decapsulation.c 4.0 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145
  1. /*
  2. * decapsulation.c
  3. *
  4. * Created on: May 4, 2018
  5. * Author: vader
  6. */
  7. #include "../include/decapsulation.h"
  8. /*
  9. * Decapsulation:
  10. * This function can be used to decrypt the cipher_text.
  11. * The secret_key is used to obtain both v and y for the decrypt function
  12. *
  13. * Param:
  14. * secret_shard: Provide the shared secret
  15. * cipher_text: Provide the cipher text
  16. * secret_key: Provide the secret key
  17. * Returns: the results from decrypt() based on provided input
  18. */
  19. int decapsulation(unsigned char *secret_shared,
  20. const unsigned char *cipher_text, const unsigned char *secret_key) {
  21. gf v[code_length] = { 0 };
  22. gf y[code_length] = { 0 };
  23. //recover_sk(sk, v_sk, y_vk);
  24. recover_secret_key(secret_key, v, y);
  25. return decrypt(secret_shared, cipher_text, v, y);
  26. }
  27. int decrypt(unsigned char *secret_shared, const unsigned char *cipher_text,
  28. const gf *v, const gf *y) {
  29. int i, j, decode_value;
  30. unsigned char word[code_length] = { 0 };
  31. unsigned char m1[k_prime] = { 0 };
  32. unsigned char rho1[k_sec] = { 0 };
  33. unsigned char r1[code_dimension] = { 0 };
  34. unsigned char d1[k_prime] = { 0 };
  35. unsigned char rho2[k_sec] = { 0 };
  36. unsigned char sigma[code_dimension] = { 0 };
  37. unsigned char e2[code_length] = { 0 };
  38. unsigned char hash_sigma[code_length] = { 0 };
  39. unsigned char e_prime[code_length] = { 0 };
  40. /*
  41. * Step_1 of the decapsulation : Decode the noisy codeword C received as
  42. * part of the ciphertext ct = (c||d) with d is “ a plaintext confirmation”.
  43. * We obtain codeword mot = u1G and error e
  44. */
  45. PRINT_DEBUG_DECAP("Starting decoding...\n");
  46. decode_value = decoding(v, y, cipher_text, e_prime, word);
  47. /*
  48. * Step_2 of the decapsulation : Output ⊥ if decoding fails or wt(e) != n0_w
  49. */
  50. if (decode_value == EXIT_FAILURE
  51. || compute_weight(e_prime, code_length) != weight) {
  52. return -1;
  53. }
  54. /*
  55. * Step_3 of the decapsulation : Recover u_prime = word and parse it as (rho1||m1)
  56. */
  57. // Optimize modulo and removed copy to u1
  58. memcpy(rho1, word, k_sec);
  59. memcpy(m1, word + k_sec, code_dimension - k_sec);
  60. /*
  61. * Step_4 of the decapsulation : Compute r1 = G(m1) and d1 = H(m1)
  62. */
  63. // Compute d1 = H(m1) where H is sponge SHA-512 function
  64. //#if defined(DAGS_3) || defined(DAGS_5)
  65. shake256(r1, code_dimension, m1, k_prime);
  66. shake256(d1, k_prime, m1, k_prime);
  67. //#else
  68. //shake128(r1, code_dimension, m1, k_prime);
  69. //shake128(d1, k_prime, m1, k_prime);
  70. //#endif
  71. for (i = 0; i < k_prime; i++) {
  72. d1[i] = d1[i] & (F_q_size - 1);
  73. }
  74. // Return -1 if d distinct d1.
  75. // d starts at ct+code_length.
  76. if (memcmp(cipher_text + code_length, d1, k_prime) != 0) {
  77. return EXIT_FAILURE;
  78. }
  79. /*
  80. * Step_5 of the decapsulation: Parse r1 as (rho2||sigma1)
  81. */
  82. for (i = 0; i < k_sec; i++) {
  83. rho2[i] = r1[i] & (F_q_size - 1);
  84. }
  85. for (j = i - k_sec; i < code_dimension; i++, j++) {
  86. sigma[j] = r1[i] & (F_q_size - 1);
  87. }
  88. //Return ⊥ if rho1 distinct rho2
  89. if (memcmp(rho1, rho2, k_sec) != 0) {
  90. return -1;
  91. }
  92. /*
  93. * Step_6 of the decapsulation: Generate error vector e2 of length n and
  94. * weight n0_w from sigma1
  95. */
  96. //test = KangarooTwelve(sigma, k_prime, hash_sigma, code_length, K12_custom, K12_custom_len);
  97. //SHAKE256(hash_sigma, code_length, sigma, k_prime);
  98. //#if defined(DAGS_3) || defined(DAGS_5)
  99. shake256(hash_sigma, code_length, sigma, k_prime);
  100. //#else
  101. //shake128(hash_sigma, code_length, sigma, k_prime);
  102. //#endif
  103. //Generate error vector e2 of length code_length and weight n0_w from
  104. //hash_sigma1 by using random_e function.
  105. random_e(hash_sigma, e2);
  106. /*
  107. * Step_7 of the decapsulation: Return ⊥ if e_prime distinct e.
  108. */
  109. if (memcmp(e_prime, e2, code_length) != 0) {
  110. return -1;
  111. }
  112. /*
  113. * Step_7 of the decapsulation: If the previous condition is not satisfied,
  114. * compute the shared secret ss by using KangarooTwelve
  115. */
  116. //test = KangarooTwelve(m1, k_prime, ss, ss_length, K12_custom, K12_custom_len);
  117. //SHAKE256(secret_shared, ss_length, m1, k_prime);
  118. //#if defined(DAGS_3) || defined(DAGS_5)
  119. shake256(hash_sigma, code_length, sigma, k_prime);
  120. //#else
  121. //shake128(hash_sigma, code_length, sigma, k_prime);
  122. //#endif
  123. return 0;
  124. }