decapsulation.c 3.7 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135
  1. /*
  2. * decapsulation.c
  3. *
  4. * Created on: May 4, 2018
  5. * Author: vader
  6. */
  7. #include "../include/decapsulation.h"
  8. /*
  9. * Decapsulation:
  10. * This function can be used to decrypt the cipher_text.
  11. * The secret_key is used to obtain both v and y for the decrypt function
  12. *
  13. * Param:
  14. * secret_shard: Provide the shared secret
  15. * cipher_text: Provide the cipher text
  16. * secret_key: Provide the secret key
  17. * Returns: the results from decrypt() based on provided input
  18. */
  19. int decapsulation(unsigned char *secret_shared,
  20. const unsigned char *cipher_text, const unsigned char *secret_key) {
  21. gf v[code_length] = { 0 };
  22. gf y[code_length] = { 0 };
  23. set_vy_from_sk(v, y, secret_key);
  24. return decrypt(secret_shared, cipher_text, v, y);
  25. }
  26. int decrypt(unsigned char *secret_shared, const unsigned char *cipher_text,
  27. const gf *v, const gf *y) {
  28. int i, decode_value;
  29. unsigned char word[code_length] = { 0 };
  30. unsigned char m1[k_prime] = { 0 };
  31. unsigned char rho1[k_sec] = { 0 };
  32. unsigned char r1[code_dimension] = { 0 };
  33. unsigned char d1[k_prime] = { 0 };
  34. unsigned char rho2[k_sec] = { 0 };
  35. unsigned char sigma[code_dimension] = { 0 };
  36. unsigned char e2[code_length] = { 0 };
  37. unsigned char hash_sigma[code_length] = { 0 };
  38. unsigned char e_prime[code_length] = { 0 };
  39. /*
  40. * Step_1 of the decapsulation : Decode the noisy codeword C received as
  41. * part of the ciphertext ct = (c||d) with d is “ a plaintext confirmation”.
  42. * We obtain codeword mot = u1G and error e
  43. */
  44. PRINT_DEBUG_DECAP("Starting decoding...\n");
  45. decode_value = decoding(v, y, cipher_text, e_prime, word);
  46. /*
  47. * Step_2 of the decapsulation : Output ⊥ if decoding fails or wt(e) != n0_w
  48. */
  49. if (decode_value == EXIT_FAILURE || compute_weight(e_prime, code_length) != weight) {
  50. return -1;
  51. }
  52. /*
  53. * Step_3 of the decapsulation : Recover u_prime = word and parse it as (rho1||m1)
  54. */
  55. // Optimize modulo and removed copy to u1
  56. memcpy(rho1, word, k_sec);
  57. memcpy(m1, word + k_sec, code_dimension - k_sec);
  58. /*
  59. * Step_4 of the decapsulation : Compute r1 = G(m1) and d1 = H(m1)
  60. */
  61. shake128(r1, code_dimension, m1, k_prime);
  62. // Compute d1 = H(m1) where H is sponge SHA-512 function
  63. shake128(d1, k_prime, m1, k_prime);
  64. for (i = 0; i < k_prime; i++) {
  65. d1[i] = d1[i] & (F_q_size - 1);
  66. }
  67. // Return -1 if d distinct d1.
  68. // d starts at ct+code_length.
  69. if (memcmp(cipher_text + code_length, d1, k_prime) != 0) {
  70. return EXIT_FAILURE;
  71. }
  72. /*
  73. * Step_5 of the decapsulation: Parse r1 as (rho2||sigma1)
  74. */
  75. for (i = 0; i < code_dimension; i++) {
  76. if (i < k_sec) {
  77. // Optimize modulo
  78. rho2[i] = r1[i] & (F_q_size - 1); //rho2 recovery
  79. } else {
  80. // Optimize modulo
  81. sigma[i - k_sec] = r1[i] & (F_q_size - 1); // sigma1 recovery
  82. }
  83. }
  84. //Return ⊥ if rho1 distinct rho2
  85. if (memcmp(rho1, rho2, k_sec) != 0) {
  86. return -1;
  87. }
  88. /*
  89. * Step_6 of the decapsulation: Generate error vector e2 of length n and
  90. * weight n0_w from sigma1
  91. */
  92. //test = KangarooTwelve(sigma, k_prime, hash_sigma, code_length, K12_custom, K12_custom_len);
  93. //SHAKE256(hash_sigma, code_length, sigma, k_prime);
  94. shake128(hash_sigma, code_length, sigma, k_prime);
  95. //Generate error vector e2 of length code_length and weight n0_w from
  96. //hash_sigma1 by using random_e function.
  97. random_e(hash_sigma, e2);
  98. /*
  99. * Step_7 of the decapsulation: Return ⊥ if e_prime distinct e.
  100. */
  101. if (memcmp(e_prime, e2, code_length) != 0) {
  102. return -1;
  103. }
  104. /*
  105. * Step_7 of the decapsulation: If the previous condition is not satisfied,
  106. * compute the shared secret ss by using KangarooTwelve
  107. */
  108. //test = KangarooTwelve(m1, k_prime, ss, ss_length, K12_custom, K12_custom_len);
  109. //SHAKE256(secret_shared, ss_length, m1, k_prime);
  110. shake128(secret_shared, ss_length, m1, k_prime);
  111. return 0;
  112. }