From: Andreas Steffen Date: Tue, 18 Mar 2014 09:03:16 +0000 (+0100) Subject: Implemented ntru_private_key class X-Git-Tag: 5.1.3dr1~13 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=337f0c8a2f603e551fdb2e5bee8b49b9c1470f8f;p=thirdparty%2Fstrongswan.git Implemented ntru_private_key class --- diff --git a/src/libstrongswan/plugins/ntru/Makefile.am b/src/libstrongswan/plugins/ntru/Makefile.am index d5bf8b9f7a..fec2a70951 100644 --- a/src/libstrongswan/plugins/ntru/Makefile.am +++ b/src/libstrongswan/plugins/ntru/Makefile.am @@ -17,6 +17,8 @@ libstrongswan_ntru_la_SOURCES = \ ntru_mgf1.h ntru_mgf1.c \ ntru_param_set.h ntru_param_set.c \ ntru_poly.h ntru_poly.c \ + ntru_public_key.h ntru_public_key.c \ + ntru_private_key.h ntru_private_key.c \ ntru_trits.h ntru_trits.c \ ntru_crypto/ntru_crypto.h \ ntru_crypto/ntru_crypto_ntru_convert.h \ diff --git a/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto.h b/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto.h index 677b6d0ad0..33a7e961dd 100644 --- a/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto.h +++ b/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto.h @@ -113,102 +113,4 @@ ntru_crypto_ntru_encrypt( no. of octets in ciphertext */ uint8_t *ct); /* out - address for ciphertext */ - -/* ntru_crypto_ntru_decrypt - * - * Implements NTRU decryption (SVES) for the parameter set specified in - * the private key blob. - * - * The maximum size of the output plaintext may be queried by invoking - * this function with pt = NULL. In this case, no decryption is performed, - * NTRU_OK is returned, and the maximum size the plaintext could be is - * returned in pt_len. - * Note that until the decryption is performed successfully, the actual size - * of the resulting plaintext cannot be known. - * - * When pt != NULL, at invocation *pt_len must be the size of the pt buffer. - * Upon return it is the actual size of the plaintext. - * - * Returns NTRU_OK if successful. - * Returns NTRU_BAD_PARAMETER if an argument pointer (other than pt) is NULL. - * Returns NTRU_BAD_LENGTH if a length argument (privkey_blob) is zero, or if - * ct_len is invalid for the parameter set. - * Returns NTRU_BAD_PRIVATE_KEY if the private-key blob is invalid - * (unknown format, corrupt, bad length). - * Returns NTRU_BUFFER_TOO_SMALL if the plaintext buffer is too small. - * Returns NTRU_NO_MEMORY if memory needed cannot be allocated from the heap. - * Returns NTRU_FAIL if a decryption error occurs. - */ - -NTRUCALL -ntru_crypto_ntru_decrypt( - uint16_t privkey_blob_len, /* in - no. of octets in private key - blob */ - uint8_t const *privkey_blob, /* in - pointer to private key */ - uint16_t ct_len, /* in - no. of octets in ciphertext */ - uint8_t const *ct, /* in - pointer to ciphertext */ - uint16_t *pt_len, /* in/out - no. of octets in pt, addr for - no. of octets in plaintext */ - uint8_t *pt); /* out - address for plaintext */ - - -/* ntru_crypto_ntru_encrypt_keygen - * - * Implements key generation for NTRUEncrypt for the parameter set specified. - * - * Before invoking this function, a DRBG must be instantiated using - * ntru_crypto_drbg_instantiate() to obtain a DRBG handle, and in that - * instantiation the requested security strength must be at least as large - * as the security strength of the NTRU parameter set being used. - * Failure to instantiate the DRBG with the proper security strength will - * result in this function returning NTRU_DRBG_FAIL. - * - * The required minimum size of the output public-key buffer (pubkey_blob) - * may be queried by invoking this function with pubkey_blob = NULL. - * In this case, no key generation is performed, NTRU_OK is returned, and - * the required minimum size for pubkey_blob is returned in pubkey_blob_len. - * - * The required minimum size of the output private-key buffer (privkey_blob) - * may be queried by invoking this function with privkey_blob = NULL. - * In this case, no key generation is performed, NTRU_OK is returned, and - * the required minimum size for privkey_blob is returned in privkey_blob_len. - * - * The required minimum sizes of both pubkey_blob and privkey_blob may be - * queried as described above, in a single invocation of this function. - * - * When pubkey_blob != NULL and privkey_blob != NULL, at invocation - * *pubkey_blob_len must be the size of the pubkey_blob buffer and - * *privkey_blob_len must be the size of the privkey_blob buffer. - * Upon return, *pubkey_blob_len is the actual size of the public-key blob - * and *privkey_blob_len is the actual size of the private-key blob. - * - * Returns NTRU_OK if successful. - * Returns NTRU_BAD_PARAMETER if an argument pointer (other than pubkey_blob - * or privkey_blob) is NULL. - * Returns NTRU_INVALID_PARAMETER_SET if the parameter-set ID is invalid. - * Returns NTRU_BAD_LENGTH if a length argument is invalid. - * Returns NTRU_BUFFER_TOO_SMALL if either the pubkey_blob buffer or the - * privkey_blob buffer is too small. - * Returns NTRU_NO_MEMORY if memory needed cannot be allocated from the heap. - * Returns NTRU_FAIL if the polynomial generated for f is not invertible in - * (Z/qZ)[X]/(X^N - 1), which is extremely unlikely. - * Should this occur, this function should simply be invoked again. - */ - -NTRUCALL -ntru_crypto_ntru_encrypt_keygen( - ntru_drbg_t *drbg, /* in - handle of DRBG */ - ntru_param_set_id_t param_set_id, /* in - parameter set ID */ - uint16_t *pubkey_blob_len, /* in/out - no. of octets in - pubkey_blob, addr - for no. of octets - in pubkey_blob */ - uint8_t *pubkey_blob, /* out - address for - public key blob */ - uint16_t *privkey_blob_len, /* in/out - no. of octets in - privkey_blob, addr - for no. of octets - in privkey_blob */ - uint8_t *privkey_blob); /* out - address for - private key blob */ #endif /* NTRU_CRYPTO_H */ diff --git a/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_encrypt.c b/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_encrypt.c index 8ebcf2c3f4..01891234fe 100644 --- a/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_encrypt.c +++ b/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_encrypt.c @@ -97,7 +97,7 @@ ntru_crypto_ntru_encrypt( uint32_t dr2 = 0; uint32_t dr3 = 0; uint16_t ring_mult_tmp_len; - int16_t m1 = 0; + int16_t m1; uint16_t *scratch_buf = NULL; uint16_t *ringel_buf = NULL; uint8_t *b_buf = NULL; @@ -243,7 +243,7 @@ ntru_crypto_ntru_encrypt( uint16_t pubkey_packed_len; /* unpack the public key */ - assert(pubkey_pack_type == NTRU_ENCRYPT_KEY_PACKED_COEFFICIENTS); + assert(pubkey_pack_type == NTRU_KEY_PACKED_COEFFICIENTS); pubkey_packed_len = (params->N * params->q_bits + 7) >> 3; ntru_octets_2_elements(pubkey_packed_len, pubkey_packed, params->q_bits, ringel_buf); @@ -302,6 +302,7 @@ ntru_crypto_ntru_encrypt( /* form the msg representative m' by adding Mtrin to mask, mod p */ if (params->is_product_form) { + m1 = 0; for (i = 0; i < mprime_len; i++) { tmp_buf[i] = mask_trits[i] + Mtrin_buf[i]; @@ -342,7 +343,6 @@ ntru_crypto_ntru_encrypt( else msg_rep_good = ntru_poly_check_min_weight(mprime_len, tmp_buf, params->min_msg_rep_wt); - msg_rep_good = TRUE; } } while ((result == NTRU_OK) && !msg_rep_good); @@ -372,661 +372,3 @@ ntru_crypto_ntru_encrypt( return result; } - - -/* ntru_crypto_ntru_decrypt - * - * Implements NTRU decryption (SVES) for the parameter set specified in - * the private key blob. - * - * The maximum size of the output plaintext may be queried by invoking - * this function with pt = NULL. In this case, no decryption is performed, - * NTRU_OK is returned, and the maximum size the plaintext could be is - * returned in pt_len. - * Note that until the decryption is performed successfully, the actual size - * of the resulting plaintext cannot be known. - * - * When pt != NULL, at invocation *pt_len must be the size of the pt buffer. - * Upon return it is the actual size of the plaintext. - * - * Returns NTRU_OK if successful. - * Returns NTRU_BAD_PARAMETER if an argument pointer (other than pt) is NULL. - * Returns NTRU_BAD_LENGTH if a length argument (privkey_blob) is zero, or if - * ct_len is invalid for the parameter set. - * Returns NTRU_BAD_PRIVATE_KEY if the private-key blob is invalid - * (unknown format, corrupt, bad length). - * Returns NTRU_BUFFER_TOO_SMALL if the plaintext buffer is too small. - * Returns NTRU_NO_MEMORY if memory needed cannot be allocated from the heap. - * Returns NTRU_FAIL if a decryption error occurs. - */ - -uint32_t -ntru_crypto_ntru_decrypt( - uint16_t privkey_blob_len, /* in - no. of octets in private key - blob */ - uint8_t const *privkey_blob, /* in - pointer to private key */ - uint16_t ct_len, /* in - no. of octets in ciphertext */ - uint8_t const *ct, /* in - pointer to ciphertext */ - uint16_t *pt_len, /* in/out - no. of octets in pt, addr for - no. of octets in plaintext */ - uint8_t *pt) /* out - address for plaintext */ -{ - ntru_param_set_t *params = NULL; - uint8_t const *privkey_packed = NULL; - uint8_t const *pubkey_packed = NULL; - uint8_t privkey_pack_type = 0x00; - uint8_t pubkey_pack_type = 0x00; - size_t scratch_buf_len; - uint32_t dF_r; - uint32_t dF_r1 = 0; - uint32_t dF_r2 = 0; - uint32_t dF_r3 = 0; - uint16_t ring_mult_tmp_len; - int16_t m1 = 0; - uint16_t *scratch_buf = NULL; - uint16_t *ringel_buf1 = NULL; - uint16_t *ringel_buf2 = NULL; - uint16_t *i_buf = NULL; - uint8_t *m_buf = NULL; - uint8_t *tmp_buf = NULL; - uint8_t *Mtrin_buf = NULL; - uint8_t *M_buf = NULL; - uint8_t *ptr = NULL; - hash_algorithm_t hash_algid; - uint16_t cmprime_len; - uint16_t mod_q_mask; - uint16_t q_mod_p; - uint16_t cm_len = 0; - uint16_t num_zeros; - uint16_t i; - bool decryption_ok = TRUE; - uint32_t result = NTRU_OK; - ntru_trits_t *mask; - uint8_t *mask_trits; - chunk_t seed; - ntru_poly_t *F_poly, *r_poly; - - /* check for bad parameters */ - if (!privkey_blob || !ct || !pt_len) - { - return NTRU_BAD_PARAMETER; - } - if ((privkey_blob_len == 0) || (ct_len == 0)) - { - return NTRU_BAD_LENGTH; - } - - /* get a pointer to the parameter-set parameters, the packing types for - * the public and private keys, and pointers to the packed public and - * private keys - */ - - if (!ntru_crypto_ntru_encrypt_key_parse(FALSE /* privkey */, - privkey_blob_len, - privkey_blob, &pubkey_pack_type, - &privkey_pack_type, ¶ms, - &pubkey_packed, &privkey_packed)) - { - return NTRU_BAD_PRIVATE_KEY; - } - - /* return the max plaintext size if requested */ - - if (!pt) - { - *pt_len = params->m_len_max; - return NTRU_OK; - } - - /* cannot check the plaintext buffer size until after the plaintext - * is derived, if we allow plaintext buffers only as large as the - * actual plaintext - */ - - /* check the ciphertext length */ - - if (ct_len != (params->N * params->q_bits + 7) >> 3) - { - return NTRU_BAD_LENGTH; - } - - /* allocate memory for all operations */ - - if (params->is_product_form) - { - ring_mult_tmp_len = params->N << 1; /* 2N 16-bit word buffer */ - dF_r1 = params->dF_r & 0xff; - dF_r2 = (params->dF_r >> 8) & 0xff; - dF_r3 = (params->dF_r >> 16) & 0xff; - dF_r = dF_r1 + dF_r2 + dF_r3; - } else { - ring_mult_tmp_len = params->N; /* N 16-bit word buffer */ - dF_r = params->dF_r; - } - scratch_buf_len = (ring_mult_tmp_len << 1) + - /* X-byte temp buf for ring mult and - other intermediate results */ - (params->N << 2) + /* 2 2N-byte bufs for ring elements - and overflow from temp buffer */ - (dF_r << 2) + /* buffer for F, r indices */ - params->m_len_max; /* buffer for plaintext */ - scratch_buf = malloc(scratch_buf_len); - if (!scratch_buf) - { - return NTRU_OUT_OF_MEMORY; - } - ringel_buf1 = scratch_buf + ring_mult_tmp_len; - ringel_buf2 = ringel_buf1 + params->N; - i_buf = ringel_buf2 + params->N; - m_buf = (uint8_t *)(i_buf + (dF_r << 1)); - tmp_buf = (uint8_t *)scratch_buf; - Mtrin_buf = (uint8_t *)ringel_buf1; - M_buf = Mtrin_buf + params->N; - - /* set hash algorithm based on security strength */ - hash_algid = (params->sec_strength_len <= 20) ? HASH_SHA1 : HASH_SHA256; - - /* set constants */ - mod_q_mask = params->q - 1; - q_mod_p = params->q % 3; - - /* unpack the ciphertext */ - ntru_octets_2_elements(ct_len, ct, params->q_bits, ringel_buf2); - - /* unpack the private key */ - if (privkey_pack_type == NTRU_ENCRYPT_KEY_PACKED_TRITS) - { - ntru_packed_trits_2_indices(privkey_packed, params->N, i_buf, - i_buf + dF_r); - - } - else if (privkey_pack_type == NTRU_ENCRYPT_KEY_PACKED_INDICES) - { - ntru_octets_2_elements( - (((uint16_t)dF_r << 1) * params->N_bits + 7) >> 3, - privkey_packed, params->N_bits, i_buf); - - } - else - { - assert(FALSE); - } - - /* form cm': - * F * e - * A = e * (1 + pF) mod q = e + pFe mod q - * a = A in the range [-q/2, q/2) - * cm' = a mod p - */ - F_poly = ntru_poly_create_from_data(i_buf, params->N, params->q, - params->dF_r, params->dF_r, - params->is_product_form); - F_poly->ring_mult(F_poly, ringel_buf2, ringel_buf1); - F_poly->destroy(F_poly); - - cmprime_len = params->N; - if (params->is_product_form) - { - --cmprime_len; - for (i = 0; i < cmprime_len; i++) - { - ringel_buf1[i] = (ringel_buf2[i] + 3 * ringel_buf1[i]) & mod_q_mask; - if (ringel_buf1[i] >= (params->q >> 1)) - { - ringel_buf1[i] = ringel_buf1[i] - q_mod_p; - } - Mtrin_buf[i] = (uint8_t)(ringel_buf1[i] % 3); - if (Mtrin_buf[i] == 1) - { - ++m1; - } - else if (Mtrin_buf[i] == 2) - { - --m1; - } - } - } - else - { - for (i = 0; i < cmprime_len; i++) - { - ringel_buf1[i] = (ringel_buf2[i] + 3 * ringel_buf1[i]) & mod_q_mask; - if (ringel_buf1[i] >= (params->q >> 1)) - { - ringel_buf1[i] = ringel_buf1[i] - q_mod_p; - } - Mtrin_buf[i] = (uint8_t)(ringel_buf1[i] % 3); - } - } - - /* check that the candidate message representative meets minimum weight - * requirements - */ - - if (params->is_product_form) - { - decryption_ok = m1 < 0 ? (bool)(-m1 <= params->min_msg_rep_wt) : - (bool)( m1 <= params->min_msg_rep_wt); - } - else - { - decryption_ok = ntru_poly_check_min_weight(cmprime_len, Mtrin_buf, - params->min_msg_rep_wt); - } - - /* form cR = e - cm' mod q */ - for (i = 0; i < cmprime_len; i++) - { - if (Mtrin_buf[i] == 1) - { - ringel_buf2[i] = (ringel_buf2[i] - 1) & mod_q_mask; - } - else if (Mtrin_buf[i] == 2) - { - ringel_buf2[i] = (ringel_buf2[i] + 1) & mod_q_mask; - } - } - if (params->is_product_form) - { - ringel_buf2[i] = (ringel_buf2[i] + m1) & mod_q_mask; - } - - /* form cR mod 4 */ - ntru_coeffs_mod4_2_octets(params->N, ringel_buf2, tmp_buf); - - /* form mask */ - seed = chunk_create(tmp_buf, (params->N + 3)/4); - mask = ntru_trits_create(params->N, hash_algid, seed); - if (!mask) - { - result = NTRU_MGF1_FAIL; - } - else - { - mask_trits = mask->get_trits(mask); - - /* form cMtrin by subtracting mask from cm', mod p */ - for (i = 0; i < cmprime_len; i++) - { - Mtrin_buf[i] = Mtrin_buf[i] - mask_trits[i]; - if (Mtrin_buf[i] >= 3) - { - Mtrin_buf[i] += 3; - } - } - mask->destroy(mask); - - if (params->is_product_form) - - /* set the last trit to zero since that's what it was, and - * because it can't be calculated from (cm' - mask) since - * we don't have the correct value for the last cm' trit - */ - - Mtrin_buf[i] = 0; - - /* convert cMtrin to cM (Mtrin to Mbin) */ - - if (!ntru_trits_2_bits(Mtrin_buf, params->N, M_buf)) - decryption_ok = FALSE; - - /* validate the padded message cM and copy cm to m_buf */ - - ptr = M_buf + params->sec_strength_len; - if (params->m_len_len == 2) - cm_len = (uint16_t)(*ptr++) << 16; - cm_len |= (uint16_t)(*ptr++); - if (cm_len > params->m_len_max) { - cm_len = params->m_len_max; - decryption_ok = FALSE; - } - memcpy(m_buf, ptr, cm_len); - ptr += cm_len; - num_zeros = params->m_len_max - cm_len + 1; - for (i = 0; i < num_zeros; i++) { - if (ptr[i] != 0) - decryption_ok = FALSE; - } - - /* form sData (OID || m || b || hTrunc) */ - - ptr = tmp_buf; - memcpy(ptr, params->oid, 3); - ptr += 3; - memcpy(ptr, m_buf, cm_len); - ptr += cm_len; - memcpy(ptr, M_buf, params->sec_strength_len); - ptr += params->sec_strength_len; - memcpy(ptr, pubkey_packed, params->sec_strength_len); - ptr += params->sec_strength_len; - - /* generate cr */ - DBG2(DBG_LIB, "generate polynomial r"); - - seed = chunk_create(tmp_buf, ptr - tmp_buf); - r_poly = ntru_poly_create_from_seed(hash_algid, seed, params->c_bits, - params->N, params->q, - params->dF_r, params->dF_r, - params->is_product_form); - if (!r_poly) - { - result = NTRU_MGF1_FAIL; - } - } - - if (result == NTRU_OK) - { - /* unpack the public key */ - { - uint16_t pubkey_packed_len; - - assert(pubkey_pack_type == NTRU_ENCRYPT_KEY_PACKED_COEFFICIENTS); - pubkey_packed_len = (params->N * params->q_bits + 7) >> 3; - ntru_octets_2_elements(pubkey_packed_len, pubkey_packed, - params->q_bits, ringel_buf1); - } - - /* form cR' = h * cr */ - r_poly->ring_mult(r_poly, ringel_buf1, ringel_buf1); - r_poly->destroy(r_poly); - - /* compare cR' to cR */ - for (i = 0; i < params->N; i++) - { - if (ringel_buf1[i] != ringel_buf2[i]) - { - decryption_ok = FALSE; - } - } - - /* output plaintext and plaintext length */ - if (decryption_ok) - { - if (*pt_len < cm_len) - { - return NTRU_BUFFER_TOO_SMALL; - } - memcpy(pt, m_buf, cm_len); - *pt_len = cm_len; - } - } - - /* cleanup */ - memset(scratch_buf, 0, scratch_buf_len); - free(scratch_buf); - - if (!decryption_ok) - { - return NTRU_FAIL; - } - - return result; -} - - -/* ntru_crypto_ntru_encrypt_keygen - * - * Implements key generation for NTRUEncrypt for the parameter set specified. - * - * The required minimum size of the output public-key buffer (pubkey_blob) - * may be queried by invoking this function with pubkey_blob = NULL. - * In this case, no key generation is performed, NTRU_OK is returned, and - * the required minimum size for pubkey_blob is returned in pubkey_blob_len. - * - * The required minimum size of the output private-key buffer (privkey_blob) - * may be queried by invoking this function with privkey_blob = NULL. - * In this case, no key generation is performed, NTRU_OK is returned, and - * the required minimum size for privkey_blob is returned in privkey_blob_len. - * - * The required minimum sizes of both pubkey_blob and privkey_blob may be - * queried as described above, in a single invocation of this function. - * - * When pubkey_blob != NULL and privkey_blob != NULL, at invocation - * *pubkey_blob_len must be the size of the pubkey_blob buffer and - * *privkey_blob_len must be the size of the privkey_blob buffer. - * Upon return, *pubkey_blob_len is the actual size of the public-key blob - * and *privkey_blob_len is the actual size of the private-key blob. - * - * Returns NTRU_OK if successful. - * Returns NTRU_BAD_PARAMETER if an argument pointer (other than pubkey_blob or - * privkey_blob) is NULL. - * Returns NTRU_INVALID_PARAMETER_SET if the parameter-set ID is invalid. - * Returns NTRU_BAD_LENGTH if a length argument is invalid. - * Returns NTRU_BUFFER_TOO_SMALL if either the pubkey_blob buffer or the - * privkey_blob buffer is too small. - * Returns NTRU_NO_MEMORY if memory needed cannot be allocated from the heap. - * Returns NTRU_FAIL if the polynomial generated for f is not invertible in - * (Z/qZ)[X]/(X^N - 1), which is extremely unlikely. - * Should this occur, this function should simply be invoked again. - */ - -uint32_t -ntru_crypto_ntru_encrypt_keygen( - ntru_drbg_t *drbg, /* in - handle of DRBG */ - ntru_param_set_id_t param_set_id, /* in - parameter set ID */ - uint16_t *pubkey_blob_len, /* in/out - no. of octets in - pubkey_blob, addr - for no. of octets - in pubkey_blob */ - uint8_t *pubkey_blob, /* out - address for - public key blob */ - uint16_t *privkey_blob_len, /* in/out - no. of octets in - privkey_blob, addr - for no. of octets - in privkey_blob */ - uint8_t *privkey_blob) /* out - address for - private key blob */ -{ - ntru_param_set_t *params = NULL; - uint16_t public_key_blob_len; - uint16_t private_key_blob_len; - uint8_t pubkey_pack_type; - uint8_t privkey_pack_type; - size_t scratch_buf_len; - uint32_t dF; - uint32_t dF1 = 0; - uint32_t dF2 = 0; - uint32_t dF3 = 0; - uint16_t *scratch_buf = NULL; - uint16_t *ringel_buf1 = NULL; - uint16_t *ringel_buf2 = NULL; - uint8_t *tmp_buf = NULL; - uint16_t mod_q_mask; - hash_algorithm_t hash_algid; - uint16_t seed_len; - chunk_t seed; - uint32_t result = NTRU_OK; - ntru_poly_t *F_poly = NULL; - ntru_poly_t *g_poly = NULL; - uint16_t *F_indices; - - /* get a pointer to the parameter-set parameters */ - params = ntru_param_set_get_by_id(param_set_id); - if (!params) - { - return NTRU_INVALID_PARAMETER_SET; - } - - /* check for bad parameters */ - if (!pubkey_blob_len || !privkey_blob_len) - { - return NTRU_BAD_PARAMETER; - } - - /* get public and private key packing types and blob lengths */ - ntru_crypto_ntru_encrypt_key_get_blob_params(params, &pubkey_pack_type, - &public_key_blob_len, - &privkey_pack_type, - &private_key_blob_len); - - /* return the pubkey_blob size and/or privkey_blob size if requested */ - - if (!pubkey_blob || !privkey_blob) - { - if (!pubkey_blob) - *pubkey_blob_len = public_key_blob_len; - if (!privkey_blob) - *privkey_blob_len = private_key_blob_len; - return NTRU_OK; - } - - /* check size of output buffers */ - - if ((*pubkey_blob_len < public_key_blob_len) || - (*privkey_blob_len < private_key_blob_len)) - { - return NTRU_BUFFER_TOO_SMALL; - } - - /* allocate memory for all operations */ - if (params->is_product_form) { - dF1 = params->dF_r & 0xff; - dF2 = (params->dF_r >> 8) & 0xff; - dF3 = (params->dF_r >> 16) & 0xff; - dF = dF1 + dF2 + dF3; - } else { - dF = params->dF_r; - } - - scratch_buf_len = (params->N * 8) + /* 4N-byte temp buffer for ring inv - and other intermediate results, - 2N-byte buffer for f, g indices - and overflow from temp buffer, - 2N-byte buffer for f^-1 */ - (dF << 2); /* buffer for F indices */ - scratch_buf = malloc(scratch_buf_len); - if (!scratch_buf) - { - return NTRU_OUT_OF_MEMORY; - } - ringel_buf1 = scratch_buf + (params->N << 1); - ringel_buf2 = ringel_buf1 + params->N; - tmp_buf = (uint8_t *)scratch_buf; - - /* set hash algorithm and seed length based on security strength */ - if (params->sec_strength_len <= 20) - { - hash_algid = HASH_SHA1; - } - else - { - hash_algid = HASH_SHA256; - } - seed_len = params->sec_strength_len + 8; - - /* set constants */ - - mod_q_mask = params->q - 1; - - /* get random bytes for seed for generating trinary F - * as a list of indices - */ - - if (drbg->generate(drbg, params->sec_strength_len * BITS_PER_BYTE, - seed_len, tmp_buf)) - { - result = NTRU_OK; - } - else - { - result = NTRU_DRBG_FAIL; - } - - if (result == NTRU_OK) - { - DBG2(DBG_LIB, "generate polynomial F"); - - seed = chunk_create(tmp_buf, seed_len); - F_poly = ntru_poly_create_from_seed(hash_algid, seed, params->c_bits, - params->N, params->q, - params->dF_r, params->dF_r, - params->is_product_form); - if (!F_poly) - { - result = NTRU_MGF1_FAIL; - } - } - - if (result == NTRU_OK) - { - int i; - - F_poly->get_array(F_poly, ringel_buf1); - - /* form f = 1 + pF */ - for (i = 0; i < params->N; i++) - { - ringel_buf1[i] = (ringel_buf1[i] * 3) & mod_q_mask; - } - ringel_buf1[0] = (ringel_buf1[0] + 1) & mod_q_mask; - - /* find f^-1 in (Z/qZ)[X]/(X^N - 1) */ - if (!ntru_ring_inv(ringel_buf1, params->N, params->q, - scratch_buf, ringel_buf2)) - { - result = NTRU_FAIL; - } - } - - if (result == NTRU_OK) - { - - /* get random bytes for seed for generating trinary polynomial g - * as a list of indices - */ - if (!drbg->generate(drbg, params->sec_strength_len * BITS_PER_BYTE, - seed_len, tmp_buf)) - { - result = NTRU_DRBG_FAIL; - } - } - - if (result == NTRU_OK) - { - DBG2(DBG_LIB, "generate polynomial g"); - - seed = chunk_create(tmp_buf, seed_len); - g_poly = ntru_poly_create_from_seed(hash_algid, seed, params->c_bits, - params->N, params->q, - params->dg + 1, params->dg, FALSE); - if (!g_poly) - { - result = NTRU_MGF1_FAIL; - } - } - - if (result == NTRU_OK) - { - uint16_t i; - - /* compute h = p * (f^-1 * g) mod q */ - g_poly->ring_mult(g_poly, ringel_buf2, ringel_buf2); - g_poly->destroy(g_poly); - - for (i = 0; i < params->N; i++) - { - ringel_buf2[i] = (ringel_buf2[i] * 3) & mod_q_mask; - } - - /* create public key blob */ - ntru_crypto_ntru_encrypt_key_create_pubkey_blob(params, ringel_buf2, - pubkey_pack_type, - pubkey_blob); - *pubkey_blob_len = public_key_blob_len; - - /* create private key blob */ - F_indices = F_poly->get_indices(F_poly); - ntru_crypto_ntru_encrypt_key_create_privkey_blob(params, ringel_buf2, - F_indices, - privkey_pack_type, - tmp_buf, privkey_blob); - *privkey_blob_len = private_key_blob_len; - } - - /* cleanup */ - DESTROY_IF(F_poly); - memset(scratch_buf, 0, scratch_buf_len); - free(scratch_buf); - - return result; -} diff --git a/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_encrypt_key.c b/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_encrypt_key.c index dec6bbc8ef..702b574e3a 100644 --- a/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_encrypt_key.c +++ b/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_encrypt_key.c @@ -72,13 +72,13 @@ ntru_crypto_ntru_encrypt_key_parse( /* parse key blob based on tag */ tag = key_blob[0]; switch (tag) { - case NTRU_ENCRYPT_PUBKEY_TAG: + case NTRU_PUBKEY_TAG: if (!pubkey_parse) return FALSE; break; - case NTRU_ENCRYPT_PRIVKEY_DEFAULT_TAG: - case NTRU_ENCRYPT_PRIVKEY_TRITS_TAG: - case NTRU_ENCRYPT_PRIVKEY_INDICES_TAG: + case NTRU_PRIVKEY_DEFAULT_TAG: + case NTRU_PRIVKEY_TRITS_TAG: + case NTRU_PRIVKEY_INDICES_TAG: assert(privkey_pack_type); assert(privkey); if (pubkey_parse) @@ -89,10 +89,10 @@ ntru_crypto_ntru_encrypt_key_parse( } switch (tag) { - case NTRU_ENCRYPT_PUBKEY_TAG: - case NTRU_ENCRYPT_PRIVKEY_DEFAULT_TAG: - case NTRU_ENCRYPT_PRIVKEY_TRITS_TAG: - case NTRU_ENCRYPT_PRIVKEY_INDICES_TAG: + case NTRU_PUBKEY_TAG: + case NTRU_PRIVKEY_DEFAULT_TAG: + case NTRU_PRIVKEY_TRITS_TAG: + case NTRU_PRIVKEY_INDICES_TAG: /* Version 0: * byte 0: tag @@ -136,7 +136,7 @@ ntru_crypto_ntru_encrypt_key_parse( /* check packing type for product-form private keys */ if (p->is_product_form && - (tag == NTRU_ENCRYPT_PRIVKEY_TRITS_TAG)) + (tag == NTRU_PRIVKEY_TRITS_TAG)) return FALSE; /* set packed-key length for packed indices */ @@ -151,16 +151,16 @@ ntru_crypto_ntru_encrypt_key_parse( /* set private-key packing type if defaulted */ - if (tag == NTRU_ENCRYPT_PRIVKEY_DEFAULT_TAG) { + if (tag == NTRU_PRIVKEY_DEFAULT_TAG) { if (p->is_product_form || (privkey_packed_indices_len <= privkey_packed_trits_len)) - tag = NTRU_ENCRYPT_PRIVKEY_INDICES_TAG; + tag = NTRU_PRIVKEY_INDICES_TAG; else - tag = NTRU_ENCRYPT_PRIVKEY_TRITS_TAG; + tag = NTRU_PRIVKEY_TRITS_TAG; } - if (tag == NTRU_ENCRYPT_PRIVKEY_TRITS_TAG) + if (tag == NTRU_PRIVKEY_TRITS_TAG) privkey_packed_len = privkey_packed_trits_len; else privkey_packed_len = privkey_packed_indices_len; @@ -170,14 +170,14 @@ ntru_crypto_ntru_encrypt_key_parse( *pubkey = key_blob + 5; *privkey = *pubkey + pubkey_packed_len; - *privkey_pack_type = (tag == NTRU_ENCRYPT_PRIVKEY_TRITS_TAG) ? - NTRU_ENCRYPT_KEY_PACKED_TRITS : - NTRU_ENCRYPT_KEY_PACKED_INDICES; + *privkey_pack_type = (tag == NTRU_PRIVKEY_TRITS_TAG) ? + NTRU_KEY_PACKED_TRITS : + NTRU_KEY_PACKED_INDICES; } /* return parameter set pointer */ - *pubkey_pack_type = NTRU_ENCRYPT_KEY_PACKED_COEFFICIENTS; + *pubkey_pack_type = NTRU_KEY_PACKED_COEFFICIENTS; *params = p; } default: @@ -185,171 +185,3 @@ ntru_crypto_ntru_encrypt_key_parse( } return TRUE; } - - -/* ntru_crypto_ntru_encrypt_key_get_blob_params - * - * Returns public and private key packing types and blob lengths given - * a packing format. For now, only a default packing format exists. - * - * Only public-key params may be returned by setting privkey_pack_type - * and privkey_blob_len to NULL. - */ - -void -ntru_crypto_ntru_encrypt_key_get_blob_params( - ntru_param_set_t *params, /* in - pointer to - param set - parameters */ - uint8_t *pubkey_pack_type, /* out - addr for pubkey - packing type */ - uint16_t *pubkey_blob_len, /* out - addr for no. of - bytes in - pubkey blob */ - uint8_t *privkey_pack_type, /* out - addr for privkey - packing type */ - uint16_t *privkey_blob_len) /* out - addr for no. of - bytes in - privkey blob */ -{ - uint16_t pubkey_packed_len = (params->N * params->q_bits + 7) >> 3; - - assert(params); - assert(pubkey_pack_type); - assert(pubkey_blob_len); - - *pubkey_pack_type = NTRU_ENCRYPT_KEY_PACKED_COEFFICIENTS; - *pubkey_blob_len = 5 + pubkey_packed_len; - - if (privkey_pack_type && privkey_blob_len) { - uint16_t privkey_packed_trits_len = (params->N + 4) / 5; - uint16_t privkey_packed_indices_len; - uint16_t dF; - - if (params->is_product_form) - dF = (uint16_t)( (params->dF_r & 0xff) + /* df1 */ - ((params->dF_r >> 8) & 0xff) + /* df2 */ - ((params->dF_r >> 16) & 0xff)); /* df3 */ - else - dF = (uint16_t)params->dF_r; - privkey_packed_indices_len = ((dF << 1) * params->N_bits + 7) >> 3; - - if (params->is_product_form || - (privkey_packed_indices_len <= privkey_packed_trits_len)) { - *privkey_pack_type = NTRU_ENCRYPT_KEY_PACKED_INDICES; - *privkey_blob_len = - 5 + pubkey_packed_len + privkey_packed_indices_len; - } else { - *privkey_pack_type = NTRU_ENCRYPT_KEY_PACKED_TRITS; - *privkey_blob_len = - 5 + pubkey_packed_len + privkey_packed_trits_len; - } - } -} - - -/* ntru_crypto_ntru_encrypt_key_create_pubkey_blob - * - * Returns a public key blob, packed according to the packing type provided. - */ - -void -ntru_crypto_ntru_encrypt_key_create_pubkey_blob( - ntru_param_set_t *params, /* in - pointer to - param set - parameters */ - uint16_t const *pubkey, /* in - pointer to the - coefficients - of the pubkey */ - uint8_t pubkey_pack_type, /* out - pubkey packing - type */ - uint8_t *pubkey_blob) /* out - addr for the - pubkey blob */ -{ - assert(params); - assert(pubkey); - assert(pubkey_blob); - - switch (pubkey_pack_type) { - case NTRU_ENCRYPT_KEY_PACKED_COEFFICIENTS: - *pubkey_blob++ = NTRU_ENCRYPT_PUBKEY_TAG; - *pubkey_blob++ = (uint8_t)sizeof(params->oid); - memcpy(pubkey_blob, params->oid, sizeof(params->oid)); - pubkey_blob += sizeof(params->oid); - ntru_elements_2_octets(params->N, pubkey, params->q_bits, - pubkey_blob); - break; - default: - assert(FALSE); - } -} - - -/* ntru_crypto_ntru_encrypt_key_create_privkey_blob - * - * Returns a private key blob, packed according to the packing type provided. - */ - -void -ntru_crypto_ntru_encrypt_key_create_privkey_blob( - ntru_param_set_t *params, /* in - pointer to - param set - parameters */ - uint16_t const *pubkey, /* in - pointer to the - coefficients - of the pubkey */ - uint16_t const *privkey, /* in - pointer to the - indices of the - privkey */ - uint8_t privkey_pack_type, /* in - privkey packing - type */ - uint8_t *buf, /* in - temp, N bytes */ - uint8_t *privkey_blob) /* out - addr for the - privkey blob */ -{ - assert(params); - assert(pubkey); - assert(privkey); - assert(privkey_blob); - - switch (privkey_pack_type) { - case NTRU_ENCRYPT_KEY_PACKED_TRITS: - case NTRU_ENCRYPT_KEY_PACKED_INDICES: - - /* format header and packed public key */ - - *privkey_blob++ = NTRU_ENCRYPT_PRIVKEY_DEFAULT_TAG; - *privkey_blob++ = (uint8_t)sizeof(params->oid); - memcpy(privkey_blob, params->oid, sizeof(params->oid)); - privkey_blob += sizeof(params->oid); - ntru_elements_2_octets(params->N, pubkey, params->q_bits, - privkey_blob); - privkey_blob += (params->N * params->q_bits + 7) >> 3; - - /* add packed private key */ - - if (privkey_pack_type == NTRU_ENCRYPT_KEY_PACKED_TRITS) { - ntru_indices_2_packed_trits(privkey, (uint16_t)params->dF_r, - (uint16_t)params->dF_r, - params->N, buf, privkey_blob); - } else { - uint32_t dF; - - if (params->is_product_form) { - dF = (params->dF_r & 0xff) + - ((params->dF_r >> 8) & 0xff) + - ((params->dF_r >> 16) & 0xff); - } else { - dF = params->dF_r; - } - ntru_elements_2_octets((uint16_t)dF << 1, privkey, - params->N_bits, privkey_blob); - } - break; - default: - assert(FALSE); - break; - } -} - - diff --git a/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_encrypt_key.h b/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_encrypt_key.h index c38c3fc27d..637e49c95b 100644 --- a/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_encrypt_key.h +++ b/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_encrypt_key.h @@ -30,19 +30,6 @@ #include "ntru_param_set.h" -/* key-blob definitions */ - -#define NTRU_ENCRYPT_PUBKEY_TAG 0x01 -#define NTRU_ENCRYPT_PRIVKEY_DEFAULT_TAG 0x02 -#define NTRU_ENCRYPT_PRIVKEY_TRITS_TAG 0xfe -#define NTRU_ENCRYPT_PRIVKEY_INDICES_TAG 0xff - -/* packing types */ - -#define NTRU_ENCRYPT_KEY_PACKED_COEFFICIENTS 0x01 -#define NTRU_ENCRYPT_KEY_PACKED_INDICES 0x02 -#define NTRU_ENCRYPT_KEY_PACKED_TRITS 0x03 - /* function declarations */ @@ -75,93 +62,4 @@ ntru_crypto_ntru_encrypt_key_parse( uint8_t const **privkey); /* out - addr for ptr to packed privkey */ - -/* ntru_crypto_ntru_encrypt_key_get_blob_params - * - * Returns public and private key packing types and blob lengths given - * a packing format. For now, only a default packing format exists. - * - * Only public-key params may be returned by setting privkey_pack_type - * and privkey_blob_len to NULL. - */ - -extern void -ntru_crypto_ntru_encrypt_key_get_blob_params( - ntru_param_set_t *params, /* in - pointer to - param set - parameters */ - uint8_t *pubkey_pack_type, /* out - addr for pubkey - packing type */ - uint16_t *pubkey_blob_len, /* out - addr for no. of - bytes in - pubkey blob */ - uint8_t *privkey_pack_type, /* out - addr for privkey - packing type */ - uint16_t *privkey_blob_len); /* out - addr for no. of - bytes in - privkey blob */ - - -/* ntru_crypto_ntru_encrypt_key_create_pubkey_blob - * - * Returns a public key blob, packed according to the packing type provided. - */ - -extern void -ntru_crypto_ntru_encrypt_key_create_pubkey_blob( - ntru_param_set_t *params, /* in - pointer to - param set - parameters */ - uint16_t const *pubkey, /* in - pointer to the - coefficients - of the pubkey */ - uint8_t pubkey_pack_type, /* out - addr for pubkey - packing type */ - uint8_t *pubkey_blob); /* out - addr for the - pubkey blob */ - - -/* ntru_crypto_ntru_encrypt_key_recreate_pubkey_blob - * - * Returns a public key blob, recreated from an already-packed public key. - */ - -extern void -ntru_crypto_ntru_encrypt_key_recreate_pubkey_blob( - ntru_param_set_t *params, /* in - pointer to - param set - parameters */ - uint16_t packed_pubkey_len, /* in - no. octets in - packed pubkey */ - uint8_t const *packed_pubkey, /* in - pointer to the - packed pubkey */ - uint8_t pubkey_pack_type, /* out - pubkey packing - type */ - uint8_t *pubkey_blob); /* out - addr for the - pubkey blob */ - - -/* ntru_crypto_ntru_encrypt_key_create_privkey_blob - * - * Returns a privlic key blob, packed according to the packing type provided. - */ - -extern void -ntru_crypto_ntru_encrypt_key_create_privkey_blob( - ntru_param_set_t *params, /* in - pointer to - param set - parameters */ - uint16_t const *pubkey, /* in - pointer to the - coefficients - of the pubkey */ - uint16_t const *privkey, /* in - pointer to the - indices of the - privkey */ - uint8_t privkey_pack_type, /* in - privkey packing - type */ - uint8_t *buf, /* in - temp, N bytes */ - uint8_t *privkey_blob); /* out - addr for the - privkey blob */ - - #endif /* NTRU_CRYPTO_NTRU_ENCRYPT_KEY_H */ diff --git a/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_poly.c b/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_poly.c index 8e4eede87f..e5393849c9 100644 --- a/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_poly.c +++ b/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_poly.c @@ -51,192 +51,3 @@ ntru_poly_check_min_weight( return TRUE; } -/* ntru_ring_mult_coefficients - * - * Multiplies ring element (polynomial) "a" by ring element (polynomial) "b" - * to produce ring element (polynomial) "c" in (Z/qZ)[X]/(X^N - 1). - * This is a convolution operation. - * - * Ring element "b" has coefficients in the range [0,N). - * - * This assumes q is 2^r where 8 < r < 16, so that overflow of the sum - * beyond 16 bits does not matter. - */ - -void -ntru_ring_mult_coefficients( - uint16_t const *a, /* in - pointer to polynomial a */ - uint16_t const *b, /* in - pointer to polynomial b */ - uint16_t N, /* in - no. of coefficients in a, b, c */ - uint16_t q, /* in - large modulus */ - uint16_t *c) /* out - address for polynomial c */ -{ - uint16_t const *bptr = b; - uint16_t mod_q_mask = q - 1; - uint16_t i, k; - - /* c[k] = sum(a[i] * b[k-i]) mod q */ - memset(c, 0, N * sizeof(uint16_t)); - for (k = 0; k < N; k++) { - i = 0; - while (i <= k) - c[k] += a[i++] * *bptr--; - bptr += N; - while (i < N) - c[k] += a[i++] * *bptr--; - c[k] &= mod_q_mask; - ++bptr; - } -} - - -/* ntru_ring_inv - * - * Finds the inverse of a polynomial, a, in (Z/2^rZ)[X]/(X^N - 1). - * - * This assumes q is 2^r where 8 < r < 16, so that operations mod q can - * wait until the end, and only 16-bit arrays need to be used. - */ - -bool -ntru_ring_inv( - uint16_t *a, /* in - pointer to polynomial a */ - uint16_t N, /* in - no. of coefficients in a */ - uint16_t q, /* in - large modulus */ - uint16_t *t, /* in - temp buffer of 2N elements */ - uint16_t *a_inv) /* out - address for polynomial a^-1 */ -{ - uint8_t *b = (uint8_t *)t; /* b cannot be in a_inv since it must be - rotated and copied there as a^-1 mod 2 */ - uint8_t *c = b + N; /* c cannot be in a_inv since it exchanges - with b, and b cannot be in a_inv */ - uint8_t *f = c + N; - uint8_t *g = (uint8_t *)a_inv; /* g needs N + 1 bytes */ - uint16_t *t2 = t + N; - uint16_t deg_b; - uint16_t deg_c; - uint16_t deg_f; - uint16_t deg_g; - uint16_t k = 0; - bool done = FALSE; - uint16_t i, j; - - /* form a^-1 in (Z/2Z)[X]/X^N - 1) */ - memset(b, 0, (N << 1)); /* clear to init b, c */ - - /* b(X) = 1 */ - b[0] = 1; - deg_b = 0; - - /* c(X) = 0 (cleared above) */ - deg_c = 0; - - /* f(X) = a(X) mod 2 */ - for (i = 0; i < N; i++) - f[i] = (uint8_t)(a[i] & 1); - deg_f = N - 1; - - /* g(X) = X^N - 1 */ - g[0] = 1; - memset(g + 1, 0, N - 1); - g[N] = 1; - deg_g = N; - - /* until f(X) = 1 */ - - while (!done) - { - - /* while f[0] = 0, f(X) /= X, c(X) *= X, k++ */ - - for (i = 0; (i <= deg_f) && (f[i] == 0); ++i); - if (i > deg_f) - return FALSE; - if (i) { - f = f + i; - deg_f = deg_f - i; - deg_c = deg_c + i; - for (j = deg_c; j >= i; j--) - c[j] = c[j-i]; - for (j = 0; j < i; j++) - c[j] = 0; - k = k + i; - } - - /* adjust degree of f(X) if the highest coefficients are zero - * Note: f[0] = 1 from above so the loop will terminate. - */ - - while (f[deg_f] == 0) - --deg_f; - - /* if f(X) = 1, done - * Note: f[0] = 1 from above, so only check the x term and up - */ - - for (i = 1; (i <= deg_f) && (f[i] == 0); ++i); - if (i > deg_f) { - done = TRUE; - break; - } - - /* if deg_f < deg_g, f <-> g, b <-> c */ - - if (deg_f < deg_g) { - uint8_t *x; - - x = f; - f = g; - g = x; - deg_f ^= deg_g; - deg_g ^= deg_f; - deg_f ^= deg_g; - x = b; - b = c; - c = x; - deg_b ^= deg_c; - deg_c ^= deg_b; - deg_b ^= deg_c; - } - - /* f(X) += g(X), b(X) += c(X) */ - - for (i = 0; i <= deg_g; i++) - f[i] ^= g[i]; - - if (deg_c > deg_b) - deg_b = deg_c; - for (i = 0; i <= deg_c; i++) - b[i] ^= c[i]; - } - - /* a^-1 in (Z/2Z)[X]/(X^N - 1) = b(X) shifted left k coefficients */ - - j = 0; - if (k >= N) - k = k - N; - for (i = k; i < N; i++) - a_inv[j++] = (uint16_t)(b[i]); - for (i = 0; i < k; i++) - a_inv[j++] = (uint16_t)(b[i]); - - /* lift a^-1 in (Z/2Z)[X]/(X^N - 1) to a^-1 in (Z/qZ)[X]/(X^N -1) */ - - for (j = 0; j < 4; ++j) { /* assumes 256 < q <= 65536 */ - - /* a^-1 = a^-1 * (2 - a * a^-1) mod q */ - - memcpy(t2, a_inv, N * sizeof(uint16_t)); - ntru_ring_mult_coefficients(a, t2, N, q, t); - for (i = 0; i < N; ++i) - t[i] = q - t[i]; - t[0] = t[0] + 2; - ntru_ring_mult_coefficients(t2, t, N, q, a_inv); - } - - return TRUE; - - -} - - diff --git a/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_poly.h b/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_poly.h index 1e9d467ede..938e7b2cf0 100644 --- a/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_poly.h +++ b/src/libstrongswan/plugins/ntru/ntru_crypto/ntru_crypto_ntru_poly.h @@ -55,42 +55,4 @@ ntru_poly_check_min_weight( uint8_t *ringels, /* in - pointer to trinary ring elements */ uint16_t min_wt); /* in - minimum weight */ -/* ntru_ring_mult_coefficients - * - * Multiplies ring element (polynomial) "a" by ring element (polynomial) "b" - * to produce ring element (polynomial) "c" in (Z/qZ)[X]/(X^N - 1). - * This is a convolution operation. - * - * Ring element "b" has coefficients in the range [0,N). - * - * This assumes q is 2^r where 8 < r < 16, so that overflow of the sum - * beyond 16 bits does not matter. - */ - -extern void -ntru_ring_mult_coefficients( - uint16_t const *a, /* in - pointer to polynomial a */ - uint16_t const *b, /* in - pointer to polynomial b */ - uint16_t N, /* in - no. of coefficients in a, b, c */ - uint16_t q, /* in - large modulus */ - uint16_t *c); /* out - address for polynomial c */ - - -/* ntru_ring_inv - * - * Finds the inverse of a polynomial, a, in (Z/2^rZ)[X]/(X^N - 1). - * - * This assumes q is 2^r where 8 < r < 16, so that operations mod q can - * wait until the end, and only 16-bit arrays need to be used. - */ - -extern bool -ntru_ring_inv( - uint16_t *a, /* in - pointer to polynomial a */ - uint16_t N, /* in - no. of coefficients in a */ - uint16_t q, /* in - large modulus */ - uint16_t *t, /* in - temp buffer of 2N elements */ - uint16_t *a_inv); /* out - address for polynomial a^-1 */ - - #endif /* NTRU_CRYPTO_NTRU_POLY_H */ diff --git a/src/libstrongswan/plugins/ntru/ntru_ke.c b/src/libstrongswan/plugins/ntru/ntru_ke.c index 14bd0cd87c..95acffd82b 100644 --- a/src/libstrongswan/plugins/ntru/ntru_ke.c +++ b/src/libstrongswan/plugins/ntru/ntru_ke.c @@ -16,6 +16,8 @@ #include "ntru_ke.h" #include "ntru_drbg.h" #include "ntru_param_set.h" +#include "ntru_private_key.h" +#include "ntru_public_key.h" #include "ntru_crypto/ntru_crypto.h" @@ -71,12 +73,17 @@ struct private_ntru_ke_t { /** * NTRU Public Key */ - chunk_t pub_key; + ntru_public_key_t *pubkey; /** * NTRU Private Key */ - chunk_t priv_key; + ntru_private_key_t *privkey; + + /** + * NTRU Public Key Encoding + */ + chunk_t pubkey_enc; /** * NTRU encrypted shared secret @@ -112,8 +119,6 @@ struct private_ntru_ke_t { METHOD(diffie_hellman_t, get_my_public_value, void, private_ntru_ke_t *this, chunk_t *value) { - uint16_t pub_key_len, priv_key_len; - *value = chunk_empty; if (this->responder) @@ -125,34 +130,21 @@ METHOD(diffie_hellman_t, get_my_public_value, void, } else { - if (this->pub_key.len == 0) + if (!this->pubkey) { - /* determine the NTRU public and private key sizes */ - if (ntru_crypto_ntru_encrypt_keygen(this->drbg, this->param_set->id, - &pub_key_len, NULL, - &priv_key_len, NULL) != NTRU_OK) - { - DBG1(DBG_LIB, "error determining NTRU public and private key " - "sizes"); - return; - } - this->pub_key = chunk_alloc(pub_key_len); - this->priv_key = chunk_alloc(priv_key_len); - /* generate a random NTRU public/private key pair */ - if (ntru_crypto_ntru_encrypt_keygen(this->drbg, this->param_set->id, - &pub_key_len, this->pub_key.ptr, - &priv_key_len, this->priv_key.ptr) != NTRU_OK) + this->privkey = ntru_private_key_create(this->drbg, this->param_set); + if (!this->privkey) { DBG1(DBG_LIB, "NTRU keypair generation failed"); - chunk_free(&this->priv_key); - chunk_free(&this->pub_key); return; } - DBG3(DBG_LIB, "NTRU public key: %B", &this->pub_key); - DBG4(DBG_LIB, "NTRU private key: %B", &this->priv_key); + this->pubkey = this->privkey->get_public_key(this->privkey); + this->pubkey_enc = this->pubkey->get_encoding(this->pubkey); + this->pubkey_enc = chunk_clone(this->pubkey_enc); + DBG3(DBG_LIB, "NTRU public key: %B", &this->pubkey_enc); } - *value = chunk_clone(this->pub_key); + *value = chunk_clone(this->pubkey_enc); } } @@ -173,9 +165,9 @@ METHOD(diffie_hellman_t, get_shared_secret, status_t, METHOD(diffie_hellman_t, set_other_public_value, void, private_ntru_ke_t *this, chunk_t value) { - u_int16_t plaintext_len, ciphertext_len; + u_int16_t ciphertext_len; - if (this->priv_key.len) + if (this->privkey) { /* initiator decrypting shared secret */ if (value.len == 0) @@ -183,29 +175,14 @@ METHOD(diffie_hellman_t, set_other_public_value, void, DBG1(DBG_LIB, "empty NTRU ciphertext"); return; } - this->ciphertext = chunk_clone(value); - DBG3(DBG_LIB, "NTRU ciphertext: %B", &this->ciphertext); - - /* determine the size of the maximum plaintext */ - if (ntru_crypto_ntru_decrypt(this->priv_key.len, this->priv_key.ptr, - this->ciphertext.len, this->ciphertext.ptr, - &plaintext_len, NULL) != NTRU_OK) - { - DBG1(DBG_LIB, "error determining maximum plaintext size"); - return; - } - this->shared_secret = chunk_alloc(plaintext_len); + DBG3(DBG_LIB, "NTRU ciphertext: %B", &value); /* decrypt the shared secret */ - if (ntru_crypto_ntru_decrypt(this->priv_key.len, this->priv_key.ptr, - this->ciphertext.len, this->ciphertext.ptr, - &plaintext_len, this->shared_secret.ptr) != NTRU_OK) + if (!this->privkey->decrypt(this->privkey, value, &this->shared_secret)) { DBG1(DBG_LIB, "NTRU decryption of shared secret failed"); - chunk_free(&this->shared_secret); return; } - this->shared_secret.len = plaintext_len; this->computed = TRUE; } else @@ -214,17 +191,19 @@ METHOD(diffie_hellman_t, set_other_public_value, void, this->responder = TRUE; /* check the NTRU public key format */ - if (value.len < 5 || value.ptr[0] != 1 || value.ptr[1] != 3) + if (value.len < 5 || + value.ptr[0] != NTRU_PUBKEY_TAG || + value.ptr[1] != NTRU_OID_LEN) { DBG1(DBG_LIB, "received NTRU public key with invalid header"); return; } - if (!memeq(value.ptr + 2, this->param_set->oid, 3)) + if (!memeq(value.ptr + 2, this->param_set->oid, NTRU_OID_LEN)) { DBG1(DBG_LIB, "received NTRU public key with wrong OID"); return; } - this->pub_key = chunk_clone(value); + this->pubkey_enc = chunk_clone(value); /* shared secret size is chosen as twice the cryptographical strength */ this->shared_secret = chunk_alloc(2 * this->strength / BITS_PER_BYTE); @@ -241,7 +220,7 @@ METHOD(diffie_hellman_t, set_other_public_value, void, /* determine the size of the ciphertext */ if (ntru_crypto_ntru_encrypt(this->drbg, - this->pub_key.len, this->pub_key.ptr, + this->pubkey_enc.len, this->pubkey_enc.ptr, this->shared_secret.len, this->shared_secret.ptr, &ciphertext_len, NULL) != NTRU_OK) { @@ -252,7 +231,7 @@ METHOD(diffie_hellman_t, set_other_public_value, void, /* encrypt the shared secret */ if (ntru_crypto_ntru_encrypt(this->drbg, - this->pub_key.len, this->pub_key.ptr, + this->pubkey_enc.len, this->pubkey_enc.ptr, this->shared_secret.len, this->shared_secret.ptr, &ciphertext_len, this->ciphertext.ptr) != NTRU_OK) { @@ -273,11 +252,12 @@ METHOD(diffie_hellman_t, get_dh_group, diffie_hellman_group_t, METHOD(diffie_hellman_t, destroy, void, private_ntru_ke_t *this) { + DESTROY_IF(this->privkey); + DESTROY_IF(this->pubkey); this->drbg->destroy(this->drbg); this->entropy->destroy(this->entropy); - chunk_free(&this->pub_key); + chunk_free(&this->pubkey_enc); chunk_free(&this->ciphertext); - chunk_clear(&this->priv_key); chunk_clear(&this->shared_secret); free(this); } diff --git a/src/libstrongswan/plugins/ntru/ntru_param_set.c b/src/libstrongswan/plugins/ntru/ntru_param_set.c index 2bc61f653f..4af1e3091e 100644 --- a/src/libstrongswan/plugins/ntru/ntru_param_set.c +++ b/src/libstrongswan/plugins/ntru/ntru_param_set.c @@ -17,6 +17,8 @@ #include "ntru_param_set.h" +#include + ENUM(ntru_param_set_id_names, NTRU_EES401EP1, NTRU_EES743EP1, "ees401ep1", "ees449ep1", @@ -370,3 +372,4 @@ ntru_param_set_t* ntru_param_set_get_by_oid(uint8_t const *oid) return NULL; } +EXPORT_FUNCTION_FOR_TESTS(ntru, ntru_param_set_get_by_id); diff --git a/src/libstrongswan/plugins/ntru/ntru_param_set.h b/src/libstrongswan/plugins/ntru/ntru_param_set.h index c3ccf8956c..20d75dc473 100644 --- a/src/libstrongswan/plugins/ntru/ntru_param_set.h +++ b/src/libstrongswan/plugins/ntru/ntru_param_set.h @@ -28,6 +28,26 @@ typedef struct ntru_param_set_t ntru_param_set_t; #include +/** + * Encoding types for NTRU encryption public/private key blobs + */ +#define NTRU_PUBKEY_TAG 0x01 +#define NTRU_PRIVKEY_DEFAULT_TAG 0x02 +#define NTRU_PRIVKEY_TRITS_TAG 0xfe +#define NTRU_PRIVKEY_INDICES_TAG 0xff + +/** + * Size in octets of the OID designating the NTRU encryption parameter set + */ +#define NTRU_OID_LEN 3 + +/** + * Packing types for NTRU encryption public/private keys + */ +#define NTRU_KEY_PACKED_COEFFICIENTS 0x01 +#define NTRU_KEY_PACKED_INDICES 0x02 +#define NTRU_KEY_PACKED_TRITS 0x03 + /** * NTRU encryption parameter set ID list */ @@ -60,23 +80,23 @@ extern enum_name_t *ntru_param_set_id_names; * NTRU encryption parameter set definitions */ struct ntru_param_set_t { - ntru_param_set_id_t id; /* NTRU parameter set ID */ - uint8_t oid[3]; /* pointer to OID */ - uint8_t der_id; /* parameter-set DER id */ - uint8_t N_bits; /* no. of bits in N (i.e. in an index */ - uint16_t N; /* ring dimension */ - uint16_t sec_strength_len; /* no. of octets of security strength */ - uint16_t q; /* big modulus */ - uint8_t q_bits; /* no. of bits in q (i.e. in a coefficient */ - bool is_product_form; /* if product form used */ - uint32_t dF_r; /* no. of +1 or -1 coefficients in ring elements - F, r */ - uint16_t dg; /* no. - 1 of +1 coefficients or - no. of -1 coefficients in ring element g */ - uint16_t m_len_max; /* max no. of plaintext octets */ - uint16_t min_msg_rep_wt; /* min. message representative weight */ - uint8_t c_bits; /* no. bits in candidate for deriving an index */ - uint8_t m_len_len; /* no. of octets to hold mLenOctets */ + ntru_param_set_id_t id; /* NTRU parameter set ID */ + uint8_t oid[NTRU_OID_LEN]; /* pointer to OID */ + uint8_t der_id; /* parameter-set DER id */ + uint8_t N_bits; /* no. of bits in N (i.e. in an index */ + uint16_t N; /* ring dimension */ + uint16_t sec_strength_len; /* no. of octets of security strength */ + uint16_t q; /* big modulus */ + uint8_t q_bits; /* no. of bits in q (i.e. in a coefficient */ + bool is_product_form; /* if product form used */ + uint32_t dF_r; /* no. of +1 or -1 coefficients in ring elements + F, r */ + uint16_t dg; /* no. - 1 of +1 coefficients or + no. of -1 coefficients in ring element g */ + uint16_t m_len_max; /* max no. of plaintext octets */ + uint16_t min_msg_rep_wt; /* min. message representative weight */ + uint8_t c_bits; /* no. bits in candidate for deriving an index */ + uint8_t m_len_len; /* no. of octets to hold mLenOctets */ }; /** diff --git a/src/libstrongswan/plugins/ntru/ntru_private_key.c b/src/libstrongswan/plugins/ntru/ntru_private_key.c new file mode 100644 index 0000000000..9e824630d0 --- /dev/null +++ b/src/libstrongswan/plugins/ntru/ntru_private_key.c @@ -0,0 +1,745 @@ +/* + * Copyright (C) 2014 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * Copyright (C) 2009-2013 Security Innovation + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "ntru_private_key.h" +#include "ntru_trits.h" +#include "ntru_poly.h" + +#include "ntru_crypto/ntru_crypto_ntru_convert.h" + +#include +#include + +typedef struct private_ntru_private_key_t private_ntru_private_key_t; + +/** + * Private data of an ntru_private_key_t object. + */ +struct private_ntru_private_key_t { + + /** + * Public ntru_private_key_t interface. + */ + ntru_private_key_t public; + + /** + * NTRU Parameter Set + */ + ntru_param_set_t *params; + + /** + * Polynomial F which is the private key + */ + ntru_poly_t *privkey; + + /** + * Polynomial h which is the public key + */ + uint16_t *pubkey; + + /** + * Encoding of the private key + */ + chunk_t encoding; + +}; + +METHOD(ntru_private_key_t, get_public_key, ntru_public_key_t*, + private_ntru_private_key_t *this) +{ + return ntru_public_key_create(this->params, this->pubkey); +} + +/** + * Generate NTRU encryption private key encoding + */ +static void generate_encoding(private_ntru_private_key_t *this) +{ + size_t pubkey_len, privkey_len, privkey_trits_len, privkey_indices_len; + int privkey_pack_type; + uint16_t *indices; + uint8_t *trits; + u_char *enc; + + /* compute public key length encoded as packed coefficients */ + pubkey_len = (this->params->N * this->params->q_bits + 7) / 8; + + /* compute private key length encoded as packed trits coefficients */ + privkey_trits_len = (this->params->N + 4) / 5; + + /* compute private key length encoded as packed indices */ + privkey_indices_len = (this->privkey->get_size(this->privkey) * + this->params->N_bits + 7) / 8; + + if (this->params->is_product_form || + privkey_indices_len <= privkey_trits_len) + { + privkey_pack_type = NTRU_KEY_PACKED_INDICES; + privkey_len = privkey_indices_len; + } + else + { + privkey_pack_type = NTRU_KEY_PACKED_TRITS; + privkey_len = privkey_trits_len; + } + + /* allocate memory for private key encoding */ + this->encoding = chunk_alloc(2 + NTRU_OID_LEN + pubkey_len + privkey_len); + enc = this->encoding.ptr; + + /* format header and packed public key */ + *enc++ = NTRU_PRIVKEY_DEFAULT_TAG; + *enc++ = NTRU_OID_LEN; + memcpy(enc, this->params->oid, NTRU_OID_LEN); + enc += NTRU_OID_LEN; + ntru_elements_2_octets(this->params->N, this->pubkey, + this->params->q_bits, enc); + enc += pubkey_len; + + /* add packed private key */ + indices = this->privkey->get_indices(this->privkey); + + if (privkey_pack_type == NTRU_KEY_PACKED_TRITS) + { + /* encode private key as packed trits */ + trits = malloc(this->params->N); + ntru_indices_2_packed_trits(indices, this->params->dF_r, + this->params->dF_r, this->params->N, trits, enc); + memwipe(trits, this->params->N); + free(trits); + } + else + { + /* encode private key as packed indices */ + ntru_elements_2_octets(this->privkey->get_size(this->privkey), + indices, this->params->N_bits, enc); + } +} + +METHOD(ntru_private_key_t, get_encoding, chunk_t, + private_ntru_private_key_t *this) +{ + return this->encoding; +} + +/** + * Checks that the number of 0, +1, and -1 trinary ring elements meet or exceed + * a minimum weight. + * + * @param N degree of polynomial + * @param t array of trinary ring elements + * @param min_wt minimum weight + * @return TRUE if minimum weight met or exceeded + */ +static bool check_min_weight(uint16_t N, uint8_t *t, uint16_t min_wt) +{ + uint16_t wt[3]; + int i; + + wt[0] = wt[1] = wt[2] = 0; + + for (i = 0; i < N; i++) + { + ++wt[t[i]]; + } + + return (wt[0] >= min_wt) && (wt[1] >= min_wt) && (wt[2] >= min_wt); +} + +METHOD(ntru_private_key_t, decrypt, bool, + private_ntru_private_key_t *this, chunk_t ciphertext, chunk_t *plaintext) +{ + hash_algorithm_t hash_algid; + size_t t_len, seed1_len, seed2_len; + uint16_t *t1, *t2, *t = NULL; + uint16_t mod_q_mask, q_mod_p, cmprime_len, cm_len = 0, num_zeros; + uint8_t *Mtrin, *M, *cm, *mask_trits, *ptr; + int16_t m1 = 0; + chunk_t seed = chunk_empty; + ntru_trits_t *mask; + ntru_poly_t *r_poly; + bool success = TRUE; + int i; + + *plaintext = chunk_empty; + + if (ciphertext.len != (this->params->N * this->params->q_bits + 7) / 8) + { + DBG1(DBG_LIB, "wrong NTRU ciphertext length"); + return FALSE; + } + + /* allocate temporary array t */ + t_len = 2 * this->params->N * sizeof(uint16_t); + t = malloc(t_len); + t1 = t; + t2 = t + this->params->N; + Mtrin = (uint8_t *)t1; + M = Mtrin + this->params->N; + + /* set hash algorithm based on security strength */ + hash_algid = (this->params->sec_strength_len <= 20) ? HASH_SHA1 : + HASH_SHA256; + + /* set constants */ + mod_q_mask = this->params->q - 1; + q_mod_p = this->params->q % 3; + + /* unpack the ciphertext */ + ntru_octets_2_elements(ciphertext.len, ciphertext.ptr, + this->params->q_bits, t2); + + /* form cm': + * F * e + * A = e * (1 + pF) mod q = e + pFe mod q + * a = A in the range [-q/2, q/2) + * cm' = a mod p + */ + this->privkey->ring_mult(this->privkey, t2, t1); + + cmprime_len = this->params->N; + if (this->params->is_product_form) + { + --cmprime_len; + for (i = 0; i < cmprime_len; i++) + { + t1[i] = (t2[i] + 3 * t1[i]) & mod_q_mask; + if (t1[i] >= (this->params->q / 2)) + { + t1[i] -= q_mod_p; + } + Mtrin[i] = (uint8_t)(t1[i] % 3); + if (Mtrin[i] == 1) + { + ++m1; + } + else if (Mtrin[i] == 2) + { + --m1; + } + } + } + else + { + for (i = 0; i < cmprime_len; i++) + { + t1[i] = (t2[i] + 3 * t1[i]) & mod_q_mask; + if (t1[i] >= (this->params->q / 2)) + { + t1[i] -= q_mod_p; + } + Mtrin[i] = (uint8_t)(t1[i] % 3); + } + } + + /** + * check that the candidate message representative meets + * minimum weight requirements + */ + if (this->params->is_product_form) + { + success = (abs(m1) <= this->params->min_msg_rep_wt); + } + else + { + success = check_min_weight(cmprime_len, Mtrin, + this->params->min_msg_rep_wt); + } + if (!success) + { + DBG1(DBG_LIB, "decryption failed due to unsufficient minimum weight"); + } + + /* form cR = e - cm' mod q */ + for (i = 0; i < cmprime_len; i++) + { + if (Mtrin[i] == 1) + { + t2[i] = (t2[i] - 1) & mod_q_mask; + } + else if (Mtrin[i] == 2) + { + t2[i] = (t2[i] + 1) & mod_q_mask; + } + } + if (this->params->is_product_form) + { + t2[i] = (t2[i] + m1) & mod_q_mask; + } + + /* allocate memory for the larger of the two seeds */ + seed1_len = (this->params->N + 3)/4; + seed2_len = 3 + 2*this->params->sec_strength_len + this->params->m_len_max; + seed = chunk_alloc(max(seed1_len, seed2_len)); + seed.len = seed1_len; + + /* form cR mod 4 */ + ntru_coeffs_mod4_2_octets(this->params->N, t2, seed.ptr); + + /* form mask */ + mask = ntru_trits_create(this->params->N, hash_algid, seed); + if (!mask) + { + DBG1(DBG_LIB, "mask creation failed"); + success = FALSE; + goto err; + } + + mask_trits = mask->get_trits(mask); + + /* form cMtrin by subtracting mask from cm', mod p */ + for (i = 0; i < cmprime_len; i++) + { + Mtrin[i] -= mask_trits[i]; + if (Mtrin[i] >= 3) + { + Mtrin[i] += 3; + } + } + mask->destroy(mask); + + if (this->params->is_product_form) + { + /* set the last trit to zero since that's what it was, and + * because it can't be calculated from (cm' - mask) since + * we don't have the correct value for the last cm' trit + */ + Mtrin[i] = 0; + } + + /* convert cMtrin to cM (Mtrin to Mbin) */ + if (!ntru_trits_2_bits(Mtrin, this->params->N, M)) + { + success = FALSE; + goto err; + } + + /* skip the random padding */ + ptr = M + this->params->sec_strength_len; + + /* validate the padded message cM and copy cm to m_buf */ + if (this->params->m_len_len == 2) + { + cm_len = (uint16_t)(*ptr++) << 16; + } + cm_len |= (uint16_t)(*ptr++); + + if (cm_len > this->params->m_len_max) + { + cm_len = this->params->m_len_max; + DBG1(DBG_LIB, "NTRU message length is larger than maximum length"); + success = FALSE; + } + cm = ptr; + ptr += cm_len; + + /* check if the remaining padding consists of zeros */ + num_zeros = this->params->m_len_max - cm_len + 1; + for (i = 0; i < num_zeros; i++) + { + if (ptr[i] != 0) + { + DBG1(DBG_LIB, "non-zero trailing padding detected"); + success = FALSE; + break; + } + } + + /* form sData (OID || m || b || hTrunc) */ + ptr = seed.ptr; + memcpy(ptr, this->params->oid, 3); + ptr += 3; + memcpy(ptr, cm, cm_len); + ptr += cm_len; + memcpy(ptr, M, this->params->sec_strength_len); + ptr += this->params->sec_strength_len; + memcpy(ptr, this->encoding.ptr + 2 + NTRU_OID_LEN, + this->params->sec_strength_len); + ptr += this->params->sec_strength_len; + seed.len = ptr - seed.ptr; + + /* generate cr */ + DBG2(DBG_LIB, "generate polynomial r"); + r_poly = ntru_poly_create_from_seed(hash_algid, seed, + this->params->c_bits, this->params->N, + this->params->q, this->params->dF_r, + this->params->dF_r, this->params->is_product_form); + if (!r_poly) + { + success = FALSE; + goto err; + } + + /* output plaintext in allocated chunk */ + *plaintext = chunk_clone(chunk_create(cm, cm_len)); + + /* form cR' = h * cr */ + r_poly->ring_mult(r_poly, this->pubkey, t1); + r_poly->destroy(r_poly); + + /* compare cR' to cR */ + for (i = 0; i < this->params->N; i++) + { + if (t[i] != t2[i]) + { + DBG1(DBG_LIB, "cR' does not equal cR'"); + success = FALSE; + } + } + memwipe(t, t_len); + +err: + /* cleanup */ + chunk_clear(&seed); + free(t); + + return success; +} + +METHOD(ntru_private_key_t, destroy, void, + private_ntru_private_key_t *this) +{ + DESTROY_IF(this->privkey); + chunk_clear(&this->encoding); + free(this->pubkey); + free(this); +} + +/** + * Multiplies ring element (polynomial) "a" by ring element (polynomial) "b" + * to produce ring element (polynomial) "c" in (Z/qZ)[X]/(X^N - 1). + * This is a convolution operation. + * + * Ring element "b" has coefficients in the range [0,N). + * + * This assumes q is 2^r where 8 < r < 16, so that overflow of the sum + * beyond 16 bits does not matter. + * + * @param a polynomial a + * @param b polynomial b + * @param N no. of coefficients in a, b, c + * @param q large modulus + * @param c polynomial c = a * b + */ +static void ring_mult_c(uint16_t *a, uint16_t *b, uint16_t N, uint16_t q, + uint16_t *c) +{ + uint16_t *bptr = b; + uint16_t mod_q_mask = q - 1; + int i, k; + + /* c[k] = sum(a[i] * b[k-i]) mod q */ + memset(c, 0, N * sizeof(uint16_t)); + for (k = 0; k < N; k++) + { + i = 0; + while (i <= k) + { + c[k] += a[i++] * *bptr--; + } + bptr += N; + while (i < N) + { + c[k] += a[i++] * *bptr--; + } + c[k] &= mod_q_mask; + ++bptr; + } +} + +/** + * Finds the inverse of a polynomial a in (Z/2^rZ)[X]/(X^N - 1). + * + * This assumes q is 2^r where 8 < r < 16, so that operations mod q can + * wait until the end, and only 16-bit arrays need to be used. + * + * @param a polynomial a + * @param N no. of coefficients in a + * @param q large modulus + * @param t temporary buffer of size 2N elements + * @param a_inv polynomial for inverse of a + */ +static bool ring_inv(uint16_t *a, uint16_t N, uint16_t q, uint16_t *t, + uint16_t *a_inv) +{ + uint8_t *b = (uint8_t *)t; + uint8_t *c = b + N; + uint8_t *f = c + N; + uint8_t *g = (uint8_t *)a_inv; + uint16_t *t2 = t + N; + uint16_t deg_b, deg_c, deg_f, deg_g; + bool done = FALSE; + int i, j, k = 0; + + /* form a^-1 in (Z/2Z)[X]/X^N - 1) */ + memset(b, 0, 2 * N); /* clear to init b, c */ + + /* b(X) = 1 */ + b[0] = 1; + deg_b = 0; + + /* c(X) = 0 (cleared above) */ + deg_c = 0; + + /* f(X) = a(X) mod 2 */ + for (i = 0; i < N; i++) + { + f[i] = (uint8_t)(a[i] & 1); + } + deg_f = N - 1; + + /* g(X) = X^N - 1 */ + g[0] = 1; + memset(g + 1, 0, N - 1); + g[N] = 1; + deg_g = N; + + /* until f(X) = 1 */ + while (!done) + { + /* while f[0] = 0, f(X) /= X, c(X) *= X, k++ */ + for (i = 0; (i <= deg_f) && (f[i] == 0); ++i); + + if (i > deg_f) + { + return FALSE; + } + if (i) + { + f = f + i; + deg_f = deg_f - i; + deg_c = deg_c + i; + for (j = deg_c; j >= i; j--) + { + c[j] = c[j-i]; + } + for (j = 0; j < i; j++) + { + c[j] = 0; + } + k = k + i; + } + + /* adjust degree of f(X) if the highest coefficients are zero + * Note: f[0] = 1 from above so the loop will terminate. + */ + while (f[deg_f] == 0) + { + --deg_f; + } + + /* if f(X) = 1, done + * Note: f[0] = 1 from above, so only check the x term and up + */ + for (i = 1; (i <= deg_f) && (f[i] == 0); ++i); + + if (i > deg_f) + { + done = TRUE; + break; + } + + /* if deg_f < deg_g, f <-> g, b <-> c */ + if (deg_f < deg_g) + { + uint8_t *x; + + x = f; + f = g; + g = x; + deg_f ^= deg_g; + deg_g ^= deg_f; + deg_f ^= deg_g; + x = b; + b = c; + c = x; + deg_b ^= deg_c; + deg_c ^= deg_b; + deg_b ^= deg_c; + } + + /* f(X) += g(X), b(X) += c(X) */ + for (i = 0; i <= deg_g; i++) + { + f[i] ^= g[i]; + } + if (deg_c > deg_b) + { + deg_b = deg_c; + } + for (i = 0; i <= deg_c; i++) + { + b[i] ^= c[i]; + } + } + + /* a^-1 in (Z/2Z)[X]/(X^N - 1) = b(X) shifted left k coefficients */ + j = 0; + if (k >= N) + { + k = k - N; + } + for (i = k; i < N; i++) + { + a_inv[j++] = (uint16_t)(b[i]); + } + for (i = 0; i < k; i++) + { + a_inv[j++] = (uint16_t)(b[i]); + } + + /* lift a^-1 in (Z/2Z)[X]/(X^N - 1) to a^-1 in (Z/qZ)[X]/(X^N -1) */ + for (j = 0; j < 4; ++j) /* assumes 256 < q <= 65536 */ + { + /* a^-1 = a^-1 * (2 - a * a^-1) mod q */ + memcpy(t2, a_inv, N * sizeof(uint16_t)); + ring_mult_c(a, t2, N, q, t); + for (i = 0; i < N; ++i) + { + t[i] = q - t[i]; + } + t[0] = t[0] + 2; + ring_mult_c(t2, t, N, q, a_inv); + } + + return TRUE; +} + +/* + * Described in header. + */ +ntru_private_key_t *ntru_private_key_create(ntru_drbg_t *drbg, ntru_param_set_t *params) +{ + private_ntru_private_key_t *this; + size_t t_len; + uint16_t *t1, *t2, *t = NULL; + uint16_t mod_q_mask; + hash_algorithm_t hash_algid; + ntru_poly_t *g_poly; + chunk_t seed; + int i; + + INIT(this, + .public = { + .get_public_key = _get_public_key, + .get_encoding = _get_encoding, + .decrypt = _decrypt, + .destroy = _destroy, + }, + .params = params, + .pubkey = malloc(params->N * sizeof(uint16_t)), + ); + + /* set hash algorithm and seed length based on security strength */ + if (params->sec_strength_len <= 20) + { + hash_algid = HASH_SHA1; + } + else + { + hash_algid = HASH_SHA256; + } + seed =chunk_alloc(params->sec_strength_len + 8); + + /* get random seed for generating trinary F as a list of indices */ + if (!drbg->generate(drbg, params->sec_strength_len * BITS_PER_BYTE, + seed.len, seed.ptr)) + { + goto err; + } + + DBG2(DBG_LIB, "generate polynomial F"); + this->privkey = ntru_poly_create_from_seed(hash_algid, seed, params->c_bits, + params->N, params->q, + params->dF_r, params->dF_r, + params->is_product_form); + if (!this->privkey) + { + goto err; + } + + /* allocate temporary array t */ + t_len = 3 * params->N * sizeof(uint16_t); + t = malloc(t_len); + t1 = t + 2 * params->N; + + /* extend sparse private key polynomial f to N array elements */ + this->privkey->get_array(this->privkey, t1); + + /* set mask for large modulus */ + mod_q_mask = params->q - 1; + + /* form f = 1 + pF */ + for (i = 0; i < params->N; i++) + { + t1[i] = (t1[i] * 3) & mod_q_mask; + } + t1[0] = (t1[0] + 1) & mod_q_mask; + + /* use the public key array as a temporary buffer */ + t2 = this->pubkey; + + /* find f^-1 in (Z/qZ)[X]/(X^N - 1) */ + if (!ring_inv(t1, params->N, params->q, t, t2)) + { + goto err; + } + + /* get random seed for generating trinary g as a list of indices */ + if (!drbg->generate(drbg, params->sec_strength_len * BITS_PER_BYTE, + seed.len, seed.ptr)) + { + goto err; + } + + DBG2(DBG_LIB, "generate polynomial g"); + g_poly = ntru_poly_create_from_seed(hash_algid, seed, params->c_bits, + params->N, params->q, params->dg + 1, + params->dg, FALSE); + if (!g_poly) + { + goto err; + } + + /* compute public key polynomial h = p * (f^-1 * g) mod q */ + g_poly->ring_mult(g_poly, t2, t2); + g_poly->destroy(g_poly); + + for (i = 0; i < params->N; i++) + { + this->pubkey[i] = (t2[i] * 3) & mod_q_mask; + } + + /* cleanup temporary storage */ + chunk_clear(&seed); + memwipe(t, t_len); + free(t); + + /* generate private key encoding */ + generate_encoding(this); + + return &this->public; + +err: + chunk_free(&seed); + free(t); + destroy(this); + + return NULL; +} + +EXPORT_FUNCTION_FOR_TESTS(ntru, ntru_private_key_create); diff --git a/src/libstrongswan/plugins/ntru/ntru_private_key.h b/src/libstrongswan/plugins/ntru/ntru_private_key.h new file mode 100644 index 0000000000..ded4be4e31 --- /dev/null +++ b/src/libstrongswan/plugins/ntru/ntru_private_key.h @@ -0,0 +1,78 @@ +/* + * Copyright (C) 2014 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup ntru_private_key ntru_private_key + * @{ @ingroup ntru_p + */ + +#ifndef NTRU_PRIVATE_KEY_H_ +#define NTRU_PRIVATE_KEY_H_ + +typedef struct ntru_private_key_t ntru_private_key_t; + +#include "ntru_drbg.h" +#include "ntru_param_set.h" +#include "ntru_public_key.h" + +#include + +/** + * Implements an NTRU encryption public/private key pair + */ +struct ntru_private_key_t { + + + /** + * Returns the NTRU encryption public key as an encoded binary blob + * + * @return NTRU encryption public key (must be freed after use) + */ + ntru_public_key_t* (*get_public_key)(ntru_private_key_t *this); + + /** + * Returns the packed encoding of the NTRU encryption private key + * + * @return Packed encoding of NTRU encryption private key + */ + chunk_t (*get_encoding)(ntru_private_key_t *this); + + /** + * Decrypts an NTRU ciphertext + * + * @param ciphertext NTRU Ciphertext + * @param plaintext Plaintext + * @return TRUE if decryption was successful + */ + bool (*decrypt)(ntru_private_key_t *this, chunk_t ciphertext, + chunk_t *plaintext); + + /** + * Destroy ntru_private_key_t object + */ + void (*destroy)(ntru_private_key_t *this); +}; + +/** + * Creates an NTRU encryption public/private key pair using a NIST DRBG + * + * @param drbg Digital Random Bit Generator used for key generation + * @param params NTRU encryption parameter set to be used + */ +ntru_private_key_t *ntru_private_key_create(ntru_drbg_t *drbg, ntru_param_set_t *params); + + +#endif /** NTRU_PRIVATE_KEY_H_ @}*/ + diff --git a/src/libstrongswan/plugins/ntru/ntru_public_key.c b/src/libstrongswan/plugins/ntru/ntru_public_key.c new file mode 100644 index 0000000000..6974b76306 --- /dev/null +++ b/src/libstrongswan/plugins/ntru/ntru_public_key.c @@ -0,0 +1,110 @@ +/* + * Copyright (C) 2014 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * Copyright (C) 2009-2013 Security Innovation + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "ntru_public_key.h" + +#include "ntru_crypto/ntru_crypto_ntru_convert.h" + +#include + +typedef struct private_ntru_public_key_t private_ntru_public_key_t; + +/** + * Private data of an ntru_public_key_t object. + */ +struct private_ntru_public_key_t { + /** + * Public ntru_public_key_t interface. + */ + ntru_public_key_t public; + + /** + * NTRU Parameter Set + */ + ntru_param_set_t *params; + + /** + * Polynomial h which is the public key + */ + uint16_t *pubkey; + + /** + * Encoding of the public key + */ + chunk_t encoding; + +}; + +METHOD(ntru_public_key_t, get_encoding, chunk_t, + private_ntru_public_key_t *this) +{ + if (!this->encoding.len) + { + size_t pubkey_len; + u_char *enc; + + /* compute public key length encoded as packed coefficients */ + pubkey_len = (this->params->N * this->params->q_bits + 7) / 8; + + /* allocate memory for public key encoding */ + this->encoding = chunk_alloc(2 + NTRU_OID_LEN + pubkey_len); + enc = this->encoding.ptr; + + /* format header and packed public key */ + *enc++ = NTRU_PUBKEY_TAG; + *enc++ = NTRU_OID_LEN; + memcpy(enc, this->params->oid, NTRU_OID_LEN); + enc += NTRU_OID_LEN; + ntru_elements_2_octets(this->params->N, this->pubkey, + this->params->q_bits, enc); + } + return this->encoding; +} + +METHOD(ntru_public_key_t, destroy, void, + private_ntru_public_key_t *this) +{ + chunk_clear(&this->encoding); + free(this->pubkey); + free(this); +} + +/* + * Described in header. + */ +ntru_public_key_t *ntru_public_key_create(ntru_param_set_t *params, + uint16_t *pubkey) +{ + private_ntru_public_key_t *this; + int i; + + INIT(this, + .public = { + .get_encoding = _get_encoding, + .destroy = _destroy, + }, + .params = params, + .pubkey = malloc(params->N * sizeof(uint16_t)), + ); + + for (i = 0; i < params->N; i++) + { + this->pubkey[i] = pubkey[i]; + } + + return &this->public; +} diff --git a/src/libstrongswan/plugins/ntru/ntru_public_key.h b/src/libstrongswan/plugins/ntru/ntru_public_key.h new file mode 100644 index 0000000000..2fd5f6484f --- /dev/null +++ b/src/libstrongswan/plugins/ntru/ntru_public_key.h @@ -0,0 +1,59 @@ +/* + * Copyright (C) 2014 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup ntru_public_key ntru_public_key + * @{ @ingroup ntru_p + */ + +#ifndef NTRU_PUBLIC_KEY_H_ +#define NTRU_PUBLIC_KEY_H_ + +typedef struct ntru_public_key_t ntru_public_key_t; + +#include "ntru_param_set.h" + +#include + +/** + * Implements an NTRU encryption public key + */ +struct ntru_public_key_t { + + /** + * Returns the packed encoding of the NTRU encryption public key + * + * @return Packed encoding of NTRU encryption public key + */ + chunk_t (*get_encoding)(ntru_public_key_t *this); + + /** + * Destroy ntru_public_key_t object + */ + void (*destroy)(ntru_public_key_t *this); +}; + +/** + * Creates an NTRU encryption public key + * + * @param params NTRU encryption parameter set to be used + * @param pubkey Coefficients of public key polynomial h + */ +ntru_public_key_t *ntru_public_key_create(ntru_param_set_t *params, + uint16_t *pubkey); + + +#endif /** NTRU_PUBLIC_KEY_H_ @}*/ + diff --git a/src/libstrongswan/tests/suites/test_ntru.c b/src/libstrongswan/tests/suites/test_ntru.c index a46f5742ce..3204c89a88 100644 --- a/src/libstrongswan/tests/suites/test_ntru.c +++ b/src/libstrongswan/tests/suites/test_ntru.c @@ -20,6 +20,8 @@ #include #include #include +#include +#include #include IMPORT_FUNCTION_FOR_TESTS(ntru, ntru_drbg_create, ntru_drbg_t*, @@ -41,6 +43,12 @@ IMPORT_FUNCTION_FOR_TESTS(ntru, ntru_poly_create_from_data, ntru_poly_t*, uint32_t indices_len_p, uint32_t indices_len_m, bool is_product_form) +IMPORT_FUNCTION_FOR_TESTS(ntru, ntru_param_set_get_by_id, ntru_param_set_t* , + ntru_param_set_id_t id) + +IMPORT_FUNCTION_FOR_TESTS(ntru, ntru_private_key_create, ntru_private_key_t*, + ntru_drbg_t *drbg, ntru_param_set_t *params) + /** * NTRU parameter sets to test */ @@ -793,62 +801,349 @@ START_TEST(test_ntru_array) } END_TEST +START_TEST(test_ntru_param_set) +{ + ck_assert(ntru_param_set_get_by_id(-1) == NULL); + ck_assert(ntru_param_set_get_by_id(16) == NULL); +} +END_TEST + +typedef struct { + ntru_param_set_id_t id; + chunk_t entropy; + chunk_t encoding; +} privkey_test_t; + +privkey_test_t privkey_tests[] = { + { + NTRU_EES401EP1, + chunk_from_chars( + 0x0C, 0x2F, 0x24, 0xE1, 0xA4, 0x81, 0x26, 0xA2, + 0x6C, 0xEA, 0xCD, 0x1A, 0xF3, 0xEB, 0x3D, 0xBF, + 0xEA, 0xAE, 0xC3, 0x0D, 0xC1), + chunk_from_chars( + 0x02, 0x03, 0x00, 0x02, 0x04, 0x3E, 0xF3, 0xCB, + 0x7A, 0x58, 0x13, 0x75, 0xBB, 0x87, 0xF5, 0xBF, + 0x2E, 0x18, 0xAE, 0x03, 0xAF, 0xB8, 0x33, 0x85, + 0xD8, 0xBF, 0x8A, 0xB5, 0x8C, 0xA6, 0xDF, 0x03, + 0x90, 0x1E, 0xE4, 0x83, 0xA4, 0x95, 0x40, 0xB5, + 0x08, 0x92, 0x29, 0xD8, 0x83, 0xA8, 0x42, 0xB2, + 0x69, 0xC2, 0x00, 0x8B, 0xAE, 0x80, 0x00, 0x4F, + 0x3D, 0xDD, 0xFB, 0xDB, 0x9A, 0xD8, 0x0F, 0xFF, + 0xBC, 0x21, 0xD5, 0xE6, 0x04, 0x9C, 0xDD, 0x3B, + 0x2D, 0x16, 0x4B, 0xC7, 0x3D, 0xBE, 0xDE, 0xBB, + 0x6F, 0xF4, 0x8A, 0x31, 0xCD, 0x23, 0x19, 0xC2, + 0x3C, 0xE1, 0xE2, 0xEE, 0xE4, 0xE7, 0x2E, 0xFC, + 0x5C, 0xDD, 0xAD, 0x0C, 0x9D, 0x98, 0xC5, 0x18, + 0x2A, 0x80, 0x21, 0x93, 0x61, 0xC4, 0x9A, 0x16, + 0xE8, 0x9B, 0xF7, 0x3B, 0x6D, 0x06, 0x91, 0x9E, + 0x71, 0x59, 0xBE, 0x8E, 0x65, 0x61, 0xB2, 0x69, + 0x9C, 0x82, 0x58, 0x0D, 0x63, 0x7A, 0x1F, 0x2A, + 0x1C, 0x2C, 0x92, 0x8C, 0x8D, 0xCA, 0x2B, 0x45, + 0x24, 0x79, 0xDB, 0x7F, 0x1D, 0x2F, 0xAB, 0x88, + 0x8C, 0x1D, 0xE3, 0x15, 0x8F, 0xCD, 0x46, 0x8C, + 0x45, 0x20, 0x88, 0x1C, 0x17, 0xE0, 0xE5, 0x89, + 0xF4, 0x60, 0x56, 0x3C, 0x6B, 0x9F, 0x2A, 0xD9, + 0xD0, 0xAE, 0x3B, 0xB6, 0xC2, 0xB7, 0x58, 0xC6, + 0x6E, 0x09, 0x36, 0x21, 0x0B, 0xDD, 0xE9, 0x52, + 0x33, 0x27, 0x39, 0xC8, 0x51, 0x59, 0x69, 0x25, + 0xC6, 0x3D, 0x19, 0x5C, 0x5E, 0x74, 0xD0, 0x62, + 0xD9, 0x26, 0x90, 0xC7, 0x64, 0x92, 0xA8, 0x72, + 0xD1, 0x77, 0x1F, 0x78, 0xC5, 0x11, 0xBD, 0x5D, + 0x3C, 0x1B, 0x1F, 0x8B, 0x5B, 0xE4, 0x5D, 0xA1, + 0x27, 0x6D, 0x20, 0x24, 0x32, 0x53, 0xF3, 0xB0, + 0xE6, 0x71, 0x61, 0xCC, 0xFC, 0x4A, 0x06, 0xDA, + 0xBE, 0xD7, 0x9F, 0x2F, 0xEB, 0x44, 0xD0, 0x8A, + 0x7D, 0x8E, 0x82, 0xF5, 0x84, 0xCF, 0x8E, 0xE5, + 0x4B, 0xA4, 0x30, 0x77, 0xBD, 0x14, 0xB9, 0x75, + 0x02, 0x68, 0xDF, 0x71, 0x89, 0x81, 0xF2, 0x95, + 0xC3, 0x67, 0x6E, 0x37, 0xE4, 0xD0, 0xC9, 0x1E, + 0x02, 0xDE, 0x2D, 0x79, 0x99, 0xE8, 0x7D, 0x5C, + 0x99, 0xF2, 0x1A, 0xDE, 0x12, 0x9B, 0xD1, 0x83, + 0x9B, 0x01, 0xD3, 0xEB, 0x2B, 0x8E, 0x9C, 0xA5, + 0x19, 0xE8, 0x2E, 0xFE, 0x23, 0x6E, 0xAD, 0x8F, + 0x3C, 0xAF, 0xB9, 0xE6, 0xDB, 0x07, 0xA4, 0x31, + 0x02, 0x2B, 0x6A, 0xA0, 0xFB, 0x51, 0x6C, 0xD0, + 0x26, 0xD5, 0xAD, 0x29, 0x65, 0x10, 0xCE, 0xF8, + 0x84, 0x4D, 0x1E, 0x37, 0x92, 0xA2, 0xD1, 0xFA, + 0xF6, 0xC0, 0x36, 0x4C, 0x23, 0x3A, 0x42, 0xAA, + 0xB8, 0x0D, 0x4E, 0xD4, 0x40, 0x61, 0xD5, 0x36, + 0x62, 0x23, 0x7C, 0x1C, 0x5E, 0xEA, 0x16, 0xAD, + 0x4F, 0x30, 0xF9, 0x16, 0x99, 0xCE, 0xC5, 0x50, + 0xAC, 0x8F, 0x6F, 0x98, 0xD7, 0xE3, 0x89, 0x6E, + 0x3A, 0x12, 0xCE, 0xA7, 0xA4, 0x17, 0x74, 0xDC, + 0xDB, 0xFA, 0xFF, 0xF9, 0x35, 0xD7, 0xF5, 0x77, + 0x03, 0xF5, 0xBF, 0x81, 0x6C, 0x9F, 0x62, 0xA6, + 0x8A, 0x5B, 0xA3, 0xEF, 0x9D, 0xC3, 0xF6, 0x3A, + 0x6A, 0xC0, 0x42, 0x71, 0xAF, 0x90, 0xCA, 0x1D, + 0x86, 0x78, 0xD7, 0x2C, 0xFE, 0xB6, 0x99, 0x15, + 0x8C, 0x10, 0x42, 0x92, 0x2C, 0x05, 0x43, 0x92, + 0x69, 0x05, 0x8D, 0x9E, 0xBC, 0xAB, 0x8F, 0x28, + 0xAA, 0x4B, 0xFB, 0x25, 0xD9, 0xAD, 0x29, 0xFF, + 0x33, 0x65, 0x14, 0xC3, 0x75, 0x1F, 0xCF, 0xFC, + 0x20, 0x83, 0xBF, 0xB9, 0xA5, 0x4B, 0x7B, 0xD9, + 0x07, 0x5C, 0xA1, 0xD1, 0x5A, 0x3E, 0x94, 0xF8, + 0x03, 0xDE, 0xB8, 0x94, 0x11, 0x92, 0x80, 0x77, + 0x57, 0x45, 0x1E, 0x6B, 0xA5, 0x15, 0xDB, 0x48, + 0xB6, 0x9E, 0x02, 0xF1, 0x61, 0x4A, 0xAC, 0x1D, + 0x49, 0xBC, 0xA9, 0x3F, 0x03, 0x50, 0xAC, 0x02, + 0x8E, 0x84, 0xE0, 0x12, 0x37, 0x76, 0xBC, 0x4A, + 0xF9, 0xC6, 0x74, 0x36, 0xFC, 0x92, 0x1D, 0x59, + 0x0C, 0x04, 0xD2, 0x14, 0xB7, 0x11, 0xE9, 0xE2, + 0xFE, 0x0C, 0xE1, 0xDA, 0x8B, 0xCA, 0x10, 0xA1, + 0x60, 0xB6, 0x57, 0x51, 0x00, 0xD6, 0x5B, 0x55, + 0x09, 0x60, 0xE8, 0x00, 0x40, 0x45, 0x56, 0xBA, + 0x83, 0x1E, 0x36, 0x12, 0x59, 0x4B, 0x19, 0x00, + 0x53, 0xAE, 0x62, 0xA6, 0x29, 0x39, 0xED, 0x87, + 0x24, 0x37, 0x1E, 0x1B, 0xCF, 0x3F, 0x3A, 0x71, + 0x31, 0xB5, 0x50, 0x8D, 0x4B, 0x53, 0x53, 0x75, + 0x3F, 0x33, 0x39, 0x09, 0x2A, 0x78, 0xA8, 0x71, + 0x3E, 0x63, 0xC5, 0x61, 0x73, 0xB6, 0xE1, 0x71, + 0x16, 0xDA, 0x06, 0xBF, 0x3F, 0x22, 0x74, 0x89, + 0x08, 0xD2, 0x05, 0x0B, 0x16, 0xC8, 0xF0, 0x17, + 0x4E, 0xA2, 0x65, 0x67, 0x6D, 0x02) + }, + { + NTRU_EES743EP1, + chunk_from_chars( + 0x9B, 0xAB, 0x57, 0xDB, 0x2C, 0x60, 0x83, 0x48, + 0x9F, 0xC9, 0x70, 0x8F, 0x69, 0xF7, 0xB4, 0xBB, + 0x63, 0x5C, 0x9A, 0x63, 0x07, 0x80, 0x17, 0xD3, + 0xCD, 0xB1, 0x57, 0x79, 0xFE, 0x8D, 0x81, 0x70, + 0xEB, 0x50, 0xFA, 0x05, 0xFB, 0x97, 0xB2, 0xAB, + 0x25, 0xED, 0xD8, 0x18, 0x1C, 0xFE, 0x96, 0x7D), + chunk_from_chars( + 0x02, 0x03, 0x00, 0x06, 0x10, 0x14, 0x53, 0x73, + 0x56, 0xF5, 0xA9, 0x34, 0xDE, 0xA6, 0x4D, 0x46, + 0x05, 0x9E, 0x80, 0xAE, 0xB6, 0x74, 0x91, 0xFF, + 0xFB, 0x48, 0xD3, 0x5C, 0x61, 0x12, 0x46, 0x02, + 0x9F, 0x53, 0x45, 0x87, 0x47, 0xBD, 0x6B, 0x26, + 0xF7, 0x36, 0xD3, 0x99, 0x1B, 0xD7, 0xEA, 0xA3, + 0xA8, 0x94, 0xFF, 0x93, 0x46, 0x7C, 0x2C, 0x5F, + 0x87, 0x8C, 0x38, 0xB3, 0x7B, 0xC6, 0x49, 0xE2, + 0x88, 0xCA, 0x67, 0x89, 0xD0, 0x6D, 0x7C, 0xAE, + 0x7C, 0x98, 0x84, 0xDA, 0x6B, 0x93, 0x92, 0xEF, + 0x4A, 0xD1, 0x4A, 0xD2, 0x5B, 0x13, 0xF8, 0x59, + 0x15, 0x2E, 0xBC, 0x70, 0x8D, 0x2D, 0xA9, 0x47, + 0xA1, 0x99, 0x19, 0x3F, 0x67, 0xE8, 0x18, 0xA7, + 0x17, 0x07, 0xB3, 0x14, 0xF6, 0x20, 0xA1, 0xD8, + 0x33, 0xE8, 0x08, 0x6A, 0xC1, 0x39, 0x99, 0x08, + 0xB4, 0x88, 0xEB, 0x48, 0x7D, 0xFB, 0xF5, 0xEF, + 0x03, 0x0D, 0x25, 0xB7, 0x98, 0xF3, 0xF1, 0x15, + 0x63, 0xE4, 0x0F, 0xFD, 0x54, 0x9F, 0x56, 0xE9, + 0xD1, 0x44, 0xE5, 0x89, 0x66, 0x14, 0x91, 0x1C, + 0xFD, 0xD6, 0xFD, 0x38, 0xAE, 0x39, 0xE3, 0xF7, + 0xCD, 0x77, 0xC2, 0xEA, 0x2E, 0xE4, 0xB7, 0x2B, + 0xBA, 0x7A, 0xD1, 0x75, 0xB8, 0x28, 0x65, 0x18, + 0xF4, 0xC6, 0xBD, 0xD0, 0x17, 0x7E, 0xEA, 0x86, + 0x7E, 0xFC, 0x95, 0xD6, 0x4C, 0x92, 0x01, 0xC3, + 0xFF, 0x04, 0x9B, 0xF8, 0xD6, 0xB3, 0x8F, 0x72, + 0xEF, 0x64, 0x09, 0x61, 0xF8, 0xE4, 0x48, 0xFC, + 0x0D, 0xEE, 0xEF, 0xA2, 0x9F, 0x3A, 0x2B, 0x1A, + 0xFB, 0x8B, 0xA0, 0x9C, 0x11, 0x0B, 0x97, 0x75, + 0x30, 0x7C, 0xB8, 0x9F, 0xEE, 0x3B, 0x53, 0x85, + 0x7D, 0xE9, 0xCB, 0xC4, 0x4D, 0xD7, 0x7F, 0x59, + 0x10, 0x72, 0x19, 0x3A, 0xC9, 0x38, 0xFE, 0xE8, + 0xB3, 0x06, 0x55, 0x8D, 0xA2, 0x5A, 0x3D, 0x79, + 0x67, 0x0E, 0x90, 0xC9, 0x25, 0x6D, 0x45, 0x9C, + 0x39, 0x79, 0x5F, 0x18, 0x35, 0x9F, 0xC1, 0x49, + 0x08, 0x6F, 0x1C, 0x47, 0x09, 0x0D, 0x49, 0x7C, + 0x3C, 0x7B, 0xB1, 0x09, 0x92, 0x1C, 0x4E, 0x5A, + 0xDA, 0x74, 0x9E, 0xBB, 0x55, 0x9D, 0xBB, 0x1E, + 0x43, 0x28, 0x62, 0xAF, 0x02, 0xB0, 0x1A, 0xEA, + 0x13, 0x0A, 0x70, 0x0F, 0x60, 0x0F, 0x62, 0xA2, + 0x4E, 0x1F, 0xB2, 0xEA, 0x06, 0xDD, 0x18, 0x02, + 0x6C, 0xF3, 0x82, 0xF1, 0x80, 0x7F, 0xA7, 0x2F, + 0xCC, 0xC6, 0x18, 0xEA, 0xFF, 0x1F, 0xAD, 0xC6, + 0xBA, 0x0C, 0x0E, 0x04, 0xB2, 0x58, 0x1D, 0xB6, + 0x01, 0xA3, 0x97, 0xDF, 0x7D, 0x9B, 0xB5, 0x0A, + 0xAD, 0x30, 0x2B, 0xC5, 0x67, 0x40, 0x07, 0xF1, + 0xD5, 0x6C, 0x11, 0x10, 0xE1, 0x69, 0x30, 0xAD, + 0x90, 0x06, 0xDB, 0xF8, 0xEA, 0x92, 0x9B, 0x39, + 0x57, 0x38, 0x7B, 0xE4, 0xB2, 0xA2, 0x89, 0xFD, + 0xB1, 0x6D, 0x88, 0x41, 0x62, 0x4D, 0x18, 0xB6, + 0x3F, 0x12, 0x81, 0xDE, 0xE6, 0xDC, 0x4A, 0x31, + 0x61, 0x26, 0xB1, 0x4B, 0x95, 0xC1, 0x69, 0xDC, + 0xDC, 0xAC, 0xD0, 0x15, 0xFC, 0x21, 0xC5, 0x20, + 0x5F, 0x97, 0x76, 0x41, 0xC1, 0xF2, 0xD7, 0x95, + 0x1D, 0x25, 0x23, 0x36, 0x86, 0xFA, 0x7E, 0xF4, + 0x14, 0x9F, 0x9D, 0x9F, 0xB2, 0xBB, 0x25, 0x1D, + 0xD5, 0x7A, 0x6F, 0x9E, 0xF7, 0xEF, 0x9D, 0x63, + 0x1E, 0xD5, 0xDE, 0x6A, 0xE6, 0x46, 0x48, 0x1F, + 0xE1, 0x0C, 0x4D, 0x82, 0xC9, 0x19, 0x3B, 0x65, + 0xA4, 0x06, 0x13, 0xB7, 0x04, 0xB1, 0x62, 0xF7, + 0x08, 0xAE, 0xED, 0x42, 0x6D, 0xCC, 0x6C, 0xA6, + 0x06, 0x06, 0x41, 0x3E, 0x0C, 0x89, 0x4C, 0xBD, + 0x00, 0x4F, 0x0E, 0xA9, 0x72, 0x06, 0x21, 0x82, + 0xD2, 0xB6, 0x6C, 0xB0, 0xB0, 0x01, 0x5B, 0xDD, + 0x05, 0xCE, 0x71, 0x6E, 0x00, 0x58, 0xC7, 0xA6, + 0x5B, 0xF6, 0xFB, 0x6B, 0x62, 0xB1, 0xE8, 0x4D, + 0xAC, 0xC0, 0x6B, 0xF4, 0x40, 0x69, 0xEE, 0x0D, + 0xE7, 0x82, 0x61, 0x8D, 0x35, 0x01, 0x97, 0x4E, + 0xF2, 0xCC, 0xF5, 0x7F, 0xBF, 0xE4, 0xEC, 0x9C, + 0xC4, 0xD2, 0xD9, 0x65, 0x78, 0x98, 0xD8, 0xB0, + 0xFA, 0xA8, 0xFB, 0xB0, 0xCE, 0x22, 0x5D, 0x0B, + 0x27, 0xDF, 0x0E, 0x63, 0x42, 0xFE, 0x89, 0x13, + 0x99, 0xB2, 0x02, 0x0B, 0xF6, 0x04, 0xB6, 0xAF, + 0x9F, 0x8C, 0xA6, 0x17, 0x0D, 0xD9, 0x5B, 0x45, + 0xE4, 0x08, 0x53, 0x51, 0xE0, 0xD5, 0x22, 0x72, + 0xBE, 0xAD, 0x74, 0x69, 0xB9, 0xFB, 0x91, 0xF8, + 0xC1, 0x89, 0x28, 0x71, 0x27, 0x62, 0xB1, 0xF0, + 0xFD, 0x78, 0xBC, 0x82, 0xFE, 0x76, 0xBE, 0x7B, + 0x47, 0x79, 0x32, 0x71, 0xAD, 0xD6, 0x76, 0x46, + 0xFB, 0x32, 0xE8, 0x4B, 0x98, 0x9A, 0xC6, 0x85, + 0xF2, 0xF1, 0x8A, 0xEC, 0xC2, 0x4E, 0x9B, 0x2F, + 0x2D, 0x6F, 0xC9, 0x9B, 0xB6, 0x14, 0x35, 0x6D, + 0xD6, 0x5B, 0xF3, 0x02, 0x5A, 0xE5, 0xBD, 0x00, + 0xF7, 0x6E, 0x51, 0xA7, 0xDB, 0x19, 0xAE, 0x01, + 0x01, 0x05, 0x94, 0x23, 0xF7, 0x5B, 0x07, 0x79, + 0xFF, 0x39, 0x58, 0x9C, 0x2A, 0xF7, 0x7E, 0x5D, + 0x81, 0xF9, 0x59, 0xFE, 0xB9, 0x9A, 0x96, 0x63, + 0x1F, 0x65, 0xF6, 0xF0, 0x3D, 0xEA, 0xD7, 0xC2, + 0x8A, 0xCF, 0xB5, 0x58, 0x74, 0x77, 0x23, 0xD6, + 0x72, 0x58, 0xA8, 0xAE, 0x31, 0x8A, 0x59, 0xEA, + 0x69, 0x14, 0x6A, 0x20, 0x78, 0x79, 0x28, 0x5A, + 0xE1, 0x76, 0x6F, 0xA6, 0x1A, 0x9E, 0x47, 0xD2, + 0xAF, 0x63, 0xF8, 0x06, 0xF6, 0xD8, 0xD5, 0x14, + 0xA8, 0xD1, 0xEE, 0x96, 0xCE, 0xBB, 0x8E, 0x22, + 0x69, 0x2F, 0x52, 0x06, 0xB6, 0x6F, 0xC8, 0x99, + 0x96, 0xEA, 0xC6, 0x1D, 0x96, 0x4C, 0x69, 0x95, + 0xFE, 0x74, 0x04, 0x3C, 0x55, 0xD9, 0x5F, 0xE0, + 0x41, 0x21, 0x43, 0x21, 0x5A, 0x50, 0x5D, 0x8B, + 0xE8, 0xB2, 0x51, 0x1B, 0x7C, 0x63, 0x50, 0xAE, + 0x97, 0x4F, 0xBA, 0x7D, 0xF2, 0xB6, 0xB6, 0x16, + 0x1D, 0x47, 0x9E, 0x19, 0x68, 0xD4, 0x6B, 0x2B, + 0x75, 0xCD, 0xAE, 0x65, 0x33, 0x38, 0xF6, 0x6D, + 0xC7, 0x3E, 0x46, 0x98, 0x9E, 0x98, 0x8B, 0x45, + 0x11, 0xA7, 0x12, 0x05, 0xB0, 0x01, 0xC3, 0x51, + 0xA0, 0xEE, 0x7C, 0x16, 0xD1, 0x42, 0x96, 0xC4, + 0xF0, 0x7B, 0x71, 0xCD, 0x50, 0x38, 0xA4, 0xB0, + 0x6E, 0x6F, 0xE0, 0xBD, 0xC4, 0xF7, 0x96, 0x2B, + 0xF1, 0x6D, 0x9F, 0xF3, 0x71, 0x89, 0xFA, 0xB4, + 0x44, 0xA4, 0x32, 0xDC, 0xB2, 0x55, 0x13, 0x31, + 0x83, 0x29, 0x66, 0x21, 0x3E, 0x89, 0xF8, 0x78, + 0x97, 0x9C, 0x64, 0xF9, 0x2C, 0x0A, 0x88, 0xBC, + 0xCA, 0x6F, 0x83, 0x42, 0xF6, 0xD7, 0x00, 0xC4, + 0x19, 0x52, 0xB0, 0x31, 0xA8, 0xBA, 0xE8, 0xD4, + 0xAD, 0x4B, 0x5D, 0xC0, 0x01, 0x20, 0x6C, 0xBB, + 0x1D, 0x9A, 0x1D, 0xD4, 0x19, 0xFD, 0x33, 0xAB, + 0xA0, 0x54, 0x50, 0x91, 0xE9, 0x75, 0x5C, 0x7E, + 0x7E, 0xB3, 0x24, 0x79, 0xAE, 0x10, 0x3C, 0xB4, + 0xB7, 0x0A, 0x1D, 0x86, 0xAD, 0x06, 0x95, 0xCB, + 0x84, 0x9B, 0x0E, 0x8B, 0x77, 0x7E, 0x3E, 0xD2, + 0xA6, 0xDF, 0xAD, 0x4E, 0xFB, 0x69, 0x23, 0xAC, + 0x7A, 0xCB, 0xAA, 0xB0, 0x22, 0xDD, 0xD2, 0xC6, + 0xC7, 0xAD, 0xD7, 0xDE, 0xEC, 0x6F, 0x08, 0x41, + 0x54, 0xD5, 0x52, 0xDC, 0x77, 0xE4, 0x72, 0xF9, + 0x16, 0xB1, 0xC9, 0xAF, 0xB1, 0x3B, 0x18, 0x99, + 0x20, 0x9F, 0x79, 0x63, 0x7B, 0x07, 0xC7, 0x35, + 0xDF, 0xBB, 0xCE, 0x66, 0x93, 0x1B, 0xF5, 0x82, + 0x25, 0x67, 0xC1, 0xF2, 0xF0, 0x89, 0x0F, 0xEF, + 0x84, 0x0D, 0x63, 0xB6, 0x7B, 0xD0, 0x40, 0x8E, + 0xDB, 0x94, 0xCC, 0x71, 0x3C, 0xDB, 0x36, 0x14, + 0x34, 0xFD, 0xA0, 0xB0, 0xC1, 0x45, 0x31, 0xF8, + 0x8D, 0xD8, 0x23, 0xB1, 0x05, 0x14, 0xA9, 0x55, + 0x3A, 0x1A, 0x37, 0x48, 0x68, 0x89, 0x3F, 0x15, + 0x25, 0xD4, 0x99, 0x53, 0x4C, 0x85, 0x98, 0x78, + 0x1D, 0x35, 0x4A, 0x83, 0x79, 0x9A, 0x29, 0x90, + 0x2B, 0x45, 0x76, 0x0C, 0x13, 0x80, 0x4A, 0xE0, + 0x40, 0xED, 0x6B, 0x2E, 0x2A, 0x43, 0xA9, 0x28, + 0xB0, 0x2F, 0x89, 0x01, 0x6B, 0x39, 0x8C, 0x5E, + 0x80, 0x61, 0xD9, 0xEE, 0x0F, 0x41, 0x75, 0xB5, + 0xAE, 0xB6, 0xC2, 0x42, 0x49, 0x8D, 0x89, 0xD8, + 0xF4, 0x78, 0x1D, 0x90, 0x46, 0x26, 0x4C, 0x56, + 0xB7, 0xC0, 0xD9, 0x98, 0x7B, 0x07, 0xA1, 0x20) + } +}; + +START_TEST(test_ntru_privkey) +{ + rng_t *entropy; + ntru_drbg_t *drbg; + ntru_private_key_t *privkey; + ntru_public_key_t *pubkey; + ntru_param_set_t *params; + uint32_t strength; + chunk_t encoding, privkey_encoding, pubkey_encoding; + + params = ntru_param_set_get_by_id(privkey_tests[_i].id); + strength = params->sec_strength_len * BITS_PER_BYTE; + entropy = test_rng_create(privkey_tests[_i].entropy); + drbg = ntru_drbg_create(strength, chunk_from_str("IKE NTRU-KE"), entropy); + ck_assert(drbg != NULL); + + privkey = ntru_private_key_create(drbg, params); + ck_assert(privkey); + + privkey_encoding = privkey->get_encoding(privkey); + encoding = privkey_tests[_i].encoding; + ck_assert(chunk_equals(privkey_encoding, encoding)); + + + pubkey= privkey->get_public_key(privkey); + pubkey_encoding = pubkey->get_encoding(pubkey); + encoding = chunk_clone(encoding); + encoding.ptr[0] = NTRU_PUBKEY_TAG; + encoding.len = pubkey_encoding.len; + ck_assert(chunk_equals(pubkey_encoding, encoding)); + + /* get encoding a second time without generating it again internally */ + pubkey_encoding = pubkey->get_encoding(pubkey); + + chunk_free(&encoding); + privkey->destroy(privkey); + pubkey->destroy(pubkey); +} +END_TEST + START_TEST(test_ntru_ke) { chunk_t pub_key, cipher_text, i_shared_secret, r_shared_secret; diffie_hellman_t *i_ntru, *r_ntru; char buf[10]; - int n, len; + int k, n, len; status_t status; + k = (_i) / countof(parameter_sets); + n = (_i) % countof(parameter_sets); + len = snprintf(buf, sizeof(buf), "%N", diffie_hellman_group_names, - params[_i].group); + params[k].group); ck_assert(len == 8); - ck_assert(streq(buf, params[_i].group_name)); - - for (n = 0; n < countof(parameter_sets); n++) - { - lib->settings->set_str(lib->settings, - "libstrongswan.plugins.ntru.parameter_set", - parameter_sets[n]); + ck_assert(streq(buf, params[k].group_name)); - i_ntru = lib->crypto->create_dh(lib->crypto, params[_i].group); - ck_assert(i_ntru != NULL); - ck_assert(i_ntru->get_dh_group(i_ntru) == params[_i].group); + lib->settings->set_str(lib->settings, + "libstrongswan.plugins.ntru.parameter_set", parameter_sets[n]); - i_ntru->get_my_public_value(i_ntru, &pub_key); - ck_assert(pub_key.len > 0); + i_ntru = lib->crypto->create_dh(lib->crypto, params[k].group); + ck_assert(i_ntru != NULL); + ck_assert(i_ntru->get_dh_group(i_ntru) == params[k].group); - r_ntru = lib->crypto->create_dh(lib->crypto, params[_i].group); - ck_assert(r_ntru != NULL); + i_ntru->get_my_public_value(i_ntru, &pub_key); + ck_assert(pub_key.len > 0); - r_ntru->set_other_public_value(r_ntru, pub_key); - r_ntru->get_my_public_value(r_ntru, &cipher_text); - ck_assert(cipher_text.len > 0); + r_ntru = lib->crypto->create_dh(lib->crypto, params[k].group); + ck_assert(r_ntru != NULL); - status = r_ntru->get_shared_secret(r_ntru, &r_shared_secret); - ck_assert(status == SUCCESS); - ck_assert(r_shared_secret.len > 0); + r_ntru->set_other_public_value(r_ntru, pub_key); + r_ntru->get_my_public_value(r_ntru, &cipher_text); + ck_assert(cipher_text.len > 0); - i_ntru->set_other_public_value(i_ntru, cipher_text); - status = i_ntru->get_shared_secret(i_ntru, &i_shared_secret); + status = r_ntru->get_shared_secret(r_ntru, &r_shared_secret); + ck_assert(status == SUCCESS); + ck_assert(r_shared_secret.len > 0); - if (status == SUCCESS) - { - ck_assert(chunk_equals(i_shared_secret, r_shared_secret)); - } - else - { - ck_assert(i_shared_secret.len == 0); - } + i_ntru->set_other_public_value(i_ntru, cipher_text); + status = i_ntru->get_shared_secret(i_ntru, &i_shared_secret); + ck_assert(status == SUCCESS); + ck_assert(chunk_equals(i_shared_secret, r_shared_secret)); - chunk_clear(&i_shared_secret); - chunk_clear(&r_shared_secret); - chunk_free(&pub_key); - chunk_free(&cipher_text); - i_ntru->destroy(i_ntru); - r_ntru->destroy(r_ntru); - } + chunk_clear(&i_shared_secret); + chunk_clear(&r_shared_secret); + chunk_free(&pub_key); + chunk_free(&cipher_text); + i_ntru->destroy(i_ntru); + r_ntru->destroy(r_ntru); } END_TEST @@ -1015,8 +1310,17 @@ Suite *ntru_suite_create() tcase_add_loop_test(tc, test_ntru_array, 0, countof(array_tests)); suite_add_tcase(s, tc); + tc = tcase_create("param_set"); + tcase_add_test(tc, test_ntru_param_set); + suite_add_tcase(s, tc); + + tc = tcase_create("privkey"); + tcase_add_loop_test(tc, test_ntru_privkey, 0, countof(privkey_tests)); + suite_add_tcase(s, tc); + tc = tcase_create("ke"); - tcase_add_loop_test(tc, test_ntru_ke, 0, countof(params)); + tcase_add_loop_test(tc, test_ntru_ke, 0, + countof(params) * countof(parameter_sets)); suite_add_tcase(s, tc); tc = tcase_create("retransmission");