolyVecL { - public Poly[] Vec; - private DilithiumEngine Engine; - private int Mode; - private int PolyVecBytes; - private int L; - private int K; + public readonly Poly[] Vec; + //private DilithiumEngine Engine; + //private int Mode; + private readonly int L; + private readonly int K; public PolyVecL(DilithiumEngine Engine) { - this.Engine = Engine; - Mode = Engine.Mode; + //this.Engine = Engine; + //Mode = Engine.Mode; L = Engine.L; K = Engine.K; Vec = new Poly[L]; @@ -24,8 +23,7 @@ public void UniformEta(byte[] seed, ushort nonce) { - int i; - for (i = 0; i < L; i++) + for (int i = 0; i < L; i++) { Vec[i].UniformEta(seed, nonce++); } diff --git a/crypto/src/pqc/crypto/crystals/kyber/KyberEngine.cs b/crypto/src/pqc/crypto/crystals/kyber/KyberEngine.cs index bf9d5ee3c..e30115a95 100644 --- a/crypto/src/pqc/crypto/crystals/kyber/KyberEngine.cs +++ b/crypto/src/pqc/crypto/crystals/kyber/KyberEngine.cs @@ -138,7 +138,6 @@ namespace Org.BouncyCastle.Pqc.Crypto.Crystals.Kyber internal void KemDecrypt(byte[] sharedSecret, byte[] cipherText, byte[] secretKey) { - int i; byte[] buf = new byte[2 * SymBytes], kr = new byte[2 * SymBytes], cmp = new byte[CipherTextBytes]; byte[] pk = Arrays.CopyOfRange(secretKey, IndCpaSecretKeyBytes, secretKey.Length); m_indCpa.Decrypt(buf, cipherText, secretKey); @@ -161,7 +160,6 @@ namespace Org.BouncyCastle.Pqc.Crypto.Crystals.Kyber private void CMov(byte[] r, byte[] x, int len, bool b) { - int i; if (b) { Array.Copy(x, 0, r, 0, len); diff --git a/crypto/src/pqc/crypto/crystals/kyber/KyberIndCpa.cs b/crypto/src/pqc/crypto/crystals/kyber/KyberIndCpa.cs index b3be4770d..9400b776e 100644 --- a/crypto/src/pqc/crypto/crystals/kyber/KyberIndCpa.cs +++ b/crypto/src/pqc/crypto/crystals/kyber/KyberIndCpa.cs @@ -138,7 +138,6 @@ namespace Org.BouncyCastle.Pqc.Crypto.Crystals.Kyber private void PackPublicKey(out byte[] pk, PolyVec pkpv, byte[] seed) { - int i; pk = new byte[m_engine.IndCpaPublicKeyBytes]; pkpv.ToBytes(pk); Array.Copy(seed, 0, pk, m_engine.PolyVecBytes, KyberEngine.SymBytes); @@ -146,7 +145,6 @@ namespace Org.BouncyCastle.Pqc.Crypto.Crystals.Kyber private void UnpackPublicKey(PolyVec pkpv, byte[] seed, byte[] pk) { - int i; pkpv.FromBytes(pk); Array.Copy(pk, m_engine.PolyVecBytes, seed, 0, KyberEngine.SymBytes); } diff --git a/crypto/src/pqc/crypto/falcon/FalconKeyPairGenerator.cs b/crypto/src/pqc/crypto/falcon/FalconKeyPairGenerator.cs index eafd1a9eb..68f90c97f 100644 --- a/crypto/src/pqc/crypto/falcon/FalconKeyPairGenerator.cs +++ b/crypto/src/pqc/crypto/falcon/FalconKeyPairGenerator.cs @@ -8,7 +8,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Falcon { private FalconKeyGenerationParameters parameters; private SecureRandom random; - private FalconNIST nist; + private FalconNist nist; private uint logn; private uint noncelen; @@ -18,32 +18,31 @@ namespace Org.BouncyCastle.Pqc.Crypto.Falcon { this.parameters = (FalconKeyGenerationParameters)param; this.random = param.Random; - this.logn = ((FalconKeyGenerationParameters)param).Parameters.LogN; - this.noncelen = ((FalconKeyGenerationParameters)param).Parameters.NonceLength; - this.nist = new FalconNIST(random, logn, noncelen); + this.logn = (uint)((FalconKeyGenerationParameters)param).Parameters.LogN; + this.noncelen = (uint)((FalconKeyGenerationParameters)param).Parameters.NonceLength; + this.nist = new FalconNist(random, logn, noncelen); int n = 1 << (int)this.logn; - int sk_coeff_size = 8; - if (n == 1024) - { - sk_coeff_size = 5; - } - else if (n == 256 || n == 512) - { - sk_coeff_size = 6; - } - else if (n == 64 || n == 128) - { - sk_coeff_size = 7; - } + //int sk_coeff_size = 8; + //if (n == 1024) + //{ + // sk_coeff_size = 5; + //} + //else if (n == 256 || n == 512) + //{ + // sk_coeff_size = 6; + //} + //else if (n == 64 || n == 128) + //{ + // sk_coeff_size = 7; + //} this.pk_size = 1 + (14 * n / 8); } public AsymmetricCipherKeyPair GenerateKeyPair() { - byte[] pk, sk, f, g, F; - nist.crypto_sign_keypair(out pk, out f, out g, out F); - FalconParameters p = ((FalconKeyGenerationParameters)this.parameters).Parameters; + nist.crypto_sign_keypair(out byte[] pk, out byte[] f, out byte[] g, out byte[] F); + FalconParameters p = this.parameters.Parameters; FalconPrivateKeyParameters privk = new FalconPrivateKeyParameters(p, f, g, F, pk); FalconPublicKeyParameters pubk = new FalconPublicKeyParameters(p, pk); return new AsymmetricCipherKeyPair(pubk, privk); diff --git a/crypto/src/pqc/crypto/falcon/FalconKeyParameters.cs b/crypto/src/pqc/crypto/falcon/FalconKeyParameters.cs index 95a546994..bb1252706 100644 --- a/crypto/src/pqc/crypto/falcon/FalconKeyParameters.cs +++ b/crypto/src/pqc/crypto/falcon/FalconKeyParameters.cs @@ -3,7 +3,7 @@ using Org.BouncyCastle.Crypto; namespace Org.BouncyCastle.Pqc.Crypto.Falcon { - public class FalconKeyParameters + public abstract class FalconKeyParameters : AsymmetricKeyParameter { private FalconParameters parameters; diff --git a/crypto/src/pqc/crypto/falcon/FalconNIST.cs b/crypto/src/pqc/crypto/falcon/FalconNIST.cs index cce790734..0d2ba46e0 100644 --- a/crypto/src/pqc/crypto/falcon/FalconNIST.cs +++ b/crypto/src/pqc/crypto/falcon/FalconNIST.cs @@ -1,10 +1,11 @@ using System; + using Org.BouncyCastle.Security; using Org.BouncyCastle.Utilities; namespace Org.BouncyCastle.Pqc.Crypto.Falcon { - class FalconNIST + internal class FalconNist { private FalconCodec codec; private FalconVrfy vrfy; @@ -26,7 +27,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Falcon return this.CRYPTO_BYTES; } - internal FalconNIST(SecureRandom random, uint logn, uint noncelen) { + internal FalconNist(SecureRandom random, uint logn, uint noncelen) { this.logn = logn; this.codec = new FalconCodec(); this.common = new FalconCommon(); diff --git a/crypto/src/pqc/crypto/falcon/FalconParameters.cs b/crypto/src/pqc/crypto/falcon/FalconParameters.cs index 4a9bc598f..10d22a241 100644 --- a/crypto/src/pqc/crypto/falcon/FalconParameters.cs +++ b/crypto/src/pqc/crypto/falcon/FalconParameters.cs @@ -1,16 +1,17 @@ using Org.BouncyCastle.Crypto; +using System; namespace Org.BouncyCastle.Pqc.Crypto.Falcon { public sealed class FalconParameters : ICipherParameters { - public static FalconParameters falcon_512 = new FalconParameters("falcon512", 9, 40); - public static FalconParameters falcon_1024 = new FalconParameters("falcon1024", 10, 40); + public static readonly FalconParameters falcon_512 = new FalconParameters("falcon512", 9, 40); + public static readonly FalconParameters falcon_1024 = new FalconParameters("falcon1024", 10, 40); - private string name; - private uint logn; - private uint nonce_length; + private readonly string name; + private readonly uint logn; + private readonly uint nonce_length; private FalconParameters(string name, uint logn, uint nonce_length) { @@ -19,9 +20,9 @@ namespace Org.BouncyCastle.Pqc.Crypto.Falcon this.nonce_length = nonce_length; } - public uint LogN => logn; + public int LogN => Convert.ToInt32(logn); - public uint NonceLength => nonce_length; + public int NonceLength => Convert.ToInt32(nonce_length); public string Name => name; } diff --git a/crypto/src/pqc/crypto/falcon/FalconPrivateKeyParameters.cs b/crypto/src/pqc/crypto/falcon/FalconPrivateKeyParameters.cs index c912a222c..12b055add 100644 --- a/crypto/src/pqc/crypto/falcon/FalconPrivateKeyParameters.cs +++ b/crypto/src/pqc/crypto/falcon/FalconPrivateKeyParameters.cs @@ -3,13 +3,13 @@ using Org.BouncyCastle.Utilities; namespace Org.BouncyCastle.Pqc.Crypto.Falcon { - public class FalconPrivateKeyParameters + public sealed class FalconPrivateKeyParameters : FalconKeyParameters { - private byte[] pk; - private byte[] f; - private byte[] g; - private byte[] F; + private readonly byte[] pk; + private readonly byte[] f; + private readonly byte[] g; + private readonly byte[] F; public FalconPrivateKeyParameters(FalconParameters parameters, byte[] f, byte[] g, byte[] F, byte[] pk_encoded) : base(true, parameters) @@ -30,7 +30,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Falcon return Arrays.Clone(pk); } - public byte[] GetSpolyf() + public byte[] GetSpolyLittleF() { return Arrays.Clone(f); } @@ -40,7 +40,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Falcon return Arrays.Clone(g); } - public byte[] GetSpolyF() + public byte[] GetSpolyBigF() { return Arrays.Clone(F); } diff --git a/crypto/src/pqc/crypto/falcon/FalconPublicKeyParameters.cs b/crypto/src/pqc/crypto/falcon/FalconPublicKeyParameters.cs index 72bb11948..fa6b627ab 100644 --- a/crypto/src/pqc/crypto/falcon/FalconPublicKeyParameters.cs +++ b/crypto/src/pqc/crypto/falcon/FalconPublicKeyParameters.cs @@ -2,10 +2,10 @@ using Org.BouncyCastle.Utilities; namespace Org.BouncyCastle.Pqc.Crypto.Falcon { - public class FalconPublicKeyParameters + public sealed class FalconPublicKeyParameters : FalconKeyParameters { - private byte[] publicKey; + private readonly byte[] publicKey; public FalconPublicKeyParameters(FalconParameters parameters, byte[] h) : base(false, parameters) diff --git a/crypto/src/pqc/crypto/falcon/FalconSigner.cs b/crypto/src/pqc/crypto/falcon/FalconSigner.cs index f581386ee..e77e84102 100644 --- a/crypto/src/pqc/crypto/falcon/FalconSigner.cs +++ b/crypto/src/pqc/crypto/falcon/FalconSigner.cs @@ -9,7 +9,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Falcon : IMessageSigner { private byte[] encodedkey; - private FalconNIST nist; + private FalconNist nist; public void Init(bool forSigning, ICipherParameters param) { @@ -19,29 +19,29 @@ namespace Org.BouncyCastle.Pqc.Crypto.Falcon { FalconPrivateKeyParameters skparam = (FalconPrivateKeyParameters)withRandom.Parameters; encodedkey = skparam.GetEncoded(); - nist = new FalconNIST( + nist = new FalconNist( withRandom.Random, - skparam.Parameters.LogN, - skparam.Parameters.NonceLength); + (uint)skparam.Parameters.LogN, + (uint)skparam.Parameters.NonceLength); } else { FalconPrivateKeyParameters skparam = (FalconPrivateKeyParameters)param; encodedkey = ((FalconPrivateKeyParameters)param).GetEncoded(); - nist = new FalconNIST( + nist = new FalconNist( CryptoServicesRegistrar.GetSecureRandom(), - skparam.Parameters.LogN, - skparam.Parameters.NonceLength); + (uint)skparam.Parameters.LogN, + (uint)skparam.Parameters.NonceLength); } } else { FalconPublicKeyParameters pkparam = (FalconPublicKeyParameters)param; encodedkey = pkparam.GetEncoded(); - nist = new FalconNIST( + nist = new FalconNist( CryptoServicesRegistrar.GetSecureRandom(), - pkparam.Parameters.LogN, - pkparam.Parameters.NonceLength); + (uint)pkparam.Parameters.LogN, + (uint)pkparam.Parameters.NonceLength); } } diff --git a/crypto/src/pqc/crypto/hqc/ReedSolomon.cs b/crypto/src/pqc/crypto/hqc/ReedSolomon.cs index 8e7fc664d..25a8c7997 100644 --- a/crypto/src/pqc/crypto/hqc/ReedSolomon.cs +++ b/crypto/src/pqc/crypto/hqc/ReedSolomon.cs @@ -28,7 +28,6 @@ namespace Org.BouncyCastle.Pqc.Crypto.Hqc for (int j = 0; j < paramG; j++) { tmp[j] = GFCalculator.mult(gateValue, rsPoly[j]); - int n = 1; } for (int j = n1 - paramK - 1; j > 0; j--) diff --git a/crypto/src/pqc/crypto/lms/Composer.cs b/crypto/src/pqc/crypto/lms/Composer.cs index b897f4b68..6ad044e34 100644 --- a/crypto/src/pqc/crypto/lms/Composer.cs +++ b/crypto/src/pqc/crypto/lms/Composer.cs @@ -1,4 +1,3 @@ -using System; using System.IO; using Org.BouncyCastle.Utilities; @@ -38,7 +37,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Lms return this; } - public Composer U16Str(uint n) + public Composer U16Str(int n) { n &= 0xFFFF; bos.WriteByte((byte)(n >> 8)); @@ -72,7 +71,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Lms return this; } - public Composer Bytes(byte[][] arrays) + public Composer Bytes2(byte[][] arrays) { foreach (byte[] array in arrays) { @@ -81,7 +80,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Lms return this; } - public Composer Bytes(byte[][] arrays, int start, int end) + public Composer Bytes2(byte[][] arrays, int start, int end) { int j = start; while (j != end) diff --git a/crypto/src/pqc/crypto/lms/LMOtsParameters.cs b/crypto/src/pqc/crypto/lms/LMOtsParameters.cs index e05b1650a..60bf28d50 100644 --- a/crypto/src/pqc/crypto/lms/LMOtsParameters.cs +++ b/crypto/src/pqc/crypto/lms/LMOtsParameters.cs @@ -1,3 +1,4 @@ +using System; using System.Collections.Generic; using Org.BouncyCastle.Asn1; @@ -53,7 +54,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Lms public int Ls => m_ls; - public uint SigLen => m_sigLen; + public int SigLen => Convert.ToInt32(m_sigLen); public DerObjectIdentifier DigestOid => m_digestOid; diff --git a/crypto/src/pqc/crypto/lms/LMOtsPrivateKey.cs b/crypto/src/pqc/crypto/lms/LMOtsPrivateKey.cs index e9df6fbfd..20b717af6 100644 --- a/crypto/src/pqc/crypto/lms/LMOtsPrivateKey.cs +++ b/crypto/src/pqc/crypto/lms/LMOtsPrivateKey.cs @@ -30,7 +30,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Lms LmsUtilities.ByteArray(m_I, ctx); LmsUtilities.U32Str(m_q, ctx); - LmsUtilities.U16Str(LMOts.D_MESG, ctx); + LmsUtilities.U16Str((short)LMOts.D_MESG, ctx); LmsUtilities.ByteArray(C, ctx); return new LmsContext(this, sigParams, ctx, C, path); diff --git a/crypto/src/pqc/crypto/lms/LMOtsPublicKey.cs b/crypto/src/pqc/crypto/lms/LMOtsPublicKey.cs index 09e8b2951..ef3d4aced 100644 --- a/crypto/src/pqc/crypto/lms/LMOtsPublicKey.cs +++ b/crypto/src/pqc/crypto/lms/LMOtsPublicKey.cs @@ -109,7 +109,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Lms LmsUtilities.ByteArray(m_I, ctx); LmsUtilities.U32Str(m_q, ctx); - LmsUtilities.U16Str(LMOts.D_MESG, ctx); + LmsUtilities.U16Str((short)LMOts.D_MESG, ctx); LmsUtilities.ByteArray(signature.C, ctx); return new LmsContext(this, signature, ctx); @@ -121,7 +121,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Lms LmsUtilities.ByteArray(m_I, ctx); LmsUtilities.U32Str(m_q, ctx); - LmsUtilities.U16Str(LMOts.D_MESG, ctx); + LmsUtilities.U16Str((short)LMOts.D_MESG, ctx); LmsUtilities.ByteArray(signature.OtsSignature.C, ctx); return new LmsContext(this, signature, ctx); diff --git a/crypto/src/pqc/crypto/lms/LMS.cs b/crypto/src/pqc/crypto/lms/LMS.cs index 3c17b0a1e..6174d3889 100644 --- a/crypto/src/pqc/crypto/lms/LMS.cs +++ b/crypto/src/pqc/crypto/lms/LMS.cs @@ -100,7 +100,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Lms H.BlockUpdate(I, 0, I.Length); LmsUtilities.U32Str(node_num, H); - LmsUtilities.U16Str(D_LEAF, H); + LmsUtilities.U16Str((short)D_LEAF, H); H.BlockUpdate(Kc, 0, Kc.Length); H.DoFinal(tmp, 0); @@ -113,7 +113,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Lms // is odd H.BlockUpdate(I, 0, I.Length); LmsUtilities.U32Str(node_num / 2, H); - LmsUtilities.U16Str(D_INTR, H); + LmsUtilities.U16Str((short)D_INTR, H); H.BlockUpdate(path[i], 0, path[i].Length); H.BlockUpdate(tmp, 0, tmp.Length); H.DoFinal(tmp, 0); @@ -122,7 +122,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Lms { H.BlockUpdate(I, 0, I.Length); LmsUtilities.U32Str(node_num / 2, H); - LmsUtilities.U16Str(D_INTR, H); + LmsUtilities.U16Str((short)D_INTR, H); H.BlockUpdate(tmp, 0, tmp.Length); H.BlockUpdate(path[i], 0, path[i].Length); H.DoFinal(tmp, 0); diff --git a/crypto/src/pqc/crypto/lms/LMSPrivateKeyParameters.cs b/crypto/src/pqc/crypto/lms/LMSPrivateKeyParameters.cs index dcdeb7ab5..278cbb04b 100644 --- a/crypto/src/pqc/crypto/lms/LMSPrivateKeyParameters.cs +++ b/crypto/src/pqc/crypto/lms/LMSPrivateKeyParameters.cs @@ -324,7 +324,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Lms { LmsUtilities.ByteArray(this.GetI(), tDigest); LmsUtilities.U32Str(r, tDigest); - LmsUtilities.U16Str(Lms.D_LEAF, tDigest); + LmsUtilities.U16Str((short)Lms.D_LEAF, tDigest); // // These can be pre generated at the time of key generation and held within the private key. // However it will cost memory to have them stick around. @@ -343,7 +343,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Lms LmsUtilities.ByteArray(this.GetI(), tDigest); LmsUtilities.U32Str(r, tDigest); - LmsUtilities.U16Str(Lms.D_INTR, tDigest); + LmsUtilities.U16Str((short)Lms.D_INTR, tDigest); LmsUtilities.ByteArray(t2r, tDigest); LmsUtilities.ByteArray(t2rPlus1, tDigest); T = new byte[tDigest.GetDigestSize()]; diff --git a/crypto/src/pqc/crypto/lms/LMSSignature.cs b/crypto/src/pqc/crypto/lms/LMSSignature.cs index f5d355297..a1ae475c1 100644 --- a/crypto/src/pqc/crypto/lms/LMSSignature.cs +++ b/crypto/src/pqc/crypto/lms/LMSSignature.cs @@ -123,7 +123,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Lms .U32Str(q) .Bytes(otsSignature.GetEncoded()) .U32Str(parameter.ID) - .Bytes(y) + .Bytes2(y) .Build(); } diff --git a/crypto/src/pqc/crypto/lms/LM_OTS.cs b/crypto/src/pqc/crypto/lms/LM_OTS.cs index c3cd3da90..0aa5c580e 100644 --- a/crypto/src/pqc/crypto/lms/LM_OTS.cs +++ b/crypto/src/pqc/crypto/lms/LM_OTS.cs @@ -220,7 +220,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Lms IDigest finalContext = DigestUtilities.GetDigest(parameter.DigestOid); LmsUtilities.ByteArray(I, finalContext); LmsUtilities.U32Str(q, finalContext); - LmsUtilities.U16Str(D_PBLC, finalContext); + LmsUtilities.U16Str((short)D_PBLC, finalContext); byte[] tmp = Composer.Compose() .Bytes(I) diff --git a/crypto/src/pqc/crypto/lms/LmsUtils.cs b/crypto/src/pqc/crypto/lms/LmsUtils.cs index da3f457d2..e99dfe585 100644 --- a/crypto/src/pqc/crypto/lms/LmsUtils.cs +++ b/crypto/src/pqc/crypto/lms/LmsUtils.cs @@ -14,7 +14,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Lms d.Update((byte)(n)); } - public static void U16Str(ushort n, IDigest d) + public static void U16Str(short n, IDigest d) { d.Update((byte)(n >> 8)); d.Update((byte)(n)); diff --git a/crypto/src/pqc/crypto/picnic/KMatrices.cs b/crypto/src/pqc/crypto/picnic/KMatrices.cs index 64e6be00a..a6d280985 100644 --- a/crypto/src/pqc/crypto/picnic/KMatrices.cs +++ b/crypto/src/pqc/crypto/picnic/KMatrices.cs @@ -1,5 +1,3 @@ -using Org.BouncyCastle.Utilities; - namespace Org.BouncyCastle.Pqc.Crypto.Picnic { internal class KMatrices @@ -9,36 +7,35 @@ namespace Org.BouncyCastle.Pqc.Crypto.Picnic private int columns; private uint[] data; - public KMatrices(int nmatrices, int rows, int columns, uint[] data) + internal KMatrices(int nmatrices, int rows, int columns, uint[] data) { this.nmatrices = nmatrices; this.rows = rows; this.columns = columns; this.data = data; } - - public int GetNmatrices() + internal int GetNmatrices() { return nmatrices; } - public int GetSize() + internal int GetSize() { return rows * columns; } - public int GetRows() + internal int GetRows() { return rows; } - public int GetColumns() + internal int GetColumns() { return columns; } - public uint[] GetData() + internal uint[] GetData() { return data; } @@ -48,20 +45,21 @@ namespace Org.BouncyCastle.Pqc.Crypto.Picnic : KMatrices { private int matrixPointer; - public int GetMatrixPointer() + + internal int GetMatrixPointer() { return matrixPointer; } - public void SetMatrixPointer(int matrixPointer) + internal void SetMatrixPointer(int matrixPointer) { this.matrixPointer = matrixPointer; } - public KMatricesWithPointer(KMatrices m) + internal KMatricesWithPointer(KMatrices m) : base(m.GetNmatrices(), m.GetRows(), m.GetColumns(), m.GetData()) { this.matrixPointer = 0; } } -} \ No newline at end of file +} diff --git a/crypto/src/pqc/crypto/picnic/Msg.cs b/crypto/src/pqc/crypto/picnic/Msg.cs index 4a8c145e7..a9a13b383 100644 --- a/crypto/src/pqc/crypto/picnic/Msg.cs +++ b/crypto/src/pqc/crypto/picnic/Msg.cs @@ -1,12 +1,12 @@ namespace Org.BouncyCastle.Pqc.Crypto.Picnic { - public class Msg + internal class Msg { internal byte[][] msgs; // One for each player internal int pos; internal int unopened; // Index of the unopened party, or -1 if all parties opened (when signing) - public Msg(PicnicEngine engine) + internal Msg(PicnicEngine engine) { msgs = new byte[engine.numMPCParties][]; // engine.andSizeBytes for (int i = 0; i < engine.numMPCParties; i++) @@ -17,4 +17,4 @@ namespace Org.BouncyCastle.Pqc.Crypto.Picnic unopened = -1; } } -} \ No newline at end of file +} diff --git a/crypto/src/pqc/crypto/picnic/PicnicEngine.cs b/crypto/src/pqc/crypto/picnic/PicnicEngine.cs index 0e2a4b54f..5557ddcff 100644 --- a/crypto/src/pqc/crypto/picnic/PicnicEngine.cs +++ b/crypto/src/pqc/crypto/picnic/PicnicEngine.cs @@ -8,17 +8,17 @@ using Org.BouncyCastle.Utilities; namespace Org.BouncyCastle.Pqc.Crypto.Picnic { - public class PicnicEngine + internal sealed class PicnicEngine { // same for all parameter sets - protected internal static readonly int saltSizeBytes = 32; + internal static readonly int saltSizeBytes = 32; private static readonly uint MAX_DIGEST_SIZE = 64; private static readonly int WORD_SIZE_BITS = 32; // the word size for the implementation. Not a LowMC parameter private static readonly uint LOWMC_MAX_STATE_SIZE = 64; - protected internal static readonly uint LOWMC_MAX_WORDS = (LOWMC_MAX_STATE_SIZE / 4); - protected internal static readonly uint LOWMC_MAX_KEY_BITS = 256; - protected internal static readonly uint LOWMC_MAX_AND_GATES = (3 * 38 * 10 + 4); /* Rounded to nearest byte */ + internal static readonly uint LOWMC_MAX_WORDS = (LOWMC_MAX_STATE_SIZE / 4); + internal static readonly uint LOWMC_MAX_KEY_BITS = 256; + internal static readonly uint LOWMC_MAX_AND_GATES = (3 * 38 * 10 + 4); /* Rounded to nearest byte */ private static readonly uint MAX_AUX_BYTES = ((LOWMC_MAX_AND_GATES + LOWMC_MAX_KEY_BITS) / 8 + 1); /* Maximum lengths in bytes */ @@ -28,8 +28,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Picnic /** Largest serialized public key size, in bytes */ private static readonly uint PICNIC_MAX_PRIVATEKEY_SIZE = (3 * PICNIC_MAX_LOWMC_BLOCK_SIZE + 2); - /** Largest serialized private key size, in bytes */ - private static readonly uint PICNIC_MAX_SIGNATURE_SIZE = 209522; + //private static readonly uint PICNIC_MAX_SIGNATURE_SIZE = 209522; /** Largest signature size, in bytes */ @@ -47,45 +46,45 @@ namespace Org.BouncyCastle.Pqc.Crypto.Picnic // varies between parameter sets - protected internal int numRounds; + internal int numRounds; private int numSboxes; - protected internal int stateSizeBits; - protected internal int stateSizeBytes; - protected internal int stateSizeWords; - protected internal int andSizeBytes; + internal int stateSizeBits; + internal int stateSizeBytes; + internal int stateSizeWords; + internal int andSizeBytes; private int UnruhGWithoutInputBytes; - protected internal int UnruhGWithInputBytes; - protected internal int numMPCRounds; // T - protected internal int numOpenedRounds; // u - protected internal int numMPCParties; // N - protected internal int seedSizeBytes; - protected internal int digestSizeBytes; - protected internal int pqSecurityLevel; + internal int UnruhGWithInputBytes; + internal int numMPCRounds; // T + internal int numOpenedRounds; // u + internal int numMPCParties; // N + internal int seedSizeBytes; + internal int digestSizeBytes; + internal int pqSecurityLevel; /// private uint transform; private int parameters; - protected internal IXof digest; + internal IXof digest; private int signatureLength; - public int GetSecretKeySize() + internal int GetSecretKeySize() { return CRYPTO_SECRETKEYBYTES; } - public int GetPublicKeySize() + internal int GetPublicKeySize() { return CRYPTO_PUBLICKEYBYTES; } - public int GetSignatureSize(int messageLength) + internal int GetSignatureSize(int messageLength) { return CRYPTO_BYTES + messageLength; } //todo dont do this - public int GetTrueSignatureSize() + internal int GetTrueSignatureSize() { return signatureLength + 4; } @@ -95,174 +94,174 @@ namespace Org.BouncyCastle.Pqc.Crypto.Picnic parameters = picnicParams; switch (parameters) { - case 1: - case 2: - /*Picnic_L1_FS - Picnic_L1_UR*/ - pqSecurityLevel = 64; - stateSizeBits = 128; - numMPCRounds = 219; - numMPCParties = 3; - numSboxes = 10; - numRounds = 20; - digestSizeBytes = 32; - break; - case 3: - case 4: - /* Picnic_L3_FS - Picnic_L3_UR*/ - pqSecurityLevel = 96; - stateSizeBits = 192; - numMPCRounds = 329; - numMPCParties = 3; - numSboxes = 10; - numRounds = 30; - digestSizeBytes = 48; - break; - case 5: - case 6: - /* Picnic_L5_FS - Picnic_L5_UR*/ - pqSecurityLevel = 128; - stateSizeBits = 256; - numMPCRounds = 438; - numMPCParties = 3; - numSboxes = 10; - numRounds = 38; - digestSizeBytes = 64; - break; - case 7: - /*Picnic3_L1*/ - pqSecurityLevel = 64; - stateSizeBits = 129; - numMPCRounds = 250; - numOpenedRounds = 36; - numMPCParties = 16; - numSboxes = 43; - numRounds = 4; - digestSizeBytes = 32; - break; - case 8: - /*Picnic3_L3*/ - pqSecurityLevel = 96; - stateSizeBits = 192; - numMPCRounds = 419; - numOpenedRounds = 52; - numMPCParties = 16; - numSboxes = 64; - numRounds = 4; - digestSizeBytes = 48; - break; - case 9: - /*Picnic3_L5*/ - pqSecurityLevel = 128; - stateSizeBits = 255; - numMPCRounds = 601; - numOpenedRounds = 68; - numMPCParties = 16; - numSboxes = 85; - numRounds = 4; - digestSizeBytes = 64; - break; - case 10: - /*Picnic_L1_full*/ - pqSecurityLevel = 64; - stateSizeBits = 129; - numMPCRounds = 219; - numMPCParties = 3; - numSboxes = 43; - numRounds = 4; - digestSizeBytes = 32; - break; - case 11: - /*Picnic_L3_full*/ - pqSecurityLevel = 96; - stateSizeBits = 192; - numMPCRounds = 329; - numMPCParties = 3; - numSboxes = 64; - numRounds = 4; - digestSizeBytes = 48; - break; - case 12: - /*Picnic_L5_full*/ - pqSecurityLevel = 128; - stateSizeBits = 255; - numMPCRounds = 438; - numMPCParties = 3; - numSboxes = 85; - numRounds = 4; - digestSizeBytes = 64; - break; + case 1: + case 2: + /*Picnic_L1_FS + Picnic_L1_UR*/ + pqSecurityLevel = 64; + stateSizeBits = 128; + numMPCRounds = 219; + numMPCParties = 3; + numSboxes = 10; + numRounds = 20; + digestSizeBytes = 32; + break; + case 3: + case 4: + /* Picnic_L3_FS + Picnic_L3_UR*/ + pqSecurityLevel = 96; + stateSizeBits = 192; + numMPCRounds = 329; + numMPCParties = 3; + numSboxes = 10; + numRounds = 30; + digestSizeBytes = 48; + break; + case 5: + case 6: + /* Picnic_L5_FS + Picnic_L5_UR*/ + pqSecurityLevel = 128; + stateSizeBits = 256; + numMPCRounds = 438; + numMPCParties = 3; + numSboxes = 10; + numRounds = 38; + digestSizeBytes = 64; + break; + case 7: + /*Picnic3_L1*/ + pqSecurityLevel = 64; + stateSizeBits = 129; + numMPCRounds = 250; + numOpenedRounds = 36; + numMPCParties = 16; + numSboxes = 43; + numRounds = 4; + digestSizeBytes = 32; + break; + case 8: + /*Picnic3_L3*/ + pqSecurityLevel = 96; + stateSizeBits = 192; + numMPCRounds = 419; + numOpenedRounds = 52; + numMPCParties = 16; + numSboxes = 64; + numRounds = 4; + digestSizeBytes = 48; + break; + case 9: + /*Picnic3_L5*/ + pqSecurityLevel = 128; + stateSizeBits = 255; + numMPCRounds = 601; + numOpenedRounds = 68; + numMPCParties = 16; + numSboxes = 85; + numRounds = 4; + digestSizeBytes = 64; + break; + case 10: + /*Picnic_L1_full*/ + pqSecurityLevel = 64; + stateSizeBits = 129; + numMPCRounds = 219; + numMPCParties = 3; + numSboxes = 43; + numRounds = 4; + digestSizeBytes = 32; + break; + case 11: + /*Picnic_L3_full*/ + pqSecurityLevel = 96; + stateSizeBits = 192; + numMPCRounds = 329; + numMPCParties = 3; + numSboxes = 64; + numRounds = 4; + digestSizeBytes = 48; + break; + case 12: + /*Picnic_L5_full*/ + pqSecurityLevel = 128; + stateSizeBits = 255; + numMPCRounds = 438; + numMPCParties = 3; + numSboxes = 85; + numRounds = 4; + digestSizeBytes = 64; + break; } switch (parameters) { - case 1: /*Picnic_L1_FS*/ - CRYPTO_SECRETKEYBYTES = 49; - CRYPTO_PUBLICKEYBYTES = 33; - CRYPTO_BYTES = 34036; - break; - case 2: /* Picnic_L1_UR*/ - CRYPTO_SECRETKEYBYTES = 49; - CRYPTO_PUBLICKEYBYTES = 33; - CRYPTO_BYTES = 53965; - break; - case 3: /*Picnic_L3_FS*/ - CRYPTO_SECRETKEYBYTES = 73; - CRYPTO_PUBLICKEYBYTES = 49; - CRYPTO_BYTES = 76784; - break; - case 4: /*Picnic_L3_UR*/ - CRYPTO_SECRETKEYBYTES = 73; - CRYPTO_PUBLICKEYBYTES = 49; - CRYPTO_BYTES = 121857; - break; - case 5: /*Picnic_L5_FS*/ - CRYPTO_SECRETKEYBYTES = 97; - CRYPTO_PUBLICKEYBYTES = 65; - CRYPTO_BYTES = 132876; - break; - case 6: /*Picnic_L5_UR*/ - CRYPTO_SECRETKEYBYTES = 97; - CRYPTO_PUBLICKEYBYTES = 65; - CRYPTO_BYTES = 209526; - break; - case 7: /*Picnic3_L1*/ - CRYPTO_SECRETKEYBYTES = 52; - CRYPTO_PUBLICKEYBYTES = 35; - CRYPTO_BYTES = 14612; - break; - case 8: /*Picnic3_L3*/ - CRYPTO_SECRETKEYBYTES = 73; - CRYPTO_PUBLICKEYBYTES = 49; - CRYPTO_BYTES = 35028; - break; - case 9: /*Picnic3_L5*/ - CRYPTO_SECRETKEYBYTES = 97; - CRYPTO_PUBLICKEYBYTES = 65; - CRYPTO_BYTES = 61028; - break; - case 10: /*Picnic_L1_full*/ - CRYPTO_SECRETKEYBYTES = 52; - CRYPTO_PUBLICKEYBYTES = 35; - CRYPTO_BYTES = 32061; - break; - case 11: /*Picnic_L3_full*/ - CRYPTO_SECRETKEYBYTES = 73; - CRYPTO_PUBLICKEYBYTES = 49; - CRYPTO_BYTES = 71179; - break; - case 12: /*Picnic_L5_full*/ - CRYPTO_SECRETKEYBYTES = 97; - CRYPTO_PUBLICKEYBYTES = 65; - CRYPTO_BYTES = 126286; - break; - default: - CRYPTO_SECRETKEYBYTES = -1; - CRYPTO_PUBLICKEYBYTES = -1; - CRYPTO_BYTES = -1; - break; + case 1: /*Picnic_L1_FS*/ + CRYPTO_SECRETKEYBYTES = 49; + CRYPTO_PUBLICKEYBYTES = 33; + CRYPTO_BYTES = 34036; + break; + case 2: /* Picnic_L1_UR*/ + CRYPTO_SECRETKEYBYTES = 49; + CRYPTO_PUBLICKEYBYTES = 33; + CRYPTO_BYTES = 53965; + break; + case 3: /*Picnic_L3_FS*/ + CRYPTO_SECRETKEYBYTES = 73; + CRYPTO_PUBLICKEYBYTES = 49; + CRYPTO_BYTES = 76784; + break; + case 4: /*Picnic_L3_UR*/ + CRYPTO_SECRETKEYBYTES = 73; + CRYPTO_PUBLICKEYBYTES = 49; + CRYPTO_BYTES = 121857; + break; + case 5: /*Picnic_L5_FS*/ + CRYPTO_SECRETKEYBYTES = 97; + CRYPTO_PUBLICKEYBYTES = 65; + CRYPTO_BYTES = 132876; + break; + case 6: /*Picnic_L5_UR*/ + CRYPTO_SECRETKEYBYTES = 97; + CRYPTO_PUBLICKEYBYTES = 65; + CRYPTO_BYTES = 209526; + break; + case 7: /*Picnic3_L1*/ + CRYPTO_SECRETKEYBYTES = 52; + CRYPTO_PUBLICKEYBYTES = 35; + CRYPTO_BYTES = 14612; + break; + case 8: /*Picnic3_L3*/ + CRYPTO_SECRETKEYBYTES = 73; + CRYPTO_PUBLICKEYBYTES = 49; + CRYPTO_BYTES = 35028; + break; + case 9: /*Picnic3_L5*/ + CRYPTO_SECRETKEYBYTES = 97; + CRYPTO_PUBLICKEYBYTES = 65; + CRYPTO_BYTES = 61028; + break; + case 10: /*Picnic_L1_full*/ + CRYPTO_SECRETKEYBYTES = 52; + CRYPTO_PUBLICKEYBYTES = 35; + CRYPTO_BYTES = 32061; + break; + case 11: /*Picnic_L3_full*/ + CRYPTO_SECRETKEYBYTES = 73; + CRYPTO_PUBLICKEYBYTES = 49; + CRYPTO_BYTES = 71179; + break; + case 12: /*Picnic_L5_full*/ + CRYPTO_SECRETKEYBYTES = 97; + CRYPTO_PUBLICKEYBYTES = 65; + CRYPTO_BYTES = 126286; + break; + default: + CRYPTO_SECRETKEYBYTES = -1; + CRYPTO_PUBLICKEYBYTES = -1; + CRYPTO_BYTES = -1; + break; } // calculated depending on above parameters @@ -304,7 +303,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Picnic digest = new ShakeDigest(shakeSize); } - public bool crypto_sign_open(byte[] m, byte[] sm, byte[] pk) + internal bool crypto_sign_open(byte[] m, byte[] sm, byte[] pk) { uint sigLen = Pack.LE_To_UInt32(sm, 0); byte[] m_from_sm = Arrays.CopyOfRange(sm, 4, 4 + m.Length); @@ -432,7 +431,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Picnic return status; } - void VerifyProof(Signature.Proof proof, View view1, View view2, int challenge, byte[] salt, + private void VerifyProof(Signature.Proof proof, View view1, View view2, int challenge, byte[] salt, uint roundNumber, byte[] tmp, uint[] plaintext, Tape tape) { Array.Copy(proof.communicatedBits, 0, view2.communicatedBits, 0, andSizeBytes); @@ -534,7 +533,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Picnic mpc_LowMC_verify(view1, view2, tape, tmp_ints, plaintext, challenge); } - void mpc_LowMC_verify(View view1, View view2, Tape tapes, uint[] tmp, uint[] plaintext, int challenge) + private void mpc_LowMC_verify(View view1, View view2, Tape tapes, uint[] tmp, uint[] plaintext, int challenge) { Utils.Fill(tmp, 0, tmp.Length, 0); @@ -576,7 +575,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Picnic Array.Copy(tmp, 3 * stateSizeWords, view2.outputShare, 0, stateSizeWords); } - void mpc_substitution_verify(uint[] state, Tape rand, View view1, View view2) + private void mpc_substitution_verify(uint[] state, Tape rand, View view1, View view2) { uint[] a = new uint[2]; uint[] b = new uint[2]; @@ -611,7 +610,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Picnic } } - void mpc_AND_verify(uint[] in1, uint[] in2, uint[] output, Tape rand, View view1, View view2) + private void mpc_AND_verify(uint[] in1, uint[] in2, uint[] output, Tape rand, View view1, View view2) { uint[] r = {Utils.GetBit(rand.tapes[0], rand.pos), Utils.GetBit(rand.tapes[1], rand.pos)}; @@ -646,7 +645,6 @@ namespace Org.BouncyCastle.Pqc.Crypto.Picnic } - private int DeserializeSignature(Signature sig, byte[] sigBytes, uint sigBytesLen, int sigBytesOffset) { Signature.Proof[] proofs = sig.proofs; @@ -1086,7 +1084,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Picnic return true; } - public void crypto_sign(byte[] sm, byte[] m, byte[] sk) + internal void crypto_sign(byte[] sm, byte[] m, byte[] sk) { picnic_sign(sk, m, sm); Array.Copy(m, 0, sm, 4, m.Length); @@ -1142,7 +1140,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Picnic /*** Serialization functions ***/ - int SerializeSignature(Signature sig, byte[] sigBytes, int sigOffset) + private int SerializeSignature(Signature sig, byte[] sigBytes, int sigOffset) { Signature.Proof[] proofs = sig.proofs; byte[] challengeBits = sig.challengeBits; @@ -1204,7 +1202,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Picnic return sigByteIndex - sigOffset; } - int GetChallenge(byte[] challenge, int round) + private int GetChallenge(byte[] challenge, int round) { return (Utils.GetBit(challenge, 2 * round + 1) << 1) | Utils.GetBit(challenge, 2 * round); } @@ -1418,7 +1416,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Picnic } /* Caller must allocate the first parameter */ - void Prove(Signature.Proof proof, int challenge, byte[] seeds, int seedsOffset, + private void Prove(Signature.Proof proof, int challenge, byte[] seeds, int seedsOffset, View[] views, byte[][] commitments, byte[][] gs) { if (challenge == 0) @@ -1456,7 +1454,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Picnic } } - void H3(uint[] circuitOutput, uint[] plaintext, uint[][][] viewOutputs, + private void H3(uint[] circuitOutput, uint[] plaintext, uint[][][] viewOutputs, byte[][][] AS, byte[] challengeBits, byte[] salt, byte[] message, byte[][][] gs) { @@ -1659,7 +1657,6 @@ namespace Org.BouncyCastle.Pqc.Crypto.Picnic int stateOffset; for (int i = 0; i < numSboxes * 3; i += 3) { - for (int j = 0; j < 3; j++) { stateOffset = ((3 + j) * stateSizeWords) * 32; @@ -1748,7 +1745,6 @@ namespace Org.BouncyCastle.Pqc.Crypto.Picnic digest.Update((byte) 2); digest.BlockUpdate(seed, seedOffset, seedSizeBytes); digest.OutputFinal(tape, 0, digestSizeBytes); -// Console.Error.Write("tape: " + Hex.toHexString(tape)); /* Expand the hashed seed, salt, round and player indices, and output * length to create the tape. */ @@ -1949,7 +1945,6 @@ namespace Org.BouncyCastle.Pqc.Crypto.Picnic return missingLeaves; } - private void HCP(byte[] challengeHash, uint[] challengeC, uint[] challengeP, byte[][] Ch, byte[] hCv, byte[] salt, uint[] pubKey, uint[] plaintext, byte[] message) { @@ -1971,7 +1966,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Picnic } } - static int BitsToChunks(int chunkLenBits, byte[] input, int inputLen, uint[] chunks) + private static int BitsToChunks(int chunkLenBits, byte[] input, int inputLen, uint[] chunks) { if (chunkLenBits > inputLen * 8) { @@ -1992,7 +1987,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Picnic return chunkCount; } - static uint AppendUnique(uint[] list, uint value, uint position) + private static uint AppendUnique(uint[] list, uint value, uint position) { if (position == 0) { @@ -2171,7 +2166,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Picnic return true; } - static uint Extend(uint bit) + private static uint Extend(uint bit) { return ~(bit - 1); } @@ -2233,7 +2228,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Picnic } } - protected internal void aux_mpc_sbox(uint[] input, uint[] output, Tape tape) + internal void aux_mpc_sbox(uint[] input, uint[] output, Tape tape) { for (int i = 0; i < numSboxes * 3; i += 3) { @@ -2341,7 +2336,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Picnic digest.OutputFinal(saltAndRoot, 0, saltAndRoot.Length); } - static bool is_picnic3(int parameters) + private static bool is_picnic3(int parameters) { return parameters == 7 /*Picnic3_L1*/ || parameters == 8 /*Picnic3_L3*/ || @@ -2349,7 +2344,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Picnic } //todo return int; - public void crypto_sign_keypair(byte[] pk, byte[] sk, SecureRandom random) + internal void crypto_sign_keypair(byte[] pk, byte[] sk, SecureRandom random) { // set array sizes byte[] plaintext_bytes = new byte[PICNIC_MAX_LOWMC_BLOCK_SIZE]; @@ -2474,7 +2469,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Picnic } } - protected internal void xor_array(uint[] output, uint[] in1, uint[] in2, int in2_offset, int length) + internal void xor_array(uint[] output, uint[] in1, uint[] in2, int in2_offset, int length) { for (int i = 0; i < length; i++) { @@ -2482,12 +2477,12 @@ namespace Org.BouncyCastle.Pqc.Crypto.Picnic } } - protected internal void matrix_mul(uint[] output, uint[] state, uint[] matrix, int matrixOffset) + internal void matrix_mul(uint[] output, uint[] state, uint[] matrix, int matrixOffset) { matrix_mul_offset(output, 0, state, 0, matrix, matrixOffset); } - protected void matrix_mul_offset(uint[] output, int outputOffset, uint[] state, int stateOffset, uint[] matrix, + internal void matrix_mul_offset(uint[] output, int outputOffset, uint[] state, int stateOffset, uint[] matrix, int matrixOffset) { // Use temp to correctly handle the case when state = output diff --git a/crypto/src/pqc/crypto/picnic/Signature2.cs b/crypto/src/pqc/crypto/picnic/Signature2.cs index 7659fb314..c6f44380c 100644 --- a/crypto/src/pqc/crypto/picnic/Signature2.cs +++ b/crypto/src/pqc/crypto/picnic/Signature2.cs @@ -1,7 +1,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Picnic { - public class Signature2 + internal class Signature2 { internal byte[] salt; internal byte[] iSeedInfo; // Info required to recompute the tree of all initial seeds @@ -14,7 +14,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Picnic internal Proof2[] proofs; // One proof for each online execution the verifier checks //todo initialize in engine! - public Signature2(PicnicEngine engine) + internal Signature2(PicnicEngine engine) { challengeHash = new byte[engine.digestSizeBytes]; salt = new byte[PicnicEngine.saltSizeBytes]; @@ -23,7 +23,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Picnic proofs = new Proof2[engine.numMPCRounds]; } - public class Proof2 + internal class Proof2 { internal byte[] seedInfo; // Information required to compute the tree with seeds of of all opened parties internal int seedInfoLen; // Length of seedInfo buffer @@ -32,7 +32,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Picnic internal byte[] input; // Masked input used in online execution internal byte[] msgs; // Broadcast messages of unopened party P[t] - public Proof2(PicnicEngine engine) + internal Proof2(PicnicEngine engine) { seedInfo = null; seedInfoLen = 0; @@ -45,6 +45,3 @@ namespace Org.BouncyCastle.Pqc.Crypto.Picnic } } } - - - diff --git a/crypto/src/pqc/crypto/picnic/Tape.cs b/crypto/src/pqc/crypto/picnic/Tape.cs index dd1a44de8..c433b3267 100644 --- a/crypto/src/pqc/crypto/picnic/Tape.cs +++ b/crypto/src/pqc/crypto/picnic/Tape.cs @@ -1,125 +1,128 @@ using Org.BouncyCastle.Crypto.Utilities; -using Org.BouncyCastle.Pqc.Crypto.Picnic; using Org.BouncyCastle.Utilities; -public class Tape +namespace Org.BouncyCastle.Pqc.Crypto.Picnic { - internal byte[][] tapes; - internal int pos; - int nTapes; - - private PicnicEngine engine; - public Tape(PicnicEngine engine) + internal class Tape { - this.engine = engine; - tapes = new byte[engine.numMPCParties][]; //[2 * engine.andSizeBytes]; - for (int i = 0; i < engine.numMPCParties; i++) - { - tapes[i] = new byte[2 * engine.andSizeBytes]; - } - pos = 0; - nTapes = engine.numMPCParties; - } + internal byte[][] tapes; + internal int pos; + int nTapes; - protected internal void SetAuxBits(byte[] input) - { - int last = engine.numMPCParties - 1; - int pos = 0; - int n = engine.stateSizeBits; + private PicnicEngine engine; - for(int j = 0; j < engine.numRounds; j++) + internal Tape(PicnicEngine engine) { - for(int i = 0; i < n; i++) + this.engine = engine; + tapes = new byte[engine.numMPCParties][]; //[2 * engine.andSizeBytes]; + for (int i = 0; i < engine.numMPCParties; i++) { - Utils.SetBit(this.tapes[last], n + n*2*j + i, Utils.GetBit(input, pos++)); + tapes[i] = new byte[2 * engine.andSizeBytes]; } + pos = 0; + nTapes = engine.numMPCParties; } - } - - /* Input is the tapes for one parallel repitition; i.e., tapes[t] - * Updates the random tapes of all players with the mask values for the output of - * AND gates, and computes the N-th party's share such that the AND gate invariant - * holds on the mask values. - */ - protected internal void ComputeAuxTape(byte[] inputs) - { - uint[] roundKey = new uint[PicnicEngine.LOWMC_MAX_WORDS]; - uint[] x = new uint[PicnicEngine.LOWMC_MAX_WORDS]; - uint[] y = new uint[PicnicEngine.LOWMC_MAX_WORDS]; - uint[] key = new uint[PicnicEngine.LOWMC_MAX_WORDS]; - uint[] key0 = new uint[PicnicEngine.LOWMC_MAX_WORDS]; - key0[engine.stateSizeWords - 1] = 0; - TapesToParityBits(key0, engine.stateSizeBits); - -// System.out.print("key0: "); -// for (int i = 0; i < key0.Length; i++) -// {System.out.printf("%08x ", key0[i]);}System.out.Println(); - - // key = key0 x KMatrix[0]^(-1) - KMatricesWithPointer current = LowmcConstants.Instance.KMatrixInv(engine, 0); - engine.matrix_mul(key, key0, current.GetData(), current.GetMatrixPointer()); - -// System.out.print("key: "); -// for (int i = 0; i < key0.Length; i++) -// {System.out.printf("%08x ", key[i]);}System.out.Println(); + internal void SetAuxBits(byte[] input) + { + int last = engine.numMPCParties - 1; + int pos = 0; + int n = engine.stateSizeBits; + for(int j = 0; j < engine.numRounds; j++) + { + for(int i = 0; i < n; i++) + { + Utils.SetBit(this.tapes[last], n + n*2*j + i, Utils.GetBit(input, pos++)); + } + } + } - if(inputs != null) + /* Input is the tapes for one parallel repitition; i.e., tapes[t] + * Updates the random tapes of all players with the mask values for the output of + * AND gates, and computes the N-th party's share such that the AND gate invariant + * holds on the mask values. + */ + internal void ComputeAuxTape(byte[] inputs) { - Pack.UInt32_To_LE(Arrays.CopyOf(key, engine.stateSizeWords), inputs, 0); - } + uint[] roundKey = new uint[PicnicEngine.LOWMC_MAX_WORDS]; + uint[] x = new uint[PicnicEngine.LOWMC_MAX_WORDS]; + uint[] y = new uint[PicnicEngine.LOWMC_MAX_WORDS]; + uint[] key = new uint[PicnicEngine.LOWMC_MAX_WORDS]; + uint[] key0 = new uint[PicnicEngine.LOWMC_MAX_WORDS]; + key0[engine.stateSizeWords - 1] = 0; + TapesToParityBits(key0, engine.stateSizeBits); - for (int r = engine.numRounds; r > 0; r--) - { - current = LowmcConstants.Instance.KMatrix(engine, r); - engine.matrix_mul(roundKey, key, current.GetData(), current.GetMatrixPointer()); // roundKey = key * KMatrix(r) + // System.out.print("key0: "); + // for (int i = 0; i < key0.Length; i++) + // {System.out.printf("%08x ", key0[i]);}System.out.Println(); + + // key = key0 x KMatrix[0]^(-1) + KMatricesWithPointer current = LowmcConstants.Instance.KMatrixInv(engine, 0); + engine.matrix_mul(key, key0, current.GetData(), current.GetMatrixPointer()); - engine.xor_array(x, x, roundKey, 0, engine.stateSizeWords); + // System.out.print("key: "); + // for (int i = 0; i < key0.Length; i++) + // {System.out.printf("%08x ", key[i]);}System.out.Println(); - current = LowmcConstants.Instance.LMatrixInv(engine, r-1); - engine.matrix_mul(y, x, current.GetData(), current.GetMatrixPointer()); - if(r == 1) + if(inputs != null) { - // Use key as input - System.Array.Copy(key0, 0, x, 0, key0.Length); + Pack.UInt32_To_LE(Arrays.CopyOf(key, engine.stateSizeWords), inputs, 0); } - else + + + for (int r = engine.numRounds; r > 0; r--) { - this.pos = engine.stateSizeBits * 2 * (r - 1); - // Read input mask shares from tapes - TapesToParityBits(x, engine.stateSizeBits); + current = LowmcConstants.Instance.KMatrix(engine, r); + engine.matrix_mul(roundKey, key, current.GetData(), current.GetMatrixPointer()); // roundKey = key * KMatrix(r) + + engine.xor_array(x, x, roundKey, 0, engine.stateSizeWords); + + current = LowmcConstants.Instance.LMatrixInv(engine, r-1); + engine.matrix_mul(y, x, current.GetData(), current.GetMatrixPointer()); + + if(r == 1) + { + // Use key as input + System.Array.Copy(key0, 0, x, 0, key0.Length); + } + else + { + this.pos = engine.stateSizeBits * 2 * (r - 1); + // Read input mask shares from tapes + TapesToParityBits(x, engine.stateSizeBits); + } + + this.pos = engine.stateSizeBits * 2 * (r - 1) + engine.stateSizeBits; + engine.aux_mpc_sbox(x, y, this); } - this.pos = engine.stateSizeBits * 2 * (r - 1) + engine.stateSizeBits; - engine.aux_mpc_sbox(x, y, this); + // Reset the random tape counter so that the online execution uses the + // same random bits as when computing the aux shares + this.pos = 0; } - // Reset the random tape counter so that the online execution uses the - // same random bits as when computing the aux shares - this.pos = 0; - } - - private void TapesToParityBits(uint[] output, int outputBitLen) - { - for (int i = 0; i < outputBitLen; i++) + private void TapesToParityBits(uint[] output, int outputBitLen) { - Utils.SetBitInWordArray(output, i, Utils.Parity16(TapesToWord())); + for (int i = 0; i < outputBitLen; i++) + { + Utils.SetBitInWordArray(output, i, Utils.Parity16(TapesToWord())); + } } - } - - protected internal uint TapesToWord() - { - byte[] shares = new byte[4]; - for (int i = 0; i < 16; i++) + internal uint TapesToWord() { - byte bit = Utils.GetBit(this.tapes[i], this.pos); - Utils.SetBit(shares, i, bit); + byte[] shares = new byte[4]; + + for (int i = 0; i < 16; i++) + { + byte bit = Utils.GetBit(this.tapes[i], this.pos); + Utils.SetBit(shares, i, bit); + } + this.pos++; + return Pack.LE_To_UInt32(shares, 0); } - this.pos++; - return Pack.LE_To_UInt32(shares, 0); } -} \ No newline at end of file +} diff --git a/crypto/src/pqc/crypto/picnic/Tree.cs b/crypto/src/pqc/crypto/picnic/Tree.cs index 50f844a52..80b2f87ba 100644 --- a/crypto/src/pqc/crypto/picnic/Tree.cs +++ b/crypto/src/pqc/crypto/picnic/Tree.cs @@ -1,12 +1,11 @@ using System; + using Org.BouncyCastle.Crypto.Utilities; -using Org.BouncyCastle.Pqc.Crypto.Picnic; using Org.BouncyCastle.Utilities; namespace Org.BouncyCastle.Pqc.Crypto.Picnic { - - public class Tree + internal sealed class Tree { private static int MAX_SEED_SIZE_BYTES = 32; private uint MAX_AUX_BYTES; @@ -22,17 +21,17 @@ namespace Org.BouncyCastle.Pqc.Crypto.Picnic private PicnicEngine engine; - protected internal byte[][] GetLeaves() + internal byte[][] GetLeaves() { return this.nodes; } - protected internal uint GetLeavesOffset() + internal uint GetLeavesOffset() { return this.numNodes - this.numLeaves; } - public Tree(PicnicEngine engine, uint numLeaves, int dataSize) + internal Tree(PicnicEngine engine, uint numLeaves, int dataSize) { this.engine = engine; MAX_AUX_BYTES = ((PicnicEngine.LOWMC_MAX_AND_GATES + PicnicEngine.LOWMC_MAX_KEY_BITS) / 8 + 1); @@ -69,7 +68,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Picnic /* Create a Merkle tree by hashing up all nodes. * leafData must have Length this.numNodes, but some may be NULL. */ - protected internal void BuildMerkleTree(byte[][] leafData, byte[] salt) + internal void BuildMerkleTree(byte[][] leafData, byte[] salt) { uint firstLeaf = this.numNodes - this.numLeaves; @@ -92,7 +91,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Picnic } /* verifyMerkleTree: verify for each leaf that is set */ - protected internal int VerifyMerkleTree(byte[][] leafData, byte[] salt) + internal int VerifyMerkleTree(byte[][] leafData, byte[] salt) { uint firstLeaf = this.numNodes - this.numLeaves; @@ -131,7 +130,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Picnic return 0; } - protected internal int ReconstructSeeds(uint[] hideList, uint hideListSize, + internal int ReconstructSeeds(uint[] hideList, uint hideListSize, byte[] input, uint inputLen, byte[] salt, uint repIndex) { int ret = 0; @@ -163,7 +162,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Picnic } /* Serialze the missing nodes that the verifier will require to check commitments for non-missing leaves */ - protected internal byte[] OpenMerkleTree(uint[] missingLeaves, uint missingLeavesSize, int[] outputSizeBytes) + internal byte[] OpenMerkleTree(uint[] missingLeaves, uint missingLeavesSize, int[] outputSizeBytes) { uint[] revealedSize = new uint[1]; uint[] revealed = this.GetRevealedMerkleNodes(missingLeaves, missingLeavesSize, revealedSize); @@ -293,7 +292,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Picnic } - protected internal uint RevealSeedsSize(uint[] hideList, uint hideListSize) + internal uint RevealSeedsSize(uint[] hideList, uint hideListSize) { uint[] numNodesRevealed = new uint[1]; numNodesRevealed[0] = 0; @@ -301,7 +300,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Picnic return numNodesRevealed[0] * (uint)engine.seedSizeBytes; } - protected internal int RevealSeeds(uint[] hideList, uint hideListSize, byte[] output, int outputSize) + internal int RevealSeeds(uint[] hideList, uint hideListSize, byte[] output, int outputSize) { // byte[] outputBase = Arrays.clone(output); uint[] revealedSize = new uint[1]; @@ -330,7 +329,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Picnic return output.Length - outLen; } - protected internal uint OpenMerkleTreeSize(uint[] missingLeaves, uint missingLeavesSize) + internal uint OpenMerkleTreeSize(uint[] missingLeaves, uint missingLeavesSize) { uint[] revealedSize = new uint[1]; uint[] revealed = this.GetRevealedMerkleNodes(missingLeaves, missingLeavesSize, revealedSize); @@ -454,15 +453,14 @@ namespace Org.BouncyCastle.Pqc.Crypto.Picnic this.haveNode[parent] = true; } - - protected internal byte[] GetLeaf(uint leafIndex) + internal byte[] GetLeaf(uint leafIndex) { uint firstLeaf = this.numNodes - this.numLeaves; return this.nodes[firstLeaf + leafIndex]; } /* addMerkleNodes: deserialize and add the data for nodes provided by the committer */ - protected internal int AddMerkleNodes(uint[] missingLeaves, uint missingLeavesSize, byte[] input, uint inputSize) + internal int AddMerkleNodes(uint[] missingLeaves, uint missingLeavesSize, byte[] input, uint inputSize) { // if (inputSize > INT_MAX) { // return -1; @@ -495,7 +493,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Picnic return 0; } - protected internal void GenerateSeeds(byte[] rootSeed, byte[] salt, uint repIndex) + internal void GenerateSeeds(byte[] rootSeed, byte[] salt, uint repIndex) { this.nodes[0] = rootSeed; this.haveNode[0] = true; @@ -578,6 +576,5 @@ namespace Org.BouncyCastle.Pqc.Crypto.Picnic return this.exists[i] == 1; } - } -} \ No newline at end of file +} diff --git a/crypto/src/pqc/crypto/picnic/View.cs b/crypto/src/pqc/crypto/picnic/View.cs index d72afa9d4..cac47631a 100644 --- a/crypto/src/pqc/crypto/picnic/View.cs +++ b/crypto/src/pqc/crypto/picnic/View.cs @@ -1,18 +1,16 @@ -using Org.BouncyCastle.Pqc.Crypto.Picnic; - namespace Org.BouncyCastle.Pqc.Crypto.Picnic { - public class View + internal class View { internal uint[] inputShare; internal byte[] communicatedBits; internal uint[] outputShare; - public View(PicnicEngine engine) + internal View(PicnicEngine engine) { inputShare = new uint[engine.stateSizeBytes]; communicatedBits = new byte[engine.andSizeBytes]; outputShare = new uint[engine.stateSizeBytes]; } } -} \ No newline at end of file +} diff --git a/crypto/src/pqc/crypto/sike/Fpx.cs b/crypto/src/pqc/crypto/sike/Fpx.cs index 9ba332753..140b36afb 100644 --- a/crypto/src/pqc/crypto/sike/Fpx.cs +++ b/crypto/src/pqc/crypto/sike/Fpx.cs @@ -29,7 +29,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Sike } // Cyclotomic squaring on elements of norm 1, using a^(p+1) = 1. - protected internal void sqr_Fp2_cycl(ulong[][] a, ulong[] one) + internal void sqr_Fp2_cycl(ulong[][] a, ulong[] one) { ulong[] t0 = new ulong[engine.param.NWORDS_FIELD]; @@ -44,7 +44,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Sike // n-way simultaneous inversion using Montgomery's trick. // SECURITY NOTE: This function does not run in constant time. // Also, vec and out CANNOT be the same variable! - protected internal void mont_n_way_inv(ulong[][][] vec, uint n, ulong[][][] output) + internal void mont_n_way_inv(ulong[][][] vec, uint n, ulong[][][] output) { ulong[][] t1 = SikeUtilities.InitArray(2, engine.param.NWORDS_FIELD); int i; @@ -68,7 +68,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Sike // Copy a field element, c = a. - protected internal void fpcopy(ulong[] a, long aOffset, ulong[] c) + internal void fpcopy(ulong[] a, long aOffset, ulong[] c) { for (uint i = 0; i < engine.param.NWORDS_FIELD; i++) { @@ -77,21 +77,21 @@ namespace Org.BouncyCastle.Pqc.Crypto.Sike } // GF(p^2) addition without correction, c = a+b in GF(p^2). - protected internal void mp2_add(ulong[][] a, ulong[][] b, ulong[][] c) + internal void mp2_add(ulong[][] a, ulong[][] b, ulong[][] c) { mp_add(a[0], b[0], c[0], engine.param.NWORDS_FIELD); mp_add(a[1], b[1], c[1], engine.param.NWORDS_FIELD); } // Modular correction, a = a in GF(p^2). - protected internal void fp2correction(ulong[][] a) + internal void fp2correction(ulong[][] a) { fpcorrectionPRIME(a[0]); fpcorrectionPRIME(a[1]); } // Multiprecision addition, c = a+b, where lng(a) = lng(b) = nwords. Returns the carry bit. - protected internal ulong mp_add(ulong[] a, ulong[] b, ulong[] c, uint nwords) + internal ulong mp_add(ulong[] a, ulong[] b, ulong[] c, uint nwords) { ulong carry = 0; @@ -169,7 +169,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Sike // Is x = 0? return 1 (TRUE) if condition is true, 0 (FALSE) otherwise. // SECURITY NOTE: This function does not run in constant-time. - protected internal bool is_felm_zero(ulong[] x) + internal bool is_felm_zero(ulong[] x) { for (uint i = 0; i < engine.param.NWORDS_FIELD; i++) { @@ -205,7 +205,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Sike // Test if a is a square in GF(p^2) and return 1 if true, 0 otherwise // If a is a quadratic residue, s will be assigned with a partially computed square root of a - protected internal bool is_sqr_fp2(ulong[][] a, ulong[] s) + internal bool is_sqr_fp2(ulong[][] a, ulong[] s) { uint i; ulong[] a0 = new ulong[engine.param.NWORDS_FIELD], @@ -365,7 +365,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Sike // GF(p^2) inversion using Montgomery arithmetic, a = (a0-i*a1)/(a0^2+a1^2) // This uses the binary GCD for inversion in fp and is NOT constant time!!! - protected internal void fp2inv_mont_bingcd(ulong[][] a) + internal void fp2inv_mont_bingcd(ulong[][] a) { ulong[][] t1 = SikeUtilities.InitArray(2, engine.param.NWORDS_FIELD); @@ -381,7 +381,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Sike } // GF(p^2) division by two, c = a/2 in GF(p^2). - protected internal void fp2div2(ulong[][] a, ulong[][] c) + internal void fp2div2(ulong[][] a, ulong[][] c) { //todo/org : make fp class and change this to generic fpdiv2 fpdiv2_PRIME(a[0], c[0]); @@ -606,7 +606,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Sike Debug.Assert(t == 0); } - protected internal static bool subarrayEquals(ulong[] a, ulong[] b, uint length) + internal static bool subarrayEquals(ulong[] a, ulong[] b, uint length) { // if(a.Length < length || b.Length < length) // return false; @@ -619,7 +619,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Sike return true; } - protected internal static bool subarrayEquals(ulong[][] a, ulong[][] b, uint length) + internal static bool subarrayEquals(ulong[][] a, ulong[][] b, uint length) { int nwords_feild = b[0].Length; // if(a[0].Length < length || b[0].Length < length) @@ -633,7 +633,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Sike return true; } - protected internal static bool subarrayEquals(ulong[][] a, ulong[][] b, uint bOffset, uint length) + internal static bool subarrayEquals(ulong[][] a, ulong[][] b, uint bOffset, uint length) { int nwords_feild = b[0].Length; // if(a[0].Length*2 < length || b[0].Length*2 < length) @@ -647,7 +647,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Sike return true; } - protected internal static bool subarrayEquals(ulong[][] a, ulong[] b, uint bOffset, uint length) + internal static bool subarrayEquals(ulong[][] a, ulong[] b, uint bOffset, uint length) { int nwords_field = a[0].Length; // if(a[0].Length < length || b.Length < length) @@ -662,9 +662,8 @@ namespace Org.BouncyCastle.Pqc.Crypto.Sike } // Computes square roots of elements in (Fp2)^2 using Hamburg's trick. - protected internal void sqrt_Fp2(ulong[][] u, ulong[][] y) + internal void sqrt_Fp2(ulong[][] u, ulong[][] y) { - ulong[] t0 = new ulong[engine.param.NWORDS_FIELD], t1 = new ulong[engine.param.NWORDS_FIELD], t2 = new ulong[engine.param.NWORDS_FIELD], @@ -714,7 +713,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Sike // GF(p^2) squaring using Montgomery arithmetic, c = a^2 in GF(p^2). // Inputs: a = a0+a1*i, where a0, a1 are in [0, 2*p-1] // Output: c = c0+c1*i, where c0, c1 are in [0, 2*p-1] - protected internal void fp2sqr_mont(ulong[][] a, ulong[][] c) + internal void fp2sqr_mont(ulong[][] a, ulong[][] c) { ulong[] t1 = new ulong[engine.param.NWORDS_FIELD], t2 = new ulong[engine.param.NWORDS_FIELD], @@ -731,7 +730,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Sike // Modular addition, c = a+b mod PRIME. // Inputs: a, b in [0, 2*PRIME-1] // Output: c in [0, 2*PRIME-1] - protected internal void fpaddPRIME(ulong[] a, ulong[] b, ulong[] c) + internal void fpaddPRIME(ulong[] a, ulong[] b, ulong[] c) { ulong i, carry = 0; ulong mask; @@ -769,7 +768,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Sike } // Cyclotomic cubing on elements of norm 1, using a^(p+1) = 1. - protected internal void cube_Fp2_cycl(ulong[][] a, ulong[] one) + internal void cube_Fp2_cycl(ulong[][] a, ulong[] one) { ulong[] t0 = new ulong[engine.param.NWORDS_FIELD]; @@ -786,7 +785,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Sike // Modular subtraction, c = a-b mod PRIME. // Inputs: a, b in [0, 2*PRIME-1] // Output: c in [0, 2*PRIME-1] - protected internal void fpsubPRIME(ulong[] a, ulong[] b, uint bOffset, ulong[] c) + internal void fpsubPRIME(ulong[] a, ulong[] b, uint bOffset, ulong[] c) { ulong i, borrow = 0; ulong mask; @@ -811,7 +810,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Sike } } - protected internal void fpsubPRIME(ulong[] a, uint aOffset, ulong[] b, ulong[] c) + internal void fpsubPRIME(ulong[] a, uint aOffset, ulong[] b, ulong[] c) { ulong i, borrow = 0; ulong mask; @@ -836,7 +835,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Sike } } - protected internal void fpsubPRIME(ulong[] a, ulong[] b, ulong[] c) + internal void fpsubPRIME(ulong[] a, ulong[] b, ulong[] c) { ulong i, borrow = 0; ulong mask; @@ -864,7 +863,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Sike // todo/org : move to fp_generic // Modular negation, a = -a mod PRIME. // Input/output: a in [0, 2*PRIME-1] - protected internal void fpnegPRIME(ulong[] a) + internal void fpnegPRIME(ulong[] a) { ulong i, borrow = 0; @@ -881,7 +880,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Sike // todo/org : move to fp_generic // Conversion of a GF(p^2) element from Montgomery representation to standard representation, // c_i = ma_i*R^(-1) = a_i in GF(p^2). - protected internal void from_fp2mont(ulong[][] ma, ulong[][] c) + internal void from_fp2mont(ulong[][] ma, ulong[][] c) { from_mont(ma[0], c[0]); from_mont(ma[1], c[1]); @@ -889,7 +888,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Sike // todo/org : move to fp_generic // Conversion of GF(p^2) element from Montgomery to standard representation, and encoding by removing leading 0 bytes - protected internal void fp2_encode(ulong[][] x, byte[] enc, uint encOffset) + internal void fp2_encode(ulong[][] x, byte[] enc, uint encOffset) { ulong[][] t = SikeUtilities.InitArray(2, engine.param.NWORDS_FIELD); @@ -899,7 +898,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Sike } // Parse byte sequence back uinto GF(p^2) element, and conversion to Montgomery representation - protected internal void fp2_decode(byte[] x, ulong[][] dec, uint xOffset) + internal void fp2_decode(byte[] x, ulong[][] dec, uint xOffset) { decode_to_digits(x, xOffset, dec[0], engine.param.FP2_ENCODED_BYTES / 2, engine.param.NWORDS_FIELD); decode_to_digits(x,xOffset + (engine.param.FP2_ENCODED_BYTES/2), dec[1], engine.param.FP2_ENCODED_BYTES / 2, engine.param.NWORDS_FIELD); @@ -907,7 +906,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Sike } // Conversion of elements in Z_r to Montgomery representation, where the order r is up to NBITS_ORDER bits. - protected internal void to_Montgomery_mod_order(ulong[] a, ulong[] mc, ulong[] order, ulong[] Montgomery_rprime, ulong[] Montgomery_Rprime) + internal void to_Montgomery_mod_order(ulong[] a, ulong[] mc, ulong[] order, ulong[] Montgomery_rprime, ulong[] Montgomery_Rprime) { Montgomery_multiply_mod_order(a, Montgomery_Rprime, mc, order, Montgomery_rprime); } @@ -916,7 +915,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Sike // ma, mb and mc are assumed to be in Montgomery representation. // The Montgomery constant r' = -r^(-1) mod 2^(log_2(r)) is the value "Montgomery_rprime", where r is the order. // Assume log_2(r) is a multiple of RADIX bits - protected internal void Montgomery_multiply_mod_order(ulong[] ma, ulong[] mb, ulong[] mc, ulong[] order, ulong[] Montgomery_rprime) + internal void Montgomery_multiply_mod_order(ulong[] ma, ulong[] mb, ulong[] mc, ulong[] order, ulong[] Montgomery_rprime) { ulong i, cout = 0, bout = 0; ulong mask; @@ -949,7 +948,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Sike // Inversion of an odd uinteger modulo an even uinteger of the form 2^m. // Algorithm 3: Explicit Quadratic Modular inverse modulo 2^m from Dumas'12: http://arxiv.org/pdf/1209.6626.pdf // If the input is invalid (even), the function outputs c = a. - protected internal void inv_mod_orderA(ulong[] a, ulong[] c) + internal void inv_mod_orderA(ulong[] a, ulong[] c) { uint i, f, s = 0; ulong[] am1 = new ulong[engine.param.NWORDS_ORDER], @@ -999,7 +998,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Sike // Multiprecision comba multiply, c = a*b, where lng(a) = lng(b) = nwords. // NOTE: a and c CANNOT be the same variable! - protected internal void multiply(ulong[] a, ulong[] b, ulong[] c, uint nwords) + internal void multiply(ulong[] a, ulong[] b, ulong[] c, uint nwords) { ulong i, j; ulong t = 0, u = 0, v = 0; @@ -1187,7 +1186,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Sike } // Montgomery inversion modulo order, c = a^(-1)*R mod order. - protected internal void Montgomery_inversion_mod_order_bingcd(ulong[] a, ulong[] c, ulong[] order, ulong[] Montgomery_rprime, ulong[] Montgomery_Rprime) + internal void Montgomery_inversion_mod_order_bingcd(ulong[] a, ulong[] c, ulong[] order, ulong[] Montgomery_rprime, ulong[] Montgomery_Rprime) { ulong[] x = new ulong[engine.param.NWORDS_ORDER], t = new ulong[engine.param.NWORDS_ORDER]; @@ -1211,7 +1210,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Sike } // Conversion of elements in Z_r from Montgomery to standard representation, where the order is up to NBITS_ORDER bits. - protected internal void from_Montgomery_mod_order(ulong[] ma, ulong[] c, ulong[] order, ulong[] Montgomery_rprime) + internal void from_Montgomery_mod_order(ulong[] ma, ulong[] c, ulong[] order, ulong[] Montgomery_rprime) { ulong[] one = new ulong[engine.param.NWORDS_ORDER]; one[0] = 1; @@ -1221,7 +1220,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Sike // Computes the input modulo 3 // The input is assumed to be NWORDS_ORDER ulong - protected internal uint mod3(ulong[] a) + internal uint mod3(ulong[] a) { ulong result = 0; for (int i = 0; i < engine.param.NWORDS_ORDER; ++i) @@ -1234,7 +1233,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Sike // Conversion of a GF(p^2) element to Montgomery representation, // mc_i = a_i*R^2*R^(-1) = a_i*R in GF(p^2). - protected internal void to_fp2mont(ulong[][] a, ulong[][] mc) + internal void to_fp2mont(ulong[][] a, ulong[][] mc) { to_mont(a[0], mc[0]); to_mont(a[1], mc[1]); @@ -1251,7 +1250,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Sike // todo/org : move to fp_generic // Modular correction to reduce field element a in [0, 2*PRIME-1] to [0, PRIME-1]. - protected internal void fpcorrectionPRIME(ulong[] a) + internal void fpcorrectionPRIME(ulong[] a) { ulong i, borrow = 0; ulong mask; @@ -1276,7 +1275,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Sike } } - protected internal byte cmp_f2elm(ulong[][] x, ulong[][] y) + internal byte cmp_f2elm(ulong[][] x, ulong[][] y) { // Comparison of two GF(p^2) elements in constant time. // Is x != y? return -1 if condition is true, 0 otherwise. ulong[][] a = SikeUtilities.InitArray(2, engine.param.NWORDS_FIELD), @@ -1298,7 +1297,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Sike // Encoding digits to bytes according to endianness - protected internal void encode_to_bytes(ulong[] x, byte[] enc, uint encOffset, uint nbytes) + internal void encode_to_bytes(ulong[] x, byte[] enc, uint encOffset, uint nbytes) { byte[] test = new byte[((nbytes*4+7)&~7)]; Pack.UInt64_To_LE(x, test, 0); @@ -1306,7 +1305,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Sike } // Decoding bytes to digits according to endianness - protected internal void decode_to_digits(byte[] x, uint xOffset, ulong[] dec, uint nbytes, uint ndigits) + internal void decode_to_digits(byte[] x, uint xOffset, ulong[] dec, uint nbytes, uint ndigits) { // x -> dec dec[ndigits - 1] = 0; @@ -1317,7 +1316,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Sike } // r = a - b*i where v = a + b*i - protected internal void fp2_conj(ulong[][] v, ulong[][] r) + internal void fp2_conj(ulong[][] v, ulong[][] r) { fpcopy(v[0], 0, r[0]); fpcopy(v[1], 0, r[1]); @@ -1368,28 +1367,28 @@ namespace Org.BouncyCastle.Pqc.Crypto.Sike } // Copy a GF(p^2) element, c = a. - protected internal void fp2copy(ulong[][] a, ulong[][] c) + internal void fp2copy(ulong[][] a, ulong[][] c) { fpcopy(a[0], 0, c[0]); fpcopy(a[1], 0, c[1]); } // Copy a GF(p^2) element, c = a. - protected internal void fp2copy(ulong[][] a, uint aOffset, ulong[][] c) + internal void fp2copy(ulong[][] a, uint aOffset, ulong[][] c) { fpcopy(a[0 + aOffset], 0, c[0]); fpcopy(a[1 + aOffset], 0, c[1]); } // Copy a GF(p^2) element, c = a. - protected internal void fp2copy(ulong[] a, uint aOffset, ulong[][] c) + internal void fp2copy(ulong[] a, uint aOffset, ulong[][] c) { fpcopy(a, aOffset, c[0]); fpcopy(a, aOffset + engine.param.NWORDS_FIELD, c[1]); } // Zero a field element, a = 0. - protected internal void fpzero(ulong[] a) + internal void fpzero(ulong[] a) { uint i; @@ -1400,7 +1399,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Sike } // GF(p^2) subtraction with correction with 2*p, c = a-b+2p in GF(p^2). - protected internal void mp2_sub_p2(ulong[][] a, ulong[][] b, ulong[][] c) + internal void mp2_sub_p2(ulong[][] a, ulong[][] b, ulong[][] c) { //todo/org : make fp class and change this to generic mp_sub_p2 mp_subPRIME_p2(a[0], b[0], c[0]); @@ -1408,7 +1407,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Sike } // Multiprecision comba multiply, c = a*b, where lng(a) = lng(b) = nwords. - protected internal void mp_mul(ulong[] a, ulong[] b, ulong[] c, uint nwords) + internal void mp_mul(ulong[] a, ulong[] b, ulong[] c, uint nwords) { ulong i, j; ulong t = 0, u = 0, v = 0; @@ -1461,7 +1460,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Sike } // Multiprecision comba multiply, c = a*b, where lng(a) = lng(b) = nwords. - protected internal void mp_mul(ulong[] a, uint aOffset, ulong[] b, ulong[] c, uint nwords) + internal void mp_mul(ulong[] a, uint aOffset, ulong[] b, ulong[] c, uint nwords) { ulong i, j; ulong t = 0, u = 0, v = 0; @@ -1516,7 +1515,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Sike // GF(p^2) multiplication using Montgomery arithmetic, c = a*b in GF(p^2). // Inputs: a = a0+a1*i and b = b0+b1*i, where a0, a1, b0, b1 are in [0, 2*p-1] // Output: c = c0+c1*i, where c0, c1 are in [0, 2*p-1] - protected internal void fp2mul_mont(ulong[][] a, ulong[][] b, ulong[][] c) + internal void fp2mul_mont(ulong[][] a, ulong[][] b, ulong[][] c) { ulong[] t1 = new ulong[engine.param.NWORDS_FIELD], t2 = new ulong[engine.param.NWORDS_FIELD]; @@ -1535,7 +1534,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Sike rdc_mont(tt1, c[0]); // c[0] = a0*b0 - a1*b1 } - protected internal void fp2mul_mont(ulong[][] a, ulong[][] b, uint bOffset, ulong[][] c) + internal void fp2mul_mont(ulong[][] a, ulong[][] b, uint bOffset, ulong[][] c) { // System.out.pruint("b: "); @@ -1559,7 +1558,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Sike rdc_mont(tt1, c[0]); // c[0] = a0*b0 - a1*b1 } - protected internal void fp2mul_mont(ulong[][] a, ulong[] b, uint bOffset, ulong[][] c) + internal void fp2mul_mont(ulong[][] a, ulong[] b, uint bOffset, ulong[][] c) { ulong[] t1 = new ulong[engine.param.NWORDS_FIELD], t2 = new ulong[engine.param.NWORDS_FIELD]; @@ -1587,7 +1586,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Sike } // Multiprecision subtraction, c = a-b, where lng(a) = lng(b) = nwords. Returns the borrow bit. - protected internal ulong mp_sub(ulong[] a, ulong[] b, ulong[] c, uint nwords) + internal ulong mp_sub(ulong[] a, ulong[] b, ulong[] c, uint nwords) { ulong i, borrow = 0; @@ -1606,7 +1605,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Sike // Is x < y? return 1 (TRUE) if condition is true, 0 (FALSE) otherwise. // SECURITY NOTE: This function does not run in constant-time. - protected internal bool is_orderelm_lt(ulong[] x, ulong[] y) + internal bool is_orderelm_lt(ulong[] x, ulong[] y) { for (int i = (int)engine.param.NWORDS_ORDER-1; i >= 0; i--) { @@ -1637,7 +1636,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Sike } // Multiprecision squaring, c = a^2 mod p. - protected internal void fpsqr_mont(ulong[] ma, ulong[] mc) + internal void fpsqr_mont(ulong[] ma, ulong[] mc) { ulong[] temp = new ulong[2*engine.param.NWORDS_FIELD]; @@ -1658,7 +1657,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Sike } // GF(p^2) inversion using Montgomery arithmetic, a = (a0-i*a1)/(a0^2+a1^2). - protected internal void fp2inv_mont(ulong[][] a) + internal void fp2inv_mont(ulong[][] a) { ulong[][] t1 = SikeUtilities.InitArray(2, engine.param.NWORDS_FIELD); @@ -1673,7 +1672,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Sike // Computes a = 3*a // The input is assumed to be OBOB_BITS-2 bits ulong and stored in SECRETKEY_B_BYTES - protected internal void mul3(byte[] a) + internal void mul3(byte[] a) { ulong[] temp1 = new ulong[engine.param.NWORDS_ORDER], temp2 = new ulong[engine.param.NWORDS_ORDER]; @@ -1686,7 +1685,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Sike // Compare two byte arrays in constant time. // Returns 0 if the byte arrays are equal, -1 otherwise. - protected internal byte ct_compare(byte[] a, byte[] b, uint len) + internal byte ct_compare(byte[] a, byte[] b, uint len) { byte r = 0; @@ -1699,7 +1698,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Sike // Conditional move in constant time. // If selector = -1 then load r with a, else if selector = 0 then keep r. - protected internal void ct_cmov(byte[] r, byte[] a, uint len, byte selector) + internal void ct_cmov(byte[] r, byte[] a, uint len, byte selector) { for (uint i = 0; i < len; i++) { @@ -1708,7 +1707,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Sike } // Copy wordsize digits, c = a, where lng(a) = nwords. - protected internal void copy_words(ulong[] a, ulong[] c, uint nwords) + internal void copy_words(ulong[] a, ulong[] c, uint nwords) { uint i; for (i = 0; i < nwords; i++) @@ -1718,7 +1717,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Sike } // c = (2^k)*a - protected internal void fp2shl(ulong[][] a, uint k, ulong[][] c) + internal void fp2shl(ulong[][] a, uint k, ulong[][] c) { fp2copy(a, c); for (uint j = 0; j < k; j++) @@ -1728,7 +1727,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Sike } // Copy wordsize digits, c = a, where lng(a) = nwords. - protected internal void copy_words(PointProj a, PointProj c) + internal void copy_words(PointProj a, PointProj c) { uint i; for (i = 0; i < engine.param.NWORDS_FIELD; i++) @@ -1759,7 +1758,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Sike // GF(p^2) addition, c = a+b in GF(p^2). - protected internal void fp2add(ulong[][] a, ulong[][] b, ulong[][] c) + internal void fp2add(ulong[][] a, ulong[][] b, ulong[][] c) { //todo/org : make fp class and change this to generic function fpaddPRIME(a[0], b[0], c[0]); @@ -1767,7 +1766,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Sike } // GF(p^2) subtraction, c = a-b in GF(p^2). - protected internal void fp2sub(ulong[][] a, ulong[][] b, ulong[][] c) + internal void fp2sub(ulong[][] a, ulong[][] b, ulong[][] c) { //todo/org : make fp class and change this to generic function fpsubPRIME(a[0], b[0], c[0]); @@ -1783,7 +1782,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Sike } // Multiprecision multiplication, c = a*b mod p. - protected internal void fpmul_mont(ulong[] ma, ulong[] mb, ulong[] mc) + internal void fpmul_mont(ulong[] ma, ulong[] mb, ulong[] mc) { ulong[] temp = new ulong[2*engine.param.NWORDS_FIELD]; @@ -1792,7 +1791,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Sike } // Multiprecision multiplication, c = a*b mod p. - protected internal void fpmul_mont(ulong[] ma, uint maOffset, ulong[] mb, ulong[] mc) + internal void fpmul_mont(ulong[] ma, uint maOffset, ulong[] mb, ulong[] mc) { ulong[] temp = new ulong[2*engine.param.NWORDS_FIELD]; @@ -2233,5 +2232,4 @@ namespace Org.BouncyCastle.Pqc.Crypto.Sike } } } - - } \ No newline at end of file +} diff --git a/crypto/src/pqc/crypto/sike/Isogeny.cs b/crypto/src/pqc/crypto/sike/Isogeny.cs index 2d0ef1473..be9e3ba4d 100644 --- a/crypto/src/pqc/crypto/sike/Isogeny.cs +++ b/crypto/src/pqc/crypto/sike/Isogeny.cs @@ -12,7 +12,7 @@ internal sealed class Isogeny // Doubling of a Montgomery point in projective coordinates (X:Z) over affine curve coefficient A. // Input: projective Montgomery x-coordinates P = (X1:Z1), where x1=X1/Z1 and Montgomery curve constants (A+2)/4. // Output: projective Montgomery x-coordinates Q = 2*P = (X2:Z2). - protected internal void Double(PointProj P, PointProj Q, ulong[][] A24, uint k) + internal void Double(PointProj P, PointProj Q, ulong[][] A24, uint k) { ulong[][] temp = SikeUtilities.InitArray(2, engine.param.NWORDS_FIELD), a = SikeUtilities.InitArray(2, engine.param.NWORDS_FIELD), @@ -37,7 +37,7 @@ internal sealed class Isogeny } } - protected internal void CompleteMPoint(ulong[][] A, PointProj P, PointProjFull R) + internal void CompleteMPoint(ulong[][] A, PointProj P, PointProjFull R) { // Given an xz-only representation on a montgomery curve, compute its affine representation ulong[][] zero = SikeUtilities.InitArray(2, engine.param.NWORDS_FIELD), one = SikeUtilities.InitArray(2, engine.param.NWORDS_FIELD), @@ -81,10 +81,9 @@ internal sealed class Isogeny internal void Ladder(PointProj P, ulong[] m, ulong[][] A, uint order_bits, PointProj R) { - PointProj R0 = new PointProj(engine.param.NWORDS_FIELD), - R1 = new PointProj(engine.param.NWORDS_FIELD); + var R0 = new PointProj(engine.param.NWORDS_FIELD); + var R1 = new PointProj(engine.param.NWORDS_FIELD); ulong[][] A24 = SikeUtilities.InitArray(2, engine.param.NWORDS_FIELD); - uint bit = 0; ulong mask; int j, swap, prevbit = 0; @@ -96,7 +95,7 @@ internal sealed class Isogeny engine.fpx.fp2div2(A24, A24); // A24 = (A+2)/4 j = (int)order_bits - 1; - bit = (uint) ((m[j >> (int)Internal.LOG2RADIX] >> (int)(j & (Internal.RADIX-1))) & 1); + uint bit = (uint) ((m[j >> (int)Internal.LOG2RADIX] >> (int)(j & (Internal.RADIX-1))) & 1); while (bit == 0) { j--; @@ -106,7 +105,7 @@ internal sealed class Isogeny // R0 <- P, R1 <- 2P engine.fpx.fp2copy(P.X, R0.X); engine.fpx.fp2copy(P.Z, R0.Z); - xDBL_e(P, R1, A24, 1); + XDblE(P, R1, A24, 1); // Main loop for (int i = (int)j - 1; i >= 0; i--) @@ -116,12 +115,12 @@ internal sealed class Isogeny prevbit = (int) bit; mask = (ulong) (0 - swap); - swap_points(R0, R1, mask); - xDBLADD_proj(R0, R1, P.X, P.Z, A24); + SwapPoints(R0, R1, mask); + XDblAddProj(R0, R1, P.X, P.Z, A24); } swap = 0 ^ prevbit; mask = (ulong) (0 - swap); - swap_points(R0, R1, mask); + SwapPoints(R0, R1, mask); engine.fpx.fp2copy(R0.X, R.X); engine.fpx.fp2copy(R0.Z, R.Z); @@ -130,7 +129,7 @@ internal sealed class Isogeny // Simultaneous doubling and differential addition. // Input: projective Montgomery points P=(XP:ZP) and Q=(XQ:ZQ) such that xP=XP/ZP and xQ=XQ/ZQ, affine difference xPQ=x(P-Q) and Montgomery curve constant A24=(A+2)/4. // Output: projective Montgomery points P <- 2*P = (X2P:Z2P) such that x(2P)=X2P/Z2P, and Q <- P+Q = (XQP:ZQP) such that = x(Q+P)=XQP/ZQP. - private void xDBLADD_proj(PointProj P, PointProj Q, ulong[][] XPQ, ulong[][] ZPQ, ulong[][] A24) + private void XDblAddProj(PointProj P, PointProj Q, ulong[][] XPQ, ulong[][] ZPQ, ulong[][] A24) { ulong[][] t0 = SikeUtilities.InitArray(2, engine.param.NWORDS_FIELD), t1 = SikeUtilities.InitArray(2, engine.param.NWORDS_FIELD), @@ -162,7 +161,7 @@ internal sealed class Isogeny // Doubling of a Montgomery point in projective coordinates (X:Z) over affine curve coefficient A. // Input: projective Montgomery x-coordinates P = (X1:Z1), where x1=X1/Z1 and Montgomery curve constants (A+2)/4. // Output: projective Montgomery x-coordinates Q = 2*P = (X2:Z2). - private void xDBL_e(PointProj P, PointProj Q, ulong[][] A24, int e) + private void XDblE(PointProj P, PointProj Q, ulong[][] A24, int e) { ulong[][] temp = SikeUtilities.InitArray(2, engine.param.NWORDS_FIELD), a = SikeUtilities.InitArray(2, engine.param.NWORDS_FIELD), @@ -192,14 +191,14 @@ internal sealed class Isogeny // Computes [3^e](X:Z) on Montgomery curve with projective constant via e repeated triplings. e triplings in E costs k*(5M + 6S + 9A) // Input: projective Montgomery x-coordinates P = (X:Z), where x=X/Z, Montgomery curve constant A2 = A/2 and the number of triplings e. // Output: projective Montgomery x-coordinates Q <- [3^e]P. - internal void xTPLe_fast(PointProj P, PointProj Q, ulong[][] A2, uint e) + internal void XTplEFast(PointProj P, PointProj Q, ulong[][] A2, uint e) { - PointProj T = new PointProj(engine.param.NWORDS_FIELD); + var T = new PointProj(engine.param.NWORDS_FIELD); engine.fpx.copy_words(P, T); for (int j = 0; j < e; j++) { - xTPL_fast(T, T, A2); + XTplFast(T, T, A2); } engine.fpx.copy_words(T, Q); } @@ -207,7 +206,7 @@ internal sealed class Isogeny // Montgomery curve (E: y^2 = x^3 + A*x^2 + x) x-only tripling at a cost 5M + 6S + 9A = 27p + 61a. // Input : projective Montgomery x-coordinates P = (X:Z), where x=X/Z and Montgomery curve constant A/2. // Output: projective Montgomery x-coordinates Q = 3*P = (X3:Z3). - private void xTPL_fast(PointProj P, PointProj Q, ulong[][] A2) + private void XTplFast(PointProj P, PointProj Q, ulong[][] A2) { ulong[][] t1 = SikeUtilities.InitArray(2, engine.param.NWORDS_FIELD), t2 = SikeUtilities.InitArray(2, engine.param.NWORDS_FIELD), @@ -238,10 +237,10 @@ internal sealed class Isogeny } - protected internal void LADDER3PT(ulong[][] xP, ulong[][] xQ, ulong[][] xPQ, ulong[] m, uint AliceOrBob, PointProj R, ulong[][] A) + internal void LADDER3PT(ulong[][] xP, ulong[][] xQ, ulong[][] xPQ, ulong[] m, uint AliceOrBob, PointProj R, ulong[][] A) { - PointProj R0 = new PointProj(engine.param.NWORDS_FIELD), - R2 = new PointProj(engine.param.NWORDS_FIELD); + var R0 = new PointProj(engine.param.NWORDS_FIELD); + var R2 = new PointProj(engine.param.NWORDS_FIELD); ulong[][] A24 = SikeUtilities.InitArray(2, engine.param.NWORDS_FIELD); ulong mask; uint i, nbits, bit, swap, prevbit = 0; @@ -277,17 +276,17 @@ internal sealed class Isogeny swap = bit ^ prevbit; prevbit = bit; mask = 0 - (ulong) swap; - swap_points(R, R2, mask); - xDBLADD(R0, R2, R.X, A24); + SwapPoints(R, R2, mask); + XDblAdd(R0, R2, R.X, A24); engine.fpx.fp2mul_mont(R2.X, R.Z, R2.X); } swap = 0 ^ prevbit; mask = 0 - (ulong)swap; - swap_points(R, R2, mask); + SwapPoints(R, R2, mask); } // Complete point on A = 0 curve - protected internal void CompletePoint(PointProj P, PointProjFull R) + internal void CompletePoint(PointProj P, PointProjFull R) { ulong[][] xz = SikeUtilities.InitArray(2, engine.param.NWORDS_FIELD), s2 = SikeUtilities.InitArray(2, engine.param.NWORDS_FIELD), @@ -318,13 +317,11 @@ internal sealed class Isogeny // Swap points. // If option = 0 then P <- P and Q <- Q, else if option = 0xFF...FF then P <- Q and Q <- P - protected internal void swap_points(PointProj P, PointProj Q, ulong option) + internal void SwapPoints(PointProj P, PointProj Q, ulong option) { //todo/org : put this in the PointProj class ulong temp; - int i; - - for (i = 0; i < engine.param.NWORDS_FIELD; i++) + for (int i = 0; i < engine.param.NWORDS_FIELD; i++) { temp = option & (P.X[0][i] ^ Q.X[0][i]); P.X[0][i] = temp ^ P.X[0][i]; @@ -344,7 +341,7 @@ internal sealed class Isogeny // Simultaneous doubling and differential addition. // Input: projective Montgomery points P=(XP:ZP) and Q=(XQ:ZQ) such that xP=XP/ZP and xQ=XQ/ZQ, affine difference xPQ=x(P-Q) and Montgomery curve constant A24=(A+2)/4. // Output: projective Montgomery points P <- 2*P = (X2P:Z2P) such that x(2P)=X2P/Z2P, and Q <- P+Q = (XQP:ZQP) such that = x(Q+P)=XQP/ZQP. - protected internal void xDBLADD(PointProj P, PointProj Q, ulong[][] xPQ, ulong[][] A24) + internal void XDblAdd(PointProj P, PointProj Q, ulong[][] xPQ, ulong[][] A24) { ulong[][] t0 = SikeUtilities.InitArray(2, engine.param.NWORDS_FIELD), t1 = SikeUtilities.InitArray(2, engine.param.NWORDS_FIELD), @@ -373,21 +370,21 @@ internal sealed class Isogeny // Computes [2^e](X:Z) on Montgomery curve with projective constant via e repeated doublings. // Input: projective Montgomery x-coordinates P = (XP:ZP), such that xP=XP/ZP and Montgomery curve constants A+2C and 4C. // Output: projective Montgomery x-coordinates Q <- (2^e)*P. - protected internal void xDBLe(PointProj P, PointProj Q, ulong[][] A24plus, ulong[][] C24, uint e) + internal void XDblE(PointProj P, PointProj Q, ulong[][] A24plus, ulong[][] C24, uint e) { int i; engine.fpx.copy_words(P, Q); for (i = 0; i < e; i++) { - xDBL(Q, Q, A24plus, C24); + XDbl(Q, Q, A24plus, C24); } } // Doubling of a Montgomery point in projective coordinates (X:Z). // Input: projective Montgomery x-coordinates P = (X1:Z1), where x1=X1/Z1 and Montgomery curve constants A+2C and 4C. // Output: projective Montgomery x-coordinates Q = 2*P = (X2:Z2). - protected void xDBL(PointProj P, PointProj Q, ulong[][] A24plus, ulong[][] C24) + internal void XDbl(PointProj P, PointProj Q, ulong[][] A24plus, ulong[][] C24) { ulong[][] t0 = SikeUtilities.InitArray(2, engine.param.NWORDS_FIELD), t1 = SikeUtilities.InitArray(2, engine.param.NWORDS_FIELD); @@ -407,7 +404,7 @@ internal sealed class Isogeny // Tripling of a Montgomery point in projective coordinates (X:Z). // Input: projective Montgomery x-coordinates P = (X:Z), where x=X/Z and Montgomery curve constants A24plus = A+2C and A24minus = A-2C. // Output: projective Montgomery x-coordinates Q = 3*P = (X3:Z3). - private void xTPL(PointProj P, PointProj Q, ulong[][] A24minus, ulong[][] A24plus) + private void XTpl(PointProj P, PointProj Q, ulong[][] A24minus, ulong[][] A24plus) { ulong[][] t0 = SikeUtilities.InitArray(2, engine.param.NWORDS_FIELD), t1 = SikeUtilities.InitArray(2, engine.param.NWORDS_FIELD), @@ -444,20 +441,20 @@ internal sealed class Isogeny // Computes [3^e](X:Z) on Montgomery curve with projective constant via e repeated triplings. // Input: projective Montgomery x-coordinates P = (XP:ZP), such that xP=XP/ZP and Montgomery curve constants A24plus = A+2C and A24minus = A-2C. // Output: projective Montgomery x-coordinates Q <- (3^e)*P. - protected internal void xTPLe(PointProj P, PointProj Q, ulong[][] A24minus, ulong[][] A24plus, uint e) + internal void XTplE(PointProj P, PointProj Q, ulong[][] A24minus, ulong[][] A24plus, uint e) { int i; engine.fpx.copy_words(P, Q); for (i = 0; i < e; i++) { - xTPL(Q, Q, A24minus, A24plus); + XTpl(Q, Q, A24minus, A24plus); } } // Given the x-coordinates of P, Q, and R, returns the value A corresponding to the Montgomery curve E_A: y^2=x^3+A*x^2+x such that R=Q-P on E_A. // Input: the x-coordinates xP, xQ, and xR of the points P, Q and R. // Output: the coefficient A corresponding to the curve E_A: y^2=x^3+A*x^2+x. - protected internal void get_A(ulong[][] xP, ulong[][] xQ, ulong[][] xR, ulong[][] A) + internal void GetA(ulong[][] xP, ulong[][] xQ, ulong[][] xR, ulong[][] A) { ulong[][] t0 = SikeUtilities.InitArray(2, engine.param.NWORDS_FIELD), t1 = SikeUtilities.InitArray(2, engine.param.NWORDS_FIELD), @@ -482,7 +479,7 @@ internal sealed class Isogeny // Computes the j-invariant of a Montgomery curve with projective constant. // Input: A,C in GF(p^2). // Output: j=256*(A^2-3*C^2)^3/(C^4*(A^2-4*C^2)), which is the j-invariant of the Montgomery curve B*y^2=x^3+(A/C)*x^2+x or (equivalently) j-invariant of B'*y^2=C*x^3+A*x^2+C*x. - protected internal void j_inv(ulong[][] A, ulong[][] C, ulong[][] jinv) + internal void JInv(ulong[][] A, ulong[][] C, ulong[][] jinv) { ulong[][] t0 = SikeUtilities.InitArray(2, engine.param.NWORDS_FIELD), t1 = SikeUtilities.InitArray(2, engine.param.NWORDS_FIELD); @@ -510,7 +507,7 @@ internal sealed class Isogeny // Computes the corresponding 3-isogeny of a projective Montgomery point (X3:Z3) of order 3. // Input: projective point of order three P = (X3:Z3). // Output: the 3-isogenous Montgomery curve with projective coefficient A/C. - protected internal void get_3_isog(PointProj P, ulong[][] A24minus, ulong[][] A24plus, ulong[][][] coeff) + internal void Get3Isog(PointProj P, ulong[][] A24minus, ulong[][] A24plus, ulong[][][] coeff) { ulong[][] t0 = SikeUtilities.InitArray(2, engine.param.NWORDS_FIELD), t1 = SikeUtilities.InitArray(2, engine.param.NWORDS_FIELD), @@ -540,7 +537,7 @@ internal sealed class Isogeny // a point P with 2 coefficients in coeff (computed in the function get_3_Isog()). // Inputs: projective points P = (X3:Z3) and Q = (X:Z). // Output: the projective point Q <- phi(Q) = (X3:Z3). - protected internal void eval_3_isog(PointProj Q, ulong[][][] coeff) + internal void Eval3Isog(PointProj Q, ulong[][][] coeff) { ulong[][] t0 = SikeUtilities.InitArray(2, engine.param.NWORDS_FIELD), t1 = SikeUtilities.InitArray(2, engine.param.NWORDS_FIELD), @@ -561,7 +558,7 @@ internal sealed class Isogeny // 3-way simultaneous inversion // Input: z1,z2,z3 // Output: 1/z1,1/z2,1/z3 (override inputs). - protected internal void inv_3_way(ulong[][] z1, ulong[][] z2, ulong[][] z3) + internal void Inv3Way(ulong[][] z1, ulong[][] z2, ulong[][] z3) { ulong[][] t0 = SikeUtilities.InitArray(2, engine.param.NWORDS_FIELD), t1 = SikeUtilities.InitArray(2, engine.param.NWORDS_FIELD), @@ -581,7 +578,7 @@ internal sealed class Isogeny // Computes the corresponding 2-isogeny of a projective Montgomery point (X2:Z2) of order 2. // Input: projective point of order two P = (X2:Z2). // Output: the 2-isogenous Montgomery curve with projective coefficients A/C. - protected internal void get_2_isog(PointProj P, ulong[][] A, ulong[][] C) + internal void Get2Isog(PointProj P, ulong[][] A, ulong[][] C) { engine.fpx.fp2sqr_mont(P.X, A); // A = X2^2 engine.fpx.fp2sqr_mont(P.Z, C); // C = Z2^2 @@ -591,7 +588,7 @@ internal sealed class Isogeny // Evaluates the isogeny at the point (X:Z) in the domain of the isogeny, given a 2-isogeny phi. // Inputs: the projective point P = (X:Z) and the 2-isogeny kernel projetive point Q = (X2:Z2). // Output: the projective point P = phi(P) = (X:Z) in the codomain. - protected internal void eval_2_isog(PointProj P, PointProj Q) + internal void Eval2Isog(PointProj P, PointProj Q) { ulong[][] t0 = SikeUtilities.InitArray(2, engine.param.NWORDS_FIELD), t1 = SikeUtilities.InitArray(2, engine.param.NWORDS_FIELD), @@ -614,7 +611,7 @@ internal sealed class Isogeny // Input: projective point of order four P = (X4:Z4). // Output: the 4-isogenous Montgomery curve with projective coefficients A+2C/4C and the 3 coefficients // that are used to evaluate the isogeny at a point in eval_4_Isog(). - protected internal void get_4_isog(PointProj P, ulong[][] A24plus, ulong[][] C24, ulong[][][] coeff) + internal void Get4Isog(PointProj P, ulong[][] A24plus, ulong[][] C24, ulong[][][] coeff) { engine.fpx.mp2_sub_p2(P.X, P.Z, coeff[1]); // coeff[1] = X4-Z4 engine.fpx.mp2_add(P.X, P.Z, coeff[2]); // coeff[2] = X4+Z4 @@ -631,7 +628,7 @@ internal sealed class Isogeny // by the 3 coefficients in coeff (computed in the function get_4_Isog()). // Inputs: the coefficients defining the isogeny, and the projective point P = (X:Z). // Output: the projective point P = phi(P) = (X:Z) in the codomain. - protected internal void eval_4_isog(PointProj P, ulong[][][] coeff) + internal void Eval4Isog(PointProj P, ulong[][][] coeff) { ulong[][] t0 = SikeUtilities.InitArray(2, engine.param.NWORDS_FIELD), t1 = SikeUtilities.InitArray(2, engine.param.NWORDS_FIELD); @@ -651,9 +648,5 @@ internal sealed class Isogeny engine.fpx.fp2mul_mont(P.X, t1, P.X); // Xfinal engine.fpx.fp2mul_mont(P.Z, t0, P.Z); // Zfinal } - - - } - -} \ No newline at end of file +} diff --git a/crypto/src/pqc/crypto/sike/SIDH.cs b/crypto/src/pqc/crypto/sike/SIDH.cs index ab01a729f..8246291c6 100644 --- a/crypto/src/pqc/crypto/sike/SIDH.cs +++ b/crypto/src/pqc/crypto/sike/SIDH.cs @@ -10,7 +10,7 @@ internal sealed class Sidh } // Initialization of basis points - protected void init_basis(ulong[] gen, ulong[][] XP, ulong[][] XQ, ulong[][] XR) + internal void init_basis(ulong[] gen, ulong[][] XP, ulong[][] XQ, ulong[][] XR) { engine.fpx.fpcopy(gen, 0, XP[0]); engine.fpx.fpcopy(gen, engine.param.NWORDS_FIELD, XP[1]); @@ -23,7 +23,7 @@ internal sealed class Sidh // Bob's ephemeral public key generation // Input: a private key PrivateKeyB in the range [0, 2^Floor(Log(2,oB)) - 1]. // Output: the public key PublicKeyB consisting of 3 elements in GF(p^2) which are encoded by removing leading 0 bytes. - protected internal void EphemeralKeyGeneration_B(byte[] sk, byte[] pk) + internal void EphemeralKeyGeneration_B(byte[] sk, byte[] pk) { PointProj R = new PointProj(engine.param.NWORDS_FIELD), phiP = new PointProj(engine.param.NWORDS_FIELD), @@ -71,29 +71,29 @@ internal sealed class Sidh engine.fpx.fp2copy(R.Z, pts[npts].Z); pts_index[npts++] = index; m = engine.param.strat_Bob[ii++]; - engine.isogeny.xTPLe(R, R, A24minus, A24plus, m); + engine.isogeny.XTplE(R, R, A24minus, A24plus, m); index += m; } - engine.isogeny.get_3_isog(R, A24minus, A24plus, coeff); + engine.isogeny.Get3Isog(R, A24minus, A24plus, coeff); for (i = 0; i < npts; i++) { - engine.isogeny.eval_3_isog(pts[i], coeff); + engine.isogeny.Eval3Isog(pts[i], coeff); } - engine.isogeny.eval_3_isog(phiP, coeff); - engine.isogeny.eval_3_isog(phiQ, coeff); - engine.isogeny.eval_3_isog(phiR, coeff); + engine.isogeny.Eval3Isog(phiP, coeff); + engine.isogeny.Eval3Isog(phiQ, coeff); + engine.isogeny.Eval3Isog(phiR, coeff); engine.fpx.fp2copy(pts[npts - 1].X, R.X); engine.fpx.fp2copy(pts[npts - 1].Z, R.Z); index = pts_index[npts - 1]; npts -= 1; } - engine.isogeny.get_3_isog(R, A24minus, A24plus, coeff); - engine.isogeny.eval_3_isog(phiP, coeff); - engine.isogeny.eval_3_isog(phiQ, coeff); - engine.isogeny.eval_3_isog(phiR, coeff); - engine.isogeny.inv_3_way(phiP.Z, phiQ.Z, phiR.Z); + engine.isogeny.Get3Isog(R, A24minus, A24plus, coeff); + engine.isogeny.Eval3Isog(phiP, coeff); + engine.isogeny.Eval3Isog(phiQ, coeff); + engine.isogeny.Eval3Isog(phiR, coeff); + engine.isogeny.Inv3Way(phiP.Z, phiQ.Z, phiR.Z); engine.fpx.fp2mul_mont(phiP.X, phiP.Z, phiP.X); engine.fpx.fp2mul_mont(phiQ.X, phiQ.Z, phiQ.X); @@ -108,7 +108,7 @@ internal sealed class Sidh // Alice's ephemeral public key generation // Input: a private key PrivateKeyA in the range [0, 2^eA - 1]. // Output: the public key PublicKeyA consisting of 3 elements in GF(p^2) which are encoded by removing leading 0 bytes. - protected internal void EphemeralKeyGeneration_A(byte[] ephemeralsk, byte[] ct) + internal void EphemeralKeyGeneration_A(byte[] ephemeralsk, byte[] ct) { PointProj R = new PointProj(engine.param.NWORDS_FIELD), phiP = new PointProj(engine.param.NWORDS_FIELD), @@ -149,12 +149,12 @@ internal sealed class Sidh if (engine.param.OALICE_BITS % 2 == 1) { PointProj S = new PointProj(engine.param.NWORDS_FIELD); - engine.isogeny.xDBLe(R, S, A24plus, C24, (engine.param.OALICE_BITS - 1)); - engine.isogeny.get_2_isog(S, A24plus, C24); - engine.isogeny.eval_2_isog(phiP, S); - engine.isogeny.eval_2_isog(phiQ, S); - engine.isogeny.eval_2_isog(phiR, S); - engine.isogeny.eval_2_isog(R, S); + engine.isogeny.XDblE(R, S, A24plus, C24, (engine.param.OALICE_BITS - 1)); + engine.isogeny.Get2Isog(S, A24plus, C24); + engine.isogeny.Eval2Isog(phiP, S); + engine.isogeny.Eval2Isog(phiQ, S); + engine.isogeny.Eval2Isog(phiR, S); + engine.isogeny.Eval2Isog(R, S); } // Traverse tree @@ -168,18 +168,18 @@ internal sealed class Sidh engine.fpx.fp2copy(R.Z, pts[npts].Z); pts_index[npts++] = index; m = engine.param.strat_Alice[ii++]; - engine.isogeny.xDBLe(R, R, A24plus, C24, 2*m); + engine.isogeny.XDblE(R, R, A24plus, C24, 2*m); index += m; } - engine.isogeny.get_4_isog(R, A24plus, C24, coeff); + engine.isogeny.Get4Isog(R, A24plus, C24, coeff); for (i = 0; i < npts; i++) { - engine.isogeny.eval_4_isog(pts[i], coeff); + engine.isogeny.Eval4Isog(pts[i], coeff); } - engine.isogeny.eval_4_isog(phiP, coeff); - engine.isogeny.eval_4_isog(phiQ, coeff); - engine.isogeny.eval_4_isog(phiR, coeff); + engine.isogeny.Eval4Isog(phiP, coeff); + engine.isogeny.Eval4Isog(phiQ, coeff); + engine.isogeny.Eval4Isog(phiR, coeff); engine.fpx.fp2copy(pts[npts-1].X, R.X); engine.fpx.fp2copy(pts[npts-1].Z, R.Z); @@ -187,12 +187,12 @@ internal sealed class Sidh npts -= 1; } - engine.isogeny.get_4_isog(R, A24plus, C24, coeff); - engine.isogeny.eval_4_isog(phiP, coeff); - engine.isogeny.eval_4_isog(phiQ, coeff); - engine.isogeny.eval_4_isog(phiR, coeff); + engine.isogeny.Get4Isog(R, A24plus, C24, coeff); + engine.isogeny.Eval4Isog(phiP, coeff); + engine.isogeny.Eval4Isog(phiQ, coeff); + engine.isogeny.Eval4Isog(phiR, coeff); - engine.isogeny.inv_3_way(phiP.Z, phiQ.Z, phiR.Z); + engine.isogeny.Inv3Way(phiP.Z, phiQ.Z, phiR.Z); engine.fpx.fp2mul_mont(phiP.X, phiP.Z, phiP.X); engine.fpx.fp2mul_mont(phiQ.X, phiQ.Z, phiQ.X); engine.fpx.fp2mul_mont(phiR.X, phiR.Z, phiR.X); @@ -209,7 +209,7 @@ internal sealed class Sidh // Inputs: Alice's PrivateKeyA is an integer in the range [0, oA-1]. // Bob's PublicKeyB consists of 3 elements in GF(p^2) encoded by removing leading 0 bytes. // Output: a shared secret SharedSecretA that consists of one element in GF(p^2) encoded by removing leading 0 bytes. - protected internal void EphemeralSecretAgreement_A(byte[] ephemeralsk, byte[] pk, byte[] jinvariant) + internal void EphemeralSecretAgreement_A(byte[] ephemeralsk, byte[] pk, byte[] jinvariant) { PointProj R = new PointProj(engine.param.NWORDS_FIELD); PointProj[] pts = new PointProj[engine.param.MAX_INT_POINTS_ALICE]; @@ -230,7 +230,7 @@ internal sealed class Sidh engine.fpx.fp2_decode(pk, PKB[2], 2*engine.param.FP2_ENCODED_BYTES); // Initialize constants: A24plus = A+2C, C24 = 4C, where C=1 - engine.isogeny.get_A(PKB[0], PKB[1], PKB[2], A); + engine.isogeny.GetA(PKB[0], PKB[1], PKB[2], A); engine.fpx.mp_add(engine.param.Montgomery_one, engine.param.Montgomery_one, C24[0], engine.param.NWORDS_FIELD); engine.fpx.mp2_add(A, C24, A24plus); engine.fpx.mp_add(C24[0], C24[0], C24[0], engine.param.NWORDS_FIELD); @@ -243,9 +243,9 @@ internal sealed class Sidh { PointProj S = new PointProj(engine.param.NWORDS_FIELD); - engine.isogeny.xDBLe(R, S, A24plus, C24, engine.param.OALICE_BITS - 1); - engine.isogeny.get_2_isog(S, A24plus, C24); - engine.isogeny.eval_2_isog(R, S); + engine.isogeny.XDblE(R, S, A24plus, C24, engine.param.OALICE_BITS - 1); + engine.isogeny.Get2Isog(S, A24plus, C24); + engine.isogeny.Eval2Isog(R, S); } // Traverse tree @@ -259,14 +259,14 @@ internal sealed class Sidh engine.fpx.fp2copy(R.Z, pts[npts].Z); pts_index[npts++] = index; m = engine.param.strat_Alice[ii++]; - engine.isogeny.xDBLe(R, R, A24plus, C24, 2*m); + engine.isogeny.XDblE(R, R, A24plus, C24, 2*m); index += m; } - engine.isogeny.get_4_isog(R, A24plus, C24, coeff); + engine.isogeny.Get4Isog(R, A24plus, C24, coeff); for (i = 0; i < npts; i++) { - engine.isogeny.eval_4_isog(pts[i], coeff); + engine.isogeny.Eval4Isog(pts[i], coeff); } engine.fpx.fp2copy(pts[npts-1].X, R.X); @@ -275,11 +275,11 @@ internal sealed class Sidh npts -= 1; } - engine.isogeny.get_4_isog(R, A24plus, C24, coeff); + engine.isogeny.Get4Isog(R, A24plus, C24, coeff); engine.fpx.mp2_add(A24plus, A24plus, A24plus); engine.fpx.fp2sub(A24plus, C24, A24plus); engine.fpx.fp2add(A24plus, A24plus, A24plus); - engine.isogeny.j_inv(A24plus, C24, jinv); + engine.isogeny.JInv(A24plus, C24, jinv); engine.fpx.fp2_encode(jinv, jinvariant, 0); // Format shared secret } @@ -288,7 +288,7 @@ internal sealed class Sidh // Inputs: Bob's PrivateKeyB is an integer in the range [0, 2^Floor(Log(2,oB)) - 1]. // Alice's PublicKeyA consists of 3 elements in GF(p^2) encoded by removing leading 0 bytes. // Output: a shared secret SharedSecretB that consists of one element in GF(p^2) encoded by removing leading 0 bytes. - protected internal void EphemeralSecretAgreement_B(byte[] sk, byte[] ct, byte[] jinvariant_) + internal void EphemeralSecretAgreement_B(byte[] sk, byte[] ct, byte[] jinvariant_) { PointProj R = new PointProj(engine.param.NWORDS_FIELD); PointProj[] pts = new PointProj[engine.param.MAX_INT_POINTS_BOB]; @@ -309,7 +309,7 @@ internal sealed class Sidh engine.fpx.fp2_decode(ct, PKB[2], 2*engine.param.FP2_ENCODED_BYTES); // Initialize constants: A24plus = A+2C, A24minus = A-2C, where C=1 - engine.isogeny.get_A(PKB[0], PKB[1], PKB[2], A); + engine.isogeny.GetA(PKB[0], PKB[1], PKB[2], A); engine.fpx.mp_add(engine.param.Montgomery_one, engine.param.Montgomery_one, A24minus[0], engine.param.NWORDS_FIELD); engine.fpx.mp2_add(A, A24minus, A24plus); engine.fpx.mp2_sub_p2(A, A24minus, A24minus); @@ -329,13 +329,13 @@ internal sealed class Sidh engine.fpx.fp2copy(R.Z, pts[npts].Z); pts_index[npts++] = index; m = engine.param.strat_Bob[ii++]; - engine.isogeny.xTPLe(R, R, A24minus, A24plus, m); + engine.isogeny.XTplE(R, R, A24minus, A24plus, m); index += m; } - engine.isogeny.get_3_isog(R, A24minus, A24plus, coeff); + engine.isogeny.Get3Isog(R, A24minus, A24plus, coeff); for (i = 0; i < npts; i++) { - engine.isogeny.eval_3_isog(pts[i], coeff); + engine.isogeny.Eval3Isog(pts[i], coeff); } engine.fpx.fp2copy(pts[npts-1].X, R.X); @@ -344,14 +344,12 @@ internal sealed class Sidh npts -= 1; } - engine.isogeny.get_3_isog(R, A24minus, A24plus, coeff); + engine.isogeny.Get3Isog(R, A24minus, A24plus, coeff); engine.fpx.fp2add(A24plus, A24minus, A); engine.fpx.fp2add(A, A, A); engine.fpx.fp2sub(A24plus, A24minus, A24plus); - engine.isogeny.j_inv(A, A24plus, jinv); + engine.isogeny.JInv(A, A24plus, jinv); engine.fpx.fp2_encode(jinv, jinvariant_, 0); // Format shared secret } - } - -} \ No newline at end of file +} diff --git a/crypto/src/pqc/crypto/sike/SIDH_Compressed.cs b/crypto/src/pqc/crypto/sike/SIDH_Compressed.cs index b849a8aad..cf69d0f82 100644 --- a/crypto/src/pqc/crypto/sike/SIDH_Compressed.cs +++ b/crypto/src/pqc/crypto/sike/SIDH_Compressed.cs @@ -14,7 +14,7 @@ internal sealed class SidhCompressed this.engine = engine; } - protected void init_basis(ulong[] gen, ulong[][] XP, ulong[][] XQ, ulong[][] XR) + internal void init_basis(ulong[] gen, ulong[][] XP, ulong[][] XQ, ulong[][] XR) { // Initialization of basis points engine.fpx.fpcopy(gen, 0, XP[0]); @@ -25,8 +25,7 @@ internal sealed class SidhCompressed engine.fpx.fpcopy(gen, 5*engine.param.NWORDS_FIELD, XR[1]); } - - protected internal void FormatPrivKey_B(byte[] skB) + internal void FormatPrivKey_B(byte[] skB) { skB[engine.param.SECRETKEY_B_BYTES-2] &= (byte)engine.param.MASK3_BOB; skB[engine.param.SECRETKEY_B_BYTES-1] &= (byte)engine.param.MASK2_BOB; // Clear necessary bits so that 3*ephemeralsk is still less than Bob_order @@ -35,7 +34,7 @@ internal sealed class SidhCompressed // Generation of Alice's secret key // Outputs random value in [0, 2^eA - 1] - protected void random_mod_order_A(byte[] random_digits, SecureRandom random) + internal void random_mod_order_A(byte[] random_digits, SecureRandom random) { byte[] temp = new byte[engine.param.SECRETKEY_A_BYTES]; random.NextBytes(temp); @@ -46,7 +45,7 @@ internal sealed class SidhCompressed // Generation of Bob's secret key // Outputs random value in [0, 2^Floor(Log(2, oB)) - 1] - protected void random_mod_order_B(byte[] random_digits, SecureRandom random) + internal void random_mod_order_B(byte[] random_digits, SecureRandom random) { byte[] temp = new byte[engine.param.SECRETKEY_B_BYTES]; random.NextBytes(temp); @@ -55,7 +54,7 @@ internal sealed class SidhCompressed } // Project 3-pouint ladder - protected void Ladder3pt_dual(PointProj[] Rs, ulong[] m, uint AliceOrBob, PointProj R, ulong[][] A24) + internal void Ladder3pt_dual(PointProj[] Rs, ulong[] m, uint AliceOrBob, PointProj R, ulong[][] A24) { PointProj R0 = new PointProj(engine.param.NWORDS_FIELD), R2 = new PointProj(engine.param.NWORDS_FIELD); @@ -85,18 +84,16 @@ internal sealed class SidhCompressed prevbit = bit; mask = 0 - (ulong)swap; - engine.isogeny.swap_points(R, R2, mask); - engine.isogeny.xDBLADD(R0, R2, R.X, A24); + engine.isogeny.SwapPoints(R, R2, mask); + engine.isogeny.XDblAdd(R0, R2, R.X, A24); engine.fpx.fp2mul_mont(R2.X, R.Z, R2.X); } swap = 0 ^ prevbit; mask = 0 - (ulong)swap; - engine.isogeny.swap_points(R, R2, mask); + engine.isogeny.SwapPoints(R, R2, mask); } - - - protected void Elligator2(ulong[][] a24, uint[] r, uint rIndex, ulong[][] x, byte[] bit, uint bitOffset, uint COMPorDEC) + internal void Elligator2(ulong[][] a24, uint[] r, uint rIndex, ulong[][] x, byte[] bit, uint bitOffset, uint COMPorDEC) { // Generate an x-coordinate of a pouint on curve with (affine) coefficient a24 // Use the counter r uint i; @@ -189,8 +186,7 @@ internal sealed class SidhCompressed // {System.out.printf("%016x ", x[di][dj] );}System.out.Println();} } - - protected void make_positive(ulong[][] x) + internal void make_positive(ulong[][] x) { uint nbytes = engine.param.NWORDS_FIELD; ulong[] zero = new ulong[engine.param.NWORDS_FIELD]; @@ -213,8 +209,7 @@ internal sealed class SidhCompressed engine.fpx.to_fp2mont(x, x); } - - protected void BiQuad_affine(ulong[][] a24, ulong[][] x0, ulong[][] x1, PointProj R) + internal void BiQuad_affine(ulong[][] a24, ulong[][] x0, ulong[][] x1, PointProj R) { ulong[][] Ap2 = SikeUtilities.InitArray(2, engine.param.NWORDS_FIELD), aa = SikeUtilities.InitArray(2, engine.param.NWORDS_FIELD), @@ -259,8 +254,7 @@ internal sealed class SidhCompressed engine.fpx.fp2add(aa, aa, R.Z); } - - protected void get_4_isog_dual(PointProj P, ulong[][] A24, ulong[][] C24, ulong[][][] coeff) + internal void get_4_isog_dual(PointProj P, ulong[][] A24, ulong[][] C24, ulong[][][] coeff) { engine.fpx.fp2sub(P.X, P.Z, coeff[1]); engine.fpx.fp2add(P.X, P.Z, coeff[2]); @@ -275,7 +269,7 @@ internal sealed class SidhCompressed // if (engine.param.OALICE_BITS % 2 == 1) - protected void eval_dual_2_isog(ulong[][] X2, ulong[][] Z2, PointProj P) + internal void eval_dual_2_isog(ulong[][] X2, ulong[][] Z2, PointProj P) { ulong[][] t0 = SikeUtilities.InitArray(2, engine.param.NWORDS_FIELD); @@ -288,7 +282,7 @@ internal sealed class SidhCompressed engine.fpx.fp2mul_mont(Z2, t0, P.X); } - protected void eval_final_dual_2_isog(PointProj P) + internal void eval_final_dual_2_isog(PointProj P) { ulong[][] t0 = SikeUtilities.InitArray(2, engine.param.NWORDS_FIELD), t1 = SikeUtilities.InitArray(2, engine.param.NWORDS_FIELD); @@ -306,7 +300,7 @@ internal sealed class SidhCompressed } - protected void eval_dual_4_isog_shared(ulong[][] X4pZ4, ulong[][] X42, ulong[][] Z42, ulong[][][] coeff, uint coeffOffset) + internal void eval_dual_4_isog_shared(ulong[][] X4pZ4, ulong[][] X42, ulong[][] Z42, ulong[][][] coeff, uint coeffOffset) { // System.out.print("coeff0: "); // for (uint di = 0; di < 2; di++){ @@ -340,8 +334,7 @@ internal sealed class SidhCompressed // System.out.printf("%016x ", coeff[2 + coeffOffset][di][dj]);}System.out.Println();} } - - protected void eval_dual_4_isog(ulong[][] A24, ulong[][] C24, ulong[][][] coeff, uint coeffOffset, PointProj P) + internal void eval_dual_4_isog(ulong[][] A24, ulong[][] C24, ulong[][][] coeff, uint coeffOffset, PointProj P) { ulong[][] t0 = SikeUtilities.InitArray(2, engine.param.NWORDS_FIELD), t1 = SikeUtilities.InitArray(2, engine.param.NWORDS_FIELD), @@ -365,8 +358,7 @@ internal sealed class SidhCompressed engine.fpx.fp2mul_mont(coeff[2 + coeffOffset], P.Z, P.Z); } - - protected void eval_full_dual_4_isog(ulong[][][][] As, PointProj P) + internal void eval_full_dual_4_isog(ulong[][][][] As, PointProj P) { //todo : check // First all 4-isogenies @@ -384,8 +376,7 @@ internal sealed class SidhCompressed eval_final_dual_2_isog(P); // to A = 0 } - - protected void TripleAndParabola_proj(PointProjFull R, ulong[][] l1x, ulong[][] l1z) + internal void TripleAndParabola_proj(PointProjFull R, ulong[][] l1x, ulong[][] l1z) { engine.fpx.fp2sqr_mont(R.X, l1z); engine.fpx.fp2add(l1z, l1z, l1x); @@ -394,8 +385,7 @@ internal sealed class SidhCompressed engine.fpx.fp2add(R.Y, R.Y, l1z); } - - protected void Tate3_proj(PointProjFull P, PointProjFull Q, ulong[][] gX, ulong[][] gZ) + internal void Tate3_proj(PointProjFull P, PointProjFull Q, ulong[][] gX, ulong[][] gZ) { ulong[][] t0 = SikeUtilities.InitArray(2, engine.param.NWORDS_FIELD), l1x = SikeUtilities.InitArray(2, engine.param.NWORDS_FIELD); @@ -408,8 +398,7 @@ internal sealed class SidhCompressed engine.fpx.fp2add(gX, t0, gX); } - - protected void FinalExpo3(ulong[][] gX, ulong[][] gZ) + internal void FinalExpo3(ulong[][] gX, ulong[][] gZ) { uint i; @@ -432,8 +421,7 @@ internal sealed class SidhCompressed } } - - protected void FinalExpo3_2way(ulong[][][] gX, ulong[][][] gZ) + internal void FinalExpo3_2way(ulong[][][] gX, ulong[][][] gZ) { uint i, j; @@ -463,7 +451,6 @@ internal sealed class SidhCompressed } } - private bool FirstPoint_dual(PointProj P, PointProjFull R, byte[] ind) { PointProjFull R3 = new PointProjFull(engine.param.NWORDS_FIELD), @@ -580,7 +567,6 @@ internal sealed class SidhCompressed return true; } - private bool SecondPoint_dual(PointProj P, PointProjFull R, byte[] ind) { PointProjFull RS3 = new PointProjFull(engine.param.NWORDS_FIELD); @@ -612,8 +598,7 @@ internal sealed class SidhCompressed } } - - protected void FirstPoint3n(ulong[][] a24, ulong[][][][] As, ulong[][] x, PointProjFull R, uint[] r, byte[] ind, byte[] bitEll) + internal void FirstPoint3n(ulong[][] a24, ulong[][][][] As, ulong[][] x, PointProjFull R, uint[] r, byte[] ind, byte[] bitEll) { bool b = false; PointProj P = new PointProj(engine.param.NWORDS_FIELD); @@ -668,8 +653,7 @@ internal sealed class SidhCompressed } } - - protected void SecondPoint3n(ulong[][] a24, ulong[][][][] As, ulong[][] x, PointProjFull R, uint[] r, byte[] ind, byte[] bitEll) + internal void SecondPoint3n(ulong[][] a24, ulong[][][][] As, ulong[][] x, PointProjFull R, uint[] r, byte[] ind, byte[] bitEll) { bool b = false; PointProj P = new PointProj(engine.param.NWORDS_FIELD); @@ -724,8 +708,7 @@ internal sealed class SidhCompressed } } - - protected void makeDiff(PointProjFull R, PointProjFull S, PointProj D) + internal void makeDiff(PointProjFull R, PointProjFull S, PointProj D) { ulong[][] t0 = SikeUtilities.InitArray(2, engine.param.NWORDS_FIELD), t1 = SikeUtilities.InitArray(2, engine.param.NWORDS_FIELD), @@ -749,8 +732,7 @@ internal sealed class SidhCompressed } } - - protected void BuildOrdinary3nBasis_dual(ulong[][] a24, ulong[][][][] As, PointProjFull[] R, uint[] r, uint[] bitsEll, uint bitsEllOffset) + internal void BuildOrdinary3nBasis_dual(ulong[][] a24, ulong[][][][] As, PointProjFull[] R, uint[] r, uint[] bitsEll, uint bitsEllOffset) { PointProj D = new PointProj(engine.param.NWORDS_FIELD); @@ -809,8 +791,7 @@ internal sealed class SidhCompressed makeDiff(R[0], R[1], D); } - - protected void FullIsogeny_A_dual(byte[] PrivateKeyA, ulong[][][][] As, ulong[][] a24, uint sike) + internal void FullIsogeny_A_dual(byte[] PrivateKeyA, ulong[][][][] As, ulong[][] a24, uint sike) { // Input: a private key PrivateKeyA in the range [0, 2^eA - 1]. // Output: the public key PublicKeyA consisting of 3 elements in GF(p^2) which are encoded by removing leading 0 bytes. @@ -925,9 +906,9 @@ internal sealed class SidhCompressed { PointProj S = new PointProj(engine.param.NWORDS_FIELD); - engine.isogeny.xDBLe(R, S, A24, C24, engine.param.OALICE_BITS - 1); - engine.isogeny.get_2_isog(S, A24, C24); - engine.isogeny.eval_2_isog(R, S); + engine.isogeny.XDblE(R, S, A24, C24, engine.param.OALICE_BITS - 1); + engine.isogeny.Get2Isog(S, A24, C24); + engine.isogeny.Eval2Isog(R, S); engine.fpx.fp2copy(S.X, As[engine.param.MAX_Alice][2]); engine.fpx.fp2copy(S.Z, As[engine.param.MAX_Alice][3]); } @@ -945,7 +926,7 @@ internal sealed class SidhCompressed engine.fpx.fp2copy(R.Z, pts[npts].Z); pts_index[npts++] = index; m = engine.param.strat_Alice[ii++]; - engine.isogeny.xDBLe(R, R, A24, C24, 2*m); + engine.isogeny.XDblE(R, R, A24, C24, 2*m); index += m; } @@ -976,7 +957,7 @@ internal sealed class SidhCompressed get_4_isog_dual(R, A24, C24, coeff); for (i = 0; i < npts; i++) { - engine.isogeny.eval_4_isog(pts[i], coeff); + engine.isogeny.Eval4Isog(pts[i], coeff); // System.out.print(i + "ptsX: "); // for (uint di = 0; di < 2; di++){ @@ -1043,8 +1024,7 @@ internal sealed class SidhCompressed // System.out.printf("%016x ", a24[di][dj]);}System.out.Println();} } - - protected void Dlogs3_dual(ulong[][][] f, int[] D, ulong[] d0, ulong[] c0, ulong[] d1, ulong[] c1) + internal void Dlogs3_dual(ulong[][][] f, int[] D, ulong[] d0, ulong[] c0, ulong[] d1, ulong[] c1) { solve_dlog(f[0], D, d0, 3); solve_dlog(f[2], D, c0, 3); @@ -1054,8 +1034,7 @@ internal sealed class SidhCompressed engine.fpx.mp_sub(engine.param.Bob_order, c1, c1, engine.param.NWORDS_ORDER); } - - protected void BuildOrdinary3nBasis_Decomp_dual(ulong[][] A24, PointProj[] Rs, uint[] r, uint[] bitsEll, uint bitsEllIndex) + internal void BuildOrdinary3nBasis_Decomp_dual(ulong[][] A24, PointProj[] Rs, uint[] r, uint[] bitsEll, uint bitsEllIndex) { byte[] bitEll = new byte[2]; @@ -1071,8 +1050,7 @@ internal sealed class SidhCompressed BiQuad_affine(A24, Rs[0].X, Rs[1].X, Rs[2]); } - - protected void PKADecompression_dual(byte[] SecretKeyB, byte[] CompressedPKA, PointProj R, ulong[][] A) + internal void PKADecompression_dual(byte[] SecretKeyB, byte[] CompressedPKA, PointProj R, ulong[][] A) { byte bit; uint[] rs = new uint[3]; @@ -1120,7 +1098,7 @@ internal sealed class SidhCompressed engine.fpx.fpcopy(engine.param.Montgomery_one, 0, Rs[0].Z[0]); engine.fpx.fpcopy(engine.param.Montgomery_one, 0, Rs[1].Z[0]); - engine.isogeny.swap_points(Rs[0], Rs[1], ((ulong) -bit));//todo check + engine.isogeny.SwapPoints(Rs[0], Rs[1], ((ulong) -bit));//todo check engine.fpx.decode_to_digits(SecretKeyB, 0, SKin, engine.param.SECRETKEY_B_BYTES, engine.param.NWORDS_ORDER); engine.fpx.to_Montgomery_mod_order(SKin, t1, engine.param.Bob_order, engine.param.Montgomery_RB2, engine.param.Montgomery_RB1); // Converting to Montgomery representation engine.fpx.decode_to_digits(CompressedPKA, 0, temp, engine.param.ORDER_B_ENCODED_BYTES, engine.param.NWORDS_ORDER); @@ -1155,8 +1133,7 @@ internal sealed class SidhCompressed engine.isogeny.Double(R, R, A24, engine.param.OALICE_BITS); // x, z := Double(A24, x, 1, eA); } - - protected void Compress_PKA_dual(ulong[] d0, ulong[] c0, ulong[] d1, ulong[] c1, ulong[][] a24, uint[] rs, byte[] CompressedPKA) + internal void Compress_PKA_dual(ulong[] d0, ulong[] c0, ulong[] d1, ulong[] c1, ulong[][] a24, uint[] rs, byte[] CompressedPKA) { uint bit; ulong[] temp = new ulong[engine.param.NWORDS_ORDER], @@ -1231,7 +1208,7 @@ internal sealed class SidhCompressed // Alice's ephemeral public key generation using compression -- SIKE protocol // Output: PrivateKeyA[MSG_BYTES + engine.param.SECRETKEY_A_BYTES] <- x(K_A) where K_A = PA + sk_A*Q_A - protected internal uint EphemeralKeyGeneration_A_extended(byte[] PrivateKeyA, byte[] CompressedPKA) + internal uint EphemeralKeyGeneration_A_extended(byte[] PrivateKeyA, byte[] CompressedPKA) { uint[] rs = new uint[3]; int[] D = new int[engine.param.DLEN_3]; @@ -1363,14 +1340,14 @@ internal sealed class SidhCompressed engine.fpx.fp2copy(R.Z, pts[npts].Z); pts_index[npts++] = index; m = engine.param.strat_Bob[ii++]; - engine.isogeny.xTPLe(R, R, A24minus, A24plus, m); + engine.isogeny.XTplE(R, R, A24minus, A24plus, m); index += m; } - engine.isogeny.get_3_isog(R, A24minus, A24plus, coeff); + engine.isogeny.Get3Isog(R, A24minus, A24plus, coeff); for (i = 0; i < npts; i++) { - engine.isogeny.eval_3_isog(pts[i], coeff); + engine.isogeny.Eval3Isog(pts[i], coeff); } engine.fpx.fp2copy(pts[npts-1].X, R.X); @@ -1379,18 +1356,17 @@ internal sealed class SidhCompressed npts -= 1; } - engine.isogeny.get_3_isog(R, A24minus, A24plus, coeff); + engine.isogeny.Get3Isog(R, A24minus, A24plus, coeff); engine.fpx.fp2add(A24plus, A24minus, A); engine.fpx.fp2add(A, A, A); engine.fpx.fp2sub(A24plus, A24minus, A24plus); - engine.isogeny.j_inv(A, A24plus, jinv); + engine.isogeny.JInv(A, A24plus, jinv); engine.fpx.fp2_encode(jinv, SharedSecretB, 0); // Format shared secret return 0; } - - protected void BuildEntangledXonly(ulong[][] A, PointProj[] R, byte[] qnr, byte[] ind) + internal void BuildEntangledXonly(ulong[][] A, PointProj[] R, byte[] qnr, byte[] ind) { ulong[] s = new ulong[engine.param.NWORDS_FIELD]; ulong[][] t_ptr, @@ -1456,8 +1432,7 @@ internal sealed class SidhCompressed engine.fpx.fp2mul_mont(t, r, R[2].X); } - - protected void RecoverY(ulong[][] A, PointProj[] xs, PointProjFull[] Rs) + internal void RecoverY(ulong[][] A, PointProj[] xs, PointProjFull[] Rs) { ulong[][] t0 = SikeUtilities.InitArray(2, engine.param.NWORDS_FIELD), t1 = SikeUtilities.InitArray(2, engine.param.NWORDS_FIELD), @@ -1497,8 +1472,7 @@ internal sealed class SidhCompressed engine.fpx.fp2mul_mont(Rs[1].Y, Rs[1].Z, Rs[1].Y); } - - protected void BuildOrdinary2nBasis_dual(ulong[][] A, ulong[][][][] Ds, PointProjFull[] Rs, byte[] qnr, byte[] ind) + internal void BuildOrdinary2nBasis_dual(ulong[][] A, ulong[][][][] Ds, PointProjFull[] Rs, byte[] qnr, byte[] ind) { uint i; ulong[] t0 = new ulong[engine.param.NWORDS_FIELD]; @@ -1545,9 +1519,9 @@ internal sealed class SidhCompressed // Move them back to A = 6 for(i = 0; i < engine.param.MAX_Bob; i++) { - engine.isogeny.eval_3_isog(xs[0], Ds[engine.param.MAX_Bob-1-i]); - engine.isogeny.eval_3_isog(xs[1], Ds[engine.param.MAX_Bob-1-i]); - engine.isogeny.eval_3_isog(xs[2], Ds[engine.param.MAX_Bob-1-i]); + engine.isogeny.Eval3Isog(xs[0], Ds[engine.param.MAX_Bob-1-i]); + engine.isogeny.Eval3Isog(xs[1], Ds[engine.param.MAX_Bob-1-i]); + engine.isogeny.Eval3Isog(xs[2], Ds[engine.param.MAX_Bob-1-i]); } // Recover y-coordinates with a single sqrt on A = 6 @@ -1563,7 +1537,7 @@ internal sealed class SidhCompressed // Bob's ephemeral public key generation // Input: a private key PrivateKeyB in the range [0, 2^Floor(Log(2,oB)) - 1]. // Output: the public key PublicKeyB consisting of 3 elements in GF(p^2) which are encoded by removing leading 0 bytes. - protected void FullIsogeny_B_dual(byte[] PrivateKeyB, ulong[][][][] Ds, ulong[][] A) + internal void FullIsogeny_B_dual(byte[] PrivateKeyB, ulong[][][][] Ds, ulong[][] A) { PointProj R = new PointProj(engine.param.NWORDS_FIELD), Q3 = new PointProj(engine.param.NWORDS_FIELD); @@ -1621,15 +1595,15 @@ internal sealed class SidhCompressed engine.fpx.fp2copy(R.Z, pts[npts].Z); pts_index[npts++] = index; m = engine.param.strat_Bob[ii++]; - engine.isogeny.xTPLe(R, R, A24minus, A24plus, m); + engine.isogeny.XTplE(R, R, A24minus, A24plus, m); index += m; } - engine.isogeny.get_3_isog(R, A24minus, A24plus, coeff); + engine.isogeny.Get3Isog(R, A24minus, A24plus, coeff); for (i = 0; i < npts; i++) { - engine.isogeny.eval_3_isog(pts[i], coeff); + engine.isogeny.Eval3Isog(pts[i], coeff); } - engine.isogeny.eval_3_isog(Q3, coeff); // Kernel of dual + engine.isogeny.Eval3Isog(Q3, coeff); // Kernel of dual engine.fpx.fp2sub(Q3.X,Q3.Z,Ds[row-1][0]); engine.fpx.fp2add(Q3.X,Q3.Z,Ds[row-1][1]); @@ -1638,8 +1612,8 @@ internal sealed class SidhCompressed index = pts_index[npts-1]; npts -= 1; } - engine.isogeny.get_3_isog(R, A24minus, A24plus, coeff); - engine.isogeny.eval_3_isog(Q3, coeff); // Kernel of dual + engine.isogeny.Get3Isog(R, A24minus, A24plus, coeff); + engine.isogeny.Eval3Isog(Q3, coeff); // Kernel of dual engine.fpx.fp2sub(Q3.X, Q3.Z, Ds[engine.param.MAX_Bob-1][0]); engine.fpx.fp2add(Q3.X, Q3.Z, Ds[engine.param.MAX_Bob-1][1]); @@ -1650,8 +1624,7 @@ internal sealed class SidhCompressed engine.fpx.fp2add(A, A, A); // A = 2*(A24plus+A24mins)/(A24plus-A24minus) } - - protected void Dlogs2_dual(ulong[][][] f, int[] D, ulong[] d0, ulong[] c0, ulong[] d1, ulong[] c1) + internal void Dlogs2_dual(ulong[][][] f, int[] D, ulong[] d0, ulong[] c0, ulong[] d1, ulong[] c1) { solve_dlog(f[0], D, d0, 2); solve_dlog(f[2], D, c0, 2); @@ -1661,8 +1634,7 @@ internal sealed class SidhCompressed engine.fpx.mp_sub(engine.param.Alice_order, c1, c1, engine.param.NWORDS_ORDER); } - - protected void BuildEntangledXonly_Decomp(ulong[][] A, PointProj[] R, uint qnr, uint ind) + internal void BuildEntangledXonly_Decomp(ulong[][] A, PointProj[] R, uint qnr, uint ind) { ulong[][] t_ptr, r = SikeUtilities.InitArray(2, engine.param.NWORDS_FIELD), @@ -1714,7 +1686,7 @@ internal sealed class SidhCompressed } // Bob's PK decompression -- SIKE protocol - protected void PKBDecompression_extended(byte[] SecretKeyA, uint SecretKeyAOffset, byte[] CompressedPKB, PointProj R, ulong[][] A, byte[] tphiBKA_t, uint tphiBKA_tOffset) + internal void PKBDecompression_extended(byte[] SecretKeyA, uint SecretKeyAOffset, byte[] CompressedPKB, PointProj R, ulong[][] A, byte[] tphiBKA_t, uint tphiBKA_tOffset) { ulong mask = unchecked((ulong) -1L); uint qnr, ind; @@ -1807,12 +1779,12 @@ internal sealed class SidhCompressed engine.fpx.inv_mod_orderA(tmp2, inv); engine.fpx.multiply(inv, tmp1, scal, engine.param.NWORDS_ORDER); scal[engine.param.NWORDS_ORDER-1] &= (ulong)mask; - engine.isogeny.swap_points(Rs[0], Rs[1], unchecked((ulong)-1L));//check + engine.isogeny.SwapPoints(Rs[0], Rs[1], unchecked((ulong)-1L));//check Ladder3pt_dual(Rs, scal, engine.param.ALICE, R, A24); } engine.fpx.fp2div2(A,Adiv2); - engine.isogeny.xTPLe_fast(R, R, Adiv2, engine.param.OBOB_EXPON); + engine.isogeny.XTplEFast(R, R, Adiv2, engine.param.OBOB_EXPON); engine.fpx.fp2_encode(R.X, tphiBKA_t, tphiBKA_tOffset); engine.fpx.fp2_encode(R.Z, tphiBKA_t, tphiBKA_tOffset + engine.param.FP2_ENCODED_BYTES); @@ -1820,7 +1792,7 @@ internal sealed class SidhCompressed } // Bob's PK compression -- SIKE protocol - protected void Compress_PKB_dual_extended(ulong[] d0, ulong[] c0, ulong[] d1, ulong[] c1, ulong[][] A, byte[] qnr, byte[] ind, byte[] CompressedPKB) + internal void Compress_PKB_dual_extended(ulong[] d0, ulong[] c0, ulong[] d1, ulong[] c1, ulong[][] A, byte[] qnr, byte[] ind, byte[] CompressedPKB) { ulong mask = unchecked((ulong) -1L); ulong[] tmp = new ulong[2*engine.param.NWORDS_ORDER], @@ -1876,7 +1848,7 @@ internal sealed class SidhCompressed } // Bob's PK decompression -- SIDH protocol - protected void PKBDecompression(byte[] SecretKeyA, uint SecretKeyAOffset, byte[] CompressedPKB, PointProj R, ulong[][] A) + internal void PKBDecompression(byte[] SecretKeyA, uint SecretKeyAOffset, byte[] CompressedPKB, PointProj R, ulong[][] A) { ulong mask = unchecked((ulong) -1L); uint bit,qnr,ind; @@ -1909,7 +1881,7 @@ internal sealed class SidhCompressed engine.fpx.fp2div2(A24, A24); engine.fpx.decode_to_digits(SecretKeyA, SecretKeyAOffset, SKin, engine.param.SECRETKEY_A_BYTES, engine.param.NWORDS_ORDER); - engine.isogeny.swap_points(Rs[0], Rs[1], 0-(ulong)bit); + engine.isogeny.SwapPoints(Rs[0], Rs[1], 0-(ulong)bit); if (bit == 0) { engine.fpx.decode_to_digits(CompressedPKB, engine.param.ORDER_A_ENCODED_BYTES, comp_temp, engine.param.ORDER_A_ENCODED_BYTES, engine.param.NWORDS_ORDER); @@ -1941,11 +1913,11 @@ internal sealed class SidhCompressed Ladder3pt_dual(Rs, vone, engine.param.ALICE, R, A24); } engine.fpx.fp2div2(A, A24); - engine.isogeny.xTPLe_fast(R, R, A24, engine.param.OBOB_EXPON); + engine.isogeny.XTplEFast(R, R, A24, engine.param.OBOB_EXPON); } // Bob's PK compression -- SIDH protocol - protected void Compress_PKB_dual(ulong[] d0, ulong[] c0, ulong[] d1, ulong[] c1, ulong[][] A, byte[] qnr, byte[] ind, byte[] CompressedPKB) + internal void Compress_PKB_dual(ulong[] d0, ulong[] c0, ulong[] d1, ulong[] c1, ulong[][] A, byte[] qnr, byte[] ind, byte[] CompressedPKB) { ulong[] tmp = new ulong[2*engine.param.NWORDS_ORDER], @@ -1990,7 +1962,7 @@ internal sealed class SidhCompressed } // Bob's ephemeral public key generation using compression -- SIKE protocol - protected internal uint EphemeralKeyGeneration_B_extended(byte[] PrivateKeyB, byte[] CompressedPKB, uint sike) + internal uint EphemeralKeyGeneration_B_extended(byte[] PrivateKeyB, byte[] CompressedPKB, uint sike) { byte[] qnr = new byte[1], ind = new byte[1]; int[] D = new int[engine.param.DLEN_2]; @@ -2114,13 +2086,13 @@ internal sealed class SidhCompressed } // Bob's ephemeral public key generation using compression -- SIDH protocol - protected uint EphemeralKeyGeneration_B(byte[] PrivateKeyB, byte[] CompressedPKB) + internal uint EphemeralKeyGeneration_B(byte[] PrivateKeyB, byte[] CompressedPKB) { return EphemeralKeyGeneration_B_extended(PrivateKeyB, CompressedPKB, 0); } // Alice's ephemeral shared secret computation using compression -- SIKE protocol - protected internal uint EphemeralSecretAgreement_A_extended(byte[] PrivateKeyA, uint PrivateKeyAOffset, byte[] PKB, byte[] SharedSecretA, uint sike) + internal uint EphemeralSecretAgreement_A_extended(byte[] PrivateKeyA, uint PrivateKeyAOffset, byte[] PKB, byte[] SharedSecretA, uint sike) { uint i, ii = 0, row, m, index = 0, npts = 0; uint[] pts_index = new uint[engine.param.MAX_INT_POINTS_ALICE]; @@ -2153,9 +2125,9 @@ internal sealed class SidhCompressed { PointProj S = new PointProj(engine.param.NWORDS_FIELD); - engine.isogeny.xDBLe(R, S, A24plus, C24, (engine.param.OALICE_BITS - 1)); - engine.isogeny.get_2_isog(S, A24plus, C24); - engine.isogeny.eval_2_isog(R, S); + engine.isogeny.XDblE(R, S, A24plus, C24, (engine.param.OALICE_BITS - 1)); + engine.isogeny.Get2Isog(S, A24plus, C24); + engine.isogeny.Eval2Isog(R, S); } // Traverse tree @@ -2169,14 +2141,14 @@ internal sealed class SidhCompressed engine.fpx.fp2copy(R.Z, pts[npts].Z); pts_index[npts++] = index; m = engine.param.strat_Alice[ii++]; - engine.isogeny.xDBLe(R, R, A24plus, C24, 2*m); + engine.isogeny.XDblE(R, R, A24plus, C24, 2*m); index += m; } - engine.isogeny.get_4_isog(R, A24plus, C24, coeff); + engine.isogeny.Get4Isog(R, A24plus, C24, coeff); for (i = 0; i < npts; i++) { - engine.isogeny.eval_4_isog(pts[i], coeff); + engine.isogeny.Eval4Isog(pts[i], coeff); } engine.fpx.fp2copy(pts[npts-1].X, R.X); @@ -2185,11 +2157,11 @@ internal sealed class SidhCompressed npts -= 1; } - engine.isogeny.get_4_isog(R, A24plus, C24, coeff); + engine.isogeny.Get4Isog(R, A24plus, C24, coeff); engine.fpx.fp2add(A24plus, A24plus, A24plus); engine.fpx.fp2sub(A24plus, C24, A24plus); engine.fpx.fp2add(A24plus, A24plus, A24plus); - engine.isogeny.j_inv(A24plus, C24, jinv); + engine.isogeny.JInv(A24plus, C24, jinv); engine.fpx.fp2_encode(jinv, SharedSecretA, 0); // Format shared secret return 0; @@ -2200,13 +2172,12 @@ internal sealed class SidhCompressed // Inputs: Alice's PrivateKeyA is an even integer in the range [2, oA-2], where oA = 2^engine.param.OALICE_BITS. // Bob's decompressed data consists of point_R in (X:Z) coordinates and the curve parameter param_A in GF(p^2). // Output: a shared secret SharedSecretA that consists of one element in GF(p^2). - uint EphemeralSecretAgreement_A(byte[] PrivateKeyA, uint PrivateKeyAOffset, byte[] PKB, byte[] SharedSecretA) + private uint EphemeralSecretAgreement_A(byte[] PrivateKeyA, uint PrivateKeyAOffset, byte[] PKB, byte[] SharedSecretA) { return EphemeralSecretAgreement_A_extended(PrivateKeyA, PrivateKeyAOffset, PKB, SharedSecretA, 0); } - - protected internal byte validate_ciphertext(byte[] ephemeralsk_, byte[] CompressedPKB, byte[] xKA, uint xKAOffset, byte[] tphiBKA_t, uint tphiBKA_tOffset) + internal byte validate_ciphertext(byte[] ephemeralsk_, byte[] CompressedPKB, byte[] xKA, uint xKAOffset, byte[] tphiBKA_t, uint tphiBKA_tOffset) { // If ct validation passes returns 0, otherwise returns -1. PointProj[] phis = new PointProj[3], pts = new PointProj[engine.param.MAX_INT_POINTS_BOB]; @@ -2264,23 +2235,23 @@ internal sealed class SidhCompressed engine.fpx.fp2copy(R.Z, pts[npts].Z); pts_index[npts++] = index; m = engine.param.strat_Bob[ii++]; - engine.isogeny.xTPLe(R, R, A24minus, A24plus, m); + engine.isogeny.XTplE(R, R, A24minus, A24plus, m); index += m; } - engine.isogeny.get_3_isog(R, A24minus, A24plus, coeff); + engine.isogeny.Get3Isog(R, A24minus, A24plus, coeff); for (i = 0; i < npts; i++) { - engine.isogeny.eval_3_isog(pts[i], coeff); + engine.isogeny.Eval3Isog(pts[i], coeff); } - engine.isogeny.eval_3_isog(phis[0], coeff); + engine.isogeny.Eval3Isog(phis[0], coeff); engine.fpx.fp2copy(pts[npts-1].X, R.X); engine.fpx.fp2copy(pts[npts-1].Z, R.Z); index = pts_index[npts-1]; npts -= 1; } - engine.isogeny.get_3_isog(R, A24minus, A24plus, coeff); - engine.isogeny.eval_3_isog(phis[0], coeff); // phis[0] <- phiB(PA + skA*QA) + engine.isogeny.Get3Isog(R, A24minus, A24plus, coeff); + engine.isogeny.Eval3Isog(phis[0], coeff); // phis[0] <- phiB(PA + skA*QA) engine.fpx.fp2_decode(CompressedPKB, A, 4*engine.param.ORDER_A_ENCODED_BYTES); @@ -2296,13 +2267,11 @@ internal sealed class SidhCompressed return (engine.fpx.cmp_f2elm(comp1, comp2)); } - - /// DLOG // Computes the discrete log of input r = g^d where g = e(P,Q)^ell^e, and P,Q are torsion generators in the initial curve // Return the integer d - void solve_dlog(ulong[][] r, int[] D, ulong[] d, uint ell) + internal void solve_dlog(ulong[][] r, int[] D, ulong[] d, uint ell) { if (ell == 2) { @@ -2449,12 +2418,10 @@ internal sealed class SidhCompressed } } - - // Traverse a Pohlig-Hellman optimal strategy to solve a discrete log in a group of order ell^e // Leaves are used to recover the digits which are numbers from 0 to ell^w-1 except by the last leaf that gives a digit between 0 and ell^(e mod w) // Assume w does not divide the exponent e - void Traverse_w_notdiv_e_fullsigned(ulong[][] r, uint j, uint k, uint z, uint[] P, ulong[] CT1, ulong[] CT2, + internal void Traverse_w_notdiv_e_fullsigned(ulong[][] r, uint j, uint k, uint z, uint[] P, ulong[] CT1, ulong[] CT2, int[] D, uint Dlen, uint ell, uint ellw, uint ell_emodw, uint w, uint e) { ulong[][] rp = SikeUtilities.InitArray(2, engine.param.NWORDS_FIELD), @@ -2628,12 +2595,10 @@ internal sealed class SidhCompressed } } - - // Traverse a Pohlig-Hellman optimal strategy to solve a discrete log in a group of order ell^e // The leaves of the tree will be used to recover the signed digits which are numbers from +/-{0,1... Ceil((ell^w-1)/2)} // Assume the integer w divides the exponent e - void Traverse_w_div_e_fullsigned(ulong[][] r, uint j, uint k, uint z, uint[] P, ulong[] CT, int[] D, uint Dlen, uint ellw, uint w) + internal void Traverse_w_div_e_fullsigned(ulong[][] r, uint j, uint k, uint z, uint[] P, ulong[] CT, int[] D, uint Dlen, uint ellw, uint w) { ulong[][] rp = SikeUtilities.InitArray(2, engine.param.NWORDS_FIELD), alpha = SikeUtilities.InitArray(2, engine.param.NWORDS_FIELD); @@ -3158,9 +3123,5 @@ internal sealed class SidhCompressed } engine.fpx.fp2copy(temp, fout); } - - - } - -} \ No newline at end of file +} diff --git a/crypto/src/pqc/crypto/sike/SIKEEngine.cs b/crypto/src/pqc/crypto/sike/SIKEEngine.cs index 6a825fe44..12f468340 100644 --- a/crypto/src/pqc/crypto/sike/SIKEEngine.cs +++ b/crypto/src/pqc/crypto/sike/SIKEEngine.cs @@ -4,43 +4,42 @@ using Org.BouncyCastle.Security; namespace Org.BouncyCastle.Pqc.Crypto.Sike { -internal sealed class SikeEngine -{ - //private readonly SecureRandom random; - - protected internal Internal param; - protected internal Isogeny isogeny; - protected internal Fpx fpx; - private Sidh sidh; - private SidhCompressed sidhCompressed; - private bool isCompressed; - - public uint GetDefaultSessionKeySize() + internal sealed class SikeEngine { - return param.MSG_BYTES * 8; - } + internal Internal param; + internal Isogeny isogeny; + internal Fpx fpx; + private Sidh sidh; + private SidhCompressed sidhCompressed; + private bool isCompressed; + + internal uint GetDefaultSessionKeySize() + { + return param.MSG_BYTES * 8; + } - public int GetCipherTextSize() - { - return param.CRYPTO_CIPHERTEXTBYTES; - } + internal int GetCipherTextSize() + { + return param.CRYPTO_CIPHERTEXTBYTES; + } - public uint GetPrivateKeySize() - { - return param.CRYPTO_SECRETKEYBYTES; - } + internal uint GetPrivateKeySize() + { + return param.CRYPTO_SECRETKEYBYTES; + } - public uint GetPublicKeySize() - { - return param.CRYPTO_PUBLICKEYBYTES; - } - public SikeEngine(int ver, bool isCompressed, SecureRandom random) - { - //this.random = random; - this.isCompressed = isCompressed; - //todo switch for different parameters - switch(ver) + internal uint GetPublicKeySize() { + return param.CRYPTO_PUBLICKEYBYTES; + } + + internal SikeEngine(int ver, bool isCompressed, SecureRandom random) + { + //this.random = random; + this.isCompressed = isCompressed; + //todo switch for different parameters + switch(ver) + { case 434: param = new P434(isCompressed); break; @@ -55,239 +54,236 @@ internal sealed class SikeEngine break; default: break; - + } + fpx = new Fpx(this); + isogeny = new Isogeny(this); + if(isCompressed) + { + sidhCompressed = new SidhCompressed(this); + } + sidh = new Sidh(this); } - fpx = new Fpx(this); - isogeny = new Isogeny(this); - if(isCompressed) + + // SIKE's key generation + // Outputs: secret key sk (CRYPTO_SECRETKEYBYTES = MSG_BYTES + SECRETKEY_B_BYTES + CRYPTO_PUBLICKEYBYTES bytes) + // public key pk (CRYPTO_PUBLICKEYBYTES bytes) + internal int crypto_kem_keypair(byte[] pk, byte[] sk, SecureRandom random) { - sidhCompressed = new SidhCompressed(this); - } - sidh = new Sidh(this); - } + random.NextBytes(sk, 0, (int)param.MSG_BYTES); - // SIKE's key generation - // Outputs: secret key sk (CRYPTO_SECRETKEYBYTES = MSG_BYTES + SECRETKEY_B_BYTES + CRYPTO_PUBLICKEYBYTES bytes) - // public key pk (CRYPTO_PUBLICKEYBYTES bytes) - public int crypto_kem_keypair(byte[] pk, byte[] sk, SecureRandom random) - { - random.NextBytes(sk, 0, (int)param.MSG_BYTES); + if (isCompressed) + { + // Generation of Alice's secret key + // Outputs random value in [0, 2^eA - 1] - if (isCompressed) - { - // Generation of Alice's secret key - // Outputs random value in [0, 2^eA - 1] + random.NextBytes(sk, (int)param.MSG_BYTES, (int)param.SECRETKEY_A_BYTES); + sk[param.MSG_BYTES] &= 0xFE; // Make private scalar even + sk[param.MSG_BYTES + param.SECRETKEY_A_BYTES - 1] &= (byte)param.MASK_ALICE; // Masking last - random.NextBytes(sk, (int)param.MSG_BYTES, (int)param.SECRETKEY_A_BYTES); - sk[param.MSG_BYTES] &= 0xFE; // Make private scalar even - sk[param.MSG_BYTES + param.SECRETKEY_A_BYTES - 1] &= (byte)param.MASK_ALICE; // Masking last + sidhCompressed.EphemeralKeyGeneration_A_extended(sk, pk); - sidhCompressed.EphemeralKeyGeneration_A_extended(sk, pk); + // Append public key pk to secret key sk + System.Array.Copy(pk, 0, sk, param.MSG_BYTES + param.SECRETKEY_A_BYTES, param.CRYPTO_PUBLICKEYBYTES); + } + else + { + // Generation of Bob's secret key + // Outputs random value in [0, 2^Floor(Log(2, oB)) - 1] + // todo/org: SIDH.random_mod_order_B(sk, random); - // Append public key pk to secret key sk - System.Array.Copy(pk, 0, sk, param.MSG_BYTES + param.SECRETKEY_A_BYTES, param.CRYPTO_PUBLICKEYBYTES); - } - else - { - // Generation of Bob's secret key - // Outputs random value in [0, 2^Floor(Log(2, oB)) - 1] - // todo/org: SIDH.random_mod_order_B(sk, random); + random.NextBytes(sk, (int)param.MSG_BYTES, (int)param.SECRETKEY_B_BYTES); + sk[param.MSG_BYTES + param.SECRETKEY_B_BYTES - 1] &= (byte)param.MASK_BOB; - random.NextBytes(sk, (int)param.MSG_BYTES, (int)param.SECRETKEY_B_BYTES); - sk[param.MSG_BYTES + param.SECRETKEY_B_BYTES - 1] &= (byte)param.MASK_BOB; + sidh.EphemeralKeyGeneration_B(sk, pk); - sidh.EphemeralKeyGeneration_B(sk, pk); + // Append public key pk to secret key sk + System.Array.Copy(pk, 0, sk, param.MSG_BYTES + param.SECRETKEY_B_BYTES, param.CRYPTO_PUBLICKEYBYTES); - // Append public key pk to secret key sk - System.Array.Copy(pk, 0, sk, param.MSG_BYTES + param.SECRETKEY_B_BYTES, param.CRYPTO_PUBLICKEYBYTES); + } + return 0; } - return 0; - } - - // SIKE's encapsulation - // Input: public key pk (CRYPTO_PUBLICKEYBYTES bytes) - // Outputs: shared secret ss (CRYPTO_BYTES bytes) - // ciphertext message ct (CRYPTO_CIPHERTEXTBYTES = CRYPTO_PUBLICKEYBYTES + MSG_BYTES bytes) - public int crypto_kem_enc(byte[] ct, byte[] ss, byte[] pk, SecureRandom random) - { - if(isCompressed) + // SIKE's encapsulation + // Input: public key pk (CRYPTO_PUBLICKEYBYTES bytes) + // Outputs: shared secret ss (CRYPTO_BYTES bytes) + // ciphertext message ct (CRYPTO_CIPHERTEXTBYTES = CRYPTO_PUBLICKEYBYTES + MSG_BYTES bytes) + internal int crypto_kem_enc(byte[] ct, byte[] ss, byte[] pk, SecureRandom random) { - byte[] ephemeralsk = new byte[param.SECRETKEY_B_BYTES]; - byte[] jinvariant = new byte[param.FP2_ENCODED_BYTES]; - byte[] h = new byte[param.MSG_BYTES]; - byte[] temp = new byte[param.CRYPTO_CIPHERTEXTBYTES + param.MSG_BYTES]; + if(isCompressed) + { + byte[] ephemeralsk = new byte[param.SECRETKEY_B_BYTES]; + byte[] jinvariant = new byte[param.FP2_ENCODED_BYTES]; + byte[] h = new byte[param.MSG_BYTES]; + byte[] temp = new byte[param.CRYPTO_CIPHERTEXTBYTES + param.MSG_BYTES]; - // Generate ephemeralsk <- G(m||pk) mod oB - random.NextBytes(temp, 0, (int)param.MSG_BYTES); - System.Array.Copy(pk, 0, temp, param.MSG_BYTES, param.CRYPTO_PUBLICKEYBYTES); + // Generate ephemeralsk <- G(m||pk) mod oB + random.NextBytes(temp, 0, (int)param.MSG_BYTES); + System.Array.Copy(pk, 0, temp, param.MSG_BYTES, param.CRYPTO_PUBLICKEYBYTES); - IXof digest = new ShakeDigest(256); - digest.BlockUpdate(temp, 0, (int) (param.CRYPTO_PUBLICKEYBYTES + param.MSG_BYTES)); - digest.OutputFinal(ephemeralsk, 0, (int) param.SECRETKEY_B_BYTES); + IXof digest = new ShakeDigest(256); + digest.BlockUpdate(temp, 0, (int) (param.CRYPTO_PUBLICKEYBYTES + param.MSG_BYTES)); + digest.OutputFinal(ephemeralsk, 0, (int) param.SECRETKEY_B_BYTES); - sidhCompressed.FormatPrivKey_B(ephemeralsk); + sidhCompressed.FormatPrivKey_B(ephemeralsk); -// System.out.println("ephemeralsk: " + Hex.toHexstring(ephemeralsk)); + // System.out.println("ephemeralsk: " + Hex.toHexstring(ephemeralsk)); - // Encrypt - sidhCompressed.EphemeralKeyGeneration_B_extended(ephemeralsk, ct, 1); + // Encrypt + sidhCompressed.EphemeralKeyGeneration_B_extended(ephemeralsk, ct, 1); -// System.out.println("ct: " + Hex.toHexstring(ct)); -// System.out.println("pk: " + Hex.toHexstring(pk)); + // System.out.println("ct: " + Hex.toHexstring(ct)); + // System.out.println("pk: " + Hex.toHexstring(pk)); - sidhCompressed.EphemeralSecretAgreement_B(ephemeralsk, pk, jinvariant); + sidhCompressed.EphemeralSecretAgreement_B(ephemeralsk, pk, jinvariant); -// System.out.println("jinv: " + Hex.toHexstring(jinvariant)); + // System.out.println("jinv: " + Hex.toHexstring(jinvariant)); - digest.BlockUpdate(jinvariant, 0, (int) param.FP2_ENCODED_BYTES); - digest.OutputFinal(h, 0, (int) param.MSG_BYTES); + digest.BlockUpdate(jinvariant, 0, (int) param.FP2_ENCODED_BYTES); + digest.OutputFinal(h, 0, (int) param.MSG_BYTES); -// System.out.println("h: " + Hex.toHexstring(h)); -// System.out.println("temp: " + Hex.toHexstring(temp)); + // System.out.println("h: " + Hex.toHexstring(h)); + // System.out.println("temp: " + Hex.toHexstring(temp)); - for (int i = 0; i < param.MSG_BYTES; i++) - { - ct[i + param.PARTIALLY_COMPRESSED_CHUNK_CT] = (byte) (temp[i] ^ h[i]); - } + for (int i = 0; i < param.MSG_BYTES; i++) + { + ct[i + param.PARTIALLY_COMPRESSED_CHUNK_CT] = (byte) (temp[i] ^ h[i]); + } - // Generate shared secret ss <- H(m||ct) - System.Array.Copy(ct, 0, temp, param.MSG_BYTES, param.CRYPTO_CIPHERTEXTBYTES); + // Generate shared secret ss <- H(m||ct) + System.Array.Copy(ct, 0, temp, param.MSG_BYTES, param.CRYPTO_CIPHERTEXTBYTES); - digest.BlockUpdate(temp, 0, (int) (param.CRYPTO_CIPHERTEXTBYTES + param.MSG_BYTES)); - digest.OutputFinal(ss, 0, (int) param.CRYPTO_BYTES); - return 0; - } - else - { - byte[] ephemeralsk = new byte[param.SECRETKEY_A_BYTES]; - byte[] jinvariant = new byte[param.FP2_ENCODED_BYTES]; - byte[] h = new byte[param.MSG_BYTES]; - byte[] temp = new byte[param.CRYPTO_CIPHERTEXTBYTES + param.MSG_BYTES]; + digest.BlockUpdate(temp, 0, (int) (param.CRYPTO_CIPHERTEXTBYTES + param.MSG_BYTES)); + digest.OutputFinal(ss, 0, (int) param.CRYPTO_BYTES); + return 0; + } + else + { + byte[] ephemeralsk = new byte[param.SECRETKEY_A_BYTES]; + byte[] jinvariant = new byte[param.FP2_ENCODED_BYTES]; + byte[] h = new byte[param.MSG_BYTES]; + byte[] temp = new byte[param.CRYPTO_CIPHERTEXTBYTES + param.MSG_BYTES]; - // Generate ephemeralsk <- G(m||pk) mod oA - random.NextBytes(temp, 0, (int)param.MSG_BYTES); - System.Array.Copy(pk, 0, temp, param.MSG_BYTES, param.CRYPTO_PUBLICKEYBYTES); + // Generate ephemeralsk <- G(m||pk) mod oA + random.NextBytes(temp, 0, (int)param.MSG_BYTES); + System.Array.Copy(pk, 0, temp, param.MSG_BYTES, param.CRYPTO_PUBLICKEYBYTES); - IXof digest = new ShakeDigest(256); - digest.BlockUpdate(temp, 0, (int) (param.CRYPTO_PUBLICKEYBYTES + param.MSG_BYTES)); - digest.OutputFinal(ephemeralsk, 0, (int) param.SECRETKEY_A_BYTES); - ephemeralsk[param.SECRETKEY_A_BYTES - 1] &= (byte) param.MASK_ALICE; + IXof digest = new ShakeDigest(256); + digest.BlockUpdate(temp, 0, (int) (param.CRYPTO_PUBLICKEYBYTES + param.MSG_BYTES)); + digest.OutputFinal(ephemeralsk, 0, (int) param.SECRETKEY_A_BYTES); + ephemeralsk[param.SECRETKEY_A_BYTES - 1] &= (byte) param.MASK_ALICE; - // Encrypt - sidh.EphemeralKeyGeneration_A(ephemeralsk, ct); - sidh.EphemeralSecretAgreement_A(ephemeralsk, pk, jinvariant); + // Encrypt + sidh.EphemeralKeyGeneration_A(ephemeralsk, ct); + sidh.EphemeralSecretAgreement_A(ephemeralsk, pk, jinvariant); - digest.BlockUpdate(jinvariant, 0, (int) param.FP2_ENCODED_BYTES); - digest.OutputFinal(h, 0, (int) param.MSG_BYTES); + digest.BlockUpdate(jinvariant, 0, (int) param.FP2_ENCODED_BYTES); + digest.OutputFinal(h, 0, (int) param.MSG_BYTES); - for (int i = 0; i < param.MSG_BYTES; i++) - { - ct[i + param.CRYPTO_PUBLICKEYBYTES] = (byte) (temp[i] ^ h[i]); - } + for (int i = 0; i < param.MSG_BYTES; i++) + { + ct[i + param.CRYPTO_PUBLICKEYBYTES] = (byte) (temp[i] ^ h[i]); + } - // Generate shared secret ss <- H(m||ct) - System.Array.Copy(ct, 0, temp, param.MSG_BYTES, param.CRYPTO_CIPHERTEXTBYTES); + // Generate shared secret ss <- H(m||ct) + System.Array.Copy(ct, 0, temp, param.MSG_BYTES, param.CRYPTO_CIPHERTEXTBYTES); - digest.BlockUpdate(temp, 0, (int) (param.CRYPTO_CIPHERTEXTBYTES + param.MSG_BYTES)); - digest.OutputFinal(ss, 0, (int) param.CRYPTO_BYTES); + digest.BlockUpdate(temp, 0, (int) (param.CRYPTO_CIPHERTEXTBYTES + param.MSG_BYTES)); + digest.OutputFinal(ss, 0, (int) param.CRYPTO_BYTES); - return 0; + return 0; + } } - } - // SIKE's decapsulation - // Input: secret key sk (CRYPTO_SECRETKEYBYTES = MSG_BYTES + SECRETKEY_B_BYTES + CRYPTO_PUBLICKEYBYTES bytes) - // ciphertext message ct (CRYPTO_CIPHERTEXTBYTES = CRYPTO_PUBLICKEYBYTES + MSG_BYTES bytes) - // Outputs: shared secret ss (CRYPTO_BYTES bytes) - public int crypto_kem_dec(byte[] ss, byte[] ct, byte[] sk) - { - if (isCompressed) + // SIKE's decapsulation + // Input: secret key sk (CRYPTO_SECRETKEYBYTES = MSG_BYTES + SECRETKEY_B_BYTES + CRYPTO_PUBLICKEYBYTES bytes) + // ciphertext message ct (CRYPTO_CIPHERTEXTBYTES = CRYPTO_PUBLICKEYBYTES + MSG_BYTES bytes) + // Outputs: shared secret ss (CRYPTO_BYTES bytes) + internal int crypto_kem_dec(byte[] ss, byte[] ct, byte[] sk) { - byte[] ephemeralsk_ = new byte[param.SECRETKEY_B_BYTES]; - byte[] jinvariant_ = new byte[param.FP2_ENCODED_BYTES + 2*param.FP2_ENCODED_BYTES + param.SECRETKEY_A_BYTES], - h_ = new byte[param.MSG_BYTES]; - byte[] temp = new byte[param.CRYPTO_CIPHERTEXTBYTES + param.MSG_BYTES]; - byte[] tphiBKA_t = jinvariant_;//jinvariant_[param.FP2_ENCODED_BYTES]; + if (isCompressed) + { + byte[] ephemeralsk_ = new byte[param.SECRETKEY_B_BYTES]; + byte[] jinvariant_ = new byte[param.FP2_ENCODED_BYTES + 2*param.FP2_ENCODED_BYTES + param.SECRETKEY_A_BYTES], + h_ = new byte[param.MSG_BYTES]; + byte[] temp = new byte[param.CRYPTO_CIPHERTEXTBYTES + param.MSG_BYTES]; + byte[] tphiBKA_t = jinvariant_;//jinvariant_[param.FP2_ENCODED_BYTES]; - // Decrypt - sidhCompressed.EphemeralSecretAgreement_A_extended(sk, param.MSG_BYTES, ct, jinvariant_, 1); + // Decrypt + sidhCompressed.EphemeralSecretAgreement_A_extended(sk, param.MSG_BYTES, ct, jinvariant_, 1); - IXof digest = new ShakeDigest(256); - digest.BlockUpdate(jinvariant_, 0, (int) param.FP2_ENCODED_BYTES); - digest.OutputFinal(h_, 0, (int) param.MSG_BYTES); + IXof digest = new ShakeDigest(256); + digest.BlockUpdate(jinvariant_, 0, (int) param.FP2_ENCODED_BYTES); + digest.OutputFinal(h_, 0, (int) param.MSG_BYTES); -// System.out.println("h_: " + Hex.toHexstring(h_)); + // System.out.println("h_: " + Hex.toHexstring(h_)); - for (int i = 0; i < param.MSG_BYTES; i++) - { - temp[i] = (byte) (ct[i + param.PARTIALLY_COMPRESSED_CHUNK_CT] ^ h_[i]); - } + for (int i = 0; i < param.MSG_BYTES; i++) + { + temp[i] = (byte) (ct[i + param.PARTIALLY_COMPRESSED_CHUNK_CT] ^ h_[i]); + } - // Generate ephemeralsk_ <- G(m||pk) mod oB - System.Array.Copy(sk, param.MSG_BYTES + param.SECRETKEY_A_BYTES, temp, param.MSG_BYTES, param.CRYPTO_PUBLICKEYBYTES); + // Generate ephemeralsk_ <- G(m||pk) mod oB + System.Array.Copy(sk, param.MSG_BYTES + param.SECRETKEY_A_BYTES, temp, param.MSG_BYTES, param.CRYPTO_PUBLICKEYBYTES); - digest.BlockUpdate(temp, 0, (int) (param.CRYPTO_PUBLICKEYBYTES + param.MSG_BYTES)); - digest.OutputFinal(ephemeralsk_, 0, (int) param.SECRETKEY_B_BYTES); - sidhCompressed.FormatPrivKey_B(ephemeralsk_); + digest.BlockUpdate(temp, 0, (int) (param.CRYPTO_PUBLICKEYBYTES + param.MSG_BYTES)); + digest.OutputFinal(ephemeralsk_, 0, (int) param.SECRETKEY_B_BYTES); + sidhCompressed.FormatPrivKey_B(ephemeralsk_); - // Generate shared secret ss <- H(m||ct), or output ss <- H(s||ct) in case of ct verification failure - // No need to recompress, just check if x(phi(P) + t*phi(Q)) == x((a0 + t*a1)*R1 + (b0 + t*b1)*R2) - byte selector = sidhCompressed.validate_ciphertext(ephemeralsk_, ct, sk, param.MSG_BYTES + param.SECRETKEY_A_BYTES + param.CRYPTO_PUBLICKEYBYTES, tphiBKA_t, param.FP2_ENCODED_BYTES); - // If ct validation passes (selector = 0) then do ss = H(m||ct), otherwise (selector = -1) load s to do ss = H(s||ct) - fpx.ct_cmov(temp, sk, param.MSG_BYTES, selector); + // Generate shared secret ss <- H(m||ct), or output ss <- H(s||ct) in case of ct verification failure + // No need to recompress, just check if x(phi(P) + t*phi(Q)) == x((a0 + t*a1)*R1 + (b0 + t*b1)*R2) + byte selector = sidhCompressed.validate_ciphertext(ephemeralsk_, ct, sk, param.MSG_BYTES + param.SECRETKEY_A_BYTES + param.CRYPTO_PUBLICKEYBYTES, tphiBKA_t, param.FP2_ENCODED_BYTES); + // If ct validation passes (selector = 0) then do ss = H(m||ct), otherwise (selector = -1) load s to do ss = H(s||ct) + fpx.ct_cmov(temp, sk, param.MSG_BYTES, selector); - System.Array.Copy(ct, 0, temp, param.MSG_BYTES, param.CRYPTO_CIPHERTEXTBYTES); - digest.BlockUpdate(temp, 0, (int) (param.CRYPTO_CIPHERTEXTBYTES + param.MSG_BYTES)); - digest.OutputFinal(ss, 0, (int) param.CRYPTO_BYTES); + System.Array.Copy(ct, 0, temp, param.MSG_BYTES, param.CRYPTO_CIPHERTEXTBYTES); + digest.BlockUpdate(temp, 0, (int) (param.CRYPTO_CIPHERTEXTBYTES + param.MSG_BYTES)); + digest.OutputFinal(ss, 0, (int) param.CRYPTO_BYTES); - return 0; - } - else - { - byte[] ephemeralsk_ = new byte[param.SECRETKEY_A_BYTES]; - byte[] jinvariant_ = new byte[param.FP2_ENCODED_BYTES]; - byte[] h_ = new byte[param.MSG_BYTES]; - byte[] c0_ = new byte[param.CRYPTO_PUBLICKEYBYTES]; - byte[] temp = new byte[param.CRYPTO_CIPHERTEXTBYTES + param.MSG_BYTES]; - - // Decrypt - // int EphemeralSecretAgreement_B(PrivateKeyB, PublicKeyA, SharedSecretB) - sidh.EphemeralSecretAgreement_B(sk, ct, jinvariant_); - - IXof digest = new ShakeDigest(256); - digest.BlockUpdate(jinvariant_, 0, (int) param.FP2_ENCODED_BYTES); - digest.OutputFinal(h_, 0, (int) param.MSG_BYTES); - for (int i = 0; i < param.MSG_BYTES; i++) - { - temp[i] = (byte) (ct[i + param.CRYPTO_PUBLICKEYBYTES] ^ h_[i]); + return 0; } + else + { + byte[] ephemeralsk_ = new byte[param.SECRETKEY_A_BYTES]; + byte[] jinvariant_ = new byte[param.FP2_ENCODED_BYTES]; + byte[] h_ = new byte[param.MSG_BYTES]; + byte[] c0_ = new byte[param.CRYPTO_PUBLICKEYBYTES]; + byte[] temp = new byte[param.CRYPTO_CIPHERTEXTBYTES + param.MSG_BYTES]; - // Generate ephemeralsk_ <- G(m||pk) mod oA - System.Array.Copy(sk, param.MSG_BYTES + param.SECRETKEY_B_BYTES, temp, param.MSG_BYTES, param.CRYPTO_PUBLICKEYBYTES); + // Decrypt + // int EphemeralSecretAgreement_B(PrivateKeyB, PublicKeyA, SharedSecretB) + sidh.EphemeralSecretAgreement_B(sk, ct, jinvariant_); - digest.BlockUpdate(temp, 0, (int) (param.CRYPTO_PUBLICKEYBYTES + param.MSG_BYTES)); - digest.OutputFinal(ephemeralsk_, 0, (int) param.SECRETKEY_A_BYTES); - ephemeralsk_[param.SECRETKEY_A_BYTES - 1] &= (byte) param.MASK_ALICE; + IXof digest = new ShakeDigest(256); + digest.BlockUpdate(jinvariant_, 0, (int) param.FP2_ENCODED_BYTES); + digest.OutputFinal(h_, 0, (int) param.MSG_BYTES); + for (int i = 0; i < param.MSG_BYTES; i++) + { + temp[i] = (byte) (ct[i + param.CRYPTO_PUBLICKEYBYTES] ^ h_[i]); + } + // Generate ephemeralsk_ <- G(m||pk) mod oA + System.Array.Copy(sk, param.MSG_BYTES + param.SECRETKEY_B_BYTES, temp, param.MSG_BYTES, param.CRYPTO_PUBLICKEYBYTES); - // Generate shared secret ss <- H(m||ct), or output ss <- H(s||ct) in case of ct verification failure - sidh.EphemeralKeyGeneration_A(ephemeralsk_, c0_); + digest.BlockUpdate(temp, 0, (int) (param.CRYPTO_PUBLICKEYBYTES + param.MSG_BYTES)); + digest.OutputFinal(ephemeralsk_, 0, (int) param.SECRETKEY_A_BYTES); + ephemeralsk_[param.SECRETKEY_A_BYTES - 1] &= (byte) param.MASK_ALICE; - // If selector = 0 then do ss = H(m||ct), else if selector = -1 load s to do ss = H(s||ct) - byte selector = fpx.ct_compare(c0_, ct, param.CRYPTO_PUBLICKEYBYTES); - fpx.ct_cmov(temp, sk, param.MSG_BYTES, selector); - System.Array.Copy(ct, 0, temp, param.MSG_BYTES, param.CRYPTO_CIPHERTEXTBYTES); - digest.BlockUpdate(temp, 0, (int) (param.CRYPTO_CIPHERTEXTBYTES + param.MSG_BYTES)); - digest.OutputFinal(ss, 0, (int) param.CRYPTO_BYTES); + // Generate shared secret ss <- H(m||ct), or output ss <- H(s||ct) in case of ct verification failure + sidh.EphemeralKeyGeneration_A(ephemeralsk_, c0_); - return 0; + // If selector = 0 then do ss = H(m||ct), else if selector = -1 load s to do ss = H(s||ct) + byte selector = fpx.ct_compare(c0_, ct, param.CRYPTO_PUBLICKEYBYTES); + fpx.ct_cmov(temp, sk, param.MSG_BYTES, selector); + + System.Array.Copy(ct, 0, temp, param.MSG_BYTES, param.CRYPTO_CIPHERTEXTBYTES); + digest.BlockUpdate(temp, 0, (int) (param.CRYPTO_CIPHERTEXTBYTES + param.MSG_BYTES)); + digest.OutputFinal(ss, 0, (int) param.CRYPTO_BYTES); + + return 0; + } } } - } - -} \ No newline at end of file diff --git a/crypto/src/pqc/crypto/sike/SIKEKEMExtractor.cs b/crypto/src/pqc/crypto/sike/SIKEKEMExtractor.cs index 5a0aa4a9e..879f1d8ef 100644 --- a/crypto/src/pqc/crypto/sike/SIKEKEMExtractor.cs +++ b/crypto/src/pqc/crypto/sike/SIKEKEMExtractor.cs @@ -27,10 +27,10 @@ namespace Org.BouncyCastle.Pqc.Crypto.Sike public byte[] ExtractSecret(byte[] encapsulation) { - return ExtractSecret(encapsulation, engine.GetDefaultSessionKeySize()); + return ExtractSecret(encapsulation, (int)engine.GetDefaultSessionKeySize()); } - public byte[] ExtractSecret(byte[] encapsulation, uint sessionKeySizeInBits) + public byte[] ExtractSecret(byte[] encapsulation, int sessionKeySizeInBits) { Console.Error.WriteLine("WARNING: the SIKE algorithm is only for research purposes, insecure"); byte[] session_key = new byte[sessionKeySizeInBits / 8]; diff --git a/crypto/src/pqc/crypto/sike/SIKEKEMGenerator.cs b/crypto/src/pqc/crypto/sike/SIKEKEMGenerator.cs index 94bdb606b..5e4bd41eb 100644 --- a/crypto/src/pqc/crypto/sike/SIKEKEMGenerator.cs +++ b/crypto/src/pqc/crypto/sike/SIKEKEMGenerator.cs @@ -23,10 +23,11 @@ namespace Org.BouncyCastle.Pqc.Crypto.Sike SikePublicKeyParameters key = (SikePublicKeyParameters)recipientKey; SikeEngine engine = key.Parameters.Engine; - return GenerateEncapsulated(recipientKey, engine.GetDefaultSessionKeySize()); + return GenerateEncapsulated(recipientKey, (int)engine.GetDefaultSessionKeySize()); } - public ISecretWithEncapsulation GenerateEncapsulated(AsymmetricKeyParameter recipientKey, uint sessionKeySizeInBits) + public ISecretWithEncapsulation GenerateEncapsulated(AsymmetricKeyParameter recipientKey, + int sessionKeySizeInBits) { Console.Error.WriteLine("WARNING: the SIKE algorithm is only for research purposes, insecure"); SikePublicKeyParameters key = (SikePublicKeyParameters)recipientKey; diff --git a/crypto/src/pqc/crypto/sphincsplus/SPHINCSPlusParameters.cs b/crypto/src/pqc/crypto/sphincsplus/SPHINCSPlusParameters.cs index e8a95fd2f..8cde7cf7f 100644 --- a/crypto/src/pqc/crypto/sphincsplus/SPHINCSPlusParameters.cs +++ b/crypto/src/pqc/crypto/sphincsplus/SPHINCSPlusParameters.cs @@ -1,3 +1,4 @@ +using System; using System.Collections.Generic; using Org.BouncyCastle.Crypto.Utilities; @@ -265,9 +266,9 @@ namespace Org.BouncyCastle.Pqc.Crypto.SphincsPlus * @param id the oid of interest. * @return the parameter set. */ - public static SphincsPlusParameters GetParams(uint id) + public static SphincsPlusParameters GetParams(int id) { - return oidToParams[id]; + return oidToParams[Convert.ToUInt32(id)]; } /** @@ -276,14 +277,14 @@ namespace Org.BouncyCastle.Pqc.Crypto.SphincsPlus * @param params the parameters of interest. * @return the OID for the parameter set. */ - public static uint GetID(SphincsPlusParameters parameters) + public static int GetID(SphincsPlusParameters parameters) { - return paramsToOid[parameters]; + return Convert.ToInt32(paramsToOid[parameters]); } public byte[] GetEncoded() { - return Pack.UInt32_To_BE(GetID(this)); + return Pack.UInt32_To_BE((uint)GetID(this)); } } diff --git a/crypto/src/pqc/crypto/sphincsplus/SPHINCSPlusPrivateKeyParameters.cs b/crypto/src/pqc/crypto/sphincsplus/SPHINCSPlusPrivateKeyParameters.cs index ed5195da2..55757b927 100644 --- a/crypto/src/pqc/crypto/sphincsplus/SPHINCSPlusPrivateKeyParameters.cs +++ b/crypto/src/pqc/crypto/sphincsplus/SPHINCSPlusPrivateKeyParameters.cs @@ -53,13 +53,13 @@ namespace Org.BouncyCastle.Pqc.Crypto.SphincsPlus public byte[] GetEncoded() { - var id = Pack.UInt32_To_BE(SphincsPlusParameters.GetID(Parameters)); + var id = Pack.UInt32_To_BE((uint)SphincsPlusParameters.GetID(Parameters)); return Arrays.ConcatenateAll(id, m_sk.seed, m_sk.prf, m_pk.seed, m_pk.root); } public byte[] GetEncodedPublicKey() { - var id = Pack.UInt32_To_BE(SphincsPlusParameters.GetID(Parameters)); + var id = Pack.UInt32_To_BE((uint)SphincsPlusParameters.GetID(Parameters)); return Arrays.ConcatenateAll(id, m_pk.seed, m_pk.root); } } diff --git a/crypto/src/pqc/crypto/sphincsplus/SPHINCSPlusPublicKeyParameters.cs b/crypto/src/pqc/crypto/sphincsplus/SPHINCSPlusPublicKeyParameters.cs index 96e9324cc..b34843998 100644 --- a/crypto/src/pqc/crypto/sphincsplus/SPHINCSPlusPublicKeyParameters.cs +++ b/crypto/src/pqc/crypto/sphincsplus/SPHINCSPlusPublicKeyParameters.cs @@ -38,7 +38,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.SphincsPlus public byte[] GetEncoded() { - var id = Pack.UInt32_To_BE(SphincsPlusParameters.GetID(Parameters)); + var id = Pack.UInt32_To_BE((uint)SphincsPlusParameters.GetID(Parameters)); return Arrays.ConcatenateAll(id, m_pk.seed, m_pk.root); } } diff --git a/crypto/src/pqc/crypto/utils/PqcUtilities.cs b/crypto/src/pqc/crypto/utils/PqcUtilities.cs index adb82b6a3..67e58fd28 100644 --- a/crypto/src/pqc/crypto/utils/PqcUtilities.cs +++ b/crypto/src/pqc/crypto/utils/PqcUtilities.cs @@ -25,10 +25,12 @@ namespace Org.BouncyCastle.Pqc.Crypto.Utilities private readonly static Dictionary<PicnicParameters, DerObjectIdentifier> picnicOids = new Dictionary<PicnicParameters, DerObjectIdentifier>(); private readonly static Dictionary<DerObjectIdentifier, PicnicParameters> picnicParams = new Dictionary<DerObjectIdentifier, PicnicParameters>(); - + +#pragma warning disable CS0618 // Type or member is obsolete private readonly static Dictionary<SikeParameters, DerObjectIdentifier> sikeOids = new Dictionary<SikeParameters, DerObjectIdentifier>(); private readonly static Dictionary<DerObjectIdentifier, SikeParameters> sikeParams = new Dictionary<DerObjectIdentifier, SikeParameters>(); - +#pragma warning restore CS0618 // Type or member is obsolete + private readonly static Dictionary<KyberParameters, DerObjectIdentifier> kyberOids = new Dictionary<KyberParameters, DerObjectIdentifier>(); private readonly static Dictionary<DerObjectIdentifier, KyberParameters> kyberParams = new Dictionary<DerObjectIdentifier, KyberParameters>(); @@ -132,7 +134,8 @@ namespace Org.BouncyCastle.Pqc.Crypto.Utilities picnicParams[BCObjectIdentifiers.picnicl1full] = PicnicParameters.picnicl1full; picnicParams[BCObjectIdentifiers.picnicl3full] = PicnicParameters.picnicl3full; picnicParams[BCObjectIdentifiers.picnicl5full] = PicnicParameters.picnicl5full; - + +#pragma warning disable CS0618 // Type or member is obsolete sikeParams[BCObjectIdentifiers.sikep434] = SikeParameters.sikep434; sikeParams[BCObjectIdentifiers.sikep503] = SikeParameters.sikep503; sikeParams[BCObjectIdentifiers.sikep610] = SikeParameters.sikep610; @@ -141,7 +144,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Utilities sikeParams[BCObjectIdentifiers.sikep503_compressed] = SikeParameters.sikep503_compressed; sikeParams[BCObjectIdentifiers.sikep610_compressed] = SikeParameters.sikep610_compressed; sikeParams[BCObjectIdentifiers.sikep751_compressed] = SikeParameters.sikep751_compressed; - + sikeOids[SikeParameters.sikep434] = BCObjectIdentifiers.sikep434; sikeOids[SikeParameters.sikep503] = BCObjectIdentifiers.sikep503; sikeOids[SikeParameters.sikep610] = BCObjectIdentifiers.sikep610; @@ -150,7 +153,8 @@ namespace Org.BouncyCastle.Pqc.Crypto.Utilities sikeOids[SikeParameters.sikep503_compressed] = BCObjectIdentifiers.sikep503_compressed; sikeOids[SikeParameters.sikep610_compressed] = BCObjectIdentifiers.sikep610_compressed; sikeOids[SikeParameters.sikep751_compressed] = BCObjectIdentifiers.sikep751_compressed; - +#pragma warning restore CS0618 // Type or member is obsolete + kyberOids[KyberParameters.kyber512] = BCObjectIdentifiers.kyber512; kyberOids[KyberParameters.kyber768] = BCObjectIdentifiers.kyber768; kyberOids[KyberParameters.kyber1024] = BCObjectIdentifiers.kyber1024; @@ -248,17 +252,13 @@ namespace Org.BouncyCastle.Pqc.Crypto.Utilities internal static DerObjectIdentifier SphincsPlusOidLookup(SphincsPlusParameters parameters) { - uint pId = SphincsPlusParameters.GetID(parameters); + int pId = SphincsPlusParameters.GetID(parameters); if ((pId & 0x020000) == 0x020000) - { return BCObjectIdentifiers.sphincsPlus_shake_256; - } if ((pId & 0x05) == 0x05 || (pId & 0x06) == 0x06) - { return BCObjectIdentifiers.sphincsPlus_sha_512; - } return BCObjectIdentifiers.sphincsPlus_sha_256; } @@ -272,6 +272,8 @@ namespace Org.BouncyCastle.Pqc.Crypto.Utilities { return picnicParams[oid]; } + +#pragma warning disable CS0618 // Type or member is obsolete internal static DerObjectIdentifier SikeOidLookup(SikeParameters parameters) { return sikeOids[parameters]; @@ -281,6 +283,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Utilities { return sikeParams[oid]; } +#pragma warning restore CS0618 // Type or member is obsolete internal static DerObjectIdentifier BikeOidLookup(BikeParameters parameters) { diff --git a/crypto/src/pqc/crypto/utils/PrivateKeyFactory.cs b/crypto/src/pqc/crypto/utils/PrivateKeyFactory.cs index 7db65dbfb..6ad9bdb0c 100644 --- a/crypto/src/pqc/crypto/utils/PrivateKeyFactory.cs +++ b/crypto/src/pqc/crypto/utils/PrivateKeyFactory.cs @@ -81,7 +81,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Utilities if (algOID.On(BCObjectIdentifiers.sphincsPlus)) { byte[] keyEnc = Asn1OctetString.GetInstance(keyInfo.ParsePrivateKey()).GetOctets(); - SphincsPlusParameters spParams = SphincsPlusParameters.GetParams((uint)BigInteger.ValueOf(Pack.BE_To_UInt32(keyEnc, 0)).IntValue); + SphincsPlusParameters spParams = SphincsPlusParameters.GetParams(BigInteger.ValueOf(Pack.BE_To_UInt32(keyEnc, 0)).IntValue); return new SphincsPlusPrivateKeyParameters(spParams, Arrays.CopyOfRange(keyEnc, 4, keyEnc.Length)); } @@ -99,6 +99,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Utilities return new PicnicPrivateKeyParameters(picnicParams, keyEnc); } +#pragma warning disable CS0618 // Type or member is obsolete if (algOID.On(BCObjectIdentifiers.pqc_kem_sike)) { byte[] keyEnc = Asn1OctetString.GetInstance(keyInfo.ParsePrivateKey()).GetOctets(); @@ -106,6 +107,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Utilities return new SikePrivateKeyParameters(sikeParams, keyEnc); } +#pragma warning restore CS0618 // Type or member is obsolete if (algOID.On(BCObjectIdentifiers.pqc_kem_bike)) { byte[] keyEnc = Asn1OctetString.GetInstance(keyInfo.ParsePrivateKey()).GetOctets(); diff --git a/crypto/src/pqc/crypto/utils/PrivateKeyInfoFactory.cs b/crypto/src/pqc/crypto/utils/PrivateKeyInfoFactory.cs index 806eae8b7..53b34b3f4 100644 --- a/crypto/src/pqc/crypto/utils/PrivateKeyInfoFactory.cs +++ b/crypto/src/pqc/crypto/utils/PrivateKeyInfoFactory.cs @@ -93,6 +93,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Utilities PqcUtilities.PicnicOidLookup(picnicPrivateKeyParameters.Parameters)); return new PrivateKeyInfo(algorithmIdentifier, new DerOctetString(encoding), attributes); } +#pragma warning disable CS0618 // Type or member is obsolete if (privateKey is SikePrivateKeyParameters sikePrivateKeyParameters) { byte[] encoding = sikePrivateKeyParameters.GetEncoded(); @@ -101,14 +102,15 @@ namespace Org.BouncyCastle.Pqc.Crypto.Utilities PqcUtilities.SikeOidLookup(sikePrivateKeyParameters.Parameters)); return new PrivateKeyInfo(algorithmIdentifier, new DerOctetString(encoding), attributes); } +#pragma warning restore CS0618 // Type or member is obsolete if (privateKey is FalconPrivateKeyParameters falconPrivateKeyParameters) { Asn1EncodableVector v = new Asn1EncodableVector(); v.Add(new DerInteger(1)); - v.Add(new DerOctetString(falconPrivateKeyParameters.GetSpolyf())); + v.Add(new DerOctetString(falconPrivateKeyParameters.GetSpolyLittleF())); v.Add(new DerOctetString(falconPrivateKeyParameters.GetG())); - v.Add(new DerOctetString(falconPrivateKeyParameters.GetSpolyF())); + v.Add(new DerOctetString(falconPrivateKeyParameters.GetSpolyBigF())); AlgorithmIdentifier algorithmIdentifier = new AlgorithmIdentifier( PqcUtilities.FalconOidLookup(falconPrivateKeyParameters.Parameters)); diff --git a/crypto/src/pqc/crypto/utils/PublicKeyFactory.cs b/crypto/src/pqc/crypto/utils/PublicKeyFactory.cs index 5d55a73aa..9eea279b1 100644 --- a/crypto/src/pqc/crypto/utils/PublicKeyFactory.cs +++ b/crypto/src/pqc/crypto/utils/PublicKeyFactory.cs @@ -82,7 +82,8 @@ namespace Org.BouncyCastle.Pqc.Crypto.Utilities Converters[BCObjectIdentifiers.picnicl1full] = new PicnicConverter(); Converters[BCObjectIdentifiers.picnicl3full] = new PicnicConverter(); Converters[BCObjectIdentifiers.picnicl5full] = new PicnicConverter(); - + +#pragma warning disable CS0618 // Type or member is obsolete Converters[BCObjectIdentifiers.sikep434] = new SikeConverter(); Converters[BCObjectIdentifiers.sikep503] = new SikeConverter(); Converters[BCObjectIdentifiers.sikep610] = new SikeConverter(); @@ -91,7 +92,8 @@ namespace Org.BouncyCastle.Pqc.Crypto.Utilities Converters[BCObjectIdentifiers.sikep503_compressed] = new SikeConverter(); Converters[BCObjectIdentifiers.sikep610_compressed] = new SikeConverter(); Converters[BCObjectIdentifiers.sikep751_compressed] = new SikeConverter(); - +#pragma warning restore CS0618 // Type or member is obsolete + Converters[BCObjectIdentifiers.dilithium2] = new DilithiumConverter(); Converters[BCObjectIdentifiers.dilithium3] = new DilithiumConverter(); Converters[BCObjectIdentifiers.dilithium5] = new DilithiumConverter(); @@ -197,11 +199,11 @@ namespace Org.BouncyCastle.Pqc.Crypto.Utilities { internal override AsymmetricKeyParameter GetPublicKeyParameters(SubjectPublicKeyInfo keyInfo, object defaultParams) { - byte[] keyEnc = DerOctetString.GetInstance(keyInfo.ParsePublicKey()).GetOctets(); + byte[] keyEnc = Asn1OctetString.GetInstance(keyInfo.ParsePublicKey()).GetOctets(); - SphincsPlusParameters spParams = SphincsPlusParameters.GetParams((uint)BigInteger.ValueOf(Pack.BE_To_UInt32(keyEnc, 0)).IntValue); + SphincsPlusParameters spParams = SphincsPlusParameters.GetParams((int)Pack.BE_To_UInt32(keyEnc, 0)); - return new SphincsPlusPublicKeyParameters(spParams, Arrays.CopyOfRange(keyEnc, 4, keyEnc.Length)); + return new SphincsPlusPublicKeyParameters(spParams, Arrays.CopyOfRange(keyEnc, 4, keyEnc.Length)); } } @@ -223,7 +225,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Utilities { internal override AsymmetricKeyParameter GetPublicKeyParameters(SubjectPublicKeyInfo keyInfo, object defaultParams) { - byte[] keyEnc = DerOctetString.GetInstance( + byte[] keyEnc = Asn1OctetString.GetInstance( DerSequence.GetInstance(keyInfo.ParsePublicKey())[0]).GetOctets(); SaberParameters saberParams = PqcUtilities.SaberParamsLookup(keyInfo.AlgorithmID.Algorithm); @@ -237,19 +239,20 @@ namespace Org.BouncyCastle.Pqc.Crypto.Utilities { internal override AsymmetricKeyParameter GetPublicKeyParameters(SubjectPublicKeyInfo keyInfo, object defaultParams) { - byte[] keyEnc = DerOctetString.GetInstance(keyInfo.ParsePublicKey()).GetOctets(); + byte[] keyEnc = Asn1OctetString.GetInstance(keyInfo.ParsePublicKey()).GetOctets(); PicnicParameters picnicParams = PqcUtilities.PicnicParamsLookup(keyInfo.AlgorithmID.Algorithm); return new PicnicPublicKeyParameters(picnicParams, keyEnc); } } + [Obsolete("Will be removed")] private class SikeConverter : SubjectPublicKeyInfoConverter { internal override AsymmetricKeyParameter GetPublicKeyParameters(SubjectPublicKeyInfo keyInfo, object defaultParams) { - byte[] keyEnc = DerOctetString.GetInstance(keyInfo.ParsePublicKey()).GetOctets(); + byte[] keyEnc = Asn1OctetString.GetInstance(keyInfo.ParsePublicKey()).GetOctets(); SikeParameters sikeParams = PqcUtilities.SikeParamsLookup(keyInfo.AlgorithmID.Algorithm); diff --git a/crypto/src/pqc/crypto/utils/SubjectPublicKeyInfoFactory.cs b/crypto/src/pqc/crypto/utils/SubjectPublicKeyInfoFactory.cs index 39d437320..b88834e50 100644 --- a/crypto/src/pqc/crypto/utils/SubjectPublicKeyInfoFactory.cs +++ b/crypto/src/pqc/crypto/utils/SubjectPublicKeyInfoFactory.cs @@ -89,6 +89,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Utilities PqcUtilities.PicnicOidLookup(picnicPublicKeyParameters.Parameters)); return new SubjectPublicKeyInfo(algorithmIdentifier, new DerOctetString(encoding)); } +#pragma warning disable CS0618 // Type or member is obsolete if (publicKey is SikePublicKeyParameters sikePublicKeyParameters) { byte[] encoding = sikePublicKeyParameters.GetEncoded(); @@ -97,6 +98,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Utilities PqcUtilities.SikeOidLookup(sikePublicKeyParameters.Parameters)); return new SubjectPublicKeyInfo(algorithmIdentifier, new DerOctetString(encoding)); } +#pragma warning restore CS0618 // Type or member is obsolete if (publicKey is FalconPublicKeyParameters falconPublicKeyParameters) { byte[] encoding = falconPublicKeyParameters.GetEncoded(); diff --git a/crypto/test/BouncyCastle.Crypto.Tests.csproj b/crypto/test/BouncyCastle.Crypto.Tests.csproj index 9e9282f05..77a873a2a 100644 --- a/crypto/test/BouncyCastle.Crypto.Tests.csproj +++ b/crypto/test/BouncyCastle.Crypto.Tests.csproj @@ -5,7 +5,7 @@ <IsPackable>false</IsPackable> <SignAssembly>false</SignAssembly> <EnableDefaultItems>false</EnableDefaultItems> - <NoWarn>1591</NoWarn> + <NoWarn>618;1591</NoWarn> <RootNamespace>Org.BouncyCastle</RootNamespace> </PropertyGroup> diff --git a/crypto/test/src/math/test/BigIntegerTest.cs b/crypto/test/src/math/test/BigIntegerTest.cs index f5973c197..8f477d684 100644 --- a/crypto/test/src/math/test/BigIntegerTest.cs +++ b/crypto/test/src/math/test/BigIntegerTest.cs @@ -773,11 +773,13 @@ namespace Org.BouncyCastle.Math.Tests BigInteger x = new BigInteger(128, random); object y; +#pragma warning disable SYSLIB0011 // Type or member is obsolete var formatter = new BinaryFormatter(); formatter.Serialize(buf, x); buf.Position = 0; y = formatter.Deserialize(buf); +#pragma warning restore SYSLIB0011 // Type or member is obsolete Assert.AreEqual(buf.Length, buf.Position); Assert.AreEqual(x, y); |