diff --git a/crypto/src/asn1/Asn1GeneralizedTime.cs b/crypto/src/asn1/Asn1GeneralizedTime.cs
index e844c8ca2..139384c1a 100644
--- a/crypto/src/asn1/Asn1GeneralizedTime.cs
+++ b/crypto/src/asn1/Asn1GeneralizedTime.cs
@@ -11,8 +11,7 @@ namespace Org.BouncyCastle.Asn1
* Base class representing the ASN.1 GeneralizedTime type.
* <p>
* The main difference between these and UTC time is a 4 digit year.
- * </p>
- * <p>
+ * </p><p>
* One second resolution date+time on UTC timezone (Z)
* with 4 digit year (valid from 0001 to 9999).
* </p><p>
@@ -24,18 +23,18 @@ namespace Org.BouncyCastle.Asn1
*
* <h3>11: Restrictions on BER employed by both CER and DER</h3>
* <h4>11.7 GeneralizedTime </h4>
- * <p>
+ * </p><p>
* <b>11.7.1</b> The encoding shall terminate with a "Z",
* as described in the ITU-T Rec. X.680 | ISO/IEC 8824-1 clause on
* GeneralizedTime.
* </p><p>
* <b>11.7.2</b> The seconds element shall always be present.
- * </p>
- * <p>
+ * </p><p>
* <b>11.7.3</b> The fractional-seconds elements, if present,
* shall omit all trailing zeros; if the elements correspond to 0,
* they shall be wholly omitted, and the decimal point element also
* shall be omitted.
+ * </p>
*/
public class Asn1GeneralizedTime
: Asn1Object
diff --git a/crypto/src/asn1/cmp/CertReqTemplateContent.cs b/crypto/src/asn1/cmp/CertReqTemplateContent.cs
index b229cd28b..c25c71ad1 100644
--- a/crypto/src/asn1/cmp/CertReqTemplateContent.cs
+++ b/crypto/src/asn1/cmp/CertReqTemplateContent.cs
@@ -9,12 +9,13 @@ namespace Org.BouncyCastle.Asn1.Cmp
* GenRep: {id-it 19}, CertReqTemplateContent | < absent >
* <p>
* CertReqTemplateValue ::= CertReqTemplateContent
- * <p>
+ * </p><p>
* CertReqTemplateContent ::= SEQUENCE {
* certTemplate CertTemplate,
* keySpec Controls OPTIONAL }
- * <p>
+ * </p><p>
* Controls ::= SEQUENCE SIZE (1..MAX) OF AttributeTypeAndValue
+ * </p>
*/
public class CertReqTemplateContent
: Asn1Encodable
diff --git a/crypto/src/asn1/cmp/CmpObjectIdentifiers.cs b/crypto/src/asn1/cmp/CmpObjectIdentifiers.cs
index fa83841a4..1b3227c47 100644
--- a/crypto/src/asn1/cmp/CmpObjectIdentifiers.cs
+++ b/crypto/src/asn1/cmp/CmpObjectIdentifiers.cs
@@ -234,8 +234,9 @@ namespace Org.BouncyCastle.Asn1.Cmp
* 1.2.840.113549.1.9.16.1.21
* <p>
* id-ct OBJECT IDENTIFIER ::= { id-smime 1 } -- content types
- * <p>
+ * </p><p>
* id-ct-encKeyWithID OBJECT IDENTIFIER ::= {id-ct 21}
+ * </p>
*/
public static readonly DerObjectIdentifier ct_encKeyWithID = new DerObjectIdentifier("1.2.840.113549.1.9.16.1.21");
diff --git a/crypto/src/asn1/cmp/CrlSource.cs b/crypto/src/asn1/cmp/CrlSource.cs
index 13aaa526a..9e2526ec2 100644
--- a/crypto/src/asn1/cmp/CrlSource.cs
+++ b/crypto/src/asn1/cmp/CrlSource.cs
@@ -12,7 +12,7 @@ namespace Org.BouncyCastle.Asn1.Cmp
* CRLSource ::= CHOICE {
* dpn [0] DistributionPointName,
* issuer [1] GeneralNames }
- * <p>
+ * </p>
*/
public class CrlSource
: Asn1Encodable, IAsn1Choice
diff --git a/crypto/src/asn1/cmp/RootCaKeyUpdateContent.cs b/crypto/src/asn1/cmp/RootCaKeyUpdateContent.cs
index b1eaf616d..696b08b94 100644
--- a/crypto/src/asn1/cmp/RootCaKeyUpdateContent.cs
+++ b/crypto/src/asn1/cmp/RootCaKeyUpdateContent.cs
@@ -7,14 +7,15 @@ namespace Org.BouncyCastle.Asn1.Cmp
* GenRep: {id-it 18}, RootCaKeyUpdateContent | < absent >
* <p>
* RootCaCertValue ::= CMPCertificate
- * <p>
+ * </p><p>
* RootCaKeyUpdateValue ::= RootCaKeyUpdateContent
- * <p>
+ * </p><p>
* RootCaKeyUpdateContent ::= SEQUENCE {
* newWithNew CMPCertificate,
* newWithOld [0] CMPCertificate OPTIONAL,
* oldWithNew [1] CMPCertificate OPTIONAL
* }
+ * </p>
*/
public class RootCaKeyUpdateContent
: Asn1Encodable
diff --git a/crypto/src/cms/CMSAuthenticatedDataGenerator.cs b/crypto/src/cms/CMSAuthenticatedDataGenerator.cs
index 6c68bccd1..f6827157c 100644
--- a/crypto/src/cms/CMSAuthenticatedDataGenerator.cs
+++ b/crypto/src/cms/CMSAuthenticatedDataGenerator.cs
@@ -62,9 +62,7 @@ namespace Org.BouncyCastle.Cms
Asn1Encodable asn1Params = GenerateAsn1Parameters(macOid, encKeyBytes);
- ICipherParameters cipherParameters;
- macAlgId = GetAlgorithmIdentifier(
- macOid, encKey, asn1Params, out cipherParameters);
+ macAlgId = GetAlgorithmIdentifier(macOid, encKey, asn1Params, out var cipherParameters);
IMac mac = MacUtilities.GetMac(macOid);
// TODO Confirm no ParametersWithRandom needed
@@ -72,7 +70,7 @@ namespace Org.BouncyCastle.Cms
// mac.Init(cipherParameters);
mac.Init(encKey);
- MemoryStream bOut = new MemoryStream();
+ var bOut = new MemoryStream();
Stream mOut = new TeeOutputStream(bOut, new MacSink(mac));
content.Write(mOut);
@@ -97,7 +95,7 @@ namespace Org.BouncyCastle.Cms
throw new CmsException("exception decoding algorithm parameters.", e);
}
- Asn1EncodableVector recipientInfos = new Asn1EncodableVector();
+ var recipientInfos = new Asn1EncodableVector();
foreach (RecipientInfoGenerator rig in recipientInfoGenerators)
{
@@ -115,11 +113,11 @@ namespace Org.BouncyCastle.Cms
}
}
- ContentInfo eci = new ContentInfo(CmsObjectIdentifiers.Data, encContent);
-
- ContentInfo contentInfo = new ContentInfo(
- CmsObjectIdentifiers.AuthenticatedData,
- new AuthenticatedData(null, new DerSet(recipientInfos), macAlgId, null, eci, null, macResult, null));
+ var eci = new ContentInfo(CmsObjectIdentifiers.Data, encContent);
+
+ var contentInfo = new ContentInfo(
+ CmsObjectIdentifiers.AuthenticatedData,
+ new AuthenticatedData(null, new DerSet(recipientInfos), macAlgId, null, eci, null, macResult, null));
return new CmsAuthenticatedData(contentInfo);
}
diff --git a/crypto/src/crypto/engines/Grain128AEADEngine.cs b/crypto/src/crypto/engines/Grain128AEADEngine.cs
index 174d010f3..c05cb0115 100644
--- a/crypto/src/crypto/engines/Grain128AEADEngine.cs
+++ b/crypto/src/crypto/engines/Grain128AEADEngine.cs
@@ -43,7 +43,7 @@ namespace Org.BouncyCastle.Crypto.Engines
*/
public void Init(bool forEncryption, ICipherParameters param)
{
- /**
+ /*
* Grain encryption and decryption is completely symmetrical, so the
* 'forEncryption' is irrelevant.
*/
@@ -62,7 +62,7 @@ namespace Org.BouncyCastle.Crypto.Engines
if (keyBytes.Length != 16)
throw new ArgumentException("Grain-128AEAD key must be 128 bits long");
- /**
+ /*
* Initialize variables.
*/
workingIV = new byte[keyBytes.Length];
@@ -238,7 +238,7 @@ namespace Org.BouncyCastle.Crypto.Engines
workingKey = keyBytes;
workingIV = ivBytes;
- /**
+ /*
* Load NFSR and LFSR
*/
Pack.LE_To_UInt32(workingKey, 0, nfsr);
diff --git a/crypto/src/crypto/modes/OCBBlockCipher.cs b/crypto/src/crypto/modes/OCBBlockCipher.cs
index 8cc701cca..e67b4e9af 100644
--- a/crypto/src/crypto/modes/OCBBlockCipher.cs
+++ b/crypto/src/crypto/modes/OCBBlockCipher.cs
@@ -13,7 +13,7 @@ namespace Org.BouncyCastle.Crypto.Modes
/// <para>https://mailarchive.ietf.org/arch/msg/cfrg/qLTveWOdTJcLn4HP3ev-vrj05Vg/</para>
/// Text reproduced below:
/// <para>
- /// Phillip Rogaway<rogaway@cs.ucdavis.edu&rt; Sat, 27 February 2021 02:46 UTC
+ /// Phillip Rogaway<rogaway@cs.ucdavis.edu> Sat, 27 February 2021 02:46 UTC
///
/// I can confirm that I have abandoned all OCB patents and placed into the public domain all OCB-related IP of
/// mine. While I have been telling people this for quite some time, I don't think I ever made a proper announcement
diff --git a/crypto/src/pqc/crypto/cmce/CmceEngine.cs b/crypto/src/pqc/crypto/cmce/CmceEngine.cs
index 10b08e708..96595ecc0 100644
--- a/crypto/src/pqc/crypto/cmce/CmceEngine.cs
+++ b/crypto/src/pqc/crypto/cmce/CmceEngine.cs
@@ -173,7 +173,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Cmce
{
buf[i] = perm[i];
buf[i] <<= 31;
- buf[i] |= i;
+ buf[i] |= (uint)i;
buf[i] &= 0x7fffffffffffffffL; // getting rid of signed longs
}
Sort64(buf, 0, buf.Length);
@@ -1162,7 +1162,9 @@ namespace Org.BouncyCastle.Pqc.Crypto.Cmce
{
for (x = 0; x < n; ++x)
{
- temp[(int)x] = ((GetQShort(temp, (int)(qIndex + x)) ^ 1) << 16) | GetQShort(temp, (int)((qIndex) + (x ^ 1)));
+ ushort t0 = (ushort)GetQShort(temp, (int)(qIndex + x));
+ ushort t1 = (ushort)GetQShort(temp, (int)(qIndex + (x ^ 1)));
+ temp[(int)x] = ((t0 ^ 1) << 16) | t1;
}
}
Sort32(temp, 0, (int)n); /* A = (id<<16)+pibar */
@@ -1181,7 +1183,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Cmce
for (x = 0; x < n; ++x)
{
- temp[(int)x] = (int)((temp[(int)x] << 16) | x); /* A = (pibar<<16)+id */
+ temp[(int)x] = (int)((uint)(temp[(int)x] << 16) | x); /* A = (pibar<<16)+id */
}
Sort32(temp, 0, (int)n); /* A = (id<<16)+pibar^-1 */
@@ -1204,7 +1206,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Cmce
for (x = 0; x < n; ++x)
{
- temp[(int)x] = (int)(((temp[(int)(n + x)] & ~0x3ff) << 6) | x); /* A = (p<<16)+id */
+ temp[(int)x] = (int)(((uint)(temp[(int)(n + x)] & ~0x3ff) << 6) | x); /* A = (p<<16)+id */
}
Sort32(temp, 0, (int)n); /* A = (id<<16)+p^{-1} */
@@ -1241,7 +1243,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Cmce
/* B = (p<<16)+c */
for (x = 0; x < n; ++x)
{
- temp[(int)x] = (int)((temp[(int)(n + x)] & ~0xffff) | x);
+ temp[(int)x] = (int)((uint)(temp[(int)(n + x)] & ~0xffff) | x);
}
Sort32(temp, 0, (int)n); /* A = (id<<16)+p^(-1) */
for (x = 0; x < n; ++x)
@@ -1375,7 +1377,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Cmce
{
buf[i] = perm[i];
buf[i] <<= 31;
- buf[i] |= i;
+ buf[i] |= (uint)i;
// buf[i] &= 0x7fffffffffffffffL; // getting rid of signed longs
}
// Sort32 the buffer
diff --git a/crypto/src/pqc/crypto/crystals/dilithium/PolyVecK.cs b/crypto/src/pqc/crypto/crystals/dilithium/PolyVecK.cs
index facbc1f33..315ce6ab0 100644
--- a/crypto/src/pqc/crypto/crystals/dilithium/PolyVecK.cs
+++ b/crypto/src/pqc/crypto/crystals/dilithium/PolyVecK.cs
@@ -2,21 +2,20 @@
{
internal class PolyVecK
{
- public Poly[] Vec;
- private DilithiumEngine Engine;
- private int Mode;
- private int PolyVecBytes;
- private int K;
- private int L;
+ public readonly Poly[] Vec;
+ private readonly DilithiumEngine Engine;
+ //private readonly int Mode;
+ private readonly int K;
+ //private readonly int L;
public PolyVecK(DilithiumEngine Engine)
{
this.Engine = Engine;
- Mode = Engine.Mode;
+ //Mode = Engine.Mode;
K = Engine.K;
- L = Engine.L;
+ //L = Engine.L;
Vec = new Poly[K];
-
+
for (int i = 0; i < K; i++)
{
Vec[i] = new Poly(Engine);
@@ -25,9 +24,8 @@
public void UniformEta(byte[] seed, ushort nonce)
{
- int i;
ushort n = nonce;
- for (i = 0; i < K; i++)
+ for (int i = 0; i < K; i++)
{
Vec[i].UniformEta(seed, n++);
}
@@ -99,8 +97,7 @@
public void PackW1(byte[] r)
{
- int i;
- for (i = 0; i < K; i++)
+ for (int i = 0; i < K; i++)
{
Vec[i].PackW1(r, i * Engine.PolyW1PackedBytes);
}
@@ -119,21 +116,18 @@
for (int i = 0; i < K; ++i)
{
if (Vec[i].CheckNorm(bound))
- {
return true;
- }
}
return false;
}
public int MakeHint(PolyVecK v0, PolyVecK v1)
{
- int i, s = 0;
- for (i = 0; i < K; ++i)
+ int s = 0;
+ for (int i = 0; i < K; ++i)
{
s += Vec[i].PolyMakeHint(v0.Vec[i], v1.Vec[i]);
}
-
return s;
}
@@ -152,6 +146,5 @@
Vec[i].ShiftLeft();
}
}
-
}
}
diff --git a/crypto/src/pqc/crypto/crystals/dilithium/PolyVecL.cs b/crypto/src/pqc/crypto/crystals/dilithium/PolyVecL.cs
index 58c286768..0a87c2070 100644
--- a/crypto/src/pqc/crypto/crystals/dilithium/PolyVecL.cs
+++ b/crypto/src/pqc/crypto/crystals/dilithium/PolyVecL.cs
@@ -2,17 +2,16 @@
{
internal class PolyVecL
{
- public Poly[] Vec;
- private DilithiumEngine Engine;
- private int Mode;
- private int PolyVecBytes;
- private int L;
- private int K;
+ public readonly Poly[] Vec;
+ //private DilithiumEngine Engine;
+ //private int Mode;
+ private readonly int L;
+ private readonly int K;
public PolyVecL(DilithiumEngine Engine)
{
- this.Engine = Engine;
- Mode = Engine.Mode;
+ //this.Engine = Engine;
+ //Mode = Engine.Mode;
L = Engine.L;
K = Engine.K;
Vec = new Poly[L];
@@ -24,8 +23,7 @@
public void UniformEta(byte[] seed, ushort nonce)
{
- int i;
- for (i = 0; i < L; i++)
+ for (int i = 0; i < L; i++)
{
Vec[i].UniformEta(seed, nonce++);
}
diff --git a/crypto/src/pqc/crypto/crystals/kyber/KyberEngine.cs b/crypto/src/pqc/crypto/crystals/kyber/KyberEngine.cs
index bf9d5ee3c..e30115a95 100644
--- a/crypto/src/pqc/crypto/crystals/kyber/KyberEngine.cs
+++ b/crypto/src/pqc/crypto/crystals/kyber/KyberEngine.cs
@@ -138,7 +138,6 @@ namespace Org.BouncyCastle.Pqc.Crypto.Crystals.Kyber
internal void KemDecrypt(byte[] sharedSecret, byte[] cipherText, byte[] secretKey)
{
- int i;
byte[] buf = new byte[2 * SymBytes], kr = new byte[2 * SymBytes], cmp = new byte[CipherTextBytes];
byte[] pk = Arrays.CopyOfRange(secretKey, IndCpaSecretKeyBytes, secretKey.Length);
m_indCpa.Decrypt(buf, cipherText, secretKey);
@@ -161,7 +160,6 @@ namespace Org.BouncyCastle.Pqc.Crypto.Crystals.Kyber
private void CMov(byte[] r, byte[] x, int len, bool b)
{
- int i;
if (b)
{
Array.Copy(x, 0, r, 0, len);
diff --git a/crypto/src/pqc/crypto/crystals/kyber/KyberIndCpa.cs b/crypto/src/pqc/crypto/crystals/kyber/KyberIndCpa.cs
index b3be4770d..9400b776e 100644
--- a/crypto/src/pqc/crypto/crystals/kyber/KyberIndCpa.cs
+++ b/crypto/src/pqc/crypto/crystals/kyber/KyberIndCpa.cs
@@ -138,7 +138,6 @@ namespace Org.BouncyCastle.Pqc.Crypto.Crystals.Kyber
private void PackPublicKey(out byte[] pk, PolyVec pkpv, byte[] seed)
{
- int i;
pk = new byte[m_engine.IndCpaPublicKeyBytes];
pkpv.ToBytes(pk);
Array.Copy(seed, 0, pk, m_engine.PolyVecBytes, KyberEngine.SymBytes);
@@ -146,7 +145,6 @@ namespace Org.BouncyCastle.Pqc.Crypto.Crystals.Kyber
private void UnpackPublicKey(PolyVec pkpv, byte[] seed, byte[] pk)
{
- int i;
pkpv.FromBytes(pk);
Array.Copy(pk, m_engine.PolyVecBytes, seed, 0, KyberEngine.SymBytes);
}
diff --git a/crypto/src/pqc/crypto/falcon/FalconKeyPairGenerator.cs b/crypto/src/pqc/crypto/falcon/FalconKeyPairGenerator.cs
index eafd1a9eb..68f90c97f 100644
--- a/crypto/src/pqc/crypto/falcon/FalconKeyPairGenerator.cs
+++ b/crypto/src/pqc/crypto/falcon/FalconKeyPairGenerator.cs
@@ -8,7 +8,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Falcon
{
private FalconKeyGenerationParameters parameters;
private SecureRandom random;
- private FalconNIST nist;
+ private FalconNist nist;
private uint logn;
private uint noncelen;
@@ -18,32 +18,31 @@ namespace Org.BouncyCastle.Pqc.Crypto.Falcon
{
this.parameters = (FalconKeyGenerationParameters)param;
this.random = param.Random;
- this.logn = ((FalconKeyGenerationParameters)param).Parameters.LogN;
- this.noncelen = ((FalconKeyGenerationParameters)param).Parameters.NonceLength;
- this.nist = new FalconNIST(random, logn, noncelen);
+ this.logn = (uint)((FalconKeyGenerationParameters)param).Parameters.LogN;
+ this.noncelen = (uint)((FalconKeyGenerationParameters)param).Parameters.NonceLength;
+ this.nist = new FalconNist(random, logn, noncelen);
int n = 1 << (int)this.logn;
- int sk_coeff_size = 8;
- if (n == 1024)
- {
- sk_coeff_size = 5;
- }
- else if (n == 256 || n == 512)
- {
- sk_coeff_size = 6;
- }
- else if (n == 64 || n == 128)
- {
- sk_coeff_size = 7;
- }
+ //int sk_coeff_size = 8;
+ //if (n == 1024)
+ //{
+ // sk_coeff_size = 5;
+ //}
+ //else if (n == 256 || n == 512)
+ //{
+ // sk_coeff_size = 6;
+ //}
+ //else if (n == 64 || n == 128)
+ //{
+ // sk_coeff_size = 7;
+ //}
this.pk_size = 1 + (14 * n / 8);
}
public AsymmetricCipherKeyPair GenerateKeyPair()
{
- byte[] pk, sk, f, g, F;
- nist.crypto_sign_keypair(out pk, out f, out g, out F);
- FalconParameters p = ((FalconKeyGenerationParameters)this.parameters).Parameters;
+ nist.crypto_sign_keypair(out byte[] pk, out byte[] f, out byte[] g, out byte[] F);
+ FalconParameters p = this.parameters.Parameters;
FalconPrivateKeyParameters privk = new FalconPrivateKeyParameters(p, f, g, F, pk);
FalconPublicKeyParameters pubk = new FalconPublicKeyParameters(p, pk);
return new AsymmetricCipherKeyPair(pubk, privk);
diff --git a/crypto/src/pqc/crypto/falcon/FalconKeyParameters.cs b/crypto/src/pqc/crypto/falcon/FalconKeyParameters.cs
index 95a546994..bb1252706 100644
--- a/crypto/src/pqc/crypto/falcon/FalconKeyParameters.cs
+++ b/crypto/src/pqc/crypto/falcon/FalconKeyParameters.cs
@@ -3,7 +3,7 @@ using Org.BouncyCastle.Crypto;
namespace Org.BouncyCastle.Pqc.Crypto.Falcon
{
- public class FalconKeyParameters
+ public abstract class FalconKeyParameters
: AsymmetricKeyParameter
{
private FalconParameters parameters;
diff --git a/crypto/src/pqc/crypto/falcon/FalconNIST.cs b/crypto/src/pqc/crypto/falcon/FalconNIST.cs
index cce790734..0d2ba46e0 100644
--- a/crypto/src/pqc/crypto/falcon/FalconNIST.cs
+++ b/crypto/src/pqc/crypto/falcon/FalconNIST.cs
@@ -1,10 +1,11 @@
using System;
+
using Org.BouncyCastle.Security;
using Org.BouncyCastle.Utilities;
namespace Org.BouncyCastle.Pqc.Crypto.Falcon
{
- class FalconNIST
+ internal class FalconNist
{
private FalconCodec codec;
private FalconVrfy vrfy;
@@ -26,7 +27,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Falcon
return this.CRYPTO_BYTES;
}
- internal FalconNIST(SecureRandom random, uint logn, uint noncelen) {
+ internal FalconNist(SecureRandom random, uint logn, uint noncelen) {
this.logn = logn;
this.codec = new FalconCodec();
this.common = new FalconCommon();
diff --git a/crypto/src/pqc/crypto/falcon/FalconParameters.cs b/crypto/src/pqc/crypto/falcon/FalconParameters.cs
index 4a9bc598f..10d22a241 100644
--- a/crypto/src/pqc/crypto/falcon/FalconParameters.cs
+++ b/crypto/src/pqc/crypto/falcon/FalconParameters.cs
@@ -1,16 +1,17 @@
using Org.BouncyCastle.Crypto;
+using System;
namespace Org.BouncyCastle.Pqc.Crypto.Falcon
{
public sealed class FalconParameters
: ICipherParameters
{
- public static FalconParameters falcon_512 = new FalconParameters("falcon512", 9, 40);
- public static FalconParameters falcon_1024 = new FalconParameters("falcon1024", 10, 40);
+ public static readonly FalconParameters falcon_512 = new FalconParameters("falcon512", 9, 40);
+ public static readonly FalconParameters falcon_1024 = new FalconParameters("falcon1024", 10, 40);
- private string name;
- private uint logn;
- private uint nonce_length;
+ private readonly string name;
+ private readonly uint logn;
+ private readonly uint nonce_length;
private FalconParameters(string name, uint logn, uint nonce_length)
{
@@ -19,9 +20,9 @@ namespace Org.BouncyCastle.Pqc.Crypto.Falcon
this.nonce_length = nonce_length;
}
- public uint LogN => logn;
+ public int LogN => Convert.ToInt32(logn);
- public uint NonceLength => nonce_length;
+ public int NonceLength => Convert.ToInt32(nonce_length);
public string Name => name;
}
diff --git a/crypto/src/pqc/crypto/falcon/FalconPrivateKeyParameters.cs b/crypto/src/pqc/crypto/falcon/FalconPrivateKeyParameters.cs
index c912a222c..12b055add 100644
--- a/crypto/src/pqc/crypto/falcon/FalconPrivateKeyParameters.cs
+++ b/crypto/src/pqc/crypto/falcon/FalconPrivateKeyParameters.cs
@@ -3,13 +3,13 @@ using Org.BouncyCastle.Utilities;
namespace Org.BouncyCastle.Pqc.Crypto.Falcon
{
- public class FalconPrivateKeyParameters
+ public sealed class FalconPrivateKeyParameters
: FalconKeyParameters
{
- private byte[] pk;
- private byte[] f;
- private byte[] g;
- private byte[] F;
+ private readonly byte[] pk;
+ private readonly byte[] f;
+ private readonly byte[] g;
+ private readonly byte[] F;
public FalconPrivateKeyParameters(FalconParameters parameters, byte[] f, byte[] g, byte[] F, byte[] pk_encoded)
: base(true, parameters)
@@ -30,7 +30,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Falcon
return Arrays.Clone(pk);
}
- public byte[] GetSpolyf()
+ public byte[] GetSpolyLittleF()
{
return Arrays.Clone(f);
}
@@ -40,7 +40,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Falcon
return Arrays.Clone(g);
}
- public byte[] GetSpolyF()
+ public byte[] GetSpolyBigF()
{
return Arrays.Clone(F);
}
diff --git a/crypto/src/pqc/crypto/falcon/FalconPublicKeyParameters.cs b/crypto/src/pqc/crypto/falcon/FalconPublicKeyParameters.cs
index 72bb11948..fa6b627ab 100644
--- a/crypto/src/pqc/crypto/falcon/FalconPublicKeyParameters.cs
+++ b/crypto/src/pqc/crypto/falcon/FalconPublicKeyParameters.cs
@@ -2,10 +2,10 @@ using Org.BouncyCastle.Utilities;
namespace Org.BouncyCastle.Pqc.Crypto.Falcon
{
- public class FalconPublicKeyParameters
+ public sealed class FalconPublicKeyParameters
: FalconKeyParameters
{
- private byte[] publicKey;
+ private readonly byte[] publicKey;
public FalconPublicKeyParameters(FalconParameters parameters, byte[] h)
: base(false, parameters)
diff --git a/crypto/src/pqc/crypto/falcon/FalconSigner.cs b/crypto/src/pqc/crypto/falcon/FalconSigner.cs
index f581386ee..e77e84102 100644
--- a/crypto/src/pqc/crypto/falcon/FalconSigner.cs
+++ b/crypto/src/pqc/crypto/falcon/FalconSigner.cs
@@ -9,7 +9,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Falcon
: IMessageSigner
{
private byte[] encodedkey;
- private FalconNIST nist;
+ private FalconNist nist;
public void Init(bool forSigning, ICipherParameters param)
{
@@ -19,29 +19,29 @@ namespace Org.BouncyCastle.Pqc.Crypto.Falcon
{
FalconPrivateKeyParameters skparam = (FalconPrivateKeyParameters)withRandom.Parameters;
encodedkey = skparam.GetEncoded();
- nist = new FalconNIST(
+ nist = new FalconNist(
withRandom.Random,
- skparam.Parameters.LogN,
- skparam.Parameters.NonceLength);
+ (uint)skparam.Parameters.LogN,
+ (uint)skparam.Parameters.NonceLength);
}
else
{
FalconPrivateKeyParameters skparam = (FalconPrivateKeyParameters)param;
encodedkey = ((FalconPrivateKeyParameters)param).GetEncoded();
- nist = new FalconNIST(
+ nist = new FalconNist(
CryptoServicesRegistrar.GetSecureRandom(),
- skparam.Parameters.LogN,
- skparam.Parameters.NonceLength);
+ (uint)skparam.Parameters.LogN,
+ (uint)skparam.Parameters.NonceLength);
}
}
else
{
FalconPublicKeyParameters pkparam = (FalconPublicKeyParameters)param;
encodedkey = pkparam.GetEncoded();
- nist = new FalconNIST(
+ nist = new FalconNist(
CryptoServicesRegistrar.GetSecureRandom(),
- pkparam.Parameters.LogN,
- pkparam.Parameters.NonceLength);
+ (uint)pkparam.Parameters.LogN,
+ (uint)pkparam.Parameters.NonceLength);
}
}
diff --git a/crypto/src/pqc/crypto/hqc/ReedSolomon.cs b/crypto/src/pqc/crypto/hqc/ReedSolomon.cs
index 8e7fc664d..25a8c7997 100644
--- a/crypto/src/pqc/crypto/hqc/ReedSolomon.cs
+++ b/crypto/src/pqc/crypto/hqc/ReedSolomon.cs
@@ -28,7 +28,6 @@ namespace Org.BouncyCastle.Pqc.Crypto.Hqc
for (int j = 0; j < paramG; j++)
{
tmp[j] = GFCalculator.mult(gateValue, rsPoly[j]);
- int n = 1;
}
for (int j = n1 - paramK - 1; j > 0; j--)
diff --git a/crypto/src/pqc/crypto/lms/Composer.cs b/crypto/src/pqc/crypto/lms/Composer.cs
index b897f4b68..6ad044e34 100644
--- a/crypto/src/pqc/crypto/lms/Composer.cs
+++ b/crypto/src/pqc/crypto/lms/Composer.cs
@@ -1,4 +1,3 @@
-using System;
using System.IO;
using Org.BouncyCastle.Utilities;
@@ -38,7 +37,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Lms
return this;
}
- public Composer U16Str(uint n)
+ public Composer U16Str(int n)
{
n &= 0xFFFF;
bos.WriteByte((byte)(n >> 8));
@@ -72,7 +71,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Lms
return this;
}
- public Composer Bytes(byte[][] arrays)
+ public Composer Bytes2(byte[][] arrays)
{
foreach (byte[] array in arrays)
{
@@ -81,7 +80,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Lms
return this;
}
- public Composer Bytes(byte[][] arrays, int start, int end)
+ public Composer Bytes2(byte[][] arrays, int start, int end)
{
int j = start;
while (j != end)
diff --git a/crypto/src/pqc/crypto/lms/LMOtsParameters.cs b/crypto/src/pqc/crypto/lms/LMOtsParameters.cs
index e05b1650a..60bf28d50 100644
--- a/crypto/src/pqc/crypto/lms/LMOtsParameters.cs
+++ b/crypto/src/pqc/crypto/lms/LMOtsParameters.cs
@@ -1,3 +1,4 @@
+using System;
using System.Collections.Generic;
using Org.BouncyCastle.Asn1;
@@ -53,7 +54,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Lms
public int Ls => m_ls;
- public uint SigLen => m_sigLen;
+ public int SigLen => Convert.ToInt32(m_sigLen);
public DerObjectIdentifier DigestOid => m_digestOid;
diff --git a/crypto/src/pqc/crypto/lms/LMOtsPrivateKey.cs b/crypto/src/pqc/crypto/lms/LMOtsPrivateKey.cs
index e9df6fbfd..20b717af6 100644
--- a/crypto/src/pqc/crypto/lms/LMOtsPrivateKey.cs
+++ b/crypto/src/pqc/crypto/lms/LMOtsPrivateKey.cs
@@ -30,7 +30,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Lms
LmsUtilities.ByteArray(m_I, ctx);
LmsUtilities.U32Str(m_q, ctx);
- LmsUtilities.U16Str(LMOts.D_MESG, ctx);
+ LmsUtilities.U16Str((short)LMOts.D_MESG, ctx);
LmsUtilities.ByteArray(C, ctx);
return new LmsContext(this, sigParams, ctx, C, path);
diff --git a/crypto/src/pqc/crypto/lms/LMOtsPublicKey.cs b/crypto/src/pqc/crypto/lms/LMOtsPublicKey.cs
index 09e8b2951..ef3d4aced 100644
--- a/crypto/src/pqc/crypto/lms/LMOtsPublicKey.cs
+++ b/crypto/src/pqc/crypto/lms/LMOtsPublicKey.cs
@@ -109,7 +109,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Lms
LmsUtilities.ByteArray(m_I, ctx);
LmsUtilities.U32Str(m_q, ctx);
- LmsUtilities.U16Str(LMOts.D_MESG, ctx);
+ LmsUtilities.U16Str((short)LMOts.D_MESG, ctx);
LmsUtilities.ByteArray(signature.C, ctx);
return new LmsContext(this, signature, ctx);
@@ -121,7 +121,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Lms
LmsUtilities.ByteArray(m_I, ctx);
LmsUtilities.U32Str(m_q, ctx);
- LmsUtilities.U16Str(LMOts.D_MESG, ctx);
+ LmsUtilities.U16Str((short)LMOts.D_MESG, ctx);
LmsUtilities.ByteArray(signature.OtsSignature.C, ctx);
return new LmsContext(this, signature, ctx);
diff --git a/crypto/src/pqc/crypto/lms/LMS.cs b/crypto/src/pqc/crypto/lms/LMS.cs
index 3c17b0a1e..6174d3889 100644
--- a/crypto/src/pqc/crypto/lms/LMS.cs
+++ b/crypto/src/pqc/crypto/lms/LMS.cs
@@ -100,7 +100,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Lms
H.BlockUpdate(I, 0, I.Length);
LmsUtilities.U32Str(node_num, H);
- LmsUtilities.U16Str(D_LEAF, H);
+ LmsUtilities.U16Str((short)D_LEAF, H);
H.BlockUpdate(Kc, 0, Kc.Length);
H.DoFinal(tmp, 0);
@@ -113,7 +113,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Lms
// is odd
H.BlockUpdate(I, 0, I.Length);
LmsUtilities.U32Str(node_num / 2, H);
- LmsUtilities.U16Str(D_INTR, H);
+ LmsUtilities.U16Str((short)D_INTR, H);
H.BlockUpdate(path[i], 0, path[i].Length);
H.BlockUpdate(tmp, 0, tmp.Length);
H.DoFinal(tmp, 0);
@@ -122,7 +122,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Lms
{
H.BlockUpdate(I, 0, I.Length);
LmsUtilities.U32Str(node_num / 2, H);
- LmsUtilities.U16Str(D_INTR, H);
+ LmsUtilities.U16Str((short)D_INTR, H);
H.BlockUpdate(tmp, 0, tmp.Length);
H.BlockUpdate(path[i], 0, path[i].Length);
H.DoFinal(tmp, 0);
diff --git a/crypto/src/pqc/crypto/lms/LMSPrivateKeyParameters.cs b/crypto/src/pqc/crypto/lms/LMSPrivateKeyParameters.cs
index dcdeb7ab5..278cbb04b 100644
--- a/crypto/src/pqc/crypto/lms/LMSPrivateKeyParameters.cs
+++ b/crypto/src/pqc/crypto/lms/LMSPrivateKeyParameters.cs
@@ -324,7 +324,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Lms
{
LmsUtilities.ByteArray(this.GetI(), tDigest);
LmsUtilities.U32Str(r, tDigest);
- LmsUtilities.U16Str(Lms.D_LEAF, tDigest);
+ LmsUtilities.U16Str((short)Lms.D_LEAF, tDigest);
//
// These can be pre generated at the time of key generation and held within the private key.
// However it will cost memory to have them stick around.
@@ -343,7 +343,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Lms
LmsUtilities.ByteArray(this.GetI(), tDigest);
LmsUtilities.U32Str(r, tDigest);
- LmsUtilities.U16Str(Lms.D_INTR, tDigest);
+ LmsUtilities.U16Str((short)Lms.D_INTR, tDigest);
LmsUtilities.ByteArray(t2r, tDigest);
LmsUtilities.ByteArray(t2rPlus1, tDigest);
T = new byte[tDigest.GetDigestSize()];
diff --git a/crypto/src/pqc/crypto/lms/LMSSignature.cs b/crypto/src/pqc/crypto/lms/LMSSignature.cs
index f5d355297..a1ae475c1 100644
--- a/crypto/src/pqc/crypto/lms/LMSSignature.cs
+++ b/crypto/src/pqc/crypto/lms/LMSSignature.cs
@@ -123,7 +123,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Lms
.U32Str(q)
.Bytes(otsSignature.GetEncoded())
.U32Str(parameter.ID)
- .Bytes(y)
+ .Bytes2(y)
.Build();
}
diff --git a/crypto/src/pqc/crypto/lms/LM_OTS.cs b/crypto/src/pqc/crypto/lms/LM_OTS.cs
index c3cd3da90..0aa5c580e 100644
--- a/crypto/src/pqc/crypto/lms/LM_OTS.cs
+++ b/crypto/src/pqc/crypto/lms/LM_OTS.cs
@@ -220,7 +220,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Lms
IDigest finalContext = DigestUtilities.GetDigest(parameter.DigestOid);
LmsUtilities.ByteArray(I, finalContext);
LmsUtilities.U32Str(q, finalContext);
- LmsUtilities.U16Str(D_PBLC, finalContext);
+ LmsUtilities.U16Str((short)D_PBLC, finalContext);
byte[] tmp = Composer.Compose()
.Bytes(I)
diff --git a/crypto/src/pqc/crypto/lms/LmsUtils.cs b/crypto/src/pqc/crypto/lms/LmsUtils.cs
index da3f457d2..e99dfe585 100644
--- a/crypto/src/pqc/crypto/lms/LmsUtils.cs
+++ b/crypto/src/pqc/crypto/lms/LmsUtils.cs
@@ -14,7 +14,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Lms
d.Update((byte)(n));
}
- public static void U16Str(ushort n, IDigest d)
+ public static void U16Str(short n, IDigest d)
{
d.Update((byte)(n >> 8));
d.Update((byte)(n));
diff --git a/crypto/src/pqc/crypto/picnic/KMatrices.cs b/crypto/src/pqc/crypto/picnic/KMatrices.cs
index 64e6be00a..a6d280985 100644
--- a/crypto/src/pqc/crypto/picnic/KMatrices.cs
+++ b/crypto/src/pqc/crypto/picnic/KMatrices.cs
@@ -1,5 +1,3 @@
-using Org.BouncyCastle.Utilities;
-
namespace Org.BouncyCastle.Pqc.Crypto.Picnic
{
internal class KMatrices
@@ -9,36 +7,35 @@ namespace Org.BouncyCastle.Pqc.Crypto.Picnic
private int columns;
private uint[] data;
- public KMatrices(int nmatrices, int rows, int columns, uint[] data)
+ internal KMatrices(int nmatrices, int rows, int columns, uint[] data)
{
this.nmatrices = nmatrices;
this.rows = rows;
this.columns = columns;
this.data = data;
}
-
- public int GetNmatrices()
+ internal int GetNmatrices()
{
return nmatrices;
}
- public int GetSize()
+ internal int GetSize()
{
return rows * columns;
}
- public int GetRows()
+ internal int GetRows()
{
return rows;
}
- public int GetColumns()
+ internal int GetColumns()
{
return columns;
}
- public uint[] GetData()
+ internal uint[] GetData()
{
return data;
}
@@ -48,20 +45,21 @@ namespace Org.BouncyCastle.Pqc.Crypto.Picnic
: KMatrices
{
private int matrixPointer;
- public int GetMatrixPointer()
+
+ internal int GetMatrixPointer()
{
return matrixPointer;
}
- public void SetMatrixPointer(int matrixPointer)
+ internal void SetMatrixPointer(int matrixPointer)
{
this.matrixPointer = matrixPointer;
}
- public KMatricesWithPointer(KMatrices m)
+ internal KMatricesWithPointer(KMatrices m)
: base(m.GetNmatrices(), m.GetRows(), m.GetColumns(), m.GetData())
{
this.matrixPointer = 0;
}
}
-}
\ No newline at end of file
+}
diff --git a/crypto/src/pqc/crypto/picnic/Msg.cs b/crypto/src/pqc/crypto/picnic/Msg.cs
index 4a8c145e7..a9a13b383 100644
--- a/crypto/src/pqc/crypto/picnic/Msg.cs
+++ b/crypto/src/pqc/crypto/picnic/Msg.cs
@@ -1,12 +1,12 @@
namespace Org.BouncyCastle.Pqc.Crypto.Picnic
{
- public class Msg
+ internal class Msg
{
internal byte[][] msgs; // One for each player
internal int pos;
internal int unopened; // Index of the unopened party, or -1 if all parties opened (when signing)
- public Msg(PicnicEngine engine)
+ internal Msg(PicnicEngine engine)
{
msgs = new byte[engine.numMPCParties][]; // engine.andSizeBytes
for (int i = 0; i < engine.numMPCParties; i++)
@@ -17,4 +17,4 @@ namespace Org.BouncyCastle.Pqc.Crypto.Picnic
unopened = -1;
}
}
-}
\ No newline at end of file
+}
diff --git a/crypto/src/pqc/crypto/picnic/PicnicEngine.cs b/crypto/src/pqc/crypto/picnic/PicnicEngine.cs
index 0e2a4b54f..5557ddcff 100644
--- a/crypto/src/pqc/crypto/picnic/PicnicEngine.cs
+++ b/crypto/src/pqc/crypto/picnic/PicnicEngine.cs
@@ -8,17 +8,17 @@ using Org.BouncyCastle.Utilities;
namespace Org.BouncyCastle.Pqc.Crypto.Picnic
{
- public class PicnicEngine
+ internal sealed class PicnicEngine
{
// same for all parameter sets
- protected internal static readonly int saltSizeBytes = 32;
+ internal static readonly int saltSizeBytes = 32;
private static readonly uint MAX_DIGEST_SIZE = 64;
private static readonly int WORD_SIZE_BITS = 32; // the word size for the implementation. Not a LowMC parameter
private static readonly uint LOWMC_MAX_STATE_SIZE = 64;
- protected internal static readonly uint LOWMC_MAX_WORDS = (LOWMC_MAX_STATE_SIZE / 4);
- protected internal static readonly uint LOWMC_MAX_KEY_BITS = 256;
- protected internal static readonly uint LOWMC_MAX_AND_GATES = (3 * 38 * 10 + 4); /* Rounded to nearest byte */
+ internal static readonly uint LOWMC_MAX_WORDS = (LOWMC_MAX_STATE_SIZE / 4);
+ internal static readonly uint LOWMC_MAX_KEY_BITS = 256;
+ internal static readonly uint LOWMC_MAX_AND_GATES = (3 * 38 * 10 + 4); /* Rounded to nearest byte */
private static readonly uint MAX_AUX_BYTES = ((LOWMC_MAX_AND_GATES + LOWMC_MAX_KEY_BITS) / 8 + 1);
/* Maximum lengths in bytes */
@@ -28,8 +28,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Picnic
/** Largest serialized public key size, in bytes */
private static readonly uint PICNIC_MAX_PRIVATEKEY_SIZE = (3 * PICNIC_MAX_LOWMC_BLOCK_SIZE + 2);
- /** Largest serialized private key size, in bytes */
- private static readonly uint PICNIC_MAX_SIGNATURE_SIZE = 209522;
+ //private static readonly uint PICNIC_MAX_SIGNATURE_SIZE = 209522;
/** Largest signature size, in bytes */
@@ -47,45 +46,45 @@ namespace Org.BouncyCastle.Pqc.Crypto.Picnic
// varies between parameter sets
- protected internal int numRounds;
+ internal int numRounds;
private int numSboxes;
- protected internal int stateSizeBits;
- protected internal int stateSizeBytes;
- protected internal int stateSizeWords;
- protected internal int andSizeBytes;
+ internal int stateSizeBits;
+ internal int stateSizeBytes;
+ internal int stateSizeWords;
+ internal int andSizeBytes;
private int UnruhGWithoutInputBytes;
- protected internal int UnruhGWithInputBytes;
- protected internal int numMPCRounds; // T
- protected internal int numOpenedRounds; // u
- protected internal int numMPCParties; // N
- protected internal int seedSizeBytes;
- protected internal int digestSizeBytes;
- protected internal int pqSecurityLevel;
+ internal int UnruhGWithInputBytes;
+ internal int numMPCRounds; // T
+ internal int numOpenedRounds; // u
+ internal int numMPCParties; // N
+ internal int seedSizeBytes;
+ internal int digestSizeBytes;
+ internal int pqSecurityLevel;
///
private uint transform;
private int parameters;
- protected internal IXof digest;
+ internal IXof digest;
private int signatureLength;
- public int GetSecretKeySize()
+ internal int GetSecretKeySize()
{
return CRYPTO_SECRETKEYBYTES;
}
- public int GetPublicKeySize()
+ internal int GetPublicKeySize()
{
return CRYPTO_PUBLICKEYBYTES;
}
- public int GetSignatureSize(int messageLength)
+ internal int GetSignatureSize(int messageLength)
{
return CRYPTO_BYTES + messageLength;
}
//todo dont do this
- public int GetTrueSignatureSize()
+ internal int GetTrueSignatureSize()
{
return signatureLength + 4;
}
@@ -95,174 +94,174 @@ namespace Org.BouncyCastle.Pqc.Crypto.Picnic
parameters = picnicParams;
switch (parameters)
{
- case 1:
- case 2:
- /*Picnic_L1_FS
- Picnic_L1_UR*/
- pqSecurityLevel = 64;
- stateSizeBits = 128;
- numMPCRounds = 219;
- numMPCParties = 3;
- numSboxes = 10;
- numRounds = 20;
- digestSizeBytes = 32;
- break;
- case 3:
- case 4:
- /* Picnic_L3_FS
- Picnic_L3_UR*/
- pqSecurityLevel = 96;
- stateSizeBits = 192;
- numMPCRounds = 329;
- numMPCParties = 3;
- numSboxes = 10;
- numRounds = 30;
- digestSizeBytes = 48;
- break;
- case 5:
- case 6:
- /* Picnic_L5_FS
- Picnic_L5_UR*/
- pqSecurityLevel = 128;
- stateSizeBits = 256;
- numMPCRounds = 438;
- numMPCParties = 3;
- numSboxes = 10;
- numRounds = 38;
- digestSizeBytes = 64;
- break;
- case 7:
- /*Picnic3_L1*/
- pqSecurityLevel = 64;
- stateSizeBits = 129;
- numMPCRounds = 250;
- numOpenedRounds = 36;
- numMPCParties = 16;
- numSboxes = 43;
- numRounds = 4;
- digestSizeBytes = 32;
- break;
- case 8:
- /*Picnic3_L3*/
- pqSecurityLevel = 96;
- stateSizeBits = 192;
- numMPCRounds = 419;
- numOpenedRounds = 52;
- numMPCParties = 16;
- numSboxes = 64;
- numRounds = 4;
- digestSizeBytes = 48;
- break;
- case 9:
- /*Picnic3_L5*/
- pqSecurityLevel = 128;
- stateSizeBits = 255;
- numMPCRounds = 601;
- numOpenedRounds = 68;
- numMPCParties = 16;
- numSboxes = 85;
- numRounds = 4;
- digestSizeBytes = 64;
- break;
- case 10:
- /*Picnic_L1_full*/
- pqSecurityLevel = 64;
- stateSizeBits = 129;
- numMPCRounds = 219;
- numMPCParties = 3;
- numSboxes = 43;
- numRounds = 4;
- digestSizeBytes = 32;
- break;
- case 11:
- /*Picnic_L3_full*/
- pqSecurityLevel = 96;
- stateSizeBits = 192;
- numMPCRounds = 329;
- numMPCParties = 3;
- numSboxes = 64;
- numRounds = 4;
- digestSizeBytes = 48;
- break;
- case 12:
- /*Picnic_L5_full*/
- pqSecurityLevel = 128;
- stateSizeBits = 255;
- numMPCRounds = 438;
- numMPCParties = 3;
- numSboxes = 85;
- numRounds = 4;
- digestSizeBytes = 64;
- break;
+ case 1:
+ case 2:
+ /*Picnic_L1_FS
+ Picnic_L1_UR*/
+ pqSecurityLevel = 64;
+ stateSizeBits = 128;
+ numMPCRounds = 219;
+ numMPCParties = 3;
+ numSboxes = 10;
+ numRounds = 20;
+ digestSizeBytes = 32;
+ break;
+ case 3:
+ case 4:
+ /* Picnic_L3_FS
+ Picnic_L3_UR*/
+ pqSecurityLevel = 96;
+ stateSizeBits = 192;
+ numMPCRounds = 329;
+ numMPCParties = 3;
+ numSboxes = 10;
+ numRounds = 30;
+ digestSizeBytes = 48;
+ break;
+ case 5:
+ case 6:
+ /* Picnic_L5_FS
+ Picnic_L5_UR*/
+ pqSecurityLevel = 128;
+ stateSizeBits = 256;
+ numMPCRounds = 438;
+ numMPCParties = 3;
+ numSboxes = 10;
+ numRounds = 38;
+ digestSizeBytes = 64;
+ break;
+ case 7:
+ /*Picnic3_L1*/
+ pqSecurityLevel = 64;
+ stateSizeBits = 129;
+ numMPCRounds = 250;
+ numOpenedRounds = 36;
+ numMPCParties = 16;
+ numSboxes = 43;
+ numRounds = 4;
+ digestSizeBytes = 32;
+ break;
+ case 8:
+ /*Picnic3_L3*/
+ pqSecurityLevel = 96;
+ stateSizeBits = 192;
+ numMPCRounds = 419;
+ numOpenedRounds = 52;
+ numMPCParties = 16;
+ numSboxes = 64;
+ numRounds = 4;
+ digestSizeBytes = 48;
+ break;
+ case 9:
+ /*Picnic3_L5*/
+ pqSecurityLevel = 128;
+ stateSizeBits = 255;
+ numMPCRounds = 601;
+ numOpenedRounds = 68;
+ numMPCParties = 16;
+ numSboxes = 85;
+ numRounds = 4;
+ digestSizeBytes = 64;
+ break;
+ case 10:
+ /*Picnic_L1_full*/
+ pqSecurityLevel = 64;
+ stateSizeBits = 129;
+ numMPCRounds = 219;
+ numMPCParties = 3;
+ numSboxes = 43;
+ numRounds = 4;
+ digestSizeBytes = 32;
+ break;
+ case 11:
+ /*Picnic_L3_full*/
+ pqSecurityLevel = 96;
+ stateSizeBits = 192;
+ numMPCRounds = 329;
+ numMPCParties = 3;
+ numSboxes = 64;
+ numRounds = 4;
+ digestSizeBytes = 48;
+ break;
+ case 12:
+ /*Picnic_L5_full*/
+ pqSecurityLevel = 128;
+ stateSizeBits = 255;
+ numMPCRounds = 438;
+ numMPCParties = 3;
+ numSboxes = 85;
+ numRounds = 4;
+ digestSizeBytes = 64;
+ break;
}
switch (parameters)
{
- case 1: /*Picnic_L1_FS*/
- CRYPTO_SECRETKEYBYTES = 49;
- CRYPTO_PUBLICKEYBYTES = 33;
- CRYPTO_BYTES = 34036;
- break;
- case 2: /* Picnic_L1_UR*/
- CRYPTO_SECRETKEYBYTES = 49;
- CRYPTO_PUBLICKEYBYTES = 33;
- CRYPTO_BYTES = 53965;
- break;
- case 3: /*Picnic_L3_FS*/
- CRYPTO_SECRETKEYBYTES = 73;
- CRYPTO_PUBLICKEYBYTES = 49;
- CRYPTO_BYTES = 76784;
- break;
- case 4: /*Picnic_L3_UR*/
- CRYPTO_SECRETKEYBYTES = 73;
- CRYPTO_PUBLICKEYBYTES = 49;
- CRYPTO_BYTES = 121857;
- break;
- case 5: /*Picnic_L5_FS*/
- CRYPTO_SECRETKEYBYTES = 97;
- CRYPTO_PUBLICKEYBYTES = 65;
- CRYPTO_BYTES = 132876;
- break;
- case 6: /*Picnic_L5_UR*/
- CRYPTO_SECRETKEYBYTES = 97;
- CRYPTO_PUBLICKEYBYTES = 65;
- CRYPTO_BYTES = 209526;
- break;
- case 7: /*Picnic3_L1*/
- CRYPTO_SECRETKEYBYTES = 52;
- CRYPTO_PUBLICKEYBYTES = 35;
- CRYPTO_BYTES = 14612;
- break;
- case 8: /*Picnic3_L3*/
- CRYPTO_SECRETKEYBYTES = 73;
- CRYPTO_PUBLICKEYBYTES = 49;
- CRYPTO_BYTES = 35028;
- break;
- case 9: /*Picnic3_L5*/
- CRYPTO_SECRETKEYBYTES = 97;
- CRYPTO_PUBLICKEYBYTES = 65;
- CRYPTO_BYTES = 61028;
- break;
- case 10: /*Picnic_L1_full*/
- CRYPTO_SECRETKEYBYTES = 52;
- CRYPTO_PUBLICKEYBYTES = 35;
- CRYPTO_BYTES = 32061;
- break;
- case 11: /*Picnic_L3_full*/
- CRYPTO_SECRETKEYBYTES = 73;
- CRYPTO_PUBLICKEYBYTES = 49;
- CRYPTO_BYTES = 71179;
- break;
- case 12: /*Picnic_L5_full*/
- CRYPTO_SECRETKEYBYTES = 97;
- CRYPTO_PUBLICKEYBYTES = 65;
- CRYPTO_BYTES = 126286;
- break;
- default:
- CRYPTO_SECRETKEYBYTES = -1;
- CRYPTO_PUBLICKEYBYTES = -1;
- CRYPTO_BYTES = -1;
- break;
+ case 1: /*Picnic_L1_FS*/
+ CRYPTO_SECRETKEYBYTES = 49;
+ CRYPTO_PUBLICKEYBYTES = 33;
+ CRYPTO_BYTES = 34036;
+ break;
+ case 2: /* Picnic_L1_UR*/
+ CRYPTO_SECRETKEYBYTES = 49;
+ CRYPTO_PUBLICKEYBYTES = 33;
+ CRYPTO_BYTES = 53965;
+ break;
+ case 3: /*Picnic_L3_FS*/
+ CRYPTO_SECRETKEYBYTES = 73;
+ CRYPTO_PUBLICKEYBYTES = 49;
+ CRYPTO_BYTES = 76784;
+ break;
+ case 4: /*Picnic_L3_UR*/
+ CRYPTO_SECRETKEYBYTES = 73;
+ CRYPTO_PUBLICKEYBYTES = 49;
+ CRYPTO_BYTES = 121857;
+ break;
+ case 5: /*Picnic_L5_FS*/
+ CRYPTO_SECRETKEYBYTES = 97;
+ CRYPTO_PUBLICKEYBYTES = 65;
+ CRYPTO_BYTES = 132876;
+ break;
+ case 6: /*Picnic_L5_UR*/
+ CRYPTO_SECRETKEYBYTES = 97;
+ CRYPTO_PUBLICKEYBYTES = 65;
+ CRYPTO_BYTES = 209526;
+ break;
+ case 7: /*Picnic3_L1*/
+ CRYPTO_SECRETKEYBYTES = 52;
+ CRYPTO_PUBLICKEYBYTES = 35;
+ CRYPTO_BYTES = 14612;
+ break;
+ case 8: /*Picnic3_L3*/
+ CRYPTO_SECRETKEYBYTES = 73;
+ CRYPTO_PUBLICKEYBYTES = 49;
+ CRYPTO_BYTES = 35028;
+ break;
+ case 9: /*Picnic3_L5*/
+ CRYPTO_SECRETKEYBYTES = 97;
+ CRYPTO_PUBLICKEYBYTES = 65;
+ CRYPTO_BYTES = 61028;
+ break;
+ case 10: /*Picnic_L1_full*/
+ CRYPTO_SECRETKEYBYTES = 52;
+ CRYPTO_PUBLICKEYBYTES = 35;
+ CRYPTO_BYTES = 32061;
+ break;
+ case 11: /*Picnic_L3_full*/
+ CRYPTO_SECRETKEYBYTES = 73;
+ CRYPTO_PUBLICKEYBYTES = 49;
+ CRYPTO_BYTES = 71179;
+ break;
+ case 12: /*Picnic_L5_full*/
+ CRYPTO_SECRETKEYBYTES = 97;
+ CRYPTO_PUBLICKEYBYTES = 65;
+ CRYPTO_BYTES = 126286;
+ break;
+ default:
+ CRYPTO_SECRETKEYBYTES = -1;
+ CRYPTO_PUBLICKEYBYTES = -1;
+ CRYPTO_BYTES = -1;
+ break;
}
// calculated depending on above parameters
@@ -304,7 +303,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Picnic
digest = new ShakeDigest(shakeSize);
}
- public bool crypto_sign_open(byte[] m, byte[] sm, byte[] pk)
+ internal bool crypto_sign_open(byte[] m, byte[] sm, byte[] pk)
{
uint sigLen = Pack.LE_To_UInt32(sm, 0);
byte[] m_from_sm = Arrays.CopyOfRange(sm, 4, 4 + m.Length);
@@ -432,7 +431,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Picnic
return status;
}
- void VerifyProof(Signature.Proof proof, View view1, View view2, int challenge, byte[] salt,
+ private void VerifyProof(Signature.Proof proof, View view1, View view2, int challenge, byte[] salt,
uint roundNumber, byte[] tmp, uint[] plaintext, Tape tape)
{
Array.Copy(proof.communicatedBits, 0, view2.communicatedBits, 0, andSizeBytes);
@@ -534,7 +533,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Picnic
mpc_LowMC_verify(view1, view2, tape, tmp_ints, plaintext, challenge);
}
- void mpc_LowMC_verify(View view1, View view2, Tape tapes, uint[] tmp, uint[] plaintext, int challenge)
+ private void mpc_LowMC_verify(View view1, View view2, Tape tapes, uint[] tmp, uint[] plaintext, int challenge)
{
Utils.Fill(tmp, 0, tmp.Length, 0);
@@ -576,7 +575,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Picnic
Array.Copy(tmp, 3 * stateSizeWords, view2.outputShare, 0, stateSizeWords);
}
- void mpc_substitution_verify(uint[] state, Tape rand, View view1, View view2)
+ private void mpc_substitution_verify(uint[] state, Tape rand, View view1, View view2)
{
uint[] a = new uint[2];
uint[] b = new uint[2];
@@ -611,7 +610,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Picnic
}
}
- void mpc_AND_verify(uint[] in1, uint[] in2, uint[] output, Tape rand, View view1, View view2)
+ private void mpc_AND_verify(uint[] in1, uint[] in2, uint[] output, Tape rand, View view1, View view2)
{
uint[] r = {Utils.GetBit(rand.tapes[0], rand.pos), Utils.GetBit(rand.tapes[1], rand.pos)};
@@ -646,7 +645,6 @@ namespace Org.BouncyCastle.Pqc.Crypto.Picnic
}
-
private int DeserializeSignature(Signature sig, byte[] sigBytes, uint sigBytesLen, int sigBytesOffset)
{
Signature.Proof[] proofs = sig.proofs;
@@ -1086,7 +1084,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Picnic
return true;
}
- public void crypto_sign(byte[] sm, byte[] m, byte[] sk)
+ internal void crypto_sign(byte[] sm, byte[] m, byte[] sk)
{
picnic_sign(sk, m, sm);
Array.Copy(m, 0, sm, 4, m.Length);
@@ -1142,7 +1140,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Picnic
/*** Serialization functions ***/
- int SerializeSignature(Signature sig, byte[] sigBytes, int sigOffset)
+ private int SerializeSignature(Signature sig, byte[] sigBytes, int sigOffset)
{
Signature.Proof[] proofs = sig.proofs;
byte[] challengeBits = sig.challengeBits;
@@ -1204,7 +1202,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Picnic
return sigByteIndex - sigOffset;
}
- int GetChallenge(byte[] challenge, int round)
+ private int GetChallenge(byte[] challenge, int round)
{
return (Utils.GetBit(challenge, 2 * round + 1) << 1) | Utils.GetBit(challenge, 2 * round);
}
@@ -1418,7 +1416,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Picnic
}
/* Caller must allocate the first parameter */
- void Prove(Signature.Proof proof, int challenge, byte[] seeds, int seedsOffset,
+ private void Prove(Signature.Proof proof, int challenge, byte[] seeds, int seedsOffset,
View[] views, byte[][] commitments, byte[][] gs)
{
if (challenge == 0)
@@ -1456,7 +1454,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Picnic
}
}
- void H3(uint[] circuitOutput, uint[] plaintext, uint[][][] viewOutputs,
+ private void H3(uint[] circuitOutput, uint[] plaintext, uint[][][] viewOutputs,
byte[][][] AS, byte[] challengeBits, byte[] salt,
byte[] message, byte[][][] gs)
{
@@ -1659,7 +1657,6 @@ namespace Org.BouncyCastle.Pqc.Crypto.Picnic
int stateOffset;
for (int i = 0; i < numSboxes * 3; i += 3)
{
-
for (int j = 0; j < 3; j++)
{
stateOffset = ((3 + j) * stateSizeWords) * 32;
@@ -1748,7 +1745,6 @@ namespace Org.BouncyCastle.Pqc.Crypto.Picnic
digest.Update((byte) 2);
digest.BlockUpdate(seed, seedOffset, seedSizeBytes);
digest.OutputFinal(tape, 0, digestSizeBytes);
-// Console.Error.Write("tape: " + Hex.toHexString(tape));
/* Expand the hashed seed, salt, round and player indices, and output
* length to create the tape. */
@@ -1949,7 +1945,6 @@ namespace Org.BouncyCastle.Pqc.Crypto.Picnic
return missingLeaves;
}
-
private void HCP(byte[] challengeHash, uint[] challengeC, uint[] challengeP, byte[][] Ch,
byte[] hCv, byte[] salt, uint[] pubKey, uint[] plaintext, byte[] message)
{
@@ -1971,7 +1966,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Picnic
}
}
- static int BitsToChunks(int chunkLenBits, byte[] input, int inputLen, uint[] chunks)
+ private static int BitsToChunks(int chunkLenBits, byte[] input, int inputLen, uint[] chunks)
{
if (chunkLenBits > inputLen * 8)
{
@@ -1992,7 +1987,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Picnic
return chunkCount;
}
- static uint AppendUnique(uint[] list, uint value, uint position)
+ private static uint AppendUnique(uint[] list, uint value, uint position)
{
if (position == 0)
{
@@ -2171,7 +2166,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Picnic
return true;
}
- static uint Extend(uint bit)
+ private static uint Extend(uint bit)
{
return ~(bit - 1);
}
@@ -2233,7 +2228,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Picnic
}
}
- protected internal void aux_mpc_sbox(uint[] input, uint[] output, Tape tape)
+ internal void aux_mpc_sbox(uint[] input, uint[] output, Tape tape)
{
for (int i = 0; i < numSboxes * 3; i += 3)
{
@@ -2341,7 +2336,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Picnic
digest.OutputFinal(saltAndRoot, 0, saltAndRoot.Length);
}
- static bool is_picnic3(int parameters)
+ private static bool is_picnic3(int parameters)
{
return parameters == 7 /*Picnic3_L1*/ ||
parameters == 8 /*Picnic3_L3*/ ||
@@ -2349,7 +2344,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Picnic
}
//todo return int;
- public void crypto_sign_keypair(byte[] pk, byte[] sk, SecureRandom random)
+ internal void crypto_sign_keypair(byte[] pk, byte[] sk, SecureRandom random)
{
// set array sizes
byte[] plaintext_bytes = new byte[PICNIC_MAX_LOWMC_BLOCK_SIZE];
@@ -2474,7 +2469,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Picnic
}
}
- protected internal void xor_array(uint[] output, uint[] in1, uint[] in2, int in2_offset, int length)
+ internal void xor_array(uint[] output, uint[] in1, uint[] in2, int in2_offset, int length)
{
for (int i = 0; i < length; i++)
{
@@ -2482,12 +2477,12 @@ namespace Org.BouncyCastle.Pqc.Crypto.Picnic
}
}
- protected internal void matrix_mul(uint[] output, uint[] state, uint[] matrix, int matrixOffset)
+ internal void matrix_mul(uint[] output, uint[] state, uint[] matrix, int matrixOffset)
{
matrix_mul_offset(output, 0, state, 0, matrix, matrixOffset);
}
- protected void matrix_mul_offset(uint[] output, int outputOffset, uint[] state, int stateOffset, uint[] matrix,
+ internal void matrix_mul_offset(uint[] output, int outputOffset, uint[] state, int stateOffset, uint[] matrix,
int matrixOffset)
{
// Use temp to correctly handle the case when state = output
diff --git a/crypto/src/pqc/crypto/picnic/Signature2.cs b/crypto/src/pqc/crypto/picnic/Signature2.cs
index 7659fb314..c6f44380c 100644
--- a/crypto/src/pqc/crypto/picnic/Signature2.cs
+++ b/crypto/src/pqc/crypto/picnic/Signature2.cs
@@ -1,7 +1,7 @@
namespace Org.BouncyCastle.Pqc.Crypto.Picnic
{
- public class Signature2
+ internal class Signature2
{
internal byte[] salt;
internal byte[] iSeedInfo; // Info required to recompute the tree of all initial seeds
@@ -14,7 +14,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Picnic
internal Proof2[] proofs; // One proof for each online execution the verifier checks
//todo initialize in engine!
- public Signature2(PicnicEngine engine)
+ internal Signature2(PicnicEngine engine)
{
challengeHash = new byte[engine.digestSizeBytes];
salt = new byte[PicnicEngine.saltSizeBytes];
@@ -23,7 +23,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Picnic
proofs = new Proof2[engine.numMPCRounds];
}
- public class Proof2
+ internal class Proof2
{
internal byte[] seedInfo; // Information required to compute the tree with seeds of of all opened parties
internal int seedInfoLen; // Length of seedInfo buffer
@@ -32,7 +32,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Picnic
internal byte[] input; // Masked input used in online execution
internal byte[] msgs; // Broadcast messages of unopened party P[t]
- public Proof2(PicnicEngine engine)
+ internal Proof2(PicnicEngine engine)
{
seedInfo = null;
seedInfoLen = 0;
@@ -45,6 +45,3 @@ namespace Org.BouncyCastle.Pqc.Crypto.Picnic
}
}
}
-
-
-
diff --git a/crypto/src/pqc/crypto/picnic/Tape.cs b/crypto/src/pqc/crypto/picnic/Tape.cs
index dd1a44de8..c433b3267 100644
--- a/crypto/src/pqc/crypto/picnic/Tape.cs
+++ b/crypto/src/pqc/crypto/picnic/Tape.cs
@@ -1,125 +1,128 @@
using Org.BouncyCastle.Crypto.Utilities;
-using Org.BouncyCastle.Pqc.Crypto.Picnic;
using Org.BouncyCastle.Utilities;
-public class Tape
+namespace Org.BouncyCastle.Pqc.Crypto.Picnic
{
- internal byte[][] tapes;
- internal int pos;
- int nTapes;
-
- private PicnicEngine engine;
- public Tape(PicnicEngine engine)
+ internal class Tape
{
- this.engine = engine;
- tapes = new byte[engine.numMPCParties][]; //[2 * engine.andSizeBytes];
- for (int i = 0; i < engine.numMPCParties; i++)
- {
- tapes[i] = new byte[2 * engine.andSizeBytes];
- }
- pos = 0;
- nTapes = engine.numMPCParties;
- }
+ internal byte[][] tapes;
+ internal int pos;
+ int nTapes;
- protected internal void SetAuxBits(byte[] input)
- {
- int last = engine.numMPCParties - 1;
- int pos = 0;
- int n = engine.stateSizeBits;
+ private PicnicEngine engine;
- for(int j = 0; j < engine.numRounds; j++)
+ internal Tape(PicnicEngine engine)
{
- for(int i = 0; i < n; i++)
+ this.engine = engine;
+ tapes = new byte[engine.numMPCParties][]; //[2 * engine.andSizeBytes];
+ for (int i = 0; i < engine.numMPCParties; i++)
{
- Utils.SetBit(this.tapes[last], n + n*2*j + i, Utils.GetBit(input, pos++));
+ tapes[i] = new byte[2 * engine.andSizeBytes];
}
+ pos = 0;
+ nTapes = engine.numMPCParties;
}
- }
-
- /* Input is the tapes for one parallel repitition; i.e., tapes[t]
- * Updates the random tapes of all players with the mask values for the output of
- * AND gates, and computes the N-th party's share such that the AND gate invariant
- * holds on the mask values.
- */
- protected internal void ComputeAuxTape(byte[] inputs)
- {
- uint[] roundKey = new uint[PicnicEngine.LOWMC_MAX_WORDS];
- uint[] x = new uint[PicnicEngine.LOWMC_MAX_WORDS];
- uint[] y = new uint[PicnicEngine.LOWMC_MAX_WORDS];
- uint[] key = new uint[PicnicEngine.LOWMC_MAX_WORDS];
- uint[] key0 = new uint[PicnicEngine.LOWMC_MAX_WORDS];
- key0[engine.stateSizeWords - 1] = 0;
- TapesToParityBits(key0, engine.stateSizeBits);
-
-// System.out.print("key0: ");
-// for (int i = 0; i < key0.Length; i++)
-// {System.out.printf("%08x ", key0[i]);}System.out.Println();
-
- // key = key0 x KMatrix[0]^(-1)
- KMatricesWithPointer current = LowmcConstants.Instance.KMatrixInv(engine, 0);
- engine.matrix_mul(key, key0, current.GetData(), current.GetMatrixPointer());
-
-// System.out.print("key: ");
-// for (int i = 0; i < key0.Length; i++)
-// {System.out.printf("%08x ", key[i]);}System.out.Println();
+ internal void SetAuxBits(byte[] input)
+ {
+ int last = engine.numMPCParties - 1;
+ int pos = 0;
+ int n = engine.stateSizeBits;
+ for(int j = 0; j < engine.numRounds; j++)
+ {
+ for(int i = 0; i < n; i++)
+ {
+ Utils.SetBit(this.tapes[last], n + n*2*j + i, Utils.GetBit(input, pos++));
+ }
+ }
+ }
- if(inputs != null)
+ /* Input is the tapes for one parallel repitition; i.e., tapes[t]
+ * Updates the random tapes of all players with the mask values for the output of
+ * AND gates, and computes the N-th party's share such that the AND gate invariant
+ * holds on the mask values.
+ */
+ internal void ComputeAuxTape(byte[] inputs)
{
- Pack.UInt32_To_LE(Arrays.CopyOf(key, engine.stateSizeWords), inputs, 0);
- }
+ uint[] roundKey = new uint[PicnicEngine.LOWMC_MAX_WORDS];
+ uint[] x = new uint[PicnicEngine.LOWMC_MAX_WORDS];
+ uint[] y = new uint[PicnicEngine.LOWMC_MAX_WORDS];
+ uint[] key = new uint[PicnicEngine.LOWMC_MAX_WORDS];
+ uint[] key0 = new uint[PicnicEngine.LOWMC_MAX_WORDS];
+ key0[engine.stateSizeWords - 1] = 0;
+ TapesToParityBits(key0, engine.stateSizeBits);
- for (int r = engine.numRounds; r > 0; r--)
- {
- current = LowmcConstants.Instance.KMatrix(engine, r);
- engine.matrix_mul(roundKey, key, current.GetData(), current.GetMatrixPointer()); // roundKey = key * KMatrix(r)
+ // System.out.print("key0: ");
+ // for (int i = 0; i < key0.Length; i++)
+ // {System.out.printf("%08x ", key0[i]);}System.out.Println();
+
+ // key = key0 x KMatrix[0]^(-1)
+ KMatricesWithPointer current = LowmcConstants.Instance.KMatrixInv(engine, 0);
+ engine.matrix_mul(key, key0, current.GetData(), current.GetMatrixPointer());
- engine.xor_array(x, x, roundKey, 0, engine.stateSizeWords);
+ // System.out.print("key: ");
+ // for (int i = 0; i < key0.Length; i++)
+ // {System.out.printf("%08x ", key[i]);}System.out.Println();
- current = LowmcConstants.Instance.LMatrixInv(engine, r-1);
- engine.matrix_mul(y, x, current.GetData(), current.GetMatrixPointer());
- if(r == 1)
+ if(inputs != null)
{
- // Use key as input
- System.Array.Copy(key0, 0, x, 0, key0.Length);
+ Pack.UInt32_To_LE(Arrays.CopyOf(key, engine.stateSizeWords), inputs, 0);
}
- else
+
+
+ for (int r = engine.numRounds; r > 0; r--)
{
- this.pos = engine.stateSizeBits * 2 * (r - 1);
- // Read input mask shares from tapes
- TapesToParityBits(x, engine.stateSizeBits);
+ current = LowmcConstants.Instance.KMatrix(engine, r);
+ engine.matrix_mul(roundKey, key, current.GetData(), current.GetMatrixPointer()); // roundKey = key * KMatrix(r)
+
+ engine.xor_array(x, x, roundKey, 0, engine.stateSizeWords);
+
+ current = LowmcConstants.Instance.LMatrixInv(engine, r-1);
+ engine.matrix_mul(y, x, current.GetData(), current.GetMatrixPointer());
+
+ if(r == 1)
+ {
+ // Use key as input
+ System.Array.Copy(key0, 0, x, 0, key0.Length);
+ }
+ else
+ {
+ this.pos = engine.stateSizeBits * 2 * (r - 1);
+ // Read input mask shares from tapes
+ TapesToParityBits(x, engine.stateSizeBits);
+ }
+
+ this.pos = engine.stateSizeBits * 2 * (r - 1) + engine.stateSizeBits;
+ engine.aux_mpc_sbox(x, y, this);
}
- this.pos = engine.stateSizeBits * 2 * (r - 1) + engine.stateSizeBits;
- engine.aux_mpc_sbox(x, y, this);
+ // Reset the random tape counter so that the online execution uses the
+ // same random bits as when computing the aux shares
+ this.pos = 0;
}
- // Reset the random tape counter so that the online execution uses the
- // same random bits as when computing the aux shares
- this.pos = 0;
- }
-
- private void TapesToParityBits(uint[] output, int outputBitLen)
- {
- for (int i = 0; i < outputBitLen; i++)
+ private void TapesToParityBits(uint[] output, int outputBitLen)
{
- Utils.SetBitInWordArray(output, i, Utils.Parity16(TapesToWord()));
+ for (int i = 0; i < outputBitLen; i++)
+ {
+ Utils.SetBitInWordArray(output, i, Utils.Parity16(TapesToWord()));
+ }
}
- }
-
- protected internal uint TapesToWord()
- {
- byte[] shares = new byte[4];
- for (int i = 0; i < 16; i++)
+ internal uint TapesToWord()
{
- byte bit = Utils.GetBit(this.tapes[i], this.pos);
- Utils.SetBit(shares, i, bit);
+ byte[] shares = new byte[4];
+
+ for (int i = 0; i < 16; i++)
+ {
+ byte bit = Utils.GetBit(this.tapes[i], this.pos);
+ Utils.SetBit(shares, i, bit);
+ }
+ this.pos++;
+ return Pack.LE_To_UInt32(shares, 0);
}
- this.pos++;
- return Pack.LE_To_UInt32(shares, 0);
}
-}
\ No newline at end of file
+}
diff --git a/crypto/src/pqc/crypto/picnic/Tree.cs b/crypto/src/pqc/crypto/picnic/Tree.cs
index 50f844a52..80b2f87ba 100644
--- a/crypto/src/pqc/crypto/picnic/Tree.cs
+++ b/crypto/src/pqc/crypto/picnic/Tree.cs
@@ -1,12 +1,11 @@
using System;
+
using Org.BouncyCastle.Crypto.Utilities;
-using Org.BouncyCastle.Pqc.Crypto.Picnic;
using Org.BouncyCastle.Utilities;
namespace Org.BouncyCastle.Pqc.Crypto.Picnic
{
-
- public class Tree
+ internal sealed class Tree
{
private static int MAX_SEED_SIZE_BYTES = 32;
private uint MAX_AUX_BYTES;
@@ -22,17 +21,17 @@ namespace Org.BouncyCastle.Pqc.Crypto.Picnic
private PicnicEngine engine;
- protected internal byte[][] GetLeaves()
+ internal byte[][] GetLeaves()
{
return this.nodes;
}
- protected internal uint GetLeavesOffset()
+ internal uint GetLeavesOffset()
{
return this.numNodes - this.numLeaves;
}
- public Tree(PicnicEngine engine, uint numLeaves, int dataSize)
+ internal Tree(PicnicEngine engine, uint numLeaves, int dataSize)
{
this.engine = engine;
MAX_AUX_BYTES = ((PicnicEngine.LOWMC_MAX_AND_GATES + PicnicEngine.LOWMC_MAX_KEY_BITS) / 8 + 1);
@@ -69,7 +68,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Picnic
/* Create a Merkle tree by hashing up all nodes.
* leafData must have Length this.numNodes, but some may be NULL. */
- protected internal void BuildMerkleTree(byte[][] leafData, byte[] salt)
+ internal void BuildMerkleTree(byte[][] leafData, byte[] salt)
{
uint firstLeaf = this.numNodes - this.numLeaves;
@@ -92,7 +91,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Picnic
}
/* verifyMerkleTree: verify for each leaf that is set */
- protected internal int VerifyMerkleTree(byte[][] leafData, byte[] salt)
+ internal int VerifyMerkleTree(byte[][] leafData, byte[] salt)
{
uint firstLeaf = this.numNodes - this.numLeaves;
@@ -131,7 +130,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Picnic
return 0;
}
- protected internal int ReconstructSeeds(uint[] hideList, uint hideListSize,
+ internal int ReconstructSeeds(uint[] hideList, uint hideListSize,
byte[] input, uint inputLen, byte[] salt, uint repIndex)
{
int ret = 0;
@@ -163,7 +162,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Picnic
}
/* Serialze the missing nodes that the verifier will require to check commitments for non-missing leaves */
- protected internal byte[] OpenMerkleTree(uint[] missingLeaves, uint missingLeavesSize, int[] outputSizeBytes)
+ internal byte[] OpenMerkleTree(uint[] missingLeaves, uint missingLeavesSize, int[] outputSizeBytes)
{
uint[] revealedSize = new uint[1];
uint[] revealed = this.GetRevealedMerkleNodes(missingLeaves, missingLeavesSize, revealedSize);
@@ -293,7 +292,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Picnic
}
- protected internal uint RevealSeedsSize(uint[] hideList, uint hideListSize)
+ internal uint RevealSeedsSize(uint[] hideList, uint hideListSize)
{
uint[] numNodesRevealed = new uint[1];
numNodesRevealed[0] = 0;
@@ -301,7 +300,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Picnic
return numNodesRevealed[0] * (uint)engine.seedSizeBytes;
}
- protected internal int RevealSeeds(uint[] hideList, uint hideListSize, byte[] output, int outputSize)
+ internal int RevealSeeds(uint[] hideList, uint hideListSize, byte[] output, int outputSize)
{
// byte[] outputBase = Arrays.clone(output);
uint[] revealedSize = new uint[1];
@@ -330,7 +329,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Picnic
return output.Length - outLen;
}
- protected internal uint OpenMerkleTreeSize(uint[] missingLeaves, uint missingLeavesSize)
+ internal uint OpenMerkleTreeSize(uint[] missingLeaves, uint missingLeavesSize)
{
uint[] revealedSize = new uint[1];
uint[] revealed = this.GetRevealedMerkleNodes(missingLeaves, missingLeavesSize, revealedSize);
@@ -454,15 +453,14 @@ namespace Org.BouncyCastle.Pqc.Crypto.Picnic
this.haveNode[parent] = true;
}
-
- protected internal byte[] GetLeaf(uint leafIndex)
+ internal byte[] GetLeaf(uint leafIndex)
{
uint firstLeaf = this.numNodes - this.numLeaves;
return this.nodes[firstLeaf + leafIndex];
}
/* addMerkleNodes: deserialize and add the data for nodes provided by the committer */
- protected internal int AddMerkleNodes(uint[] missingLeaves, uint missingLeavesSize, byte[] input, uint inputSize)
+ internal int AddMerkleNodes(uint[] missingLeaves, uint missingLeavesSize, byte[] input, uint inputSize)
{
// if (inputSize > INT_MAX) {
// return -1;
@@ -495,7 +493,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Picnic
return 0;
}
- protected internal void GenerateSeeds(byte[] rootSeed, byte[] salt, uint repIndex)
+ internal void GenerateSeeds(byte[] rootSeed, byte[] salt, uint repIndex)
{
this.nodes[0] = rootSeed;
this.haveNode[0] = true;
@@ -578,6 +576,5 @@ namespace Org.BouncyCastle.Pqc.Crypto.Picnic
return this.exists[i] == 1;
}
-
}
-}
\ No newline at end of file
+}
diff --git a/crypto/src/pqc/crypto/picnic/View.cs b/crypto/src/pqc/crypto/picnic/View.cs
index d72afa9d4..cac47631a 100644
--- a/crypto/src/pqc/crypto/picnic/View.cs
+++ b/crypto/src/pqc/crypto/picnic/View.cs
@@ -1,18 +1,16 @@
-using Org.BouncyCastle.Pqc.Crypto.Picnic;
-
namespace Org.BouncyCastle.Pqc.Crypto.Picnic
{
- public class View
+ internal class View
{
internal uint[] inputShare;
internal byte[] communicatedBits;
internal uint[] outputShare;
- public View(PicnicEngine engine)
+ internal View(PicnicEngine engine)
{
inputShare = new uint[engine.stateSizeBytes];
communicatedBits = new byte[engine.andSizeBytes];
outputShare = new uint[engine.stateSizeBytes];
}
}
-}
\ No newline at end of file
+}
diff --git a/crypto/src/pqc/crypto/sike/Fpx.cs b/crypto/src/pqc/crypto/sike/Fpx.cs
index 9ba332753..140b36afb 100644
--- a/crypto/src/pqc/crypto/sike/Fpx.cs
+++ b/crypto/src/pqc/crypto/sike/Fpx.cs
@@ -29,7 +29,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Sike
}
// Cyclotomic squaring on elements of norm 1, using a^(p+1) = 1.
- protected internal void sqr_Fp2_cycl(ulong[][] a, ulong[] one)
+ internal void sqr_Fp2_cycl(ulong[][] a, ulong[] one)
{
ulong[] t0 = new ulong[engine.param.NWORDS_FIELD];
@@ -44,7 +44,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Sike
// n-way simultaneous inversion using Montgomery's trick.
// SECURITY NOTE: This function does not run in constant time.
// Also, vec and out CANNOT be the same variable!
- protected internal void mont_n_way_inv(ulong[][][] vec, uint n, ulong[][][] output)
+ internal void mont_n_way_inv(ulong[][][] vec, uint n, ulong[][][] output)
{
ulong[][] t1 = SikeUtilities.InitArray(2, engine.param.NWORDS_FIELD);
int i;
@@ -68,7 +68,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Sike
// Copy a field element, c = a.
- protected internal void fpcopy(ulong[] a, long aOffset, ulong[] c)
+ internal void fpcopy(ulong[] a, long aOffset, ulong[] c)
{
for (uint i = 0; i < engine.param.NWORDS_FIELD; i++)
{
@@ -77,21 +77,21 @@ namespace Org.BouncyCastle.Pqc.Crypto.Sike
}
// GF(p^2) addition without correction, c = a+b in GF(p^2).
- protected internal void mp2_add(ulong[][] a, ulong[][] b, ulong[][] c)
+ internal void mp2_add(ulong[][] a, ulong[][] b, ulong[][] c)
{
mp_add(a[0], b[0], c[0], engine.param.NWORDS_FIELD);
mp_add(a[1], b[1], c[1], engine.param.NWORDS_FIELD);
}
// Modular correction, a = a in GF(p^2).
- protected internal void fp2correction(ulong[][] a)
+ internal void fp2correction(ulong[][] a)
{
fpcorrectionPRIME(a[0]);
fpcorrectionPRIME(a[1]);
}
// Multiprecision addition, c = a+b, where lng(a) = lng(b) = nwords. Returns the carry bit.
- protected internal ulong mp_add(ulong[] a, ulong[] b, ulong[] c, uint nwords)
+ internal ulong mp_add(ulong[] a, ulong[] b, ulong[] c, uint nwords)
{
ulong carry = 0;
@@ -169,7 +169,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Sike
// Is x = 0? return 1 (TRUE) if condition is true, 0 (FALSE) otherwise.
// SECURITY NOTE: This function does not run in constant-time.
- protected internal bool is_felm_zero(ulong[] x)
+ internal bool is_felm_zero(ulong[] x)
{
for (uint i = 0; i < engine.param.NWORDS_FIELD; i++)
{
@@ -205,7 +205,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Sike
// Test if a is a square in GF(p^2) and return 1 if true, 0 otherwise
// If a is a quadratic residue, s will be assigned with a partially computed square root of a
- protected internal bool is_sqr_fp2(ulong[][] a, ulong[] s)
+ internal bool is_sqr_fp2(ulong[][] a, ulong[] s)
{
uint i;
ulong[] a0 = new ulong[engine.param.NWORDS_FIELD],
@@ -365,7 +365,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Sike
// GF(p^2) inversion using Montgomery arithmetic, a = (a0-i*a1)/(a0^2+a1^2)
// This uses the binary GCD for inversion in fp and is NOT constant time!!!
- protected internal void fp2inv_mont_bingcd(ulong[][] a)
+ internal void fp2inv_mont_bingcd(ulong[][] a)
{
ulong[][] t1 = SikeUtilities.InitArray(2, engine.param.NWORDS_FIELD);
@@ -381,7 +381,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Sike
}
// GF(p^2) division by two, c = a/2 in GF(p^2).
- protected internal void fp2div2(ulong[][] a, ulong[][] c)
+ internal void fp2div2(ulong[][] a, ulong[][] c)
{
//todo/org : make fp class and change this to generic fpdiv2
fpdiv2_PRIME(a[0], c[0]);
@@ -606,7 +606,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Sike
Debug.Assert(t == 0);
}
- protected internal static bool subarrayEquals(ulong[] a, ulong[] b, uint length)
+ internal static bool subarrayEquals(ulong[] a, ulong[] b, uint length)
{
// if(a.Length < length || b.Length < length)
// return false;
@@ -619,7 +619,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Sike
return true;
}
- protected internal static bool subarrayEquals(ulong[][] a, ulong[][] b, uint length)
+ internal static bool subarrayEquals(ulong[][] a, ulong[][] b, uint length)
{
int nwords_feild = b[0].Length;
// if(a[0].Length < length || b[0].Length < length)
@@ -633,7 +633,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Sike
return true;
}
- protected internal static bool subarrayEquals(ulong[][] a, ulong[][] b, uint bOffset, uint length)
+ internal static bool subarrayEquals(ulong[][] a, ulong[][] b, uint bOffset, uint length)
{
int nwords_feild = b[0].Length;
// if(a[0].Length*2 < length || b[0].Length*2 < length)
@@ -647,7 +647,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Sike
return true;
}
- protected internal static bool subarrayEquals(ulong[][] a, ulong[] b, uint bOffset, uint length)
+ internal static bool subarrayEquals(ulong[][] a, ulong[] b, uint bOffset, uint length)
{
int nwords_field = a[0].Length;
// if(a[0].Length < length || b.Length < length)
@@ -662,9 +662,8 @@ namespace Org.BouncyCastle.Pqc.Crypto.Sike
}
// Computes square roots of elements in (Fp2)^2 using Hamburg's trick.
- protected internal void sqrt_Fp2(ulong[][] u, ulong[][] y)
+ internal void sqrt_Fp2(ulong[][] u, ulong[][] y)
{
-
ulong[] t0 = new ulong[engine.param.NWORDS_FIELD],
t1 = new ulong[engine.param.NWORDS_FIELD],
t2 = new ulong[engine.param.NWORDS_FIELD],
@@ -714,7 +713,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Sike
// GF(p^2) squaring using Montgomery arithmetic, c = a^2 in GF(p^2).
// Inputs: a = a0+a1*i, where a0, a1 are in [0, 2*p-1]
// Output: c = c0+c1*i, where c0, c1 are in [0, 2*p-1]
- protected internal void fp2sqr_mont(ulong[][] a, ulong[][] c)
+ internal void fp2sqr_mont(ulong[][] a, ulong[][] c)
{
ulong[] t1 = new ulong[engine.param.NWORDS_FIELD],
t2 = new ulong[engine.param.NWORDS_FIELD],
@@ -731,7 +730,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Sike
// Modular addition, c = a+b mod PRIME.
// Inputs: a, b in [0, 2*PRIME-1]
// Output: c in [0, 2*PRIME-1]
- protected internal void fpaddPRIME(ulong[] a, ulong[] b, ulong[] c)
+ internal void fpaddPRIME(ulong[] a, ulong[] b, ulong[] c)
{
ulong i, carry = 0;
ulong mask;
@@ -769,7 +768,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Sike
}
// Cyclotomic cubing on elements of norm 1, using a^(p+1) = 1.
- protected internal void cube_Fp2_cycl(ulong[][] a, ulong[] one)
+ internal void cube_Fp2_cycl(ulong[][] a, ulong[] one)
{
ulong[] t0 = new ulong[engine.param.NWORDS_FIELD];
@@ -786,7 +785,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Sike
// Modular subtraction, c = a-b mod PRIME.
// Inputs: a, b in [0, 2*PRIME-1]
// Output: c in [0, 2*PRIME-1]
- protected internal void fpsubPRIME(ulong[] a, ulong[] b, uint bOffset, ulong[] c)
+ internal void fpsubPRIME(ulong[] a, ulong[] b, uint bOffset, ulong[] c)
{
ulong i, borrow = 0;
ulong mask;
@@ -811,7 +810,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Sike
}
}
- protected internal void fpsubPRIME(ulong[] a, uint aOffset, ulong[] b, ulong[] c)
+ internal void fpsubPRIME(ulong[] a, uint aOffset, ulong[] b, ulong[] c)
{
ulong i, borrow = 0;
ulong mask;
@@ -836,7 +835,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Sike
}
}
- protected internal void fpsubPRIME(ulong[] a, ulong[] b, ulong[] c)
+ internal void fpsubPRIME(ulong[] a, ulong[] b, ulong[] c)
{
ulong i, borrow = 0;
ulong mask;
@@ -864,7 +863,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Sike
// todo/org : move to fp_generic
// Modular negation, a = -a mod PRIME.
// Input/output: a in [0, 2*PRIME-1]
- protected internal void fpnegPRIME(ulong[] a)
+ internal void fpnegPRIME(ulong[] a)
{
ulong i, borrow = 0;
@@ -881,7 +880,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Sike
// todo/org : move to fp_generic
// Conversion of a GF(p^2) element from Montgomery representation to standard representation,
// c_i = ma_i*R^(-1) = a_i in GF(p^2).
- protected internal void from_fp2mont(ulong[][] ma, ulong[][] c)
+ internal void from_fp2mont(ulong[][] ma, ulong[][] c)
{
from_mont(ma[0], c[0]);
from_mont(ma[1], c[1]);
@@ -889,7 +888,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Sike
// todo/org : move to fp_generic
// Conversion of GF(p^2) element from Montgomery to standard representation, and encoding by removing leading 0 bytes
- protected internal void fp2_encode(ulong[][] x, byte[] enc, uint encOffset)
+ internal void fp2_encode(ulong[][] x, byte[] enc, uint encOffset)
{
ulong[][] t = SikeUtilities.InitArray(2, engine.param.NWORDS_FIELD);
@@ -899,7 +898,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Sike
}
// Parse byte sequence back uinto GF(p^2) element, and conversion to Montgomery representation
- protected internal void fp2_decode(byte[] x, ulong[][] dec, uint xOffset)
+ internal void fp2_decode(byte[] x, ulong[][] dec, uint xOffset)
{
decode_to_digits(x, xOffset, dec[0], engine.param.FP2_ENCODED_BYTES / 2, engine.param.NWORDS_FIELD);
decode_to_digits(x,xOffset + (engine.param.FP2_ENCODED_BYTES/2), dec[1], engine.param.FP2_ENCODED_BYTES / 2, engine.param.NWORDS_FIELD);
@@ -907,7 +906,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Sike
}
// Conversion of elements in Z_r to Montgomery representation, where the order r is up to NBITS_ORDER bits.
- protected internal void to_Montgomery_mod_order(ulong[] a, ulong[] mc, ulong[] order, ulong[] Montgomery_rprime, ulong[] Montgomery_Rprime)
+ internal void to_Montgomery_mod_order(ulong[] a, ulong[] mc, ulong[] order, ulong[] Montgomery_rprime, ulong[] Montgomery_Rprime)
{
Montgomery_multiply_mod_order(a, Montgomery_Rprime, mc, order, Montgomery_rprime);
}
@@ -916,7 +915,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Sike
// ma, mb and mc are assumed to be in Montgomery representation.
// The Montgomery constant r' = -r^(-1) mod 2^(log_2(r)) is the value "Montgomery_rprime", where r is the order.
// Assume log_2(r) is a multiple of RADIX bits
- protected internal void Montgomery_multiply_mod_order(ulong[] ma, ulong[] mb, ulong[] mc, ulong[] order, ulong[] Montgomery_rprime)
+ internal void Montgomery_multiply_mod_order(ulong[] ma, ulong[] mb, ulong[] mc, ulong[] order, ulong[] Montgomery_rprime)
{
ulong i, cout = 0, bout = 0;
ulong mask;
@@ -949,7 +948,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Sike
// Inversion of an odd uinteger modulo an even uinteger of the form 2^m.
// Algorithm 3: Explicit Quadratic Modular inverse modulo 2^m from Dumas'12: http://arxiv.org/pdf/1209.6626.pdf
// If the input is invalid (even), the function outputs c = a.
- protected internal void inv_mod_orderA(ulong[] a, ulong[] c)
+ internal void inv_mod_orderA(ulong[] a, ulong[] c)
{
uint i, f, s = 0;
ulong[] am1 = new ulong[engine.param.NWORDS_ORDER],
@@ -999,7 +998,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Sike
// Multiprecision comba multiply, c = a*b, where lng(a) = lng(b) = nwords.
// NOTE: a and c CANNOT be the same variable!
- protected internal void multiply(ulong[] a, ulong[] b, ulong[] c, uint nwords)
+ internal void multiply(ulong[] a, ulong[] b, ulong[] c, uint nwords)
{
ulong i, j;
ulong t = 0, u = 0, v = 0;
@@ -1187,7 +1186,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Sike
}
// Montgomery inversion modulo order, c = a^(-1)*R mod order.
- protected internal void Montgomery_inversion_mod_order_bingcd(ulong[] a, ulong[] c, ulong[] order, ulong[] Montgomery_rprime, ulong[] Montgomery_Rprime)
+ internal void Montgomery_inversion_mod_order_bingcd(ulong[] a, ulong[] c, ulong[] order, ulong[] Montgomery_rprime, ulong[] Montgomery_Rprime)
{
ulong[] x = new ulong[engine.param.NWORDS_ORDER],
t = new ulong[engine.param.NWORDS_ORDER];
@@ -1211,7 +1210,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Sike
}
// Conversion of elements in Z_r from Montgomery to standard representation, where the order is up to NBITS_ORDER bits.
- protected internal void from_Montgomery_mod_order(ulong[] ma, ulong[] c, ulong[] order, ulong[] Montgomery_rprime)
+ internal void from_Montgomery_mod_order(ulong[] ma, ulong[] c, ulong[] order, ulong[] Montgomery_rprime)
{
ulong[] one = new ulong[engine.param.NWORDS_ORDER];
one[0] = 1;
@@ -1221,7 +1220,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Sike
// Computes the input modulo 3
// The input is assumed to be NWORDS_ORDER ulong
- protected internal uint mod3(ulong[] a)
+ internal uint mod3(ulong[] a)
{
ulong result = 0;
for (int i = 0; i < engine.param.NWORDS_ORDER; ++i)
@@ -1234,7 +1233,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Sike
// Conversion of a GF(p^2) element to Montgomery representation,
// mc_i = a_i*R^2*R^(-1) = a_i*R in GF(p^2).
- protected internal void to_fp2mont(ulong[][] a, ulong[][] mc)
+ internal void to_fp2mont(ulong[][] a, ulong[][] mc)
{
to_mont(a[0], mc[0]);
to_mont(a[1], mc[1]);
@@ -1251,7 +1250,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Sike
// todo/org : move to fp_generic
// Modular correction to reduce field element a in [0, 2*PRIME-1] to [0, PRIME-1].
- protected internal void fpcorrectionPRIME(ulong[] a)
+ internal void fpcorrectionPRIME(ulong[] a)
{
ulong i, borrow = 0;
ulong mask;
@@ -1276,7 +1275,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Sike
}
}
- protected internal byte cmp_f2elm(ulong[][] x, ulong[][] y)
+ internal byte cmp_f2elm(ulong[][] x, ulong[][] y)
{ // Comparison of two GF(p^2) elements in constant time.
// Is x != y? return -1 if condition is true, 0 otherwise.
ulong[][] a = SikeUtilities.InitArray(2, engine.param.NWORDS_FIELD),
@@ -1298,7 +1297,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Sike
// Encoding digits to bytes according to endianness
- protected internal void encode_to_bytes(ulong[] x, byte[] enc, uint encOffset, uint nbytes)
+ internal void encode_to_bytes(ulong[] x, byte[] enc, uint encOffset, uint nbytes)
{
byte[] test = new byte[((nbytes*4+7)&~7)];
Pack.UInt64_To_LE(x, test, 0);
@@ -1306,7 +1305,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Sike
}
// Decoding bytes to digits according to endianness
- protected internal void decode_to_digits(byte[] x, uint xOffset, ulong[] dec, uint nbytes, uint ndigits)
+ internal void decode_to_digits(byte[] x, uint xOffset, ulong[] dec, uint nbytes, uint ndigits)
{
// x -> dec
dec[ndigits - 1] = 0;
@@ -1317,7 +1316,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Sike
}
// r = a - b*i where v = a + b*i
- protected internal void fp2_conj(ulong[][] v, ulong[][] r)
+ internal void fp2_conj(ulong[][] v, ulong[][] r)
{
fpcopy(v[0], 0, r[0]);
fpcopy(v[1], 0, r[1]);
@@ -1368,28 +1367,28 @@ namespace Org.BouncyCastle.Pqc.Crypto.Sike
}
// Copy a GF(p^2) element, c = a.
- protected internal void fp2copy(ulong[][] a, ulong[][] c)
+ internal void fp2copy(ulong[][] a, ulong[][] c)
{
fpcopy(a[0], 0, c[0]);
fpcopy(a[1], 0, c[1]);
}
// Copy a GF(p^2) element, c = a.
- protected internal void fp2copy(ulong[][] a, uint aOffset, ulong[][] c)
+ internal void fp2copy(ulong[][] a, uint aOffset, ulong[][] c)
{
fpcopy(a[0 + aOffset], 0, c[0]);
fpcopy(a[1 + aOffset], 0, c[1]);
}
// Copy a GF(p^2) element, c = a.
- protected internal void fp2copy(ulong[] a, uint aOffset, ulong[][] c)
+ internal void fp2copy(ulong[] a, uint aOffset, ulong[][] c)
{
fpcopy(a, aOffset, c[0]);
fpcopy(a, aOffset + engine.param.NWORDS_FIELD, c[1]);
}
// Zero a field element, a = 0.
- protected internal void fpzero(ulong[] a)
+ internal void fpzero(ulong[] a)
{
uint i;
@@ -1400,7 +1399,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Sike
}
// GF(p^2) subtraction with correction with 2*p, c = a-b+2p in GF(p^2).
- protected internal void mp2_sub_p2(ulong[][] a, ulong[][] b, ulong[][] c)
+ internal void mp2_sub_p2(ulong[][] a, ulong[][] b, ulong[][] c)
{
//todo/org : make fp class and change this to generic mp_sub_p2
mp_subPRIME_p2(a[0], b[0], c[0]);
@@ -1408,7 +1407,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Sike
}
// Multiprecision comba multiply, c = a*b, where lng(a) = lng(b) = nwords.
- protected internal void mp_mul(ulong[] a, ulong[] b, ulong[] c, uint nwords)
+ internal void mp_mul(ulong[] a, ulong[] b, ulong[] c, uint nwords)
{
ulong i, j;
ulong t = 0, u = 0, v = 0;
@@ -1461,7 +1460,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Sike
}
// Multiprecision comba multiply, c = a*b, where lng(a) = lng(b) = nwords.
- protected internal void mp_mul(ulong[] a, uint aOffset, ulong[] b, ulong[] c, uint nwords)
+ internal void mp_mul(ulong[] a, uint aOffset, ulong[] b, ulong[] c, uint nwords)
{
ulong i, j;
ulong t = 0, u = 0, v = 0;
@@ -1516,7 +1515,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Sike
// GF(p^2) multiplication using Montgomery arithmetic, c = a*b in GF(p^2).
// Inputs: a = a0+a1*i and b = b0+b1*i, where a0, a1, b0, b1 are in [0, 2*p-1]
// Output: c = c0+c1*i, where c0, c1 are in [0, 2*p-1]
- protected internal void fp2mul_mont(ulong[][] a, ulong[][] b, ulong[][] c)
+ internal void fp2mul_mont(ulong[][] a, ulong[][] b, ulong[][] c)
{
ulong[] t1 = new ulong[engine.param.NWORDS_FIELD],
t2 = new ulong[engine.param.NWORDS_FIELD];
@@ -1535,7 +1534,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Sike
rdc_mont(tt1, c[0]); // c[0] = a0*b0 - a1*b1
}
- protected internal void fp2mul_mont(ulong[][] a, ulong[][] b, uint bOffset, ulong[][] c)
+ internal void fp2mul_mont(ulong[][] a, ulong[][] b, uint bOffset, ulong[][] c)
{
// System.out.pruint("b: ");
@@ -1559,7 +1558,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Sike
rdc_mont(tt1, c[0]); // c[0] = a0*b0 - a1*b1
}
- protected internal void fp2mul_mont(ulong[][] a, ulong[] b, uint bOffset, ulong[][] c)
+ internal void fp2mul_mont(ulong[][] a, ulong[] b, uint bOffset, ulong[][] c)
{
ulong[] t1 = new ulong[engine.param.NWORDS_FIELD],
t2 = new ulong[engine.param.NWORDS_FIELD];
@@ -1587,7 +1586,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Sike
}
// Multiprecision subtraction, c = a-b, where lng(a) = lng(b) = nwords. Returns the borrow bit.
- protected internal ulong mp_sub(ulong[] a, ulong[] b, ulong[] c, uint nwords)
+ internal ulong mp_sub(ulong[] a, ulong[] b, ulong[] c, uint nwords)
{
ulong i, borrow = 0;
@@ -1606,7 +1605,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Sike
// Is x < y? return 1 (TRUE) if condition is true, 0 (FALSE) otherwise.
// SECURITY NOTE: This function does not run in constant-time.
- protected internal bool is_orderelm_lt(ulong[] x, ulong[] y)
+ internal bool is_orderelm_lt(ulong[] x, ulong[] y)
{
for (int i = (int)engine.param.NWORDS_ORDER-1; i >= 0; i--)
{
@@ -1637,7 +1636,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Sike
}
// Multiprecision squaring, c = a^2 mod p.
- protected internal void fpsqr_mont(ulong[] ma, ulong[] mc)
+ internal void fpsqr_mont(ulong[] ma, ulong[] mc)
{
ulong[] temp = new ulong[2*engine.param.NWORDS_FIELD];
@@ -1658,7 +1657,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Sike
}
// GF(p^2) inversion using Montgomery arithmetic, a = (a0-i*a1)/(a0^2+a1^2).
- protected internal void fp2inv_mont(ulong[][] a)
+ internal void fp2inv_mont(ulong[][] a)
{
ulong[][] t1 = SikeUtilities.InitArray(2, engine.param.NWORDS_FIELD);
@@ -1673,7 +1672,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Sike
// Computes a = 3*a
// The input is assumed to be OBOB_BITS-2 bits ulong and stored in SECRETKEY_B_BYTES
- protected internal void mul3(byte[] a)
+ internal void mul3(byte[] a)
{
ulong[] temp1 = new ulong[engine.param.NWORDS_ORDER],
temp2 = new ulong[engine.param.NWORDS_ORDER];
@@ -1686,7 +1685,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Sike
// Compare two byte arrays in constant time.
// Returns 0 if the byte arrays are equal, -1 otherwise.
- protected internal byte ct_compare(byte[] a, byte[] b, uint len)
+ internal byte ct_compare(byte[] a, byte[] b, uint len)
{
byte r = 0;
@@ -1699,7 +1698,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Sike
// Conditional move in constant time.
// If selector = -1 then load r with a, else if selector = 0 then keep r.
- protected internal void ct_cmov(byte[] r, byte[] a, uint len, byte selector)
+ internal void ct_cmov(byte[] r, byte[] a, uint len, byte selector)
{
for (uint i = 0; i < len; i++)
{
@@ -1708,7 +1707,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Sike
}
// Copy wordsize digits, c = a, where lng(a) = nwords.
- protected internal void copy_words(ulong[] a, ulong[] c, uint nwords)
+ internal void copy_words(ulong[] a, ulong[] c, uint nwords)
{
uint i;
for (i = 0; i < nwords; i++)
@@ -1718,7 +1717,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Sike
}
// c = (2^k)*a
- protected internal void fp2shl(ulong[][] a, uint k, ulong[][] c)
+ internal void fp2shl(ulong[][] a, uint k, ulong[][] c)
{
fp2copy(a, c);
for (uint j = 0; j < k; j++)
@@ -1728,7 +1727,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Sike
}
// Copy wordsize digits, c = a, where lng(a) = nwords.
- protected internal void copy_words(PointProj a, PointProj c)
+ internal void copy_words(PointProj a, PointProj c)
{
uint i;
for (i = 0; i < engine.param.NWORDS_FIELD; i++)
@@ -1759,7 +1758,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Sike
// GF(p^2) addition, c = a+b in GF(p^2).
- protected internal void fp2add(ulong[][] a, ulong[][] b, ulong[][] c)
+ internal void fp2add(ulong[][] a, ulong[][] b, ulong[][] c)
{
//todo/org : make fp class and change this to generic function
fpaddPRIME(a[0], b[0], c[0]);
@@ -1767,7 +1766,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Sike
}
// GF(p^2) subtraction, c = a-b in GF(p^2).
- protected internal void fp2sub(ulong[][] a, ulong[][] b, ulong[][] c)
+ internal void fp2sub(ulong[][] a, ulong[][] b, ulong[][] c)
{
//todo/org : make fp class and change this to generic function
fpsubPRIME(a[0], b[0], c[0]);
@@ -1783,7 +1782,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Sike
}
// Multiprecision multiplication, c = a*b mod p.
- protected internal void fpmul_mont(ulong[] ma, ulong[] mb, ulong[] mc)
+ internal void fpmul_mont(ulong[] ma, ulong[] mb, ulong[] mc)
{
ulong[] temp = new ulong[2*engine.param.NWORDS_FIELD];
@@ -1792,7 +1791,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Sike
}
// Multiprecision multiplication, c = a*b mod p.
- protected internal void fpmul_mont(ulong[] ma, uint maOffset, ulong[] mb, ulong[] mc)
+ internal void fpmul_mont(ulong[] ma, uint maOffset, ulong[] mb, ulong[] mc)
{
ulong[] temp = new ulong[2*engine.param.NWORDS_FIELD];
@@ -2233,5 +2232,4 @@ namespace Org.BouncyCastle.Pqc.Crypto.Sike
}
}
}
-
- }
\ No newline at end of file
+}
diff --git a/crypto/src/pqc/crypto/sike/Isogeny.cs b/crypto/src/pqc/crypto/sike/Isogeny.cs
index 2d0ef1473..be9e3ba4d 100644
--- a/crypto/src/pqc/crypto/sike/Isogeny.cs
+++ b/crypto/src/pqc/crypto/sike/Isogeny.cs
@@ -12,7 +12,7 @@ internal sealed class Isogeny
// Doubling of a Montgomery point in projective coordinates (X:Z) over affine curve coefficient A.
// Input: projective Montgomery x-coordinates P = (X1:Z1), where x1=X1/Z1 and Montgomery curve constants (A+2)/4.
// Output: projective Montgomery x-coordinates Q = 2*P = (X2:Z2).
- protected internal void Double(PointProj P, PointProj Q, ulong[][] A24, uint k)
+ internal void Double(PointProj P, PointProj Q, ulong[][] A24, uint k)
{
ulong[][] temp = SikeUtilities.InitArray(2, engine.param.NWORDS_FIELD),
a = SikeUtilities.InitArray(2, engine.param.NWORDS_FIELD),
@@ -37,7 +37,7 @@ internal sealed class Isogeny
}
}
- protected internal void CompleteMPoint(ulong[][] A, PointProj P, PointProjFull R)
+ internal void CompleteMPoint(ulong[][] A, PointProj P, PointProjFull R)
{ // Given an xz-only representation on a montgomery curve, compute its affine representation
ulong[][] zero = SikeUtilities.InitArray(2, engine.param.NWORDS_FIELD),
one = SikeUtilities.InitArray(2, engine.param.NWORDS_FIELD),
@@ -81,10 +81,9 @@ internal sealed class Isogeny
internal void Ladder(PointProj P, ulong[] m, ulong[][] A, uint order_bits, PointProj R)
{
- PointProj R0 = new PointProj(engine.param.NWORDS_FIELD),
- R1 = new PointProj(engine.param.NWORDS_FIELD);
+ var R0 = new PointProj(engine.param.NWORDS_FIELD);
+ var R1 = new PointProj(engine.param.NWORDS_FIELD);
ulong[][] A24 = SikeUtilities.InitArray(2, engine.param.NWORDS_FIELD);
- uint bit = 0;
ulong mask;
int j, swap, prevbit = 0;
@@ -96,7 +95,7 @@ internal sealed class Isogeny
engine.fpx.fp2div2(A24, A24); // A24 = (A+2)/4
j = (int)order_bits - 1;
- bit = (uint) ((m[j >> (int)Internal.LOG2RADIX] >> (int)(j & (Internal.RADIX-1))) & 1);
+ uint bit = (uint) ((m[j >> (int)Internal.LOG2RADIX] >> (int)(j & (Internal.RADIX-1))) & 1);
while (bit == 0)
{
j--;
@@ -106,7 +105,7 @@ internal sealed class Isogeny
// R0 <- P, R1 <- 2P
engine.fpx.fp2copy(P.X, R0.X);
engine.fpx.fp2copy(P.Z, R0.Z);
- xDBL_e(P, R1, A24, 1);
+ XDblE(P, R1, A24, 1);
// Main loop
for (int i = (int)j - 1; i >= 0; i--)
@@ -116,12 +115,12 @@ internal sealed class Isogeny
prevbit = (int) bit;
mask = (ulong) (0 - swap);
- swap_points(R0, R1, mask);
- xDBLADD_proj(R0, R1, P.X, P.Z, A24);
+ SwapPoints(R0, R1, mask);
+ XDblAddProj(R0, R1, P.X, P.Z, A24);
}
swap = 0 ^ prevbit;
mask = (ulong) (0 - swap);
- swap_points(R0, R1, mask);
+ SwapPoints(R0, R1, mask);
engine.fpx.fp2copy(R0.X, R.X);
engine.fpx.fp2copy(R0.Z, R.Z);
@@ -130,7 +129,7 @@ internal sealed class Isogeny
// Simultaneous doubling and differential addition.
// Input: projective Montgomery points P=(XP:ZP) and Q=(XQ:ZQ) such that xP=XP/ZP and xQ=XQ/ZQ, affine difference xPQ=x(P-Q) and Montgomery curve constant A24=(A+2)/4.
// Output: projective Montgomery points P <- 2*P = (X2P:Z2P) such that x(2P)=X2P/Z2P, and Q <- P+Q = (XQP:ZQP) such that = x(Q+P)=XQP/ZQP.
- private void xDBLADD_proj(PointProj P, PointProj Q, ulong[][] XPQ, ulong[][] ZPQ, ulong[][] A24)
+ private void XDblAddProj(PointProj P, PointProj Q, ulong[][] XPQ, ulong[][] ZPQ, ulong[][] A24)
{
ulong[][] t0 = SikeUtilities.InitArray(2, engine.param.NWORDS_FIELD),
t1 = SikeUtilities.InitArray(2, engine.param.NWORDS_FIELD),
@@ -162,7 +161,7 @@ internal sealed class Isogeny
// Doubling of a Montgomery point in projective coordinates (X:Z) over affine curve coefficient A.
// Input: projective Montgomery x-coordinates P = (X1:Z1), where x1=X1/Z1 and Montgomery curve constants (A+2)/4.
// Output: projective Montgomery x-coordinates Q = 2*P = (X2:Z2).
- private void xDBL_e(PointProj P, PointProj Q, ulong[][] A24, int e)
+ private void XDblE(PointProj P, PointProj Q, ulong[][] A24, int e)
{
ulong[][] temp = SikeUtilities.InitArray(2, engine.param.NWORDS_FIELD),
a = SikeUtilities.InitArray(2, engine.param.NWORDS_FIELD),
@@ -192,14 +191,14 @@ internal sealed class Isogeny
// Computes [3^e](X:Z) on Montgomery curve with projective constant via e repeated triplings. e triplings in E costs k*(5M + 6S + 9A)
// Input: projective Montgomery x-coordinates P = (X:Z), where x=X/Z, Montgomery curve constant A2 = A/2 and the number of triplings e.
// Output: projective Montgomery x-coordinates Q <- [3^e]P.
- internal void xTPLe_fast(PointProj P, PointProj Q, ulong[][] A2, uint e)
+ internal void XTplEFast(PointProj P, PointProj Q, ulong[][] A2, uint e)
{
- PointProj T = new PointProj(engine.param.NWORDS_FIELD);
+ var T = new PointProj(engine.param.NWORDS_FIELD);
engine.fpx.copy_words(P, T);
for (int j = 0; j < e; j++)
{
- xTPL_fast(T, T, A2);
+ XTplFast(T, T, A2);
}
engine.fpx.copy_words(T, Q);
}
@@ -207,7 +206,7 @@ internal sealed class Isogeny
// Montgomery curve (E: y^2 = x^3 + A*x^2 + x) x-only tripling at a cost 5M + 6S + 9A = 27p + 61a.
// Input : projective Montgomery x-coordinates P = (X:Z), where x=X/Z and Montgomery curve constant A/2.
// Output: projective Montgomery x-coordinates Q = 3*P = (X3:Z3).
- private void xTPL_fast(PointProj P, PointProj Q, ulong[][] A2)
+ private void XTplFast(PointProj P, PointProj Q, ulong[][] A2)
{
ulong[][] t1 = SikeUtilities.InitArray(2, engine.param.NWORDS_FIELD),
t2 = SikeUtilities.InitArray(2, engine.param.NWORDS_FIELD),
@@ -238,10 +237,10 @@ internal sealed class Isogeny
}
- protected internal void LADDER3PT(ulong[][] xP, ulong[][] xQ, ulong[][] xPQ, ulong[] m, uint AliceOrBob, PointProj R, ulong[][] A)
+ internal void LADDER3PT(ulong[][] xP, ulong[][] xQ, ulong[][] xPQ, ulong[] m, uint AliceOrBob, PointProj R, ulong[][] A)
{
- PointProj R0 = new PointProj(engine.param.NWORDS_FIELD),
- R2 = new PointProj(engine.param.NWORDS_FIELD);
+ var R0 = new PointProj(engine.param.NWORDS_FIELD);
+ var R2 = new PointProj(engine.param.NWORDS_FIELD);
ulong[][] A24 = SikeUtilities.InitArray(2, engine.param.NWORDS_FIELD);
ulong mask;
uint i, nbits, bit, swap, prevbit = 0;
@@ -277,17 +276,17 @@ internal sealed class Isogeny
swap = bit ^ prevbit;
prevbit = bit;
mask = 0 - (ulong) swap;
- swap_points(R, R2, mask);
- xDBLADD(R0, R2, R.X, A24);
+ SwapPoints(R, R2, mask);
+ XDblAdd(R0, R2, R.X, A24);
engine.fpx.fp2mul_mont(R2.X, R.Z, R2.X);
}
swap = 0 ^ prevbit;
mask = 0 - (ulong)swap;
- swap_points(R, R2, mask);
+ SwapPoints(R, R2, mask);
}
// Complete point on A = 0 curve
- protected internal void CompletePoint(PointProj P, PointProjFull R)
+ internal void CompletePoint(PointProj P, PointProjFull R)
{
ulong[][] xz = SikeUtilities.InitArray(2, engine.param.NWORDS_FIELD),
s2 = SikeUtilities.InitArray(2, engine.param.NWORDS_FIELD),
@@ -318,13 +317,11 @@ internal sealed class Isogeny
// Swap points.
// If option = 0 then P <- P and Q <- Q, else if option = 0xFF...FF then P <- Q and Q <- P
- protected internal void swap_points(PointProj P, PointProj Q, ulong option)
+ internal void SwapPoints(PointProj P, PointProj Q, ulong option)
{
//todo/org : put this in the PointProj class
ulong temp;
- int i;
-
- for (i = 0; i < engine.param.NWORDS_FIELD; i++)
+ for (int i = 0; i < engine.param.NWORDS_FIELD; i++)
{
temp = option & (P.X[0][i] ^ Q.X[0][i]);
P.X[0][i] = temp ^ P.X[0][i];
@@ -344,7 +341,7 @@ internal sealed class Isogeny
// Simultaneous doubling and differential addition.
// Input: projective Montgomery points P=(XP:ZP) and Q=(XQ:ZQ) such that xP=XP/ZP and xQ=XQ/ZQ, affine difference xPQ=x(P-Q) and Montgomery curve constant A24=(A+2)/4.
// Output: projective Montgomery points P <- 2*P = (X2P:Z2P) such that x(2P)=X2P/Z2P, and Q <- P+Q = (XQP:ZQP) such that = x(Q+P)=XQP/ZQP.
- protected internal void xDBLADD(PointProj P, PointProj Q, ulong[][] xPQ, ulong[][] A24)
+ internal void XDblAdd(PointProj P, PointProj Q, ulong[][] xPQ, ulong[][] A24)
{
ulong[][] t0 = SikeUtilities.InitArray(2, engine.param.NWORDS_FIELD),
t1 = SikeUtilities.InitArray(2, engine.param.NWORDS_FIELD),
@@ -373,21 +370,21 @@ internal sealed class Isogeny
// Computes [2^e](X:Z) on Montgomery curve with projective constant via e repeated doublings.
// Input: projective Montgomery x-coordinates P = (XP:ZP), such that xP=XP/ZP and Montgomery curve constants A+2C and 4C.
// Output: projective Montgomery x-coordinates Q <- (2^e)*P.
- protected internal void xDBLe(PointProj P, PointProj Q, ulong[][] A24plus, ulong[][] C24, uint e)
+ internal void XDblE(PointProj P, PointProj Q, ulong[][] A24plus, ulong[][] C24, uint e)
{
int i;
engine.fpx.copy_words(P, Q);
for (i = 0; i < e; i++)
{
- xDBL(Q, Q, A24plus, C24);
+ XDbl(Q, Q, A24plus, C24);
}
}
// Doubling of a Montgomery point in projective coordinates (X:Z).
// Input: projective Montgomery x-coordinates P = (X1:Z1), where x1=X1/Z1 and Montgomery curve constants A+2C and 4C.
// Output: projective Montgomery x-coordinates Q = 2*P = (X2:Z2).
- protected void xDBL(PointProj P, PointProj Q, ulong[][] A24plus, ulong[][] C24)
+ internal void XDbl(PointProj P, PointProj Q, ulong[][] A24plus, ulong[][] C24)
{
ulong[][] t0 = SikeUtilities.InitArray(2, engine.param.NWORDS_FIELD),
t1 = SikeUtilities.InitArray(2, engine.param.NWORDS_FIELD);
@@ -407,7 +404,7 @@ internal sealed class Isogeny
// Tripling of a Montgomery point in projective coordinates (X:Z).
// Input: projective Montgomery x-coordinates P = (X:Z), where x=X/Z and Montgomery curve constants A24plus = A+2C and A24minus = A-2C.
// Output: projective Montgomery x-coordinates Q = 3*P = (X3:Z3).
- private void xTPL(PointProj P, PointProj Q, ulong[][] A24minus, ulong[][] A24plus)
+ private void XTpl(PointProj P, PointProj Q, ulong[][] A24minus, ulong[][] A24plus)
{
ulong[][] t0 = SikeUtilities.InitArray(2, engine.param.NWORDS_FIELD),
t1 = SikeUtilities.InitArray(2, engine.param.NWORDS_FIELD),
@@ -444,20 +441,20 @@ internal sealed class Isogeny
// Computes [3^e](X:Z) on Montgomery curve with projective constant via e repeated triplings.
// Input: projective Montgomery x-coordinates P = (XP:ZP), such that xP=XP/ZP and Montgomery curve constants A24plus = A+2C and A24minus = A-2C.
// Output: projective Montgomery x-coordinates Q <- (3^e)*P.
- protected internal void xTPLe(PointProj P, PointProj Q, ulong[][] A24minus, ulong[][] A24plus, uint e)
+ internal void XTplE(PointProj P, PointProj Q, ulong[][] A24minus, ulong[][] A24plus, uint e)
{
int i;
engine.fpx.copy_words(P, Q);
for (i = 0; i < e; i++)
{
- xTPL(Q, Q, A24minus, A24plus);
+ XTpl(Q, Q, A24minus, A24plus);
}
}
// Given the x-coordinates of P, Q, and R, returns the value A corresponding to the Montgomery curve E_A: y^2=x^3+A*x^2+x such that R=Q-P on E_A.
// Input: the x-coordinates xP, xQ, and xR of the points P, Q and R.
// Output: the coefficient A corresponding to the curve E_A: y^2=x^3+A*x^2+x.
- protected internal void get_A(ulong[][] xP, ulong[][] xQ, ulong[][] xR, ulong[][] A)
+ internal void GetA(ulong[][] xP, ulong[][] xQ, ulong[][] xR, ulong[][] A)
{
ulong[][] t0 = SikeUtilities.InitArray(2, engine.param.NWORDS_FIELD),
t1 = SikeUtilities.InitArray(2, engine.param.NWORDS_FIELD),
@@ -482,7 +479,7 @@ internal sealed class Isogeny
// Computes the j-invariant of a Montgomery curve with projective constant.
// Input: A,C in GF(p^2).
// Output: j=256*(A^2-3*C^2)^3/(C^4*(A^2-4*C^2)), which is the j-invariant of the Montgomery curve B*y^2=x^3+(A/C)*x^2+x or (equivalently) j-invariant of B'*y^2=C*x^3+A*x^2+C*x.
- protected internal void j_inv(ulong[][] A, ulong[][] C, ulong[][] jinv)
+ internal void JInv(ulong[][] A, ulong[][] C, ulong[][] jinv)
{
ulong[][] t0 = SikeUtilities.InitArray(2, engine.param.NWORDS_FIELD),
t1 = SikeUtilities.InitArray(2, engine.param.NWORDS_FIELD);
@@ -510,7 +507,7 @@ internal sealed class Isogeny
// Computes the corresponding 3-isogeny of a projective Montgomery point (X3:Z3) of order 3.
// Input: projective point of order three P = (X3:Z3).
// Output: the 3-isogenous Montgomery curve with projective coefficient A/C.
- protected internal void get_3_isog(PointProj P, ulong[][] A24minus, ulong[][] A24plus, ulong[][][] coeff)
+ internal void Get3Isog(PointProj P, ulong[][] A24minus, ulong[][] A24plus, ulong[][][] coeff)
{
ulong[][] t0 = SikeUtilities.InitArray(2, engine.param.NWORDS_FIELD),
t1 = SikeUtilities.InitArray(2, engine.param.NWORDS_FIELD),
@@ -540,7 +537,7 @@ internal sealed class Isogeny
// a point P with 2 coefficients in coeff (computed in the function get_3_Isog()).
// Inputs: projective points P = (X3:Z3) and Q = (X:Z).
// Output: the projective point Q <- phi(Q) = (X3:Z3).
- protected internal void eval_3_isog(PointProj Q, ulong[][][] coeff)
+ internal void Eval3Isog(PointProj Q, ulong[][][] coeff)
{
ulong[][] t0 = SikeUtilities.InitArray(2, engine.param.NWORDS_FIELD),
t1 = SikeUtilities.InitArray(2, engine.param.NWORDS_FIELD),
@@ -561,7 +558,7 @@ internal sealed class Isogeny
// 3-way simultaneous inversion
// Input: z1,z2,z3
// Output: 1/z1,1/z2,1/z3 (override inputs).
- protected internal void inv_3_way(ulong[][] z1, ulong[][] z2, ulong[][] z3)
+ internal void Inv3Way(ulong[][] z1, ulong[][] z2, ulong[][] z3)
{
ulong[][] t0 = SikeUtilities.InitArray(2, engine.param.NWORDS_FIELD),
t1 = SikeUtilities.InitArray(2, engine.param.NWORDS_FIELD),
@@ -581,7 +578,7 @@ internal sealed class Isogeny
// Computes the corresponding 2-isogeny of a projective Montgomery point (X2:Z2) of order 2.
// Input: projective point of order two P = (X2:Z2).
// Output: the 2-isogenous Montgomery curve with projective coefficients A/C.
- protected internal void get_2_isog(PointProj P, ulong[][] A, ulong[][] C)
+ internal void Get2Isog(PointProj P, ulong[][] A, ulong[][] C)
{
engine.fpx.fp2sqr_mont(P.X, A); // A = X2^2
engine.fpx.fp2sqr_mont(P.Z, C); // C = Z2^2
@@ -591,7 +588,7 @@ internal sealed class Isogeny
// Evaluates the isogeny at the point (X:Z) in the domain of the isogeny, given a 2-isogeny phi.
// Inputs: the projective point P = (X:Z) and the 2-isogeny kernel projetive point Q = (X2:Z2).
// Output: the projective point P = phi(P) = (X:Z) in the codomain.
- protected internal void eval_2_isog(PointProj P, PointProj Q)
+ internal void Eval2Isog(PointProj P, PointProj Q)
{
ulong[][] t0 = SikeUtilities.InitArray(2, engine.param.NWORDS_FIELD),
t1 = SikeUtilities.InitArray(2, engine.param.NWORDS_FIELD),
@@ -614,7 +611,7 @@ internal sealed class Isogeny
// Input: projective point of order four P = (X4:Z4).
// Output: the 4-isogenous Montgomery curve with projective coefficients A+2C/4C and the 3 coefficients
// that are used to evaluate the isogeny at a point in eval_4_Isog().
- protected internal void get_4_isog(PointProj P, ulong[][] A24plus, ulong[][] C24, ulong[][][] coeff)
+ internal void Get4Isog(PointProj P, ulong[][] A24plus, ulong[][] C24, ulong[][][] coeff)
{
engine.fpx.mp2_sub_p2(P.X, P.Z, coeff[1]); // coeff[1] = X4-Z4
engine.fpx.mp2_add(P.X, P.Z, coeff[2]); // coeff[2] = X4+Z4
@@ -631,7 +628,7 @@ internal sealed class Isogeny
// by the 3 coefficients in coeff (computed in the function get_4_Isog()).
// Inputs: the coefficients defining the isogeny, and the projective point P = (X:Z).
// Output: the projective point P = phi(P) = (X:Z) in the codomain.
- protected internal void eval_4_isog(PointProj P, ulong[][][] coeff)
+ internal void Eval4Isog(PointProj P, ulong[][][] coeff)
{
ulong[][] t0 = SikeUtilities.InitArray(2, engine.param.NWORDS_FIELD),
t1 = SikeUtilities.InitArray(2, engine.param.NWORDS_FIELD);
@@ -651,9 +648,5 @@ internal sealed class Isogeny
engine.fpx.fp2mul_mont(P.X, t1, P.X); // Xfinal
engine.fpx.fp2mul_mont(P.Z, t0, P.Z); // Zfinal
}
-
-
-
}
-
-}
\ No newline at end of file
+}
diff --git a/crypto/src/pqc/crypto/sike/SIDH.cs b/crypto/src/pqc/crypto/sike/SIDH.cs
index ab01a729f..8246291c6 100644
--- a/crypto/src/pqc/crypto/sike/SIDH.cs
+++ b/crypto/src/pqc/crypto/sike/SIDH.cs
@@ -10,7 +10,7 @@ internal sealed class Sidh
}
// Initialization of basis points
- protected void init_basis(ulong[] gen, ulong[][] XP, ulong[][] XQ, ulong[][] XR)
+ internal void init_basis(ulong[] gen, ulong[][] XP, ulong[][] XQ, ulong[][] XR)
{
engine.fpx.fpcopy(gen, 0, XP[0]);
engine.fpx.fpcopy(gen, engine.param.NWORDS_FIELD, XP[1]);
@@ -23,7 +23,7 @@ internal sealed class Sidh
// Bob's ephemeral public key generation
// Input: a private key PrivateKeyB in the range [0, 2^Floor(Log(2,oB)) - 1].
// Output: the public key PublicKeyB consisting of 3 elements in GF(p^2) which are encoded by removing leading 0 bytes.
- protected internal void EphemeralKeyGeneration_B(byte[] sk, byte[] pk)
+ internal void EphemeralKeyGeneration_B(byte[] sk, byte[] pk)
{
PointProj R = new PointProj(engine.param.NWORDS_FIELD),
phiP = new PointProj(engine.param.NWORDS_FIELD),
@@ -71,29 +71,29 @@ internal sealed class Sidh
engine.fpx.fp2copy(R.Z, pts[npts].Z);
pts_index[npts++] = index;
m = engine.param.strat_Bob[ii++];
- engine.isogeny.xTPLe(R, R, A24minus, A24plus, m);
+ engine.isogeny.XTplE(R, R, A24minus, A24plus, m);
index += m;
}
- engine.isogeny.get_3_isog(R, A24minus, A24plus, coeff);
+ engine.isogeny.Get3Isog(R, A24minus, A24plus, coeff);
for (i = 0; i < npts; i++)
{
- engine.isogeny.eval_3_isog(pts[i], coeff);
+ engine.isogeny.Eval3Isog(pts[i], coeff);
}
- engine.isogeny.eval_3_isog(phiP, coeff);
- engine.isogeny.eval_3_isog(phiQ, coeff);
- engine.isogeny.eval_3_isog(phiR, coeff);
+ engine.isogeny.Eval3Isog(phiP, coeff);
+ engine.isogeny.Eval3Isog(phiQ, coeff);
+ engine.isogeny.Eval3Isog(phiR, coeff);
engine.fpx.fp2copy(pts[npts - 1].X, R.X);
engine.fpx.fp2copy(pts[npts - 1].Z, R.Z);
index = pts_index[npts - 1];
npts -= 1;
}
- engine.isogeny.get_3_isog(R, A24minus, A24plus, coeff);
- engine.isogeny.eval_3_isog(phiP, coeff);
- engine.isogeny.eval_3_isog(phiQ, coeff);
- engine.isogeny.eval_3_isog(phiR, coeff);
- engine.isogeny.inv_3_way(phiP.Z, phiQ.Z, phiR.Z);
+ engine.isogeny.Get3Isog(R, A24minus, A24plus, coeff);
+ engine.isogeny.Eval3Isog(phiP, coeff);
+ engine.isogeny.Eval3Isog(phiQ, coeff);
+ engine.isogeny.Eval3Isog(phiR, coeff);
+ engine.isogeny.Inv3Way(phiP.Z, phiQ.Z, phiR.Z);
engine.fpx.fp2mul_mont(phiP.X, phiP.Z, phiP.X);
engine.fpx.fp2mul_mont(phiQ.X, phiQ.Z, phiQ.X);
@@ -108,7 +108,7 @@ internal sealed class Sidh
// Alice's ephemeral public key generation
// Input: a private key PrivateKeyA in the range [0, 2^eA - 1].
// Output: the public key PublicKeyA consisting of 3 elements in GF(p^2) which are encoded by removing leading 0 bytes.
- protected internal void EphemeralKeyGeneration_A(byte[] ephemeralsk, byte[] ct)
+ internal void EphemeralKeyGeneration_A(byte[] ephemeralsk, byte[] ct)
{
PointProj R = new PointProj(engine.param.NWORDS_FIELD),
phiP = new PointProj(engine.param.NWORDS_FIELD),
@@ -149,12 +149,12 @@ internal sealed class Sidh
if (engine.param.OALICE_BITS % 2 == 1)
{
PointProj S = new PointProj(engine.param.NWORDS_FIELD);
- engine.isogeny.xDBLe(R, S, A24plus, C24, (engine.param.OALICE_BITS - 1));
- engine.isogeny.get_2_isog(S, A24plus, C24);
- engine.isogeny.eval_2_isog(phiP, S);
- engine.isogeny.eval_2_isog(phiQ, S);
- engine.isogeny.eval_2_isog(phiR, S);
- engine.isogeny.eval_2_isog(R, S);
+ engine.isogeny.XDblE(R, S, A24plus, C24, (engine.param.OALICE_BITS - 1));
+ engine.isogeny.Get2Isog(S, A24plus, C24);
+ engine.isogeny.Eval2Isog(phiP, S);
+ engine.isogeny.Eval2Isog(phiQ, S);
+ engine.isogeny.Eval2Isog(phiR, S);
+ engine.isogeny.Eval2Isog(R, S);
}
// Traverse tree
@@ -168,18 +168,18 @@ internal sealed class Sidh
engine.fpx.fp2copy(R.Z, pts[npts].Z);
pts_index[npts++] = index;
m = engine.param.strat_Alice[ii++];
- engine.isogeny.xDBLe(R, R, A24plus, C24, 2*m);
+ engine.isogeny.XDblE(R, R, A24plus, C24, 2*m);
index += m;
}
- engine.isogeny.get_4_isog(R, A24plus, C24, coeff);
+ engine.isogeny.Get4Isog(R, A24plus, C24, coeff);
for (i = 0; i < npts; i++)
{
- engine.isogeny.eval_4_isog(pts[i], coeff);
+ engine.isogeny.Eval4Isog(pts[i], coeff);
}
- engine.isogeny.eval_4_isog(phiP, coeff);
- engine.isogeny.eval_4_isog(phiQ, coeff);
- engine.isogeny.eval_4_isog(phiR, coeff);
+ engine.isogeny.Eval4Isog(phiP, coeff);
+ engine.isogeny.Eval4Isog(phiQ, coeff);
+ engine.isogeny.Eval4Isog(phiR, coeff);
engine.fpx.fp2copy(pts[npts-1].X, R.X);
engine.fpx.fp2copy(pts[npts-1].Z, R.Z);
@@ -187,12 +187,12 @@ internal sealed class Sidh
npts -= 1;
}
- engine.isogeny.get_4_isog(R, A24plus, C24, coeff);
- engine.isogeny.eval_4_isog(phiP, coeff);
- engine.isogeny.eval_4_isog(phiQ, coeff);
- engine.isogeny.eval_4_isog(phiR, coeff);
+ engine.isogeny.Get4Isog(R, A24plus, C24, coeff);
+ engine.isogeny.Eval4Isog(phiP, coeff);
+ engine.isogeny.Eval4Isog(phiQ, coeff);
+ engine.isogeny.Eval4Isog(phiR, coeff);
- engine.isogeny.inv_3_way(phiP.Z, phiQ.Z, phiR.Z);
+ engine.isogeny.Inv3Way(phiP.Z, phiQ.Z, phiR.Z);
engine.fpx.fp2mul_mont(phiP.X, phiP.Z, phiP.X);
engine.fpx.fp2mul_mont(phiQ.X, phiQ.Z, phiQ.X);
engine.fpx.fp2mul_mont(phiR.X, phiR.Z, phiR.X);
@@ -209,7 +209,7 @@ internal sealed class Sidh
// Inputs: Alice's PrivateKeyA is an integer in the range [0, oA-1].
// Bob's PublicKeyB consists of 3 elements in GF(p^2) encoded by removing leading 0 bytes.
// Output: a shared secret SharedSecretA that consists of one element in GF(p^2) encoded by removing leading 0 bytes.
- protected internal void EphemeralSecretAgreement_A(byte[] ephemeralsk, byte[] pk, byte[] jinvariant)
+ internal void EphemeralSecretAgreement_A(byte[] ephemeralsk, byte[] pk, byte[] jinvariant)
{
PointProj R = new PointProj(engine.param.NWORDS_FIELD);
PointProj[] pts = new PointProj[engine.param.MAX_INT_POINTS_ALICE];
@@ -230,7 +230,7 @@ internal sealed class Sidh
engine.fpx.fp2_decode(pk, PKB[2], 2*engine.param.FP2_ENCODED_BYTES);
// Initialize constants: A24plus = A+2C, C24 = 4C, where C=1
- engine.isogeny.get_A(PKB[0], PKB[1], PKB[2], A);
+ engine.isogeny.GetA(PKB[0], PKB[1], PKB[2], A);
engine.fpx.mp_add(engine.param.Montgomery_one, engine.param.Montgomery_one, C24[0], engine.param.NWORDS_FIELD);
engine.fpx.mp2_add(A, C24, A24plus);
engine.fpx.mp_add(C24[0], C24[0], C24[0], engine.param.NWORDS_FIELD);
@@ -243,9 +243,9 @@ internal sealed class Sidh
{
PointProj S = new PointProj(engine.param.NWORDS_FIELD);
- engine.isogeny.xDBLe(R, S, A24plus, C24, engine.param.OALICE_BITS - 1);
- engine.isogeny.get_2_isog(S, A24plus, C24);
- engine.isogeny.eval_2_isog(R, S);
+ engine.isogeny.XDblE(R, S, A24plus, C24, engine.param.OALICE_BITS - 1);
+ engine.isogeny.Get2Isog(S, A24plus, C24);
+ engine.isogeny.Eval2Isog(R, S);
}
// Traverse tree
@@ -259,14 +259,14 @@ internal sealed class Sidh
engine.fpx.fp2copy(R.Z, pts[npts].Z);
pts_index[npts++] = index;
m = engine.param.strat_Alice[ii++];
- engine.isogeny.xDBLe(R, R, A24plus, C24, 2*m);
+ engine.isogeny.XDblE(R, R, A24plus, C24, 2*m);
index += m;
}
- engine.isogeny.get_4_isog(R, A24plus, C24, coeff);
+ engine.isogeny.Get4Isog(R, A24plus, C24, coeff);
for (i = 0; i < npts; i++)
{
- engine.isogeny.eval_4_isog(pts[i], coeff);
+ engine.isogeny.Eval4Isog(pts[i], coeff);
}
engine.fpx.fp2copy(pts[npts-1].X, R.X);
@@ -275,11 +275,11 @@ internal sealed class Sidh
npts -= 1;
}
- engine.isogeny.get_4_isog(R, A24plus, C24, coeff);
+ engine.isogeny.Get4Isog(R, A24plus, C24, coeff);
engine.fpx.mp2_add(A24plus, A24plus, A24plus);
engine.fpx.fp2sub(A24plus, C24, A24plus);
engine.fpx.fp2add(A24plus, A24plus, A24plus);
- engine.isogeny.j_inv(A24plus, C24, jinv);
+ engine.isogeny.JInv(A24plus, C24, jinv);
engine.fpx.fp2_encode(jinv, jinvariant, 0); // Format shared secret
}
@@ -288,7 +288,7 @@ internal sealed class Sidh
// Inputs: Bob's PrivateKeyB is an integer in the range [0, 2^Floor(Log(2,oB)) - 1].
// Alice's PublicKeyA consists of 3 elements in GF(p^2) encoded by removing leading 0 bytes.
// Output: a shared secret SharedSecretB that consists of one element in GF(p^2) encoded by removing leading 0 bytes.
- protected internal void EphemeralSecretAgreement_B(byte[] sk, byte[] ct, byte[] jinvariant_)
+ internal void EphemeralSecretAgreement_B(byte[] sk, byte[] ct, byte[] jinvariant_)
{
PointProj R = new PointProj(engine.param.NWORDS_FIELD);
PointProj[] pts = new PointProj[engine.param.MAX_INT_POINTS_BOB];
@@ -309,7 +309,7 @@ internal sealed class Sidh
engine.fpx.fp2_decode(ct, PKB[2], 2*engine.param.FP2_ENCODED_BYTES);
// Initialize constants: A24plus = A+2C, A24minus = A-2C, where C=1
- engine.isogeny.get_A(PKB[0], PKB[1], PKB[2], A);
+ engine.isogeny.GetA(PKB[0], PKB[1], PKB[2], A);
engine.fpx.mp_add(engine.param.Montgomery_one, engine.param.Montgomery_one, A24minus[0], engine.param.NWORDS_FIELD);
engine.fpx.mp2_add(A, A24minus, A24plus);
engine.fpx.mp2_sub_p2(A, A24minus, A24minus);
@@ -329,13 +329,13 @@ internal sealed class Sidh
engine.fpx.fp2copy(R.Z, pts[npts].Z);
pts_index[npts++] = index;
m = engine.param.strat_Bob[ii++];
- engine.isogeny.xTPLe(R, R, A24minus, A24plus, m);
+ engine.isogeny.XTplE(R, R, A24minus, A24plus, m);
index += m;
}
- engine.isogeny.get_3_isog(R, A24minus, A24plus, coeff);
+ engine.isogeny.Get3Isog(R, A24minus, A24plus, coeff);
for (i = 0; i < npts; i++) {
- engine.isogeny.eval_3_isog(pts[i], coeff);
+ engine.isogeny.Eval3Isog(pts[i], coeff);
}
engine.fpx.fp2copy(pts[npts-1].X, R.X);
@@ -344,14 +344,12 @@ internal sealed class Sidh
npts -= 1;
}
- engine.isogeny.get_3_isog(R, A24minus, A24plus, coeff);
+ engine.isogeny.Get3Isog(R, A24minus, A24plus, coeff);
engine.fpx.fp2add(A24plus, A24minus, A);
engine.fpx.fp2add(A, A, A);
engine.fpx.fp2sub(A24plus, A24minus, A24plus);
- engine.isogeny.j_inv(A, A24plus, jinv);
+ engine.isogeny.JInv(A, A24plus, jinv);
engine.fpx.fp2_encode(jinv, jinvariant_, 0); // Format shared secret
}
-
}
-
-}
\ No newline at end of file
+}
diff --git a/crypto/src/pqc/crypto/sike/SIDH_Compressed.cs b/crypto/src/pqc/crypto/sike/SIDH_Compressed.cs
index b849a8aad..cf69d0f82 100644
--- a/crypto/src/pqc/crypto/sike/SIDH_Compressed.cs
+++ b/crypto/src/pqc/crypto/sike/SIDH_Compressed.cs
@@ -14,7 +14,7 @@ internal sealed class SidhCompressed
this.engine = engine;
}
- protected void init_basis(ulong[] gen, ulong[][] XP, ulong[][] XQ, ulong[][] XR)
+ internal void init_basis(ulong[] gen, ulong[][] XP, ulong[][] XQ, ulong[][] XR)
{ // Initialization of basis points
engine.fpx.fpcopy(gen, 0, XP[0]);
@@ -25,8 +25,7 @@ internal sealed class SidhCompressed
engine.fpx.fpcopy(gen, 5*engine.param.NWORDS_FIELD, XR[1]);
}
-
- protected internal void FormatPrivKey_B(byte[] skB)
+ internal void FormatPrivKey_B(byte[] skB)
{
skB[engine.param.SECRETKEY_B_BYTES-2] &= (byte)engine.param.MASK3_BOB;
skB[engine.param.SECRETKEY_B_BYTES-1] &= (byte)engine.param.MASK2_BOB; // Clear necessary bits so that 3*ephemeralsk is still less than Bob_order
@@ -35,7 +34,7 @@ internal sealed class SidhCompressed
// Generation of Alice's secret key
// Outputs random value in [0, 2^eA - 1]
- protected void random_mod_order_A(byte[] random_digits, SecureRandom random)
+ internal void random_mod_order_A(byte[] random_digits, SecureRandom random)
{
byte[] temp = new byte[engine.param.SECRETKEY_A_BYTES];
random.NextBytes(temp);
@@ -46,7 +45,7 @@ internal sealed class SidhCompressed
// Generation of Bob's secret key
// Outputs random value in [0, 2^Floor(Log(2, oB)) - 1]
- protected void random_mod_order_B(byte[] random_digits, SecureRandom random)
+ internal void random_mod_order_B(byte[] random_digits, SecureRandom random)
{
byte[] temp = new byte[engine.param.SECRETKEY_B_BYTES];
random.NextBytes(temp);
@@ -55,7 +54,7 @@ internal sealed class SidhCompressed
}
// Project 3-pouint ladder
- protected void Ladder3pt_dual(PointProj[] Rs, ulong[] m, uint AliceOrBob, PointProj R, ulong[][] A24)
+ internal void Ladder3pt_dual(PointProj[] Rs, ulong[] m, uint AliceOrBob, PointProj R, ulong[][] A24)
{
PointProj R0 = new PointProj(engine.param.NWORDS_FIELD),
R2 = new PointProj(engine.param.NWORDS_FIELD);
@@ -85,18 +84,16 @@ internal sealed class SidhCompressed
prevbit = bit;
mask = 0 - (ulong)swap;
- engine.isogeny.swap_points(R, R2, mask);
- engine.isogeny.xDBLADD(R0, R2, R.X, A24);
+ engine.isogeny.SwapPoints(R, R2, mask);
+ engine.isogeny.XDblAdd(R0, R2, R.X, A24);
engine.fpx.fp2mul_mont(R2.X, R.Z, R2.X);
}
swap = 0 ^ prevbit;
mask = 0 - (ulong)swap;
- engine.isogeny.swap_points(R, R2, mask);
+ engine.isogeny.SwapPoints(R, R2, mask);
}
-
-
- protected void Elligator2(ulong[][] a24, uint[] r, uint rIndex, ulong[][] x, byte[] bit, uint bitOffset, uint COMPorDEC)
+ internal void Elligator2(ulong[][] a24, uint[] r, uint rIndex, ulong[][] x, byte[] bit, uint bitOffset, uint COMPorDEC)
{ // Generate an x-coordinate of a pouint on curve with (affine) coefficient a24
// Use the counter r
uint i;
@@ -189,8 +186,7 @@ internal sealed class SidhCompressed
// {System.out.printf("%016x ", x[di][dj] );}System.out.Println();}
}
-
- protected void make_positive(ulong[][] x)
+ internal void make_positive(ulong[][] x)
{
uint nbytes = engine.param.NWORDS_FIELD;
ulong[] zero = new ulong[engine.param.NWORDS_FIELD];
@@ -213,8 +209,7 @@ internal sealed class SidhCompressed
engine.fpx.to_fp2mont(x, x);
}
-
- protected void BiQuad_affine(ulong[][] a24, ulong[][] x0, ulong[][] x1, PointProj R)
+ internal void BiQuad_affine(ulong[][] a24, ulong[][] x0, ulong[][] x1, PointProj R)
{
ulong[][] Ap2 = SikeUtilities.InitArray(2, engine.param.NWORDS_FIELD),
aa = SikeUtilities.InitArray(2, engine.param.NWORDS_FIELD),
@@ -259,8 +254,7 @@ internal sealed class SidhCompressed
engine.fpx.fp2add(aa, aa, R.Z);
}
-
- protected void get_4_isog_dual(PointProj P, ulong[][] A24, ulong[][] C24, ulong[][][] coeff)
+ internal void get_4_isog_dual(PointProj P, ulong[][] A24, ulong[][] C24, ulong[][][] coeff)
{
engine.fpx.fp2sub(P.X, P.Z, coeff[1]);
engine.fpx.fp2add(P.X, P.Z, coeff[2]);
@@ -275,7 +269,7 @@ internal sealed class SidhCompressed
// if (engine.param.OALICE_BITS % 2 == 1)
- protected void eval_dual_2_isog(ulong[][] X2, ulong[][] Z2, PointProj P)
+ internal void eval_dual_2_isog(ulong[][] X2, ulong[][] Z2, PointProj P)
{
ulong[][] t0 = SikeUtilities.InitArray(2, engine.param.NWORDS_FIELD);
@@ -288,7 +282,7 @@ internal sealed class SidhCompressed
engine.fpx.fp2mul_mont(Z2, t0, P.X);
}
- protected void eval_final_dual_2_isog(PointProj P)
+ internal void eval_final_dual_2_isog(PointProj P)
{
ulong[][] t0 = SikeUtilities.InitArray(2, engine.param.NWORDS_FIELD),
t1 = SikeUtilities.InitArray(2, engine.param.NWORDS_FIELD);
@@ -306,7 +300,7 @@ internal sealed class SidhCompressed
}
- protected void eval_dual_4_isog_shared(ulong[][] X4pZ4, ulong[][] X42, ulong[][] Z42, ulong[][][] coeff, uint coeffOffset)
+ internal void eval_dual_4_isog_shared(ulong[][] X4pZ4, ulong[][] X42, ulong[][] Z42, ulong[][][] coeff, uint coeffOffset)
{
// System.out.print("coeff0: ");
// for (uint di = 0; di < 2; di++){
@@ -340,8 +334,7 @@ internal sealed class SidhCompressed
// System.out.printf("%016x ", coeff[2 + coeffOffset][di][dj]);}System.out.Println();}
}
-
- protected void eval_dual_4_isog(ulong[][] A24, ulong[][] C24, ulong[][][] coeff, uint coeffOffset, PointProj P)
+ internal void eval_dual_4_isog(ulong[][] A24, ulong[][] C24, ulong[][][] coeff, uint coeffOffset, PointProj P)
{
ulong[][] t0 = SikeUtilities.InitArray(2, engine.param.NWORDS_FIELD),
t1 = SikeUtilities.InitArray(2, engine.param.NWORDS_FIELD),
@@ -365,8 +358,7 @@ internal sealed class SidhCompressed
engine.fpx.fp2mul_mont(coeff[2 + coeffOffset], P.Z, P.Z);
}
-
- protected void eval_full_dual_4_isog(ulong[][][][] As, PointProj P)
+ internal void eval_full_dual_4_isog(ulong[][][][] As, PointProj P)
{
//todo : check
// First all 4-isogenies
@@ -384,8 +376,7 @@ internal sealed class SidhCompressed
eval_final_dual_2_isog(P); // to A = 0
}
-
- protected void TripleAndParabola_proj(PointProjFull R, ulong[][] l1x, ulong[][] l1z)
+ internal void TripleAndParabola_proj(PointProjFull R, ulong[][] l1x, ulong[][] l1z)
{
engine.fpx.fp2sqr_mont(R.X, l1z);
engine.fpx.fp2add(l1z, l1z, l1x);
@@ -394,8 +385,7 @@ internal sealed class SidhCompressed
engine.fpx.fp2add(R.Y, R.Y, l1z);
}
-
- protected void Tate3_proj(PointProjFull P, PointProjFull Q, ulong[][] gX, ulong[][] gZ)
+ internal void Tate3_proj(PointProjFull P, PointProjFull Q, ulong[][] gX, ulong[][] gZ)
{
ulong[][] t0 = SikeUtilities.InitArray(2, engine.param.NWORDS_FIELD),
l1x = SikeUtilities.InitArray(2, engine.param.NWORDS_FIELD);
@@ -408,8 +398,7 @@ internal sealed class SidhCompressed
engine.fpx.fp2add(gX, t0, gX);
}
-
- protected void FinalExpo3(ulong[][] gX, ulong[][] gZ)
+ internal void FinalExpo3(ulong[][] gX, ulong[][] gZ)
{
uint i;
@@ -432,8 +421,7 @@ internal sealed class SidhCompressed
}
}
-
- protected void FinalExpo3_2way(ulong[][][] gX, ulong[][][] gZ)
+ internal void FinalExpo3_2way(ulong[][][] gX, ulong[][][] gZ)
{
uint i, j;
@@ -463,7 +451,6 @@ internal sealed class SidhCompressed
}
}
-
private bool FirstPoint_dual(PointProj P, PointProjFull R, byte[] ind)
{
PointProjFull R3 = new PointProjFull(engine.param.NWORDS_FIELD),
@@ -580,7 +567,6 @@ internal sealed class SidhCompressed
return true;
}
-
private bool SecondPoint_dual(PointProj P, PointProjFull R, byte[] ind)
{
PointProjFull RS3 = new PointProjFull(engine.param.NWORDS_FIELD);
@@ -612,8 +598,7 @@ internal sealed class SidhCompressed
}
}
-
- protected void FirstPoint3n(ulong[][] a24, ulong[][][][] As, ulong[][] x, PointProjFull R, uint[] r, byte[] ind, byte[] bitEll)
+ internal void FirstPoint3n(ulong[][] a24, ulong[][][][] As, ulong[][] x, PointProjFull R, uint[] r, byte[] ind, byte[] bitEll)
{
bool b = false;
PointProj P = new PointProj(engine.param.NWORDS_FIELD);
@@ -668,8 +653,7 @@ internal sealed class SidhCompressed
}
}
-
- protected void SecondPoint3n(ulong[][] a24, ulong[][][][] As, ulong[][] x, PointProjFull R, uint[] r, byte[] ind, byte[] bitEll)
+ internal void SecondPoint3n(ulong[][] a24, ulong[][][][] As, ulong[][] x, PointProjFull R, uint[] r, byte[] ind, byte[] bitEll)
{
bool b = false;
PointProj P = new PointProj(engine.param.NWORDS_FIELD);
@@ -724,8 +708,7 @@ internal sealed class SidhCompressed
}
}
-
- protected void makeDiff(PointProjFull R, PointProjFull S, PointProj D)
+ internal void makeDiff(PointProjFull R, PointProjFull S, PointProj D)
{
ulong[][] t0 = SikeUtilities.InitArray(2, engine.param.NWORDS_FIELD),
t1 = SikeUtilities.InitArray(2, engine.param.NWORDS_FIELD),
@@ -749,8 +732,7 @@ internal sealed class SidhCompressed
}
}
-
- protected void BuildOrdinary3nBasis_dual(ulong[][] a24, ulong[][][][] As, PointProjFull[] R, uint[] r, uint[] bitsEll, uint bitsEllOffset)
+ internal void BuildOrdinary3nBasis_dual(ulong[][] a24, ulong[][][][] As, PointProjFull[] R, uint[] r, uint[] bitsEll, uint bitsEllOffset)
{
PointProj D = new PointProj(engine.param.NWORDS_FIELD);
@@ -809,8 +791,7 @@ internal sealed class SidhCompressed
makeDiff(R[0], R[1], D);
}
-
- protected void FullIsogeny_A_dual(byte[] PrivateKeyA, ulong[][][][] As, ulong[][] a24, uint sike)
+ internal void FullIsogeny_A_dual(byte[] PrivateKeyA, ulong[][][][] As, ulong[][] a24, uint sike)
{
// Input: a private key PrivateKeyA in the range [0, 2^eA - 1].
// Output: the public key PublicKeyA consisting of 3 elements in GF(p^2) which are encoded by removing leading 0 bytes.
@@ -925,9 +906,9 @@ internal sealed class SidhCompressed
{
PointProj S = new PointProj(engine.param.NWORDS_FIELD);
- engine.isogeny.xDBLe(R, S, A24, C24, engine.param.OALICE_BITS - 1);
- engine.isogeny.get_2_isog(S, A24, C24);
- engine.isogeny.eval_2_isog(R, S);
+ engine.isogeny.XDblE(R, S, A24, C24, engine.param.OALICE_BITS - 1);
+ engine.isogeny.Get2Isog(S, A24, C24);
+ engine.isogeny.Eval2Isog(R, S);
engine.fpx.fp2copy(S.X, As[engine.param.MAX_Alice][2]);
engine.fpx.fp2copy(S.Z, As[engine.param.MAX_Alice][3]);
}
@@ -945,7 +926,7 @@ internal sealed class SidhCompressed
engine.fpx.fp2copy(R.Z, pts[npts].Z);
pts_index[npts++] = index;
m = engine.param.strat_Alice[ii++];
- engine.isogeny.xDBLe(R, R, A24, C24, 2*m);
+ engine.isogeny.XDblE(R, R, A24, C24, 2*m);
index += m;
}
@@ -976,7 +957,7 @@ internal sealed class SidhCompressed
get_4_isog_dual(R, A24, C24, coeff);
for (i = 0; i < npts; i++)
{
- engine.isogeny.eval_4_isog(pts[i], coeff);
+ engine.isogeny.Eval4Isog(pts[i], coeff);
// System.out.print(i + "ptsX: ");
// for (uint di = 0; di < 2; di++){
@@ -1043,8 +1024,7 @@ internal sealed class SidhCompressed
// System.out.printf("%016x ", a24[di][dj]);}System.out.Println();}
}
-
- protected void Dlogs3_dual(ulong[][][] f, int[] D, ulong[] d0, ulong[] c0, ulong[] d1, ulong[] c1)
+ internal void Dlogs3_dual(ulong[][][] f, int[] D, ulong[] d0, ulong[] c0, ulong[] d1, ulong[] c1)
{
solve_dlog(f[0], D, d0, 3);
solve_dlog(f[2], D, c0, 3);
@@ -1054,8 +1034,7 @@ internal sealed class SidhCompressed
engine.fpx.mp_sub(engine.param.Bob_order, c1, c1, engine.param.NWORDS_ORDER);
}
-
- protected void BuildOrdinary3nBasis_Decomp_dual(ulong[][] A24, PointProj[] Rs, uint[] r, uint[] bitsEll, uint bitsEllIndex)
+ internal void BuildOrdinary3nBasis_Decomp_dual(ulong[][] A24, PointProj[] Rs, uint[] r, uint[] bitsEll, uint bitsEllIndex)
{
byte[] bitEll = new byte[2];
@@ -1071,8 +1050,7 @@ internal sealed class SidhCompressed
BiQuad_affine(A24, Rs[0].X, Rs[1].X, Rs[2]);
}
-
- protected void PKADecompression_dual(byte[] SecretKeyB, byte[] CompressedPKA, PointProj R, ulong[][] A)
+ internal void PKADecompression_dual(byte[] SecretKeyB, byte[] CompressedPKA, PointProj R, ulong[][] A)
{
byte bit;
uint[] rs = new uint[3];
@@ -1120,7 +1098,7 @@ internal sealed class SidhCompressed
engine.fpx.fpcopy(engine.param.Montgomery_one, 0, Rs[0].Z[0]);
engine.fpx.fpcopy(engine.param.Montgomery_one, 0, Rs[1].Z[0]);
- engine.isogeny.swap_points(Rs[0], Rs[1], ((ulong) -bit));//todo check
+ engine.isogeny.SwapPoints(Rs[0], Rs[1], ((ulong) -bit));//todo check
engine.fpx.decode_to_digits(SecretKeyB, 0, SKin, engine.param.SECRETKEY_B_BYTES, engine.param.NWORDS_ORDER);
engine.fpx.to_Montgomery_mod_order(SKin, t1, engine.param.Bob_order, engine.param.Montgomery_RB2, engine.param.Montgomery_RB1); // Converting to Montgomery representation
engine.fpx.decode_to_digits(CompressedPKA, 0, temp, engine.param.ORDER_B_ENCODED_BYTES, engine.param.NWORDS_ORDER);
@@ -1155,8 +1133,7 @@ internal sealed class SidhCompressed
engine.isogeny.Double(R, R, A24, engine.param.OALICE_BITS); // x, z := Double(A24, x, 1, eA);
}
-
- protected void Compress_PKA_dual(ulong[] d0, ulong[] c0, ulong[] d1, ulong[] c1, ulong[][] a24, uint[] rs, byte[] CompressedPKA)
+ internal void Compress_PKA_dual(ulong[] d0, ulong[] c0, ulong[] d1, ulong[] c1, ulong[][] a24, uint[] rs, byte[] CompressedPKA)
{
uint bit;
ulong[] temp = new ulong[engine.param.NWORDS_ORDER],
@@ -1231,7 +1208,7 @@ internal sealed class SidhCompressed
// Alice's ephemeral public key generation using compression -- SIKE protocol
// Output: PrivateKeyA[MSG_BYTES + engine.param.SECRETKEY_A_BYTES] <- x(K_A) where K_A = PA + sk_A*Q_A
- protected internal uint EphemeralKeyGeneration_A_extended(byte[] PrivateKeyA, byte[] CompressedPKA)
+ internal uint EphemeralKeyGeneration_A_extended(byte[] PrivateKeyA, byte[] CompressedPKA)
{
uint[] rs = new uint[3];
int[] D = new int[engine.param.DLEN_3];
@@ -1363,14 +1340,14 @@ internal sealed class SidhCompressed
engine.fpx.fp2copy(R.Z, pts[npts].Z);
pts_index[npts++] = index;
m = engine.param.strat_Bob[ii++];
- engine.isogeny.xTPLe(R, R, A24minus, A24plus, m);
+ engine.isogeny.XTplE(R, R, A24minus, A24plus, m);
index += m;
}
- engine.isogeny.get_3_isog(R, A24minus, A24plus, coeff);
+ engine.isogeny.Get3Isog(R, A24minus, A24plus, coeff);
for (i = 0; i < npts; i++)
{
- engine.isogeny.eval_3_isog(pts[i], coeff);
+ engine.isogeny.Eval3Isog(pts[i], coeff);
}
engine.fpx.fp2copy(pts[npts-1].X, R.X);
@@ -1379,18 +1356,17 @@ internal sealed class SidhCompressed
npts -= 1;
}
- engine.isogeny.get_3_isog(R, A24minus, A24plus, coeff);
+ engine.isogeny.Get3Isog(R, A24minus, A24plus, coeff);
engine.fpx.fp2add(A24plus, A24minus, A);
engine.fpx.fp2add(A, A, A);
engine.fpx.fp2sub(A24plus, A24minus, A24plus);
- engine.isogeny.j_inv(A, A24plus, jinv);
+ engine.isogeny.JInv(A, A24plus, jinv);
engine.fpx.fp2_encode(jinv, SharedSecretB, 0); // Format shared secret
return 0;
}
-
- protected void BuildEntangledXonly(ulong[][] A, PointProj[] R, byte[] qnr, byte[] ind)
+ internal void BuildEntangledXonly(ulong[][] A, PointProj[] R, byte[] qnr, byte[] ind)
{
ulong[] s = new ulong[engine.param.NWORDS_FIELD];
ulong[][] t_ptr,
@@ -1456,8 +1432,7 @@ internal sealed class SidhCompressed
engine.fpx.fp2mul_mont(t, r, R[2].X);
}
-
- protected void RecoverY(ulong[][] A, PointProj[] xs, PointProjFull[] Rs)
+ internal void RecoverY(ulong[][] A, PointProj[] xs, PointProjFull[] Rs)
{
ulong[][] t0 = SikeUtilities.InitArray(2, engine.param.NWORDS_FIELD),
t1 = SikeUtilities.InitArray(2, engine.param.NWORDS_FIELD),
@@ -1497,8 +1472,7 @@ internal sealed class SidhCompressed
engine.fpx.fp2mul_mont(Rs[1].Y, Rs[1].Z, Rs[1].Y);
}
-
- protected void BuildOrdinary2nBasis_dual(ulong[][] A, ulong[][][][] Ds, PointProjFull[] Rs, byte[] qnr, byte[] ind)
+ internal void BuildOrdinary2nBasis_dual(ulong[][] A, ulong[][][][] Ds, PointProjFull[] Rs, byte[] qnr, byte[] ind)
{
uint i;
ulong[] t0 = new ulong[engine.param.NWORDS_FIELD];
@@ -1545,9 +1519,9 @@ internal sealed class SidhCompressed
// Move them back to A = 6
for(i = 0; i < engine.param.MAX_Bob; i++)
{
- engine.isogeny.eval_3_isog(xs[0], Ds[engine.param.MAX_Bob-1-i]);
- engine.isogeny.eval_3_isog(xs[1], Ds[engine.param.MAX_Bob-1-i]);
- engine.isogeny.eval_3_isog(xs[2], Ds[engine.param.MAX_Bob-1-i]);
+ engine.isogeny.Eval3Isog(xs[0], Ds[engine.param.MAX_Bob-1-i]);
+ engine.isogeny.Eval3Isog(xs[1], Ds[engine.param.MAX_Bob-1-i]);
+ engine.isogeny.Eval3Isog(xs[2], Ds[engine.param.MAX_Bob-1-i]);
}
// Recover y-coordinates with a single sqrt on A = 6
@@ -1563,7 +1537,7 @@ internal sealed class SidhCompressed
// Bob's ephemeral public key generation
// Input: a private key PrivateKeyB in the range [0, 2^Floor(Log(2,oB)) - 1].
// Output: the public key PublicKeyB consisting of 3 elements in GF(p^2) which are encoded by removing leading 0 bytes.
- protected void FullIsogeny_B_dual(byte[] PrivateKeyB, ulong[][][][] Ds, ulong[][] A)
+ internal void FullIsogeny_B_dual(byte[] PrivateKeyB, ulong[][][][] Ds, ulong[][] A)
{
PointProj R = new PointProj(engine.param.NWORDS_FIELD),
Q3 = new PointProj(engine.param.NWORDS_FIELD);
@@ -1621,15 +1595,15 @@ internal sealed class SidhCompressed
engine.fpx.fp2copy(R.Z, pts[npts].Z);
pts_index[npts++] = index;
m = engine.param.strat_Bob[ii++];
- engine.isogeny.xTPLe(R, R, A24minus, A24plus, m);
+ engine.isogeny.XTplE(R, R, A24minus, A24plus, m);
index += m;
}
- engine.isogeny.get_3_isog(R, A24minus, A24plus, coeff);
+ engine.isogeny.Get3Isog(R, A24minus, A24plus, coeff);
for (i = 0; i < npts; i++)
{
- engine.isogeny.eval_3_isog(pts[i], coeff);
+ engine.isogeny.Eval3Isog(pts[i], coeff);
}
- engine.isogeny.eval_3_isog(Q3, coeff); // Kernel of dual
+ engine.isogeny.Eval3Isog(Q3, coeff); // Kernel of dual
engine.fpx.fp2sub(Q3.X,Q3.Z,Ds[row-1][0]);
engine.fpx.fp2add(Q3.X,Q3.Z,Ds[row-1][1]);
@@ -1638,8 +1612,8 @@ internal sealed class SidhCompressed
index = pts_index[npts-1];
npts -= 1;
}
- engine.isogeny.get_3_isog(R, A24minus, A24plus, coeff);
- engine.isogeny.eval_3_isog(Q3, coeff); // Kernel of dual
+ engine.isogeny.Get3Isog(R, A24minus, A24plus, coeff);
+ engine.isogeny.Eval3Isog(Q3, coeff); // Kernel of dual
engine.fpx.fp2sub(Q3.X, Q3.Z, Ds[engine.param.MAX_Bob-1][0]);
engine.fpx.fp2add(Q3.X, Q3.Z, Ds[engine.param.MAX_Bob-1][1]);
@@ -1650,8 +1624,7 @@ internal sealed class SidhCompressed
engine.fpx.fp2add(A, A, A); // A = 2*(A24plus+A24mins)/(A24plus-A24minus)
}
-
- protected void Dlogs2_dual(ulong[][][] f, int[] D, ulong[] d0, ulong[] c0, ulong[] d1, ulong[] c1)
+ internal void Dlogs2_dual(ulong[][][] f, int[] D, ulong[] d0, ulong[] c0, ulong[] d1, ulong[] c1)
{
solve_dlog(f[0], D, d0, 2);
solve_dlog(f[2], D, c0, 2);
@@ -1661,8 +1634,7 @@ internal sealed class SidhCompressed
engine.fpx.mp_sub(engine.param.Alice_order, c1, c1, engine.param.NWORDS_ORDER);
}
-
- protected void BuildEntangledXonly_Decomp(ulong[][] A, PointProj[] R, uint qnr, uint ind)
+ internal void BuildEntangledXonly_Decomp(ulong[][] A, PointProj[] R, uint qnr, uint ind)
{
ulong[][] t_ptr,
r = SikeUtilities.InitArray(2, engine.param.NWORDS_FIELD),
@@ -1714,7 +1686,7 @@ internal sealed class SidhCompressed
}
// Bob's PK decompression -- SIKE protocol
- protected void PKBDecompression_extended(byte[] SecretKeyA, uint SecretKeyAOffset, byte[] CompressedPKB, PointProj R, ulong[][] A, byte[] tphiBKA_t, uint tphiBKA_tOffset)
+ internal void PKBDecompression_extended(byte[] SecretKeyA, uint SecretKeyAOffset, byte[] CompressedPKB, PointProj R, ulong[][] A, byte[] tphiBKA_t, uint tphiBKA_tOffset)
{
ulong mask = unchecked((ulong) -1L);
uint qnr, ind;
@@ -1807,12 +1779,12 @@ internal sealed class SidhCompressed
engine.fpx.inv_mod_orderA(tmp2, inv);
engine.fpx.multiply(inv, tmp1, scal, engine.param.NWORDS_ORDER);
scal[engine.param.NWORDS_ORDER-1] &= (ulong)mask;
- engine.isogeny.swap_points(Rs[0], Rs[1], unchecked((ulong)-1L));//check
+ engine.isogeny.SwapPoints(Rs[0], Rs[1], unchecked((ulong)-1L));//check
Ladder3pt_dual(Rs, scal, engine.param.ALICE, R, A24);
}
engine.fpx.fp2div2(A,Adiv2);
- engine.isogeny.xTPLe_fast(R, R, Adiv2, engine.param.OBOB_EXPON);
+ engine.isogeny.XTplEFast(R, R, Adiv2, engine.param.OBOB_EXPON);
engine.fpx.fp2_encode(R.X, tphiBKA_t, tphiBKA_tOffset);
engine.fpx.fp2_encode(R.Z, tphiBKA_t, tphiBKA_tOffset + engine.param.FP2_ENCODED_BYTES);
@@ -1820,7 +1792,7 @@ internal sealed class SidhCompressed
}
// Bob's PK compression -- SIKE protocol
- protected void Compress_PKB_dual_extended(ulong[] d0, ulong[] c0, ulong[] d1, ulong[] c1, ulong[][] A, byte[] qnr, byte[] ind, byte[] CompressedPKB)
+ internal void Compress_PKB_dual_extended(ulong[] d0, ulong[] c0, ulong[] d1, ulong[] c1, ulong[][] A, byte[] qnr, byte[] ind, byte[] CompressedPKB)
{
ulong mask = unchecked((ulong) -1L);
ulong[] tmp = new ulong[2*engine.param.NWORDS_ORDER],
@@ -1876,7 +1848,7 @@ internal sealed class SidhCompressed
}
// Bob's PK decompression -- SIDH protocol
- protected void PKBDecompression(byte[] SecretKeyA, uint SecretKeyAOffset, byte[] CompressedPKB, PointProj R, ulong[][] A)
+ internal void PKBDecompression(byte[] SecretKeyA, uint SecretKeyAOffset, byte[] CompressedPKB, PointProj R, ulong[][] A)
{
ulong mask = unchecked((ulong) -1L);
uint bit,qnr,ind;
@@ -1909,7 +1881,7 @@ internal sealed class SidhCompressed
engine.fpx.fp2div2(A24, A24);
engine.fpx.decode_to_digits(SecretKeyA, SecretKeyAOffset, SKin, engine.param.SECRETKEY_A_BYTES, engine.param.NWORDS_ORDER);
- engine.isogeny.swap_points(Rs[0], Rs[1], 0-(ulong)bit);
+ engine.isogeny.SwapPoints(Rs[0], Rs[1], 0-(ulong)bit);
if (bit == 0)
{
engine.fpx.decode_to_digits(CompressedPKB, engine.param.ORDER_A_ENCODED_BYTES, comp_temp, engine.param.ORDER_A_ENCODED_BYTES, engine.param.NWORDS_ORDER);
@@ -1941,11 +1913,11 @@ internal sealed class SidhCompressed
Ladder3pt_dual(Rs, vone, engine.param.ALICE, R, A24);
}
engine.fpx.fp2div2(A, A24);
- engine.isogeny.xTPLe_fast(R, R, A24, engine.param.OBOB_EXPON);
+ engine.isogeny.XTplEFast(R, R, A24, engine.param.OBOB_EXPON);
}
// Bob's PK compression -- SIDH protocol
- protected void Compress_PKB_dual(ulong[] d0, ulong[] c0, ulong[] d1, ulong[] c1, ulong[][] A, byte[] qnr, byte[] ind, byte[] CompressedPKB)
+ internal void Compress_PKB_dual(ulong[] d0, ulong[] c0, ulong[] d1, ulong[] c1, ulong[][] A, byte[] qnr, byte[] ind, byte[] CompressedPKB)
{
ulong[] tmp = new ulong[2*engine.param.NWORDS_ORDER],
@@ -1990,7 +1962,7 @@ internal sealed class SidhCompressed
}
// Bob's ephemeral public key generation using compression -- SIKE protocol
- protected internal uint EphemeralKeyGeneration_B_extended(byte[] PrivateKeyB, byte[] CompressedPKB, uint sike)
+ internal uint EphemeralKeyGeneration_B_extended(byte[] PrivateKeyB, byte[] CompressedPKB, uint sike)
{
byte[] qnr = new byte[1], ind = new byte[1];
int[] D = new int[engine.param.DLEN_2];
@@ -2114,13 +2086,13 @@ internal sealed class SidhCompressed
}
// Bob's ephemeral public key generation using compression -- SIDH protocol
- protected uint EphemeralKeyGeneration_B(byte[] PrivateKeyB, byte[] CompressedPKB)
+ internal uint EphemeralKeyGeneration_B(byte[] PrivateKeyB, byte[] CompressedPKB)
{
return EphemeralKeyGeneration_B_extended(PrivateKeyB, CompressedPKB, 0);
}
// Alice's ephemeral shared secret computation using compression -- SIKE protocol
- protected internal uint EphemeralSecretAgreement_A_extended(byte[] PrivateKeyA, uint PrivateKeyAOffset, byte[] PKB, byte[] SharedSecretA, uint sike)
+ internal uint EphemeralSecretAgreement_A_extended(byte[] PrivateKeyA, uint PrivateKeyAOffset, byte[] PKB, byte[] SharedSecretA, uint sike)
{
uint i, ii = 0, row, m, index = 0, npts = 0;
uint[] pts_index = new uint[engine.param.MAX_INT_POINTS_ALICE];
@@ -2153,9 +2125,9 @@ internal sealed class SidhCompressed
{
PointProj S = new PointProj(engine.param.NWORDS_FIELD);
- engine.isogeny.xDBLe(R, S, A24plus, C24, (engine.param.OALICE_BITS - 1));
- engine.isogeny.get_2_isog(S, A24plus, C24);
- engine.isogeny.eval_2_isog(R, S);
+ engine.isogeny.XDblE(R, S, A24plus, C24, (engine.param.OALICE_BITS - 1));
+ engine.isogeny.Get2Isog(S, A24plus, C24);
+ engine.isogeny.Eval2Isog(R, S);
}
// Traverse tree
@@ -2169,14 +2141,14 @@ internal sealed class SidhCompressed
engine.fpx.fp2copy(R.Z, pts[npts].Z);
pts_index[npts++] = index;
m = engine.param.strat_Alice[ii++];
- engine.isogeny.xDBLe(R, R, A24plus, C24, 2*m);
+ engine.isogeny.XDblE(R, R, A24plus, C24, 2*m);
index += m;
}
- engine.isogeny.get_4_isog(R, A24plus, C24, coeff);
+ engine.isogeny.Get4Isog(R, A24plus, C24, coeff);
for (i = 0; i < npts; i++)
{
- engine.isogeny.eval_4_isog(pts[i], coeff);
+ engine.isogeny.Eval4Isog(pts[i], coeff);
}
engine.fpx.fp2copy(pts[npts-1].X, R.X);
@@ -2185,11 +2157,11 @@ internal sealed class SidhCompressed
npts -= 1;
}
- engine.isogeny.get_4_isog(R, A24plus, C24, coeff);
+ engine.isogeny.Get4Isog(R, A24plus, C24, coeff);
engine.fpx.fp2add(A24plus, A24plus, A24plus);
engine.fpx.fp2sub(A24plus, C24, A24plus);
engine.fpx.fp2add(A24plus, A24plus, A24plus);
- engine.isogeny.j_inv(A24plus, C24, jinv);
+ engine.isogeny.JInv(A24plus, C24, jinv);
engine.fpx.fp2_encode(jinv, SharedSecretA, 0); // Format shared secret
return 0;
@@ -2200,13 +2172,12 @@ internal sealed class SidhCompressed
// Inputs: Alice's PrivateKeyA is an even integer in the range [2, oA-2], where oA = 2^engine.param.OALICE_BITS.
// Bob's decompressed data consists of point_R in (X:Z) coordinates and the curve parameter param_A in GF(p^2).
// Output: a shared secret SharedSecretA that consists of one element in GF(p^2).
- uint EphemeralSecretAgreement_A(byte[] PrivateKeyA, uint PrivateKeyAOffset, byte[] PKB, byte[] SharedSecretA)
+ private uint EphemeralSecretAgreement_A(byte[] PrivateKeyA, uint PrivateKeyAOffset, byte[] PKB, byte[] SharedSecretA)
{
return EphemeralSecretAgreement_A_extended(PrivateKeyA, PrivateKeyAOffset, PKB, SharedSecretA, 0);
}
-
- protected internal byte validate_ciphertext(byte[] ephemeralsk_, byte[] CompressedPKB, byte[] xKA, uint xKAOffset, byte[] tphiBKA_t, uint tphiBKA_tOffset)
+ internal byte validate_ciphertext(byte[] ephemeralsk_, byte[] CompressedPKB, byte[] xKA, uint xKAOffset, byte[] tphiBKA_t, uint tphiBKA_tOffset)
{ // If ct validation passes returns 0, otherwise returns -1.
PointProj[] phis = new PointProj[3],
pts = new PointProj[engine.param.MAX_INT_POINTS_BOB];
@@ -2264,23 +2235,23 @@ internal sealed class SidhCompressed
engine.fpx.fp2copy(R.Z, pts[npts].Z);
pts_index[npts++] = index;
m = engine.param.strat_Bob[ii++];
- engine.isogeny.xTPLe(R, R, A24minus, A24plus, m);
+ engine.isogeny.XTplE(R, R, A24minus, A24plus, m);
index += m;
}
- engine.isogeny.get_3_isog(R, A24minus, A24plus, coeff);
+ engine.isogeny.Get3Isog(R, A24minus, A24plus, coeff);
for (i = 0; i < npts; i++)
{
- engine.isogeny.eval_3_isog(pts[i], coeff);
+ engine.isogeny.Eval3Isog(pts[i], coeff);
}
- engine.isogeny.eval_3_isog(phis[0], coeff);
+ engine.isogeny.Eval3Isog(phis[0], coeff);
engine.fpx.fp2copy(pts[npts-1].X, R.X);
engine.fpx.fp2copy(pts[npts-1].Z, R.Z);
index = pts_index[npts-1];
npts -= 1;
}
- engine.isogeny.get_3_isog(R, A24minus, A24plus, coeff);
- engine.isogeny.eval_3_isog(phis[0], coeff); // phis[0] <- phiB(PA + skA*QA)
+ engine.isogeny.Get3Isog(R, A24minus, A24plus, coeff);
+ engine.isogeny.Eval3Isog(phis[0], coeff); // phis[0] <- phiB(PA + skA*QA)
engine.fpx.fp2_decode(CompressedPKB, A, 4*engine.param.ORDER_A_ENCODED_BYTES);
@@ -2296,13 +2267,11 @@ internal sealed class SidhCompressed
return (engine.fpx.cmp_f2elm(comp1, comp2));
}
-
-
/// DLOG
// Computes the discrete log of input r = g^d where g = e(P,Q)^ell^e, and P,Q are torsion generators in the initial curve
// Return the integer d
- void solve_dlog(ulong[][] r, int[] D, ulong[] d, uint ell)
+ internal void solve_dlog(ulong[][] r, int[] D, ulong[] d, uint ell)
{
if (ell == 2)
{
@@ -2449,12 +2418,10 @@ internal sealed class SidhCompressed
}
}
-
-
// Traverse a Pohlig-Hellman optimal strategy to solve a discrete log in a group of order ell^e
// Leaves are used to recover the digits which are numbers from 0 to ell^w-1 except by the last leaf that gives a digit between 0 and ell^(e mod w)
// Assume w does not divide the exponent e
- void Traverse_w_notdiv_e_fullsigned(ulong[][] r, uint j, uint k, uint z, uint[] P, ulong[] CT1, ulong[] CT2,
+ internal void Traverse_w_notdiv_e_fullsigned(ulong[][] r, uint j, uint k, uint z, uint[] P, ulong[] CT1, ulong[] CT2,
int[] D, uint Dlen, uint ell, uint ellw, uint ell_emodw, uint w, uint e)
{
ulong[][] rp = SikeUtilities.InitArray(2, engine.param.NWORDS_FIELD),
@@ -2628,12 +2595,10 @@ internal sealed class SidhCompressed
}
}
-
-
// Traverse a Pohlig-Hellman optimal strategy to solve a discrete log in a group of order ell^e
// The leaves of the tree will be used to recover the signed digits which are numbers from +/-{0,1... Ceil((ell^w-1)/2)}
// Assume the integer w divides the exponent e
- void Traverse_w_div_e_fullsigned(ulong[][] r, uint j, uint k, uint z, uint[] P, ulong[] CT, int[] D, uint Dlen, uint ellw, uint w)
+ internal void Traverse_w_div_e_fullsigned(ulong[][] r, uint j, uint k, uint z, uint[] P, ulong[] CT, int[] D, uint Dlen, uint ellw, uint w)
{
ulong[][] rp = SikeUtilities.InitArray(2, engine.param.NWORDS_FIELD),
alpha = SikeUtilities.InitArray(2, engine.param.NWORDS_FIELD);
@@ -3158,9 +3123,5 @@ internal sealed class SidhCompressed
}
engine.fpx.fp2copy(temp, fout);
}
-
-
-
}
-
-}
\ No newline at end of file
+}
diff --git a/crypto/src/pqc/crypto/sike/SIKEEngine.cs b/crypto/src/pqc/crypto/sike/SIKEEngine.cs
index 6a825fe44..12f468340 100644
--- a/crypto/src/pqc/crypto/sike/SIKEEngine.cs
+++ b/crypto/src/pqc/crypto/sike/SIKEEngine.cs
@@ -4,43 +4,42 @@ using Org.BouncyCastle.Security;
namespace Org.BouncyCastle.Pqc.Crypto.Sike
{
-internal sealed class SikeEngine
-{
- //private readonly SecureRandom random;
-
- protected internal Internal param;
- protected internal Isogeny isogeny;
- protected internal Fpx fpx;
- private Sidh sidh;
- private SidhCompressed sidhCompressed;
- private bool isCompressed;
-
- public uint GetDefaultSessionKeySize()
+ internal sealed class SikeEngine
{
- return param.MSG_BYTES * 8;
- }
+ internal Internal param;
+ internal Isogeny isogeny;
+ internal Fpx fpx;
+ private Sidh sidh;
+ private SidhCompressed sidhCompressed;
+ private bool isCompressed;
+
+ internal uint GetDefaultSessionKeySize()
+ {
+ return param.MSG_BYTES * 8;
+ }
- public int GetCipherTextSize()
- {
- return param.CRYPTO_CIPHERTEXTBYTES;
- }
+ internal int GetCipherTextSize()
+ {
+ return param.CRYPTO_CIPHERTEXTBYTES;
+ }
- public uint GetPrivateKeySize()
- {
- return param.CRYPTO_SECRETKEYBYTES;
- }
+ internal uint GetPrivateKeySize()
+ {
+ return param.CRYPTO_SECRETKEYBYTES;
+ }
- public uint GetPublicKeySize()
- {
- return param.CRYPTO_PUBLICKEYBYTES;
- }
- public SikeEngine(int ver, bool isCompressed, SecureRandom random)
- {
- //this.random = random;
- this.isCompressed = isCompressed;
- //todo switch for different parameters
- switch(ver)
+ internal uint GetPublicKeySize()
{
+ return param.CRYPTO_PUBLICKEYBYTES;
+ }
+
+ internal SikeEngine(int ver, bool isCompressed, SecureRandom random)
+ {
+ //this.random = random;
+ this.isCompressed = isCompressed;
+ //todo switch for different parameters
+ switch(ver)
+ {
case 434:
param = new P434(isCompressed);
break;
@@ -55,239 +54,236 @@ internal sealed class SikeEngine
break;
default:
break;
-
+ }
+ fpx = new Fpx(this);
+ isogeny = new Isogeny(this);
+ if(isCompressed)
+ {
+ sidhCompressed = new SidhCompressed(this);
+ }
+ sidh = new Sidh(this);
}
- fpx = new Fpx(this);
- isogeny = new Isogeny(this);
- if(isCompressed)
+
+ // SIKE's key generation
+ // Outputs: secret key sk (CRYPTO_SECRETKEYBYTES = MSG_BYTES + SECRETKEY_B_BYTES + CRYPTO_PUBLICKEYBYTES bytes)
+ // public key pk (CRYPTO_PUBLICKEYBYTES bytes)
+ internal int crypto_kem_keypair(byte[] pk, byte[] sk, SecureRandom random)
{
- sidhCompressed = new SidhCompressed(this);
- }
- sidh = new Sidh(this);
- }
+ random.NextBytes(sk, 0, (int)param.MSG_BYTES);
- // SIKE's key generation
- // Outputs: secret key sk (CRYPTO_SECRETKEYBYTES = MSG_BYTES + SECRETKEY_B_BYTES + CRYPTO_PUBLICKEYBYTES bytes)
- // public key pk (CRYPTO_PUBLICKEYBYTES bytes)
- public int crypto_kem_keypair(byte[] pk, byte[] sk, SecureRandom random)
- {
- random.NextBytes(sk, 0, (int)param.MSG_BYTES);
+ if (isCompressed)
+ {
+ // Generation of Alice's secret key
+ // Outputs random value in [0, 2^eA - 1]
- if (isCompressed)
- {
- // Generation of Alice's secret key
- // Outputs random value in [0, 2^eA - 1]
+ random.NextBytes(sk, (int)param.MSG_BYTES, (int)param.SECRETKEY_A_BYTES);
+ sk[param.MSG_BYTES] &= 0xFE; // Make private scalar even
+ sk[param.MSG_BYTES + param.SECRETKEY_A_BYTES - 1] &= (byte)param.MASK_ALICE; // Masking last
- random.NextBytes(sk, (int)param.MSG_BYTES, (int)param.SECRETKEY_A_BYTES);
- sk[param.MSG_BYTES] &= 0xFE; // Make private scalar even
- sk[param.MSG_BYTES + param.SECRETKEY_A_BYTES - 1] &= (byte)param.MASK_ALICE; // Masking last
+ sidhCompressed.EphemeralKeyGeneration_A_extended(sk, pk);
- sidhCompressed.EphemeralKeyGeneration_A_extended(sk, pk);
+ // Append public key pk to secret key sk
+ System.Array.Copy(pk, 0, sk, param.MSG_BYTES + param.SECRETKEY_A_BYTES, param.CRYPTO_PUBLICKEYBYTES);
+ }
+ else
+ {
+ // Generation of Bob's secret key
+ // Outputs random value in [0, 2^Floor(Log(2, oB)) - 1]
+ // todo/org: SIDH.random_mod_order_B(sk, random);
- // Append public key pk to secret key sk
- System.Array.Copy(pk, 0, sk, param.MSG_BYTES + param.SECRETKEY_A_BYTES, param.CRYPTO_PUBLICKEYBYTES);
- }
- else
- {
- // Generation of Bob's secret key
- // Outputs random value in [0, 2^Floor(Log(2, oB)) - 1]
- // todo/org: SIDH.random_mod_order_B(sk, random);
+ random.NextBytes(sk, (int)param.MSG_BYTES, (int)param.SECRETKEY_B_BYTES);
+ sk[param.MSG_BYTES + param.SECRETKEY_B_BYTES - 1] &= (byte)param.MASK_BOB;
- random.NextBytes(sk, (int)param.MSG_BYTES, (int)param.SECRETKEY_B_BYTES);
- sk[param.MSG_BYTES + param.SECRETKEY_B_BYTES - 1] &= (byte)param.MASK_BOB;
+ sidh.EphemeralKeyGeneration_B(sk, pk);
- sidh.EphemeralKeyGeneration_B(sk, pk);
+ // Append public key pk to secret key sk
+ System.Array.Copy(pk, 0, sk, param.MSG_BYTES + param.SECRETKEY_B_BYTES, param.CRYPTO_PUBLICKEYBYTES);
- // Append public key pk to secret key sk
- System.Array.Copy(pk, 0, sk, param.MSG_BYTES + param.SECRETKEY_B_BYTES, param.CRYPTO_PUBLICKEYBYTES);
+ }
+ return 0;
}
- return 0;
- }
-
- // SIKE's encapsulation
- // Input: public key pk (CRYPTO_PUBLICKEYBYTES bytes)
- // Outputs: shared secret ss (CRYPTO_BYTES bytes)
- // ciphertext message ct (CRYPTO_CIPHERTEXTBYTES = CRYPTO_PUBLICKEYBYTES + MSG_BYTES bytes)
- public int crypto_kem_enc(byte[] ct, byte[] ss, byte[] pk, SecureRandom random)
- {
- if(isCompressed)
+ // SIKE's encapsulation
+ // Input: public key pk (CRYPTO_PUBLICKEYBYTES bytes)
+ // Outputs: shared secret ss (CRYPTO_BYTES bytes)
+ // ciphertext message ct (CRYPTO_CIPHERTEXTBYTES = CRYPTO_PUBLICKEYBYTES + MSG_BYTES bytes)
+ internal int crypto_kem_enc(byte[] ct, byte[] ss, byte[] pk, SecureRandom random)
{
- byte[] ephemeralsk = new byte[param.SECRETKEY_B_BYTES];
- byte[] jinvariant = new byte[param.FP2_ENCODED_BYTES];
- byte[] h = new byte[param.MSG_BYTES];
- byte[] temp = new byte[param.CRYPTO_CIPHERTEXTBYTES + param.MSG_BYTES];
+ if(isCompressed)
+ {
+ byte[] ephemeralsk = new byte[param.SECRETKEY_B_BYTES];
+ byte[] jinvariant = new byte[param.FP2_ENCODED_BYTES];
+ byte[] h = new byte[param.MSG_BYTES];
+ byte[] temp = new byte[param.CRYPTO_CIPHERTEXTBYTES + param.MSG_BYTES];
- // Generate ephemeralsk <- G(m||pk) mod oB
- random.NextBytes(temp, 0, (int)param.MSG_BYTES);
- System.Array.Copy(pk, 0, temp, param.MSG_BYTES, param.CRYPTO_PUBLICKEYBYTES);
+ // Generate ephemeralsk <- G(m||pk) mod oB
+ random.NextBytes(temp, 0, (int)param.MSG_BYTES);
+ System.Array.Copy(pk, 0, temp, param.MSG_BYTES, param.CRYPTO_PUBLICKEYBYTES);
- IXof digest = new ShakeDigest(256);
- digest.BlockUpdate(temp, 0, (int) (param.CRYPTO_PUBLICKEYBYTES + param.MSG_BYTES));
- digest.OutputFinal(ephemeralsk, 0, (int) param.SECRETKEY_B_BYTES);
+ IXof digest = new ShakeDigest(256);
+ digest.BlockUpdate(temp, 0, (int) (param.CRYPTO_PUBLICKEYBYTES + param.MSG_BYTES));
+ digest.OutputFinal(ephemeralsk, 0, (int) param.SECRETKEY_B_BYTES);
- sidhCompressed.FormatPrivKey_B(ephemeralsk);
+ sidhCompressed.FormatPrivKey_B(ephemeralsk);
-// System.out.println("ephemeralsk: " + Hex.toHexstring(ephemeralsk));
+ // System.out.println("ephemeralsk: " + Hex.toHexstring(ephemeralsk));
- // Encrypt
- sidhCompressed.EphemeralKeyGeneration_B_extended(ephemeralsk, ct, 1);
+ // Encrypt
+ sidhCompressed.EphemeralKeyGeneration_B_extended(ephemeralsk, ct, 1);
-// System.out.println("ct: " + Hex.toHexstring(ct));
-// System.out.println("pk: " + Hex.toHexstring(pk));
+ // System.out.println("ct: " + Hex.toHexstring(ct));
+ // System.out.println("pk: " + Hex.toHexstring(pk));
- sidhCompressed.EphemeralSecretAgreement_B(ephemeralsk, pk, jinvariant);
+ sidhCompressed.EphemeralSecretAgreement_B(ephemeralsk, pk, jinvariant);
-// System.out.println("jinv: " + Hex.toHexstring(jinvariant));
+ // System.out.println("jinv: " + Hex.toHexstring(jinvariant));
- digest.BlockUpdate(jinvariant, 0, (int) param.FP2_ENCODED_BYTES);
- digest.OutputFinal(h, 0, (int) param.MSG_BYTES);
+ digest.BlockUpdate(jinvariant, 0, (int) param.FP2_ENCODED_BYTES);
+ digest.OutputFinal(h, 0, (int) param.MSG_BYTES);
-// System.out.println("h: " + Hex.toHexstring(h));
-// System.out.println("temp: " + Hex.toHexstring(temp));
+ // System.out.println("h: " + Hex.toHexstring(h));
+ // System.out.println("temp: " + Hex.toHexstring(temp));
- for (int i = 0; i < param.MSG_BYTES; i++)
- {
- ct[i + param.PARTIALLY_COMPRESSED_CHUNK_CT] = (byte) (temp[i] ^ h[i]);
- }
+ for (int i = 0; i < param.MSG_BYTES; i++)
+ {
+ ct[i + param.PARTIALLY_COMPRESSED_CHUNK_CT] = (byte) (temp[i] ^ h[i]);
+ }
- // Generate shared secret ss <- H(m||ct)
- System.Array.Copy(ct, 0, temp, param.MSG_BYTES, param.CRYPTO_CIPHERTEXTBYTES);
+ // Generate shared secret ss <- H(m||ct)
+ System.Array.Copy(ct, 0, temp, param.MSG_BYTES, param.CRYPTO_CIPHERTEXTBYTES);
- digest.BlockUpdate(temp, 0, (int) (param.CRYPTO_CIPHERTEXTBYTES + param.MSG_BYTES));
- digest.OutputFinal(ss, 0, (int) param.CRYPTO_BYTES);
- return 0;
- }
- else
- {
- byte[] ephemeralsk = new byte[param.SECRETKEY_A_BYTES];
- byte[] jinvariant = new byte[param.FP2_ENCODED_BYTES];
- byte[] h = new byte[param.MSG_BYTES];
- byte[] temp = new byte[param.CRYPTO_CIPHERTEXTBYTES + param.MSG_BYTES];
+ digest.BlockUpdate(temp, 0, (int) (param.CRYPTO_CIPHERTEXTBYTES + param.MSG_BYTES));
+ digest.OutputFinal(ss, 0, (int) param.CRYPTO_BYTES);
+ return 0;
+ }
+ else
+ {
+ byte[] ephemeralsk = new byte[param.SECRETKEY_A_BYTES];
+ byte[] jinvariant = new byte[param.FP2_ENCODED_BYTES];
+ byte[] h = new byte[param.MSG_BYTES];
+ byte[] temp = new byte[param.CRYPTO_CIPHERTEXTBYTES + param.MSG_BYTES];
- // Generate ephemeralsk <- G(m||pk) mod oA
- random.NextBytes(temp, 0, (int)param.MSG_BYTES);
- System.Array.Copy(pk, 0, temp, param.MSG_BYTES, param.CRYPTO_PUBLICKEYBYTES);
+ // Generate ephemeralsk <- G(m||pk) mod oA
+ random.NextBytes(temp, 0, (int)param.MSG_BYTES);
+ System.Array.Copy(pk, 0, temp, param.MSG_BYTES, param.CRYPTO_PUBLICKEYBYTES);
- IXof digest = new ShakeDigest(256);
- digest.BlockUpdate(temp, 0, (int) (param.CRYPTO_PUBLICKEYBYTES + param.MSG_BYTES));
- digest.OutputFinal(ephemeralsk, 0, (int) param.SECRETKEY_A_BYTES);
- ephemeralsk[param.SECRETKEY_A_BYTES - 1] &= (byte) param.MASK_ALICE;
+ IXof digest = new ShakeDigest(256);
+ digest.BlockUpdate(temp, 0, (int) (param.CRYPTO_PUBLICKEYBYTES + param.MSG_BYTES));
+ digest.OutputFinal(ephemeralsk, 0, (int) param.SECRETKEY_A_BYTES);
+ ephemeralsk[param.SECRETKEY_A_BYTES - 1] &= (byte) param.MASK_ALICE;
- // Encrypt
- sidh.EphemeralKeyGeneration_A(ephemeralsk, ct);
- sidh.EphemeralSecretAgreement_A(ephemeralsk, pk, jinvariant);
+ // Encrypt
+ sidh.EphemeralKeyGeneration_A(ephemeralsk, ct);
+ sidh.EphemeralSecretAgreement_A(ephemeralsk, pk, jinvariant);
- digest.BlockUpdate(jinvariant, 0, (int) param.FP2_ENCODED_BYTES);
- digest.OutputFinal(h, 0, (int) param.MSG_BYTES);
+ digest.BlockUpdate(jinvariant, 0, (int) param.FP2_ENCODED_BYTES);
+ digest.OutputFinal(h, 0, (int) param.MSG_BYTES);
- for (int i = 0; i < param.MSG_BYTES; i++)
- {
- ct[i + param.CRYPTO_PUBLICKEYBYTES] = (byte) (temp[i] ^ h[i]);
- }
+ for (int i = 0; i < param.MSG_BYTES; i++)
+ {
+ ct[i + param.CRYPTO_PUBLICKEYBYTES] = (byte) (temp[i] ^ h[i]);
+ }
- // Generate shared secret ss <- H(m||ct)
- System.Array.Copy(ct, 0, temp, param.MSG_BYTES, param.CRYPTO_CIPHERTEXTBYTES);
+ // Generate shared secret ss <- H(m||ct)
+ System.Array.Copy(ct, 0, temp, param.MSG_BYTES, param.CRYPTO_CIPHERTEXTBYTES);
- digest.BlockUpdate(temp, 0, (int) (param.CRYPTO_CIPHERTEXTBYTES + param.MSG_BYTES));
- digest.OutputFinal(ss, 0, (int) param.CRYPTO_BYTES);
+ digest.BlockUpdate(temp, 0, (int) (param.CRYPTO_CIPHERTEXTBYTES + param.MSG_BYTES));
+ digest.OutputFinal(ss, 0, (int) param.CRYPTO_BYTES);
- return 0;
+ return 0;
+ }
}
- }
- // SIKE's decapsulation
- // Input: secret key sk (CRYPTO_SECRETKEYBYTES = MSG_BYTES + SECRETKEY_B_BYTES + CRYPTO_PUBLICKEYBYTES bytes)
- // ciphertext message ct (CRYPTO_CIPHERTEXTBYTES = CRYPTO_PUBLICKEYBYTES + MSG_BYTES bytes)
- // Outputs: shared secret ss (CRYPTO_BYTES bytes)
- public int crypto_kem_dec(byte[] ss, byte[] ct, byte[] sk)
- {
- if (isCompressed)
+ // SIKE's decapsulation
+ // Input: secret key sk (CRYPTO_SECRETKEYBYTES = MSG_BYTES + SECRETKEY_B_BYTES + CRYPTO_PUBLICKEYBYTES bytes)
+ // ciphertext message ct (CRYPTO_CIPHERTEXTBYTES = CRYPTO_PUBLICKEYBYTES + MSG_BYTES bytes)
+ // Outputs: shared secret ss (CRYPTO_BYTES bytes)
+ internal int crypto_kem_dec(byte[] ss, byte[] ct, byte[] sk)
{
- byte[] ephemeralsk_ = new byte[param.SECRETKEY_B_BYTES];
- byte[] jinvariant_ = new byte[param.FP2_ENCODED_BYTES + 2*param.FP2_ENCODED_BYTES + param.SECRETKEY_A_BYTES],
- h_ = new byte[param.MSG_BYTES];
- byte[] temp = new byte[param.CRYPTO_CIPHERTEXTBYTES + param.MSG_BYTES];
- byte[] tphiBKA_t = jinvariant_;//jinvariant_[param.FP2_ENCODED_BYTES];
+ if (isCompressed)
+ {
+ byte[] ephemeralsk_ = new byte[param.SECRETKEY_B_BYTES];
+ byte[] jinvariant_ = new byte[param.FP2_ENCODED_BYTES + 2*param.FP2_ENCODED_BYTES + param.SECRETKEY_A_BYTES],
+ h_ = new byte[param.MSG_BYTES];
+ byte[] temp = new byte[param.CRYPTO_CIPHERTEXTBYTES + param.MSG_BYTES];
+ byte[] tphiBKA_t = jinvariant_;//jinvariant_[param.FP2_ENCODED_BYTES];
- // Decrypt
- sidhCompressed.EphemeralSecretAgreement_A_extended(sk, param.MSG_BYTES, ct, jinvariant_, 1);
+ // Decrypt
+ sidhCompressed.EphemeralSecretAgreement_A_extended(sk, param.MSG_BYTES, ct, jinvariant_, 1);
- IXof digest = new ShakeDigest(256);
- digest.BlockUpdate(jinvariant_, 0, (int) param.FP2_ENCODED_BYTES);
- digest.OutputFinal(h_, 0, (int) param.MSG_BYTES);
+ IXof digest = new ShakeDigest(256);
+ digest.BlockUpdate(jinvariant_, 0, (int) param.FP2_ENCODED_BYTES);
+ digest.OutputFinal(h_, 0, (int) param.MSG_BYTES);
-// System.out.println("h_: " + Hex.toHexstring(h_));
+ // System.out.println("h_: " + Hex.toHexstring(h_));
- for (int i = 0; i < param.MSG_BYTES; i++)
- {
- temp[i] = (byte) (ct[i + param.PARTIALLY_COMPRESSED_CHUNK_CT] ^ h_[i]);
- }
+ for (int i = 0; i < param.MSG_BYTES; i++)
+ {
+ temp[i] = (byte) (ct[i + param.PARTIALLY_COMPRESSED_CHUNK_CT] ^ h_[i]);
+ }
- // Generate ephemeralsk_ <- G(m||pk) mod oB
- System.Array.Copy(sk, param.MSG_BYTES + param.SECRETKEY_A_BYTES, temp, param.MSG_BYTES, param.CRYPTO_PUBLICKEYBYTES);
+ // Generate ephemeralsk_ <- G(m||pk) mod oB
+ System.Array.Copy(sk, param.MSG_BYTES + param.SECRETKEY_A_BYTES, temp, param.MSG_BYTES, param.CRYPTO_PUBLICKEYBYTES);
- digest.BlockUpdate(temp, 0, (int) (param.CRYPTO_PUBLICKEYBYTES + param.MSG_BYTES));
- digest.OutputFinal(ephemeralsk_, 0, (int) param.SECRETKEY_B_BYTES);
- sidhCompressed.FormatPrivKey_B(ephemeralsk_);
+ digest.BlockUpdate(temp, 0, (int) (param.CRYPTO_PUBLICKEYBYTES + param.MSG_BYTES));
+ digest.OutputFinal(ephemeralsk_, 0, (int) param.SECRETKEY_B_BYTES);
+ sidhCompressed.FormatPrivKey_B(ephemeralsk_);
- // Generate shared secret ss <- H(m||ct), or output ss <- H(s||ct) in case of ct verification failure
- // No need to recompress, just check if x(phi(P) + t*phi(Q)) == x((a0 + t*a1)*R1 + (b0 + t*b1)*R2)
- byte selector = sidhCompressed.validate_ciphertext(ephemeralsk_, ct, sk, param.MSG_BYTES + param.SECRETKEY_A_BYTES + param.CRYPTO_PUBLICKEYBYTES, tphiBKA_t, param.FP2_ENCODED_BYTES);
- // If ct validation passes (selector = 0) then do ss = H(m||ct), otherwise (selector = -1) load s to do ss = H(s||ct)
- fpx.ct_cmov(temp, sk, param.MSG_BYTES, selector);
+ // Generate shared secret ss <- H(m||ct), or output ss <- H(s||ct) in case of ct verification failure
+ // No need to recompress, just check if x(phi(P) + t*phi(Q)) == x((a0 + t*a1)*R1 + (b0 + t*b1)*R2)
+ byte selector = sidhCompressed.validate_ciphertext(ephemeralsk_, ct, sk, param.MSG_BYTES + param.SECRETKEY_A_BYTES + param.CRYPTO_PUBLICKEYBYTES, tphiBKA_t, param.FP2_ENCODED_BYTES);
+ // If ct validation passes (selector = 0) then do ss = H(m||ct), otherwise (selector = -1) load s to do ss = H(s||ct)
+ fpx.ct_cmov(temp, sk, param.MSG_BYTES, selector);
- System.Array.Copy(ct, 0, temp, param.MSG_BYTES, param.CRYPTO_CIPHERTEXTBYTES);
- digest.BlockUpdate(temp, 0, (int) (param.CRYPTO_CIPHERTEXTBYTES + param.MSG_BYTES));
- digest.OutputFinal(ss, 0, (int) param.CRYPTO_BYTES);
+ System.Array.Copy(ct, 0, temp, param.MSG_BYTES, param.CRYPTO_CIPHERTEXTBYTES);
+ digest.BlockUpdate(temp, 0, (int) (param.CRYPTO_CIPHERTEXTBYTES + param.MSG_BYTES));
+ digest.OutputFinal(ss, 0, (int) param.CRYPTO_BYTES);
- return 0;
- }
- else
- {
- byte[] ephemeralsk_ = new byte[param.SECRETKEY_A_BYTES];
- byte[] jinvariant_ = new byte[param.FP2_ENCODED_BYTES];
- byte[] h_ = new byte[param.MSG_BYTES];
- byte[] c0_ = new byte[param.CRYPTO_PUBLICKEYBYTES];
- byte[] temp = new byte[param.CRYPTO_CIPHERTEXTBYTES + param.MSG_BYTES];
-
- // Decrypt
- // int EphemeralSecretAgreement_B(PrivateKeyB, PublicKeyA, SharedSecretB)
- sidh.EphemeralSecretAgreement_B(sk, ct, jinvariant_);
-
- IXof digest = new ShakeDigest(256);
- digest.BlockUpdate(jinvariant_, 0, (int) param.FP2_ENCODED_BYTES);
- digest.OutputFinal(h_, 0, (int) param.MSG_BYTES);
- for (int i = 0; i < param.MSG_BYTES; i++)
- {
- temp[i] = (byte) (ct[i + param.CRYPTO_PUBLICKEYBYTES] ^ h_[i]);
+ return 0;
}
+ else
+ {
+ byte[] ephemeralsk_ = new byte[param.SECRETKEY_A_BYTES];
+ byte[] jinvariant_ = new byte[param.FP2_ENCODED_BYTES];
+ byte[] h_ = new byte[param.MSG_BYTES];
+ byte[] c0_ = new byte[param.CRYPTO_PUBLICKEYBYTES];
+ byte[] temp = new byte[param.CRYPTO_CIPHERTEXTBYTES + param.MSG_BYTES];
- // Generate ephemeralsk_ <- G(m||pk) mod oA
- System.Array.Copy(sk, param.MSG_BYTES + param.SECRETKEY_B_BYTES, temp, param.MSG_BYTES, param.CRYPTO_PUBLICKEYBYTES);
+ // Decrypt
+ // int EphemeralSecretAgreement_B(PrivateKeyB, PublicKeyA, SharedSecretB)
+ sidh.EphemeralSecretAgreement_B(sk, ct, jinvariant_);
- digest.BlockUpdate(temp, 0, (int) (param.CRYPTO_PUBLICKEYBYTES + param.MSG_BYTES));
- digest.OutputFinal(ephemeralsk_, 0, (int) param.SECRETKEY_A_BYTES);
- ephemeralsk_[param.SECRETKEY_A_BYTES - 1] &= (byte) param.MASK_ALICE;
+ IXof digest = new ShakeDigest(256);
+ digest.BlockUpdate(jinvariant_, 0, (int) param.FP2_ENCODED_BYTES);
+ digest.OutputFinal(h_, 0, (int) param.MSG_BYTES);
+ for (int i = 0; i < param.MSG_BYTES; i++)
+ {
+ temp[i] = (byte) (ct[i + param.CRYPTO_PUBLICKEYBYTES] ^ h_[i]);
+ }
+ // Generate ephemeralsk_ <- G(m||pk) mod oA
+ System.Array.Copy(sk, param.MSG_BYTES + param.SECRETKEY_B_BYTES, temp, param.MSG_BYTES, param.CRYPTO_PUBLICKEYBYTES);
- // Generate shared secret ss <- H(m||ct), or output ss <- H(s||ct) in case of ct verification failure
- sidh.EphemeralKeyGeneration_A(ephemeralsk_, c0_);
+ digest.BlockUpdate(temp, 0, (int) (param.CRYPTO_PUBLICKEYBYTES + param.MSG_BYTES));
+ digest.OutputFinal(ephemeralsk_, 0, (int) param.SECRETKEY_A_BYTES);
+ ephemeralsk_[param.SECRETKEY_A_BYTES - 1] &= (byte) param.MASK_ALICE;
- // If selector = 0 then do ss = H(m||ct), else if selector = -1 load s to do ss = H(s||ct)
- byte selector = fpx.ct_compare(c0_, ct, param.CRYPTO_PUBLICKEYBYTES);
- fpx.ct_cmov(temp, sk, param.MSG_BYTES, selector);
- System.Array.Copy(ct, 0, temp, param.MSG_BYTES, param.CRYPTO_CIPHERTEXTBYTES);
- digest.BlockUpdate(temp, 0, (int) (param.CRYPTO_CIPHERTEXTBYTES + param.MSG_BYTES));
- digest.OutputFinal(ss, 0, (int) param.CRYPTO_BYTES);
+ // Generate shared secret ss <- H(m||ct), or output ss <- H(s||ct) in case of ct verification failure
+ sidh.EphemeralKeyGeneration_A(ephemeralsk_, c0_);
- return 0;
+ // If selector = 0 then do ss = H(m||ct), else if selector = -1 load s to do ss = H(s||ct)
+ byte selector = fpx.ct_compare(c0_, ct, param.CRYPTO_PUBLICKEYBYTES);
+ fpx.ct_cmov(temp, sk, param.MSG_BYTES, selector);
+
+ System.Array.Copy(ct, 0, temp, param.MSG_BYTES, param.CRYPTO_CIPHERTEXTBYTES);
+ digest.BlockUpdate(temp, 0, (int) (param.CRYPTO_CIPHERTEXTBYTES + param.MSG_BYTES));
+ digest.OutputFinal(ss, 0, (int) param.CRYPTO_BYTES);
+
+ return 0;
+ }
}
}
-
}
-
-}
\ No newline at end of file
diff --git a/crypto/src/pqc/crypto/sike/SIKEKEMExtractor.cs b/crypto/src/pqc/crypto/sike/SIKEKEMExtractor.cs
index 5a0aa4a9e..879f1d8ef 100644
--- a/crypto/src/pqc/crypto/sike/SIKEKEMExtractor.cs
+++ b/crypto/src/pqc/crypto/sike/SIKEKEMExtractor.cs
@@ -27,10 +27,10 @@ namespace Org.BouncyCastle.Pqc.Crypto.Sike
public byte[] ExtractSecret(byte[] encapsulation)
{
- return ExtractSecret(encapsulation, engine.GetDefaultSessionKeySize());
+ return ExtractSecret(encapsulation, (int)engine.GetDefaultSessionKeySize());
}
- public byte[] ExtractSecret(byte[] encapsulation, uint sessionKeySizeInBits)
+ public byte[] ExtractSecret(byte[] encapsulation, int sessionKeySizeInBits)
{
Console.Error.WriteLine("WARNING: the SIKE algorithm is only for research purposes, insecure");
byte[] session_key = new byte[sessionKeySizeInBits / 8];
diff --git a/crypto/src/pqc/crypto/sike/SIKEKEMGenerator.cs b/crypto/src/pqc/crypto/sike/SIKEKEMGenerator.cs
index 94bdb606b..5e4bd41eb 100644
--- a/crypto/src/pqc/crypto/sike/SIKEKEMGenerator.cs
+++ b/crypto/src/pqc/crypto/sike/SIKEKEMGenerator.cs
@@ -23,10 +23,11 @@ namespace Org.BouncyCastle.Pqc.Crypto.Sike
SikePublicKeyParameters key = (SikePublicKeyParameters)recipientKey;
SikeEngine engine = key.Parameters.Engine;
- return GenerateEncapsulated(recipientKey, engine.GetDefaultSessionKeySize());
+ return GenerateEncapsulated(recipientKey, (int)engine.GetDefaultSessionKeySize());
}
- public ISecretWithEncapsulation GenerateEncapsulated(AsymmetricKeyParameter recipientKey, uint sessionKeySizeInBits)
+ public ISecretWithEncapsulation GenerateEncapsulated(AsymmetricKeyParameter recipientKey,
+ int sessionKeySizeInBits)
{
Console.Error.WriteLine("WARNING: the SIKE algorithm is only for research purposes, insecure");
SikePublicKeyParameters key = (SikePublicKeyParameters)recipientKey;
diff --git a/crypto/src/pqc/crypto/sphincsplus/SPHINCSPlusParameters.cs b/crypto/src/pqc/crypto/sphincsplus/SPHINCSPlusParameters.cs
index e8a95fd2f..8cde7cf7f 100644
--- a/crypto/src/pqc/crypto/sphincsplus/SPHINCSPlusParameters.cs
+++ b/crypto/src/pqc/crypto/sphincsplus/SPHINCSPlusParameters.cs
@@ -1,3 +1,4 @@
+using System;
using System.Collections.Generic;
using Org.BouncyCastle.Crypto.Utilities;
@@ -265,9 +266,9 @@ namespace Org.BouncyCastle.Pqc.Crypto.SphincsPlus
* @param id the oid of interest.
* @return the parameter set.
*/
- public static SphincsPlusParameters GetParams(uint id)
+ public static SphincsPlusParameters GetParams(int id)
{
- return oidToParams[id];
+ return oidToParams[Convert.ToUInt32(id)];
}
/**
@@ -276,14 +277,14 @@ namespace Org.BouncyCastle.Pqc.Crypto.SphincsPlus
* @param params the parameters of interest.
* @return the OID for the parameter set.
*/
- public static uint GetID(SphincsPlusParameters parameters)
+ public static int GetID(SphincsPlusParameters parameters)
{
- return paramsToOid[parameters];
+ return Convert.ToInt32(paramsToOid[parameters]);
}
public byte[] GetEncoded()
{
- return Pack.UInt32_To_BE(GetID(this));
+ return Pack.UInt32_To_BE((uint)GetID(this));
}
}
diff --git a/crypto/src/pqc/crypto/sphincsplus/SPHINCSPlusPrivateKeyParameters.cs b/crypto/src/pqc/crypto/sphincsplus/SPHINCSPlusPrivateKeyParameters.cs
index ed5195da2..55757b927 100644
--- a/crypto/src/pqc/crypto/sphincsplus/SPHINCSPlusPrivateKeyParameters.cs
+++ b/crypto/src/pqc/crypto/sphincsplus/SPHINCSPlusPrivateKeyParameters.cs
@@ -53,13 +53,13 @@ namespace Org.BouncyCastle.Pqc.Crypto.SphincsPlus
public byte[] GetEncoded()
{
- var id = Pack.UInt32_To_BE(SphincsPlusParameters.GetID(Parameters));
+ var id = Pack.UInt32_To_BE((uint)SphincsPlusParameters.GetID(Parameters));
return Arrays.ConcatenateAll(id, m_sk.seed, m_sk.prf, m_pk.seed, m_pk.root);
}
public byte[] GetEncodedPublicKey()
{
- var id = Pack.UInt32_To_BE(SphincsPlusParameters.GetID(Parameters));
+ var id = Pack.UInt32_To_BE((uint)SphincsPlusParameters.GetID(Parameters));
return Arrays.ConcatenateAll(id, m_pk.seed, m_pk.root);
}
}
diff --git a/crypto/src/pqc/crypto/sphincsplus/SPHINCSPlusPublicKeyParameters.cs b/crypto/src/pqc/crypto/sphincsplus/SPHINCSPlusPublicKeyParameters.cs
index 96e9324cc..b34843998 100644
--- a/crypto/src/pqc/crypto/sphincsplus/SPHINCSPlusPublicKeyParameters.cs
+++ b/crypto/src/pqc/crypto/sphincsplus/SPHINCSPlusPublicKeyParameters.cs
@@ -38,7 +38,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.SphincsPlus
public byte[] GetEncoded()
{
- var id = Pack.UInt32_To_BE(SphincsPlusParameters.GetID(Parameters));
+ var id = Pack.UInt32_To_BE((uint)SphincsPlusParameters.GetID(Parameters));
return Arrays.ConcatenateAll(id, m_pk.seed, m_pk.root);
}
}
diff --git a/crypto/src/pqc/crypto/utils/PqcUtilities.cs b/crypto/src/pqc/crypto/utils/PqcUtilities.cs
index adb82b6a3..67e58fd28 100644
--- a/crypto/src/pqc/crypto/utils/PqcUtilities.cs
+++ b/crypto/src/pqc/crypto/utils/PqcUtilities.cs
@@ -25,10 +25,12 @@ namespace Org.BouncyCastle.Pqc.Crypto.Utilities
private readonly static Dictionary<PicnicParameters, DerObjectIdentifier> picnicOids = new Dictionary<PicnicParameters, DerObjectIdentifier>();
private readonly static Dictionary<DerObjectIdentifier, PicnicParameters> picnicParams = new Dictionary<DerObjectIdentifier, PicnicParameters>();
-
+
+#pragma warning disable CS0618 // Type or member is obsolete
private readonly static Dictionary<SikeParameters, DerObjectIdentifier> sikeOids = new Dictionary<SikeParameters, DerObjectIdentifier>();
private readonly static Dictionary<DerObjectIdentifier, SikeParameters> sikeParams = new Dictionary<DerObjectIdentifier, SikeParameters>();
-
+#pragma warning restore CS0618 // Type or member is obsolete
+
private readonly static Dictionary<KyberParameters, DerObjectIdentifier> kyberOids = new Dictionary<KyberParameters, DerObjectIdentifier>();
private readonly static Dictionary<DerObjectIdentifier, KyberParameters> kyberParams = new Dictionary<DerObjectIdentifier, KyberParameters>();
@@ -132,7 +134,8 @@ namespace Org.BouncyCastle.Pqc.Crypto.Utilities
picnicParams[BCObjectIdentifiers.picnicl1full] = PicnicParameters.picnicl1full;
picnicParams[BCObjectIdentifiers.picnicl3full] = PicnicParameters.picnicl3full;
picnicParams[BCObjectIdentifiers.picnicl5full] = PicnicParameters.picnicl5full;
-
+
+#pragma warning disable CS0618 // Type or member is obsolete
sikeParams[BCObjectIdentifiers.sikep434] = SikeParameters.sikep434;
sikeParams[BCObjectIdentifiers.sikep503] = SikeParameters.sikep503;
sikeParams[BCObjectIdentifiers.sikep610] = SikeParameters.sikep610;
@@ -141,7 +144,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Utilities
sikeParams[BCObjectIdentifiers.sikep503_compressed] = SikeParameters.sikep503_compressed;
sikeParams[BCObjectIdentifiers.sikep610_compressed] = SikeParameters.sikep610_compressed;
sikeParams[BCObjectIdentifiers.sikep751_compressed] = SikeParameters.sikep751_compressed;
-
+
sikeOids[SikeParameters.sikep434] = BCObjectIdentifiers.sikep434;
sikeOids[SikeParameters.sikep503] = BCObjectIdentifiers.sikep503;
sikeOids[SikeParameters.sikep610] = BCObjectIdentifiers.sikep610;
@@ -150,7 +153,8 @@ namespace Org.BouncyCastle.Pqc.Crypto.Utilities
sikeOids[SikeParameters.sikep503_compressed] = BCObjectIdentifiers.sikep503_compressed;
sikeOids[SikeParameters.sikep610_compressed] = BCObjectIdentifiers.sikep610_compressed;
sikeOids[SikeParameters.sikep751_compressed] = BCObjectIdentifiers.sikep751_compressed;
-
+#pragma warning restore CS0618 // Type or member is obsolete
+
kyberOids[KyberParameters.kyber512] = BCObjectIdentifiers.kyber512;
kyberOids[KyberParameters.kyber768] = BCObjectIdentifiers.kyber768;
kyberOids[KyberParameters.kyber1024] = BCObjectIdentifiers.kyber1024;
@@ -248,17 +252,13 @@ namespace Org.BouncyCastle.Pqc.Crypto.Utilities
internal static DerObjectIdentifier SphincsPlusOidLookup(SphincsPlusParameters parameters)
{
- uint pId = SphincsPlusParameters.GetID(parameters);
+ int pId = SphincsPlusParameters.GetID(parameters);
if ((pId & 0x020000) == 0x020000)
- {
return BCObjectIdentifiers.sphincsPlus_shake_256;
- }
if ((pId & 0x05) == 0x05 || (pId & 0x06) == 0x06)
- {
return BCObjectIdentifiers.sphincsPlus_sha_512;
- }
return BCObjectIdentifiers.sphincsPlus_sha_256;
}
@@ -272,6 +272,8 @@ namespace Org.BouncyCastle.Pqc.Crypto.Utilities
{
return picnicParams[oid];
}
+
+#pragma warning disable CS0618 // Type or member is obsolete
internal static DerObjectIdentifier SikeOidLookup(SikeParameters parameters)
{
return sikeOids[parameters];
@@ -281,6 +283,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Utilities
{
return sikeParams[oid];
}
+#pragma warning restore CS0618 // Type or member is obsolete
internal static DerObjectIdentifier BikeOidLookup(BikeParameters parameters)
{
diff --git a/crypto/src/pqc/crypto/utils/PrivateKeyFactory.cs b/crypto/src/pqc/crypto/utils/PrivateKeyFactory.cs
index 7db65dbfb..6ad9bdb0c 100644
--- a/crypto/src/pqc/crypto/utils/PrivateKeyFactory.cs
+++ b/crypto/src/pqc/crypto/utils/PrivateKeyFactory.cs
@@ -81,7 +81,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Utilities
if (algOID.On(BCObjectIdentifiers.sphincsPlus))
{
byte[] keyEnc = Asn1OctetString.GetInstance(keyInfo.ParsePrivateKey()).GetOctets();
- SphincsPlusParameters spParams = SphincsPlusParameters.GetParams((uint)BigInteger.ValueOf(Pack.BE_To_UInt32(keyEnc, 0)).IntValue);
+ SphincsPlusParameters spParams = SphincsPlusParameters.GetParams(BigInteger.ValueOf(Pack.BE_To_UInt32(keyEnc, 0)).IntValue);
return new SphincsPlusPrivateKeyParameters(spParams, Arrays.CopyOfRange(keyEnc, 4, keyEnc.Length));
}
@@ -99,6 +99,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Utilities
return new PicnicPrivateKeyParameters(picnicParams, keyEnc);
}
+#pragma warning disable CS0618 // Type or member is obsolete
if (algOID.On(BCObjectIdentifiers.pqc_kem_sike))
{
byte[] keyEnc = Asn1OctetString.GetInstance(keyInfo.ParsePrivateKey()).GetOctets();
@@ -106,6 +107,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Utilities
return new SikePrivateKeyParameters(sikeParams, keyEnc);
}
+#pragma warning restore CS0618 // Type or member is obsolete
if (algOID.On(BCObjectIdentifiers.pqc_kem_bike))
{
byte[] keyEnc = Asn1OctetString.GetInstance(keyInfo.ParsePrivateKey()).GetOctets();
diff --git a/crypto/src/pqc/crypto/utils/PrivateKeyInfoFactory.cs b/crypto/src/pqc/crypto/utils/PrivateKeyInfoFactory.cs
index 806eae8b7..53b34b3f4 100644
--- a/crypto/src/pqc/crypto/utils/PrivateKeyInfoFactory.cs
+++ b/crypto/src/pqc/crypto/utils/PrivateKeyInfoFactory.cs
@@ -93,6 +93,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Utilities
PqcUtilities.PicnicOidLookup(picnicPrivateKeyParameters.Parameters));
return new PrivateKeyInfo(algorithmIdentifier, new DerOctetString(encoding), attributes);
}
+#pragma warning disable CS0618 // Type or member is obsolete
if (privateKey is SikePrivateKeyParameters sikePrivateKeyParameters)
{
byte[] encoding = sikePrivateKeyParameters.GetEncoded();
@@ -101,14 +102,15 @@ namespace Org.BouncyCastle.Pqc.Crypto.Utilities
PqcUtilities.SikeOidLookup(sikePrivateKeyParameters.Parameters));
return new PrivateKeyInfo(algorithmIdentifier, new DerOctetString(encoding), attributes);
}
+#pragma warning restore CS0618 // Type or member is obsolete
if (privateKey is FalconPrivateKeyParameters falconPrivateKeyParameters)
{
Asn1EncodableVector v = new Asn1EncodableVector();
v.Add(new DerInteger(1));
- v.Add(new DerOctetString(falconPrivateKeyParameters.GetSpolyf()));
+ v.Add(new DerOctetString(falconPrivateKeyParameters.GetSpolyLittleF()));
v.Add(new DerOctetString(falconPrivateKeyParameters.GetG()));
- v.Add(new DerOctetString(falconPrivateKeyParameters.GetSpolyF()));
+ v.Add(new DerOctetString(falconPrivateKeyParameters.GetSpolyBigF()));
AlgorithmIdentifier algorithmIdentifier = new AlgorithmIdentifier(
PqcUtilities.FalconOidLookup(falconPrivateKeyParameters.Parameters));
diff --git a/crypto/src/pqc/crypto/utils/PublicKeyFactory.cs b/crypto/src/pqc/crypto/utils/PublicKeyFactory.cs
index 5d55a73aa..9eea279b1 100644
--- a/crypto/src/pqc/crypto/utils/PublicKeyFactory.cs
+++ b/crypto/src/pqc/crypto/utils/PublicKeyFactory.cs
@@ -82,7 +82,8 @@ namespace Org.BouncyCastle.Pqc.Crypto.Utilities
Converters[BCObjectIdentifiers.picnicl1full] = new PicnicConverter();
Converters[BCObjectIdentifiers.picnicl3full] = new PicnicConverter();
Converters[BCObjectIdentifiers.picnicl5full] = new PicnicConverter();
-
+
+#pragma warning disable CS0618 // Type or member is obsolete
Converters[BCObjectIdentifiers.sikep434] = new SikeConverter();
Converters[BCObjectIdentifiers.sikep503] = new SikeConverter();
Converters[BCObjectIdentifiers.sikep610] = new SikeConverter();
@@ -91,7 +92,8 @@ namespace Org.BouncyCastle.Pqc.Crypto.Utilities
Converters[BCObjectIdentifiers.sikep503_compressed] = new SikeConverter();
Converters[BCObjectIdentifiers.sikep610_compressed] = new SikeConverter();
Converters[BCObjectIdentifiers.sikep751_compressed] = new SikeConverter();
-
+#pragma warning restore CS0618 // Type or member is obsolete
+
Converters[BCObjectIdentifiers.dilithium2] = new DilithiumConverter();
Converters[BCObjectIdentifiers.dilithium3] = new DilithiumConverter();
Converters[BCObjectIdentifiers.dilithium5] = new DilithiumConverter();
@@ -197,11 +199,11 @@ namespace Org.BouncyCastle.Pqc.Crypto.Utilities
{
internal override AsymmetricKeyParameter GetPublicKeyParameters(SubjectPublicKeyInfo keyInfo, object defaultParams)
{
- byte[] keyEnc = DerOctetString.GetInstance(keyInfo.ParsePublicKey()).GetOctets();
+ byte[] keyEnc = Asn1OctetString.GetInstance(keyInfo.ParsePublicKey()).GetOctets();
- SphincsPlusParameters spParams = SphincsPlusParameters.GetParams((uint)BigInteger.ValueOf(Pack.BE_To_UInt32(keyEnc, 0)).IntValue);
+ SphincsPlusParameters spParams = SphincsPlusParameters.GetParams((int)Pack.BE_To_UInt32(keyEnc, 0));
- return new SphincsPlusPublicKeyParameters(spParams, Arrays.CopyOfRange(keyEnc, 4, keyEnc.Length));
+ return new SphincsPlusPublicKeyParameters(spParams, Arrays.CopyOfRange(keyEnc, 4, keyEnc.Length));
}
}
@@ -223,7 +225,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Utilities
{
internal override AsymmetricKeyParameter GetPublicKeyParameters(SubjectPublicKeyInfo keyInfo, object defaultParams)
{
- byte[] keyEnc = DerOctetString.GetInstance(
+ byte[] keyEnc = Asn1OctetString.GetInstance(
DerSequence.GetInstance(keyInfo.ParsePublicKey())[0]).GetOctets();
SaberParameters saberParams = PqcUtilities.SaberParamsLookup(keyInfo.AlgorithmID.Algorithm);
@@ -237,19 +239,20 @@ namespace Org.BouncyCastle.Pqc.Crypto.Utilities
{
internal override AsymmetricKeyParameter GetPublicKeyParameters(SubjectPublicKeyInfo keyInfo, object defaultParams)
{
- byte[] keyEnc = DerOctetString.GetInstance(keyInfo.ParsePublicKey()).GetOctets();
+ byte[] keyEnc = Asn1OctetString.GetInstance(keyInfo.ParsePublicKey()).GetOctets();
PicnicParameters picnicParams = PqcUtilities.PicnicParamsLookup(keyInfo.AlgorithmID.Algorithm);
return new PicnicPublicKeyParameters(picnicParams, keyEnc);
}
}
+ [Obsolete("Will be removed")]
private class SikeConverter
: SubjectPublicKeyInfoConverter
{
internal override AsymmetricKeyParameter GetPublicKeyParameters(SubjectPublicKeyInfo keyInfo, object defaultParams)
{
- byte[] keyEnc = DerOctetString.GetInstance(keyInfo.ParsePublicKey()).GetOctets();
+ byte[] keyEnc = Asn1OctetString.GetInstance(keyInfo.ParsePublicKey()).GetOctets();
SikeParameters sikeParams = PqcUtilities.SikeParamsLookup(keyInfo.AlgorithmID.Algorithm);
diff --git a/crypto/src/pqc/crypto/utils/SubjectPublicKeyInfoFactory.cs b/crypto/src/pqc/crypto/utils/SubjectPublicKeyInfoFactory.cs
index 39d437320..b88834e50 100644
--- a/crypto/src/pqc/crypto/utils/SubjectPublicKeyInfoFactory.cs
+++ b/crypto/src/pqc/crypto/utils/SubjectPublicKeyInfoFactory.cs
@@ -89,6 +89,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Utilities
PqcUtilities.PicnicOidLookup(picnicPublicKeyParameters.Parameters));
return new SubjectPublicKeyInfo(algorithmIdentifier, new DerOctetString(encoding));
}
+#pragma warning disable CS0618 // Type or member is obsolete
if (publicKey is SikePublicKeyParameters sikePublicKeyParameters)
{
byte[] encoding = sikePublicKeyParameters.GetEncoded();
@@ -97,6 +98,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Utilities
PqcUtilities.SikeOidLookup(sikePublicKeyParameters.Parameters));
return new SubjectPublicKeyInfo(algorithmIdentifier, new DerOctetString(encoding));
}
+#pragma warning restore CS0618 // Type or member is obsolete
if (publicKey is FalconPublicKeyParameters falconPublicKeyParameters)
{
byte[] encoding = falconPublicKeyParameters.GetEncoded();
diff --git a/crypto/test/BouncyCastle.Crypto.Tests.csproj b/crypto/test/BouncyCastle.Crypto.Tests.csproj
index 9e9282f05..77a873a2a 100644
--- a/crypto/test/BouncyCastle.Crypto.Tests.csproj
+++ b/crypto/test/BouncyCastle.Crypto.Tests.csproj
@@ -5,7 +5,7 @@
<IsPackable>false</IsPackable>
<SignAssembly>false</SignAssembly>
<EnableDefaultItems>false</EnableDefaultItems>
- <NoWarn>1591</NoWarn>
+ <NoWarn>618;1591</NoWarn>
<RootNamespace>Org.BouncyCastle</RootNamespace>
</PropertyGroup>
diff --git a/crypto/test/src/math/test/BigIntegerTest.cs b/crypto/test/src/math/test/BigIntegerTest.cs
index f5973c197..8f477d684 100644
--- a/crypto/test/src/math/test/BigIntegerTest.cs
+++ b/crypto/test/src/math/test/BigIntegerTest.cs
@@ -773,11 +773,13 @@ namespace Org.BouncyCastle.Math.Tests
BigInteger x = new BigInteger(128, random);
object y;
+#pragma warning disable SYSLIB0011 // Type or member is obsolete
var formatter = new BinaryFormatter();
formatter.Serialize(buf, x);
buf.Position = 0;
y = formatter.Deserialize(buf);
+#pragma warning restore SYSLIB0011 // Type or member is obsolete
Assert.AreEqual(buf.Length, buf.Position);
Assert.AreEqual(x, y);
|
