From 2c71cec020219d69df84055c59eba5799a1233ec Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Tue, 29 Dec 2020 00:59:15 +0000 Subject: [PATCH] upstream: Update/replace the experimental post-quantim hybrid key exchange method based on Streamlined NTRU Prime (coupled with X25519). The previous sntrup4591761x25519-sha512@tinyssh.org method is replaced with sntrup761x25519-sha512@openssh.com. Per the authors, sntrup4591761 was replaced almost two years ago by sntrup761. The sntrup761 implementaion, like sntrup4591761 before it, is public domain code extracted from the SUPERCOP cryptography benchmark suite (https://bench.cr.yp.to/supercop.html). Thanks for Daniel J Bernstein for guidance on algorithm selection. Patch from Tobias Heider; feedback & ok markus@ and myself (note this both the updated method and the one that it replaced are disabled by default) OpenBSD-Commit-ID: 2bf582b772d81ee24e911bb6f4b2aecfd39338ae --- .depend | 7 +- Makefile.in | 2 +- crypto_api.h | 16 +- kex.c | 4 +- kex.h | 14 +- kexgen.c | 18 +- ...rup4591761x25519.c => kexsntrup761x25519.c | 0 monitor.c | 4 +- sntrup4591761.c | 1083 ------------- sntrup4591761.sh | 57 - sntrup761.c | 1364 +++++++++++++++++ sntrup761.sh | 65 + ssh-keyscan.c | 4 +- ssh_api.c | 6 +- sshconnect2.c | 4 +- sshd.c | 4 +- sshd_config.5 | 6 +- 17 files changed, 1474 insertions(+), 1184 deletions(-) rename kexsntrup4591761x25519.c => kexsntrup761x25519.c (100%) delete mode 100644 sntrup4591761.c delete mode 100644 sntrup4591761.sh create mode 100644 sntrup761.c create mode 100644 sntrup761.sh diff --git a/.depend b/.depend index 03b73ea68..233380972 100644 --- a/.depend +++ b/.depend @@ -70,7 +70,7 @@ kexgen.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat kexgex.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h kexgexc.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h kexgexs.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h -kexsntrup4591761x25519.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h sshkey.h kex.h mac.h crypto_api.h sshbuf.h digest.h ./ssherr.h +kexsntrup761x25519.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h sshkey.h kex.h mac.h crypto_api.h sshbuf.h digest.h ./ssherr.h krl.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h ./openbsd-compat/sys-tree.h openbsd-compat/sys-queue.h sshbuf.h ./ssherr.h sshkey.h authfile.h misc.h log.h digest.h bitmap.h utf8.h krl.h log.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h log.h ./ssherr.h match.h loginrec.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h sshkey.h hostfile.h ssh.h loginrec.h log.h ./ssherr.h atomicio.h packet.h openbsd-compat/sys-queue.h dispatch.h canohost.h auth.h auth-pam.h audit.h sshbuf.h @@ -124,7 +124,7 @@ sftp-server-main.o: includes.h config.h defines.h platform.h openbsd-compat/open sftp-server.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h sshbuf.h ./ssherr.h log.h misc.h match.h uidswap.h sftp.h sftp-common.h sftp.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h log.h ./ssherr.h pathnames.h misc.h utf8.h sftp.h sshbuf.h sftp-common.h sftp-client.h openbsd-compat/glob.h sk-usbhid.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h -sntrup4591761.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h crypto_api.h +sntrup761.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h crypto_api.h ssh-add.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h ssh.h log.h ./ssherr.h sshkey.h sshbuf.h authfd.h authfile.h pathnames.h misc.h digest.h ssh-sk.h sk-api.h ssh-agent.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h openbsd-compat/sys-queue.h xmalloc.h ssh.h ssh2.h sshbuf.h sshkey.h authfd.h compat.h log.h ./ssherr.h misc.h digest.h match.h msg.h pathnames.h ssh-pkcs11.h sk-api.h ssh-dss.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h @@ -132,7 +132,8 @@ ssh-ecdsa-sk.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd- ssh-ecdsa.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h ssh-ed25519-sk.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h crypto_api.h log.h ./ssherr.h sshbuf.h sshkey.h ssh.h digest.h ssh-ed25519.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h crypto_api.h log.h ./ssherr.h sshbuf.h sshkey.h ssh.h -ssh-keygen.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h sshkey.h authfile.h sshbuf.h pathnames.h log.h ./ssherr.h misc.h match.h hostfile.h dns.h ssh.h ssh2.h ssh-pkcs11.h atomicio.h krl.h digest.h utf8.h authfd.h sshsig.h ssh-sk.h sk-api.h +ssh-keygen.o: cipher-chachapoly.h chacha.h poly1305.h cipher-aesctr.h rijndael.h +ssh-keygen.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h sshkey.h authfile.h sshbuf.h pathnames.h log.h ./ssherr.h misc.h match.h hostfile.h dns.h ssh.h ssh2.h ssh-pkcs11.h atomicio.h krl.h digest.h utf8.h authfd.h sshsig.h ssh-sk.h sk-api.h cipher.h ssh-keyscan.o: ./ssherr.h atomicio.h misc.h hostfile.h ssh_api.h ssh2.h dns.h ssh-keyscan.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h openbsd-compat/sys-queue.h xmalloc.h ssh.h sshbuf.h sshkey.h cipher.h cipher-chachapoly.h chacha.h poly1305.h cipher-aesctr.h rijndael.h kex.h mac.h crypto_api.h compat.h myproposal.h packet.h dispatch.h log.h ssh-keysign.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h log.h ./ssherr.h sshkey.h ssh.h ssh2.h misc.h sshbuf.h authfile.h msg.h canohost.h pathnames.h readconf.h uidswap.h diff --git a/Makefile.in b/Makefile.in index acfb919da..dd3869812 100644 --- a/Makefile.in +++ b/Makefile.in @@ -106,7 +106,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \ hmac.o sc25519.o ge25519.o fe25519.o ed25519.o verify.o hash.o \ kex.o kexdh.o kexgex.o kexecdh.o kexc25519.o \ kexgexc.o kexgexs.o \ - sntrup4591761.o kexsntrup4591761x25519.o kexgen.o \ + kexsntrup761x25519.o sntrup761.o kexgen.o \ sftp-realpath.o platform-pledge.o platform-tracing.o platform-misc.o \ sshbuf-io.o diff --git a/crypto_api.h b/crypto_api.h index eb05251ff..1827003e0 100644 --- a/crypto_api.h +++ b/crypto_api.h @@ -1,4 +1,4 @@ -/* $OpenBSD: crypto_api.h,v 1.5 2019/01/21 10:20:12 djm Exp $ */ +/* $OpenBSD: crypto_api.h,v 1.6 2020/12/29 00:59:15 djm Exp $ */ /* * Assembled from generated headers and source files by Markus Friedl. @@ -42,15 +42,15 @@ int crypto_sign_ed25519_open(unsigned char *, unsigned long long *, const unsigned char *, unsigned long long, const unsigned char *); int crypto_sign_ed25519_keypair(unsigned char *, unsigned char *); -#define crypto_kem_sntrup4591761_PUBLICKEYBYTES 1218 -#define crypto_kem_sntrup4591761_SECRETKEYBYTES 1600 -#define crypto_kem_sntrup4591761_CIPHERTEXTBYTES 1047 -#define crypto_kem_sntrup4591761_BYTES 32 +#define crypto_kem_sntrup761_PUBLICKEYBYTES 1158 +#define crypto_kem_sntrup761_SECRETKEYBYTES 1763 +#define crypto_kem_sntrup761_CIPHERTEXTBYTES 1039 +#define crypto_kem_sntrup761_BYTES 32 -int crypto_kem_sntrup4591761_enc(unsigned char *cstr, unsigned char *k, +int crypto_kem_sntrup761_enc(unsigned char *cstr, unsigned char *k, const unsigned char *pk); -int crypto_kem_sntrup4591761_dec(unsigned char *k, +int crypto_kem_sntrup761_dec(unsigned char *k, const unsigned char *cstr, const unsigned char *sk); -int crypto_kem_sntrup4591761_keypair(unsigned char *pk, unsigned char *sk); +int crypto_kem_sntrup761_keypair(unsigned char *pk, unsigned char *sk); #endif /* crypto_api_h */ diff --git a/kex.c b/kex.c index 4a36310a3..f08143a5d 100644 --- a/kex.c +++ b/kex.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kex.c,v 1.162 2020/12/04 02:27:57 djm Exp $ */ +/* $OpenBSD: kex.c,v 1.163 2020/12/29 00:59:15 djm Exp $ */ /* * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. * @@ -110,7 +110,7 @@ static const struct kexalg kexalgs[] = { #if defined(HAVE_EVP_SHA256) || !defined(WITH_OPENSSL) { KEX_CURVE25519_SHA256, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 }, { KEX_CURVE25519_SHA256_OLD, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 }, - { KEX_SNTRUP4591761X25519_SHA512, KEX_KEM_SNTRUP4591761X25519_SHA512, 0, + { KEX_SNTRUP761X25519_SHA512, KEX_KEM_SNTRUP761X25519_SHA512, 0, SSH_DIGEST_SHA512 }, #endif /* HAVE_EVP_SHA256 || !WITH_OPENSSL */ { NULL, 0, -1, -1}, diff --git a/kex.h b/kex.h index 0c405e33c..5f59166a0 100644 --- a/kex.h +++ b/kex.h @@ -1,4 +1,4 @@ -/* $OpenBSD: kex.h,v 1.111 2020/10/07 02:22:23 djm Exp $ */ +/* $OpenBSD: kex.h,v 1.112 2020/12/29 00:59:15 djm Exp $ */ /* * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. @@ -62,7 +62,7 @@ #define KEX_ECDH_SHA2_NISTP521 "ecdh-sha2-nistp521" #define KEX_CURVE25519_SHA256 "curve25519-sha256" #define KEX_CURVE25519_SHA256_OLD "curve25519-sha256@libssh.org" -#define KEX_SNTRUP4591761X25519_SHA512 "sntrup4591761x25519-sha512@tinyssh.org" +#define KEX_SNTRUP761X25519_SHA512 "sntrup761x25519-sha512@openssh.com" #define COMP_NONE 0 /* pre-auth compression (COMP_ZLIB) is only supported in the client */ @@ -101,7 +101,7 @@ enum kex_exchange { KEX_DH_GEX_SHA256, KEX_ECDH_SHA2, KEX_C25519_SHA256, - KEX_KEM_SNTRUP4591761X25519_SHA512, + KEX_KEM_SNTRUP761X25519_SHA512, KEX_MAX }; @@ -168,7 +168,7 @@ struct kex { const EC_GROUP *ec_group; /* ECDH */ u_char c25519_client_key[CURVE25519_SIZE]; /* 25519 + KEM */ u_char c25519_client_pubkey[CURVE25519_SIZE]; /* 25519 */ - u_char sntrup4591761_client_key[crypto_kem_sntrup4591761_SECRETKEYBYTES]; /* KEM */ + u_char sntrup761_client_key[crypto_kem_sntrup761_SECRETKEYBYTES]; /* KEM */ struct sshbuf *client_pub; }; @@ -218,10 +218,10 @@ int kex_c25519_enc(struct kex *, const struct sshbuf *, struct sshbuf **, struct sshbuf **); int kex_c25519_dec(struct kex *, const struct sshbuf *, struct sshbuf **); -int kex_kem_sntrup4591761x25519_keypair(struct kex *); -int kex_kem_sntrup4591761x25519_enc(struct kex *, const struct sshbuf *, +int kex_kem_sntrup761x25519_keypair(struct kex *); +int kex_kem_sntrup761x25519_enc(struct kex *, const struct sshbuf *, struct sshbuf **, struct sshbuf **); -int kex_kem_sntrup4591761x25519_dec(struct kex *, const struct sshbuf *, +int kex_kem_sntrup761x25519_dec(struct kex *, const struct sshbuf *, struct sshbuf **); int kex_dh_keygen(struct kex *); diff --git a/kexgen.c b/kexgen.c index 69348b964..39a848f25 100644 --- a/kexgen.c +++ b/kexgen.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kexgen.c,v 1.4 2019/11/25 00:51:37 djm Exp $ */ +/* $OpenBSD: kexgen.c,v 1.5 2020/12/29 00:59:15 djm Exp $ */ /* * Copyright (c) 2019 Markus Friedl. All rights reserved. * @@ -117,8 +117,8 @@ kex_gen_client(struct ssh *ssh) case KEX_C25519_SHA256: r = kex_c25519_keypair(kex); break; - case KEX_KEM_SNTRUP4591761X25519_SHA512: - r = kex_kem_sntrup4591761x25519_keypair(kex); + case KEX_KEM_SNTRUP761X25519_SHA512: + r = kex_kem_sntrup761x25519_keypair(kex); break; default: r = SSH_ERR_INVALID_ARGUMENT; @@ -185,8 +185,8 @@ input_kex_gen_reply(int type, u_int32_t seq, struct ssh *ssh) case KEX_C25519_SHA256: r = kex_c25519_dec(kex, server_blob, &shared_secret); break; - case KEX_KEM_SNTRUP4591761X25519_SHA512: - r = kex_kem_sntrup4591761x25519_dec(kex, server_blob, + case KEX_KEM_SNTRUP761X25519_SHA512: + r = kex_kem_sntrup761x25519_dec(kex, server_blob, &shared_secret); break; default: @@ -220,8 +220,8 @@ input_kex_gen_reply(int type, u_int32_t seq, struct ssh *ssh) out: explicit_bzero(hash, sizeof(hash)); explicit_bzero(kex->c25519_client_key, sizeof(kex->c25519_client_key)); - explicit_bzero(kex->sntrup4591761_client_key, - sizeof(kex->sntrup4591761_client_key)); + explicit_bzero(kex->sntrup761_client_key, + sizeof(kex->sntrup761_client_key)); sshbuf_free(server_host_key_blob); free(signature); sshbuf_free(tmp); @@ -282,8 +282,8 @@ input_kex_gen_init(int type, u_int32_t seq, struct ssh *ssh) r = kex_c25519_enc(kex, client_pubkey, &server_pubkey, &shared_secret); break; - case KEX_KEM_SNTRUP4591761X25519_SHA512: - r = kex_kem_sntrup4591761x25519_enc(kex, client_pubkey, + case KEX_KEM_SNTRUP761X25519_SHA512: + r = kex_kem_sntrup761x25519_enc(kex, client_pubkey, &server_pubkey, &shared_secret); break; default: diff --git a/kexsntrup4591761x25519.c b/kexsntrup761x25519.c similarity index 100% rename from kexsntrup4591761x25519.c rename to kexsntrup761x25519.c diff --git a/monitor.c b/monitor.c index 64a837f48..79d003ae9 100644 --- a/monitor.c +++ b/monitor.c @@ -1,4 +1,4 @@ -/* $OpenBSD: monitor.c,v 1.218 2020/11/27 00:37:10 djm Exp $ */ +/* $OpenBSD: monitor.c,v 1.219 2020/12/29 00:59:15 djm Exp $ */ /* * Copyright 2002 Niels Provos * Copyright 2002 Markus Friedl @@ -1732,7 +1732,7 @@ monitor_apply_keystate(struct ssh *ssh, struct monitor *pmonitor) # endif #endif /* WITH_OPENSSL */ kex->kex[KEX_C25519_SHA256] = kex_gen_server; - kex->kex[KEX_KEM_SNTRUP4591761X25519_SHA512] = kex_gen_server; + kex->kex[KEX_KEM_SNTRUP761X25519_SHA512] = kex_gen_server; kex->load_host_public_key=&get_hostkey_public_by_type; kex->load_host_private_key=&get_hostkey_private_by_type; kex->host_key_index=&get_hostkey_index; diff --git a/sntrup4591761.c b/sntrup4591761.c deleted file mode 100644 index 61fe2483f..000000000 --- a/sntrup4591761.c +++ /dev/null @@ -1,1083 +0,0 @@ -/* $OpenBSD: sntrup4591761.c,v 1.3 2019/01/30 19:51:15 markus Exp $ */ - -/* - * Public Domain, Authors: - * - Daniel J. Bernstein - * - Chitchanok Chuengsatiansup - * - Tanja Lange - * - Christine van Vredendaal - */ - -#include "includes.h" - -#include -#include "crypto_api.h" - -/* from libpqcrypto-20180314/crypto_kem/sntrup4591761/ref/int32_sort.h */ -#ifndef int32_sort_h -#define int32_sort_h - - -static void int32_sort(crypto_int32 *,int); - -#endif - -/* from libpqcrypto-20180314/crypto_kem/sntrup4591761/ref/int32_sort.c */ -/* See https://ntruprime.cr.yp.to/software.html for detailed documentation. */ - - -static void minmax(crypto_int32 *x,crypto_int32 *y) -{ - crypto_uint32 xi = *x; - crypto_uint32 yi = *y; - crypto_uint32 xy = xi ^ yi; - crypto_uint32 c = yi - xi; - c ^= xy & (c ^ yi); - c >>= 31; - c = -c; - c &= xy; - *x = xi ^ c; - *y = yi ^ c; -} - -static void int32_sort(crypto_int32 *x,int n) -{ - int top,p,q,i; - - if (n < 2) return; - top = 1; - while (top < n - top) top += top; - - for (p = top;p > 0;p >>= 1) { - for (i = 0;i < n - p;++i) - if (!(i & p)) - minmax(x + i,x + i + p); - for (q = top;q > p;q >>= 1) - for (i = 0;i < n - q;++i) - if (!(i & p)) - minmax(x + i + p,x + i + q); - } -} - -/* from libpqcrypto-20180314/crypto_kem/sntrup4591761/ref/small.h */ -#ifndef small_h -#define small_h - - -typedef crypto_int8 small; - -static void small_encode(unsigned char *,const small *); - -static void small_decode(small *,const unsigned char *); - - -static void small_random(small *); - -static void small_random_weightw(small *); - -#endif - -/* from libpqcrypto-20180314/crypto_kem/sntrup4591761/ref/mod3.h */ -#ifndef mod3_h -#define mod3_h - - -/* -1 if x is nonzero, 0 otherwise */ -static inline int mod3_nonzero_mask(small x) -{ - return -x*x; -} - -/* input between -100000 and 100000 */ -/* output between -1 and 1 */ -static inline small mod3_freeze(crypto_int32 a) -{ - a -= 3 * ((10923 * a) >> 15); - a -= 3 * ((89478485 * a + 134217728) >> 28); - return a; -} - -static inline small mod3_minusproduct(small a,small b,small c) -{ - crypto_int32 A = a; - crypto_int32 B = b; - crypto_int32 C = c; - return mod3_freeze(A - B * C); -} - -static inline small mod3_plusproduct(small a,small b,small c) -{ - crypto_int32 A = a; - crypto_int32 B = b; - crypto_int32 C = c; - return mod3_freeze(A + B * C); -} - -static inline small mod3_product(small a,small b) -{ - return a * b; -} - -static inline small mod3_sum(small a,small b) -{ - crypto_int32 A = a; - crypto_int32 B = b; - return mod3_freeze(A + B); -} - -static inline small mod3_reciprocal(small a1) -{ - return a1; -} - -static inline small mod3_quotient(small num,small den) -{ - return mod3_product(num,mod3_reciprocal(den)); -} - -#endif - -/* from libpqcrypto-20180314/crypto_kem/sntrup4591761/ref/modq.h */ -#ifndef modq_h -#define modq_h - - -typedef crypto_int16 modq; - -/* -1 if x is nonzero, 0 otherwise */ -static inline int modq_nonzero_mask(modq x) -{ - crypto_int32 r = (crypto_uint16) x; - r = -r; - r >>= 30; - return r; -} - -/* input between -9000000 and 9000000 */ -/* output between -2295 and 2295 */ -static inline modq modq_freeze(crypto_int32 a) -{ - a -= 4591 * ((228 * a) >> 20); - a -= 4591 * ((58470 * a + 134217728) >> 28); - return a; -} - -static inline modq modq_minusproduct(modq a,modq b,modq c) -{ - crypto_int32 A = a; - crypto_int32 B = b; - crypto_int32 C = c; - return modq_freeze(A - B * C); -} - -static inline modq modq_plusproduct(modq a,modq b,modq c) -{ - crypto_int32 A = a; - crypto_int32 B = b; - crypto_int32 C = c; - return modq_freeze(A + B * C); -} - -static inline modq modq_product(modq a,modq b) -{ - crypto_int32 A = a; - crypto_int32 B = b; - return modq_freeze(A * B); -} - -static inline modq modq_square(modq a) -{ - crypto_int32 A = a; - return modq_freeze(A * A); -} - -static inline modq modq_sum(modq a,modq b) -{ - crypto_int32 A = a; - crypto_int32 B = b; - return modq_freeze(A + B); -} - -static inline modq modq_reciprocal(modq a1) -{ - modq a2 = modq_square(a1); - modq a3 = modq_product(a2,a1); - modq a4 = modq_square(a2); - modq a8 = modq_square(a4); - modq a16 = modq_square(a8); - modq a32 = modq_square(a16); - modq a35 = modq_product(a32,a3); - modq a70 = modq_square(a35); - modq a140 = modq_square(a70); - modq a143 = modq_product(a140,a3); - modq a286 = modq_square(a143); - modq a572 = modq_square(a286); - modq a1144 = modq_square(a572); - modq a1147 = modq_product(a1144,a3); - modq a2294 = modq_square(a1147); - modq a4588 = modq_square(a2294); - modq a4589 = modq_product(a4588,a1); - return a4589; -} - -static inline modq modq_quotient(modq num,modq den) -{ - return modq_product(num,modq_reciprocal(den)); -} - -#endif - -/* from libpqcrypto-20180314/crypto_kem/sntrup4591761/ref/params.h */ -#ifndef params_h -#define params_h - -#define q 4591 -/* XXX: also built into modq in various ways */ - -#define qshift 2295 -#define p 761 -#define w 286 - -#define rq_encode_len 1218 -#define small_encode_len 191 - -#endif - -/* from libpqcrypto-20180314/crypto_kem/sntrup4591761/ref/r3.h */ -#ifndef r3_h -#define r3_h - - -static void r3_mult(small *,const small *,const small *); - -extern int r3_recip(small *,const small *); - -#endif - -/* from libpqcrypto-20180314/crypto_kem/sntrup4591761/ref/rq.h */ -#ifndef rq_h -#define rq_h - - -static void rq_encode(unsigned char *,const modq *); - -static void rq_decode(modq *,const unsigned char *); - -static void rq_encoderounded(unsigned char *,const modq *); - -static void rq_decoderounded(modq *,const unsigned char *); - -static void rq_round3(modq *,const modq *); - -static void rq_mult(modq *,const modq *,const small *); - -int rq_recip3(modq *,const small *); - -#endif - -/* from libpqcrypto-20180314/crypto_kem/sntrup4591761/ref/swap.h */ -#ifndef swap_h -#define swap_h - -static void swap(void *,void *,int,int); - -#endif - -/* from libpqcrypto-20180314/crypto_kem/sntrup4591761/ref/dec.c */ -/* See https://ntruprime.cr.yp.to/software.html for detailed documentation. */ - -#ifdef KAT -#endif - - -int crypto_kem_sntrup4591761_dec( - unsigned char *k, - const unsigned char *cstr, - const unsigned char *sk -) -{ - small f[p]; - modq h[p]; - small grecip[p]; - modq c[p]; - modq t[p]; - small t3[p]; - small r[p]; - modq hr[p]; - unsigned char rstr[small_encode_len]; - unsigned char hash[64]; - int i; - int result = 0; - int weight; - - small_decode(f,sk); - small_decode(grecip,sk + small_encode_len); - rq_decode(h,sk + 2 * small_encode_len); - - rq_decoderounded(c,cstr + 32); - - rq_mult(t,c,f); - for (i = 0;i < p;++i) t3[i] = mod3_freeze(modq_freeze(3*t[i])); - - r3_mult(r,t3,grecip); - -#ifdef KAT - { - int j; - printf("decrypt r:"); - for (j = 0;j < p;++j) - if (r[j] == 1) printf(" +%d",j); - else if (r[j] == -1) printf(" -%d",j); - printf("\n"); - } -#endif - - weight = 0; - for (i = 0;i < p;++i) weight += (1 & r[i]); - weight -= w; - result |= modq_nonzero_mask(weight); /* XXX: puts limit on p */ - - rq_mult(hr,h,r); - rq_round3(hr,hr); - for (i = 0;i < p;++i) result |= modq_nonzero_mask(hr[i] - c[i]); - - small_encode(rstr,r); - crypto_hash_sha512(hash,rstr,sizeof rstr); - result |= crypto_verify_32(hash,cstr); - - for (i = 0;i < 32;++i) k[i] = (hash[32 + i] & ~result); - return result; -} - -/* from libpqcrypto-20180314/crypto_kem/sntrup4591761/ref/enc.c */ -/* See https://ntruprime.cr.yp.to/software.html for detailed documentation. */ - -#ifdef KAT -#endif - - -int crypto_kem_sntrup4591761_enc( - unsigned char *cstr, - unsigned char *k, - const unsigned char *pk -) -{ - small r[p]; - modq h[p]; - modq c[p]; - unsigned char rstr[small_encode_len]; - unsigned char hash[64]; - - small_random_weightw(r); - -#ifdef KAT - { - int i; - printf("encrypt r:"); - for (i = 0;i < p;++i) - if (r[i] == 1) printf(" +%d",i); - else if (r[i] == -1) printf(" -%d",i); - printf("\n"); - } -#endif - - small_encode(rstr,r); - crypto_hash_sha512(hash,rstr,sizeof rstr); - - rq_decode(h,pk); - rq_mult(c,h,r); - rq_round3(c,c); - - memcpy(k,hash + 32,32); - memcpy(cstr,hash,32); - rq_encoderounded(cstr + 32,c); - - return 0; -} - -/* from libpqcrypto-20180314/crypto_kem/sntrup4591761/ref/keypair.c */ -/* See https://ntruprime.cr.yp.to/software.html for detailed documentation. */ - - -#if crypto_kem_sntrup4591761_PUBLICKEYBYTES != rq_encode_len -#error "crypto_kem_sntrup4591761_PUBLICKEYBYTES must match rq_encode_len" -#endif -#if crypto_kem_sntrup4591761_SECRETKEYBYTES != rq_encode_len + 2 * small_encode_len -#error "crypto_kem_sntrup4591761_SECRETKEYBYTES must match rq_encode_len + 2 * small_encode_len" -#endif - -int crypto_kem_sntrup4591761_keypair(unsigned char *pk,unsigned char *sk) -{ - small g[p]; - small grecip[p]; - small f[p]; - modq f3recip[p]; - modq h[p]; - - do - small_random(g); - while (r3_recip(grecip,g) != 0); - - small_random_weightw(f); - rq_recip3(f3recip,f); - - rq_mult(h,f3recip,g); - - rq_encode(pk,h); - small_encode(sk,f); - small_encode(sk + small_encode_len,grecip); - memcpy(sk + 2 * small_encode_len,pk,rq_encode_len); - - return 0; -} - -/* from libpqcrypto-20180314/crypto_kem/sntrup4591761/ref/r3_mult.c */ -/* See https://ntruprime.cr.yp.to/software.html for detailed documentation. */ - - -static void r3_mult(small *h,const small *f,const small *g) -{ - small fg[p + p - 1]; - small result; - int i, j; - - for (i = 0;i < p;++i) { - result = 0; - for (j = 0;j <= i;++j) - result = mod3_plusproduct(result,f[j],g[i - j]); - fg[i] = result; - } - for (i = p;i < p + p - 1;++i) { - result = 0; - for (j = i - p + 1;j < p;++j) - result = mod3_plusproduct(result,f[j],g[i - j]); - fg[i] = result; - } - - for (i = p + p - 2;i >= p;--i) { - fg[i - p] = mod3_sum(fg[i - p],fg[i]); - fg[i - p + 1] = mod3_sum(fg[i - p + 1],fg[i]); - } - - for (i = 0;i < p;++i) - h[i] = fg[i]; -} - -/* from libpqcrypto-20180314/crypto_kem/sntrup4591761/ref/r3_recip.c */ -/* See https://ntruprime.cr.yp.to/software.html for detailed documentation. */ - - -/* caller must ensure that x-y does not overflow */ -static int smaller_mask_r3_recip(int x,int y) -{ - return (x - y) >> 31; -} - -static void vectormod3_product(small *z,int len,const small *x,const small c) -{ - int i; - for (i = 0;i < len;++i) z[i] = mod3_product(x[i],c); -} - -static void vectormod3_minusproduct(small *z,int len,const small *x,const small *y,const small c) -{ - int i; - for (i = 0;i < len;++i) z[i] = mod3_minusproduct(x[i],y[i],c); -} - -static void vectormod3_shift(small *z,int len) -{ - int i; - for (i = len - 1;i > 0;--i) z[i] = z[i - 1]; - z[0] = 0; -} - -/* -r = s^(-1) mod m, returning 0, if s is invertible mod m -or returning -1 if s is not invertible mod m -r,s are polys of degree

= loops) break; - - c = mod3_quotient(g[p],f[p]); - - vectormod3_minusproduct(g,p + 1,g,f,c); - vectormod3_shift(g,p + 1); - -#ifdef SIMPLER - vectormod3_minusproduct(v,loops + 1,v,u,c); - vectormod3_shift(v,loops + 1); -#else - if (loop < p) { - vectormod3_minusproduct(v,loop + 1,v,u,c); - vectormod3_shift(v,loop + 2); - } else { - vectormod3_minusproduct(v + loop - p,p + 1,v + loop - p,u + loop - p,c); - vectormod3_shift(v + loop - p,p + 2); - } -#endif - - e -= 1; - - ++loop; - - swapmask = smaller_mask_r3_recip(e,d) & mod3_nonzero_mask(g[p]); - swap(&e,&d,sizeof e,swapmask); - swap(f,g,(p + 1) * sizeof(small),swapmask); - -#ifdef SIMPLER - swap(u,v,(loops + 1) * sizeof(small),swapmask); -#else - if (loop < p) { - swap(u,v,(loop + 1) * sizeof(small),swapmask); - } else { - swap(u + loop - p,v + loop - p,(p + 1) * sizeof(small),swapmask); - } -#endif - } - - c = mod3_reciprocal(f[p]); - vectormod3_product(r,p,u + p,c); - return smaller_mask_r3_recip(0,d); -} - -/* from libpqcrypto-20180314/crypto_kem/sntrup4591761/ref/randomsmall.c */ -/* See https://ntruprime.cr.yp.to/software.html for detailed documentation. */ - - -static void small_random(small *g) -{ - int i; - - for (i = 0;i < p;++i) { - crypto_uint32 r = small_random32(); - g[i] = (small) (((1073741823 & r) * 3) >> 30) - 1; - } -} - -/* from libpqcrypto-20180314/crypto_kem/sntrup4591761/ref/randomweightw.c */ -/* See https://ntruprime.cr.yp.to/software.html for detailed documentation. */ - - -static void small_random_weightw(small *f) -{ - crypto_int32 r[p]; - int i; - - for (i = 0;i < p;++i) r[i] = small_random32(); - for (i = 0;i < w;++i) r[i] &= -2; - for (i = w;i < p;++i) r[i] = (r[i] & -3) | 1; - int32_sort(r,p); - for (i = 0;i < p;++i) f[i] = ((small) (r[i] & 3)) - 1; -} - -/* from libpqcrypto-20180314/crypto_kem/sntrup4591761/ref/rq.c */ -/* See https://ntruprime.cr.yp.to/software.html for detailed documentation. */ - - -static void rq_encode(unsigned char *c,const modq *f) -{ - crypto_int32 f0, f1, f2, f3, f4; - int i; - - for (i = 0;i < p/5;++i) { - f0 = *f++ + qshift; - f1 = *f++ + qshift; - f2 = *f++ + qshift; - f3 = *f++ + qshift; - f4 = *f++ + qshift; - /* now want f0 + 6144*f1 + ... as a 64-bit integer */ - f1 *= 3; - f2 *= 9; - f3 *= 27; - f4 *= 81; - /* now want f0 + f1<<11 + f2<<22 + f3<<33 + f4<<44 */ - f0 += f1 << 11; - *c++ = f0; f0 >>= 8; - *c++ = f0; f0 >>= 8; - f0 += f2 << 6; - *c++ = f0; f0 >>= 8; - *c++ = f0; f0 >>= 8; - f0 += f3 << 1; - *c++ = f0; f0 >>= 8; - f0 += f4 << 4; - *c++ = f0; f0 >>= 8; - *c++ = f0; f0 >>= 8; - *c++ = f0; - } - /* XXX: using p mod 5 = 1 */ - f0 = *f++ + qshift; - *c++ = f0; f0 >>= 8; - *c++ = f0; -} - -static void rq_decode(modq *f,const unsigned char *c) -{ - crypto_uint32 c0, c1, c2, c3, c4, c5, c6, c7; - crypto_uint32 f0, f1, f2, f3, f4; - int i; - - for (i = 0;i < p/5;++i) { - c0 = *c++; - c1 = *c++; - c2 = *c++; - c3 = *c++; - c4 = *c++; - c5 = *c++; - c6 = *c++; - c7 = *c++; - - /* f0 + f1*6144 + f2*6144^2 + f3*6144^3 + f4*6144^4 */ - /* = c0 + c1*256 + ... + c6*256^6 + c7*256^7 */ - /* with each f between 0 and 4590 */ - - c6 += c7 << 8; - /* c6 <= 23241 = floor(4591*6144^4/2^48) */ - /* f4 = (16/81)c6 + (1/1296)(c5+[0,1]) - [0,0.75] */ - /* claim: 2^19 f4 < x < 2^19(f4+1) */ - /* where x = 103564 c6 + 405(c5+1) */ - /* proof: x - 2^19 f4 = (76/81)c6 + (37/81)c5 + 405 - (32768/81)[0,1] + 2^19[0,0.75] */ - /* at least 405 - 32768/81 > 0 */ - /* at most (76/81)23241 + (37/81)255 + 405 + 2^19 0.75 < 2^19 */ - f4 = (103564*c6 + 405*(c5+1)) >> 19; - - c5 += c6 << 8; - c5 -= (f4 * 81) << 4; - c4 += c5 << 8; - - /* f0 + f1*6144 + f2*6144^2 + f3*6144^3 */ - /* = c0 + c1*256 + c2*256^2 + c3*256^3 + c4*256^4 */ - /* c4 <= 247914 = floor(4591*6144^3/2^32) */ - /* f3 = (1/54)(c4+[0,1]) - [0,0.75] */ - /* claim: 2^19 f3 < x < 2^19(f3+1) */ - /* where x = 9709(c4+2) */ - /* proof: x - 2^19 f3 = 19418 - (1/27)c4 - (262144/27)[0,1] + 2^19[0,0.75] */ - /* at least 19418 - 247914/27 - 262144/27 > 0 */ - /* at most 19418 + 2^19 0.75 < 2^19 */ - f3 = (9709*(c4+2)) >> 19; - - c4 -= (f3 * 27) << 1; - c3 += c4 << 8; - /* f0 + f1*6144 + f2*6144^2 */ - /* = c0 + c1*256 + c2*256^2 + c3*256^3 */ - /* c3 <= 10329 = floor(4591*6144^2/2^24) */ - /* f2 = (4/9)c3 + (1/576)c2 + (1/147456)c1 + (1/37748736)c0 - [0,0.75] */ - /* claim: 2^19 f2 < x < 2^19(f2+1) */ - /* where x = 233017 c3 + 910(c2+2) */ - /* proof: x - 2^19 f2 = 1820 + (1/9)c3 - (2/9)c2 - (32/9)c1 - (1/72)c0 + 2^19[0,0.75] */ - /* at least 1820 - (2/9)255 - (32/9)255 - (1/72)255 > 0 */ - /* at most 1820 + (1/9)10329 + 2^19 0.75 < 2^19 */ - f2 = (233017*c3 + 910*(c2+2)) >> 19; - - c2 += c3 << 8; - c2 -= (f2 * 9) << 6; - c1 += c2 << 8; - /* f0 + f1*6144 */ - /* = c0 + c1*256 */ - /* c1 <= 110184 = floor(4591*6144/2^8) */ - /* f1 = (1/24)c1 + (1/6144)c0 - (1/6144)f0 */ - /* claim: 2^19 f1 < x < 2^19(f1+1) */ - /* where x = 21845(c1+2) + 85 c0 */ - /* proof: x - 2^19 f1 = 43690 - (1/3)c1 - (1/3)c0 + 2^19 [0,0.75] */ - /* at least 43690 - (1/3)110184 - (1/3)255 > 0 */ - /* at most 43690 + 2^19 0.75 < 2^19 */ - f1 = (21845*(c1+2) + 85*c0) >> 19; - - c1 -= (f1 * 3) << 3; - c0 += c1 << 8; - f0 = c0; - - *f++ = modq_freeze(f0 + q - qshift); - *f++ = modq_freeze(f1 + q - qshift); - *f++ = modq_freeze(f2 + q - qshift); - *f++ = modq_freeze(f3 + q - qshift); - *f++ = modq_freeze(f4 + q - qshift); - } - - c0 = *c++; - c1 = *c++; - c0 += c1 << 8; - *f++ = modq_freeze(c0 + q - qshift); -} - -/* from libpqcrypto-20180314/crypto_kem/sntrup4591761/ref/rq_mult.c */ -/* See https://ntruprime.cr.yp.to/software.html for detailed documentation. */ - - -static void rq_mult(modq *h,const modq *f,const small *g) -{ - modq fg[p + p - 1]; - modq result; - int i, j; - - for (i = 0;i < p;++i) { - result = 0; - for (j = 0;j <= i;++j) - result = modq_plusproduct(result,f[j],g[i - j]); - fg[i] = result; - } - for (i = p;i < p + p - 1;++i) { - result = 0; - for (j = i - p + 1;j < p;++j) - result = modq_plusproduct(result,f[j],g[i - j]); - fg[i] = result; - } - - for (i = p + p - 2;i >= p;--i) { - fg[i - p] = modq_sum(fg[i - p],fg[i]); - fg[i - p + 1] = modq_sum(fg[i - p + 1],fg[i]); - } - - for (i = 0;i < p;++i) - h[i] = fg[i]; -} - -/* from libpqcrypto-20180314/crypto_kem/sntrup4591761/ref/rq_recip3.c */ -/* See https://ntruprime.cr.yp.to/software.html for detailed documentation. */ - - -/* caller must ensure that x-y does not overflow */ -static int smaller_mask_rq_recip3(int x,int y) -{ - return (x - y) >> 31; -} - -static void vectormodq_product(modq *z,int len,const modq *x,const modq c) -{ - int i; - for (i = 0;i < len;++i) z[i] = modq_product(x[i],c); -} - -static void vectormodq_minusproduct(modq *z,int len,const modq *x,const modq *y,const modq c) -{ - int i; - for (i = 0;i < len;++i) z[i] = modq_minusproduct(x[i],y[i],c); -} - -static void vectormodq_shift(modq *z,int len) -{ - int i; - for (i = len - 1;i > 0;--i) z[i] = z[i - 1]; - z[0] = 0; -} - -/* -r = (3s)^(-1) mod m, returning 0, if s is invertible mod m -or returning -1 if s is not invertible mod m -r,s are polys of degree

= loops) break; - - c = modq_quotient(g[p],f[p]); - - vectormodq_minusproduct(g,p + 1,g,f,c); - vectormodq_shift(g,p + 1); - -#ifdef SIMPLER - vectormodq_minusproduct(v,loops + 1,v,u,c); - vectormodq_shift(v,loops + 1); -#else - if (loop < p) { - vectormodq_minusproduct(v,loop + 1,v,u,c); - vectormodq_shift(v,loop + 2); - } else { - vectormodq_minusproduct(v + loop - p,p + 1,v + loop - p,u + loop - p,c); - vectormodq_shift(v + loop - p,p + 2); - } -#endif - - e -= 1; - - ++loop; - - swapmask = smaller_mask_rq_recip3(e,d) & modq_nonzero_mask(g[p]); - swap(&e,&d,sizeof e,swapmask); - swap(f,g,(p + 1) * sizeof(modq),swapmask); - -#ifdef SIMPLER - swap(u,v,(loops + 1) * sizeof(modq),swapmask); -#else - if (loop < p) { - swap(u,v,(loop + 1) * sizeof(modq),swapmask); - } else { - swap(u + loop - p,v + loop - p,(p + 1) * sizeof(modq),swapmask); - } -#endif - } - - c = modq_reciprocal(f[p]); - vectormodq_product(r,p,u + p,c); - return smaller_mask_rq_recip3(0,d); -} - -/* from libpqcrypto-20180314/crypto_kem/sntrup4591761/ref/rq_round3.c */ -/* See https://ntruprime.cr.yp.to/software.html for detailed documentation. */ - - -static void rq_round3(modq *h,const modq *f) -{ - int i; - - for (i = 0;i < p;++i) - h[i] = ((21846 * (f[i] + 2295) + 32768) >> 16) * 3 - 2295; -} - -/* from libpqcrypto-20180314/crypto_kem/sntrup4591761/ref/rq_rounded.c */ -/* See https://ntruprime.cr.yp.to/software.html for detailed documentation. */ - - -static void rq_encoderounded(unsigned char *c,const modq *f) -{ - crypto_int32 f0, f1, f2; - int i; - - for (i = 0;i < p/3;++i) { - f0 = *f++ + qshift; - f1 = *f++ + qshift; - f2 = *f++ + qshift; - f0 = (21846 * f0) >> 16; - f1 = (21846 * f1) >> 16; - f2 = (21846 * f2) >> 16; - /* now want f0 + f1*1536 + f2*1536^2 as a 32-bit integer */ - f2 *= 3; - f1 += f2 << 9; - f1 *= 3; - f0 += f1 << 9; - *c++ = f0; f0 >>= 8; - *c++ = f0; f0 >>= 8; - *c++ = f0; f0 >>= 8; - *c++ = f0; - } - /* XXX: using p mod 3 = 2 */ - f0 = *f++ + qshift; - f1 = *f++ + qshift; - f0 = (21846 * f0) >> 16; - f1 = (21846 * f1) >> 16; - f1 *= 3; - f0 += f1 << 9; - *c++ = f0; f0 >>= 8; - *c++ = f0; f0 >>= 8; - *c++ = f0; -} - -static void rq_decoderounded(modq *f,const unsigned char *c) -{ - crypto_uint32 c0, c1, c2, c3; - crypto_uint32 f0, f1, f2; - int i; - - for (i = 0;i < p/3;++i) { - c0 = *c++; - c1 = *c++; - c2 = *c++; - c3 = *c++; - - /* f0 + f1*1536 + f2*1536^2 */ - /* = c0 + c1*256 + c2*256^2 + c3*256^3 */ - /* with each f between 0 and 1530 */ - - /* f2 = (64/9)c3 + (1/36)c2 + (1/9216)c1 + (1/2359296)c0 - [0,0.99675] */ - /* claim: 2^21 f2 < x < 2^21(f2+1) */ - /* where x = 14913081*c3 + 58254*c2 + 228*(c1+2) */ - /* proof: x - 2^21 f2 = 456 - (8/9)c0 + (4/9)c1 - (2/9)c2 + (1/9)c3 + 2^21 [0,0.99675] */ - /* at least 456 - (8/9)255 - (2/9)255 > 0 */ - /* at most 456 + (4/9)255 + (1/9)255 + 2^21 0.99675 < 2^21 */ - f2 = (14913081*c3 + 58254*c2 + 228*(c1+2)) >> 21; - - c2 += c3 << 8; - c2 -= (f2 * 9) << 2; - /* f0 + f1*1536 */ - /* = c0 + c1*256 + c2*256^2 */ - /* c2 <= 35 = floor((1530+1530*1536)/256^2) */ - /* f1 = (128/3)c2 + (1/6)c1 + (1/1536)c0 - (1/1536)f0 */ - /* claim: 2^21 f1 < x < 2^21(f1+1) */ - /* where x = 89478485*c2 + 349525*c1 + 1365*(c0+1) */ - /* proof: x - 2^21 f1 = 1365 - (1/3)c2 - (1/3)c1 - (1/3)c0 + (4096/3)f0 */ - /* at least 1365 - (1/3)35 - (1/3)255 - (1/3)255 > 0 */ - /* at most 1365 + (4096/3)1530 < 2^21 */ - f1 = (89478485*c2 + 349525*c1 + 1365*(c0+1)) >> 21; - - c1 += c2 << 8; - c1 -= (f1 * 3) << 1; - - c0 += c1 << 8; - f0 = c0; - - *f++ = modq_freeze(f0 * 3 + q - qshift); - *f++ = modq_freeze(f1 * 3 + q - qshift); - *f++ = modq_freeze(f2 * 3 + q - qshift); - } - - c0 = *c++; - c1 = *c++; - c2 = *c++; - - f1 = (89478485*c2 + 349525*c1 + 1365*(c0+1)) >> 21; - - c1 += c2 << 8; - c1 -= (f1 * 3) << 1; - - c0 += c1 << 8; - f0 = c0; - - *f++ = modq_freeze(f0 * 3 + q - qshift); - *f++ = modq_freeze(f1 * 3 + q - qshift); -} - -/* from libpqcrypto-20180314/crypto_kem/sntrup4591761/ref/small.c */ -/* See https://ntruprime.cr.yp.to/software.html for detailed documentation. */ - - -/* XXX: these functions rely on p mod 4 = 1 */ - -/* all coefficients in -1, 0, 1 */ -static void small_encode(unsigned char *c,const small *f) -{ - small c0; - int i; - - for (i = 0;i < p/4;++i) { - c0 = *f++ + 1; - c0 += (*f++ + 1) << 2; - c0 += (*f++ + 1) << 4; - c0 += (*f++ + 1) << 6; - *c++ = c0; - } - c0 = *f++ + 1; - *c++ = c0; -} - -static void small_decode(small *f,const unsigned char *c) -{ - unsigned char c0; - int i; - - for (i = 0;i < p/4;++i) { - c0 = *c++; - *f++ = ((small) (c0 & 3)) - 1; c0 >>= 2; - *f++ = ((small) (c0 & 3)) - 1; c0 >>= 2; - *f++ = ((small) (c0 & 3)) - 1; c0 >>= 2; - *f++ = ((small) (c0 & 3)) - 1; - } - c0 = *c++; - *f++ = ((small) (c0 & 3)) - 1; -} - -/* from libpqcrypto-20180314/crypto_kem/sntrup4591761/ref/swap.c */ -/* See https://ntruprime.cr.yp.to/software.html for detailed documentation. */ - - -static void swap(void *x,void *y,int bytes,int mask) -{ - int i; - char xi, yi, c, t; - - c = mask; - - for (i = 0;i < bytes;++i) { - xi = i[(char *) x]; - yi = i[(char *) y]; - t = c & (xi ^ yi); - xi ^= t; - yi ^= t; - i[(char *) x] = xi; - i[(char *) y] = yi; - } -} - diff --git a/sntrup4591761.sh b/sntrup4591761.sh deleted file mode 100644 index e684c3329..000000000 --- a/sntrup4591761.sh +++ /dev/null @@ -1,57 +0,0 @@ -#!/bin/sh -# $OpenBSD: sntrup4591761.sh,v 1.3 2019/01/30 19:51:15 markus Exp $ -# Placed in the Public Domain. -# -AUTHOR="libpqcrypto-20180314/crypto_kem/sntrup4591761/ref/implementors" -FILES=" - libpqcrypto-20180314/crypto_kem/sntrup4591761/ref/int32_sort.h - libpqcrypto-20180314/crypto_kem/sntrup4591761/ref/int32_sort.c - libpqcrypto-20180314/crypto_kem/sntrup4591761/ref/small.h - libpqcrypto-20180314/crypto_kem/sntrup4591761/ref/mod3.h - libpqcrypto-20180314/crypto_kem/sntrup4591761/ref/modq.h - libpqcrypto-20180314/crypto_kem/sntrup4591761/ref/params.h - libpqcrypto-20180314/crypto_kem/sntrup4591761/ref/r3.h - libpqcrypto-20180314/crypto_kem/sntrup4591761/ref/rq.h - libpqcrypto-20180314/crypto_kem/sntrup4591761/ref/swap.h - libpqcrypto-20180314/crypto_kem/sntrup4591761/ref/dec.c - libpqcrypto-20180314/crypto_kem/sntrup4591761/ref/enc.c - libpqcrypto-20180314/crypto_kem/sntrup4591761/ref/keypair.c - libpqcrypto-20180314/crypto_kem/sntrup4591761/ref/r3_mult.c - libpqcrypto-20180314/crypto_kem/sntrup4591761/ref/r3_recip.c - libpqcrypto-20180314/crypto_kem/sntrup4591761/ref/randomsmall.c - libpqcrypto-20180314/crypto_kem/sntrup4591761/ref/randomweightw.c - libpqcrypto-20180314/crypto_kem/sntrup4591761/ref/rq.c - libpqcrypto-20180314/crypto_kem/sntrup4591761/ref/rq_mult.c - libpqcrypto-20180314/crypto_kem/sntrup4591761/ref/rq_recip3.c - libpqcrypto-20180314/crypto_kem/sntrup4591761/ref/rq_round3.c - libpqcrypto-20180314/crypto_kem/sntrup4591761/ref/rq_rounded.c - libpqcrypto-20180314/crypto_kem/sntrup4591761/ref/small.c - libpqcrypto-20180314/crypto_kem/sntrup4591761/ref/swap.c -" -### - -set -e -cd $1 -echo -n '/* $' -echo 'OpenBSD: $ */' -echo -echo '/*' -echo ' * Public Domain, Authors:' -sed -e '/Alphabetical order:/d' -e 's/^/ * - /' < $AUTHOR -echo ' */' -echo -echo '#include ' -echo '#include "crypto_api.h"' -echo -for i in $FILES; do - echo "/* from $i */" - b=$(basename $i .c) - grep \ - -v '#include' $i | \ - grep -v "extern crypto_int32 small_random32" | - sed -e "s/crypto_kem_/crypto_kem_sntrup4591761_/g" \ - -e "s/smaller_mask/smaller_mask_${b}/g" \ - -e "s/^extern void /static void /" \ - -e "s/^void /static void /" - echo -done diff --git a/sntrup761.c b/sntrup761.c new file mode 100644 index 000000000..21b59bd4b --- /dev/null +++ b/sntrup761.c @@ -0,0 +1,1364 @@ +/* $OpenBSD: sntrup761.c,v 1.1 2020/12/29 00:59:15 djm Exp $ */ + +/* + * Public Domain, Authors: + * - Daniel J. Bernstein + * - Chitchanok Chuengsatiansup + * - Tanja Lange + * - Christine van Vredendaal + */ + +#include "includes.h" + +#include +#include "crypto_api.h" + +#define CRYPTO_NAMESPACE(s) s + +/* from supercop-20201130/crypto_sort/int32/portable4/int32_minmax.inc */ +#define int32_MINMAX(a,b) \ +do { \ + int32 ab = b ^ a; \ + int32 c = b - a; \ + c ^= ab & (c ^ b); \ + c >>= 31; \ + c &= ab; \ + a ^= c; \ + b ^= c; \ +} while(0) + +/* from supercop-20201130/crypto_sort/int32/portable4/sort.c */ +#define int32 crypto_int32 + + +static void crypto_sort_int32(void *array,long long n) +{ + long long top,p,q,r,i,j; + int32 *x = array; + + if (n < 2) return; + top = 1; + while (top < n - top) top += top; + + for (p = top;p >= 1;p >>= 1) { + i = 0; + while (i + 2 * p <= n) { + for (j = i;j < i + p;++j) + int32_MINMAX(x[j],x[j+p]); + i += 2 * p; + } + for (j = i;j < n - p;++j) + int32_MINMAX(x[j],x[j+p]); + + i = 0; + j = 0; + for (q = top;q > p;q >>= 1) { + if (j != i) for (;;) { + if (j == n - q) goto done; + int32 a = x[j + p]; + for (r = q;r > p;r >>= 1) + int32_MINMAX(a,x[j + r]); + x[j + p] = a; + ++j; + if (j == i + p) { + i += 2 * p; + break; + } + } + while (i + p <= n - q) { + for (j = i;j < i + p;++j) { + int32 a = x[j + p]; + for (r = q;r > p;r >>= 1) + int32_MINMAX(a,x[j+r]); + x[j + p] = a; + } + i += 2 * p; + } + /* now i + p > n - q */ + j = i; + while (j < n - q) { + int32 a = x[j + p]; + for (r = q;r > p;r >>= 1) + int32_MINMAX(a,x[j+r]); + x[j + p] = a; + ++j; + } + + done: ; + } + } +} + +/* from supercop-20201130/crypto_sort/uint32/useint32/sort.c */ + +/* can save time by vectorizing xor loops */ +/* can save time by integrating xor loops with int32_sort */ + +static void crypto_sort_uint32(void *array,long long n) +{ + crypto_uint32 *x = array; + long long j; + for (j = 0;j < n;++j) x[j] ^= 0x80000000; + crypto_sort_int32(array,n); + for (j = 0;j < n;++j) x[j] ^= 0x80000000; +} + +/* from supercop-20201130/crypto_kem/sntrup761/ref/uint64.h */ +#ifndef UINT64_H +#define UINT64_H + + +typedef uint64_t uint64; + +#endif + +/* from supercop-20201130/crypto_kem/sntrup761/ref/uint16.h */ +#ifndef UINT16_H +#define UINT16_H + +typedef uint16_t uint16; + +#endif + +/* from supercop-20201130/crypto_kem/sntrup761/ref/uint32.h */ +#ifndef UINT32_H +#define UINT32_H + +#define uint32_div_uint14 CRYPTO_NAMESPACE(uint32_div_uint14) +#define uint32_mod_uint14 CRYPTO_NAMESPACE(uint32_mod_uint14) +#define uint32_divmod_uint14 CRYPTO_NAMESPACE(uint32_divmod_uint14) + + +typedef uint32_t uint32; + +/* +assuming 1 <= m < 16384: +q = uint32_div_uint14(x,m) means q = x/m +r = uint32_mod_uint14(x,m) means r = x/m +uint32_moddiv_uint14(&q,&r,x,m) means q = x/m, r = x%m +*/ + +extern uint32 uint32_div_uint14(uint32,uint16); +extern uint16 uint32_mod_uint14(uint32,uint16); +static void uint32_divmod_uint14(uint32 *,uint16 *,uint32,uint16); + +#endif + +/* from supercop-20201130/crypto_kem/sntrup761/ref/int8.h */ +#ifndef INT8_H +#define INT8_H + +typedef int8_t int8; + +#endif + +/* from supercop-20201130/crypto_kem/sntrup761/ref/int16.h */ +#ifndef INT16_H +#define INT16_H + +typedef int16_t int16; + +#endif + +/* from supercop-20201130/crypto_kem/sntrup761/ref/int32.h */ +#ifndef INT32_H +#define INT32_H + +#define int32_div_uint14 CRYPTO_NAMESPACE(int32_div_uint14) +#define int32_mod_uint14 CRYPTO_NAMESPACE(int32_mod_uint14) +#define int32_divmod_uint14 CRYPTO_NAMESPACE(int32_divmod_uint14) + + +typedef int32_t int32; + +/* +assuming 1 <= m < 16384: +q = int32_div_uint14(x,m) means q = x/m +r = int32_mod_uint14(x,m) means r = x/m +int32_moddiv_uint14(&q,&r,x,m) means q = x/m, r = x%m +*/ + +extern int32 int32_div_uint14(int32,uint16); +extern uint16 int32_mod_uint14(int32,uint16); +static void int32_divmod_uint14(int32 *,uint16 *,int32,uint16); + +#endif + +/* from supercop-20201130/crypto_kem/sntrup761/ref/uint32.c */ + +/* +CPU division instruction typically takes time depending on x. +This software is designed to take time independent of x. +Time still varies depending on m; user must ensure that m is constant. +Time also varies on CPUs where multiplication is variable-time. +There could be more CPU issues. +There could also be compiler issues. +*/ + +static void uint32_divmod_uint14(uint32 *q,uint16 *r,uint32 x,uint16 m) +{ + uint32 v = 0x80000000; + uint32 qpart; + uint32 mask; + + v /= m; + + /* caller guarantees m > 0 */ + /* caller guarantees m < 16384 */ + /* vm <= 2^31 <= vm+m-1 */ + /* xvm <= 2^31 x <= xvm+x(m-1) */ + + *q = 0; + + qpart = (x*(uint64)v)>>31; + /* 2^31 qpart <= xv <= 2^31 qpart + 2^31-1 */ + /* 2^31 qpart m <= xvm <= 2^31 qpart m + (2^31-1)m */ + /* 2^31 qpart m <= 2^31 x <= 2^31 qpart m + (2^31-1)m + x(m-1) */ + /* 0 <= 2^31 newx <= (2^31-1)m + x(m-1) */ + /* 0 <= newx <= (1-1/2^31)m + x(m-1)/2^31 */ + /* 0 <= newx <= (1-1/2^31)(2^14-1) + (2^32-1)((2^14-1)-1)/2^31 */ + + x -= qpart*m; *q += qpart; + /* x <= 49146 */ + + qpart = (x*(uint64)v)>>31; + /* 0 <= newx <= (1-1/2^31)m + x(m-1)/2^31 */ + /* 0 <= newx <= m + 49146(2^14-1)/2^31 */ + /* 0 <= newx <= m + 0.4 */ + /* 0 <= newx <= m */ + + x -= qpart*m; *q += qpart; + /* x <= m */ + + x -= m; *q += 1; + mask = -(x>>31); + x += mask&(uint32)m; *q += mask; + /* x < m */ + + *r = x; +} + +uint32 uint32_div_uint14(uint32 x,uint16 m) +{ + uint32 q; + uint16 r; + uint32_divmod_uint14(&q,&r,x,m); + return q; +} + +uint16 uint32_mod_uint14(uint32 x,uint16 m) +{ + uint32 q; + uint16 r; + uint32_divmod_uint14(&q,&r,x,m); + return r; +} + +/* from supercop-20201130/crypto_kem/sntrup761/ref/int32.c */ + +static void int32_divmod_uint14(int32 *q,uint16 *r,int32 x,uint16 m) +{ + uint32 uq,uq2; + uint16 ur,ur2; + uint32 mask; + + uint32_divmod_uint14(&uq,&ur,0x80000000+(uint32)x,m); + uint32_divmod_uint14(&uq2,&ur2,0x80000000,m); + ur -= ur2; uq -= uq2; + mask = -(uint32)(ur>>15); + ur += mask&m; uq += mask; + *r = ur; *q = uq; +} + +int32 int32_div_uint14(int32 x,uint16 m) +{ + int32 q; + uint16 r; + int32_divmod_uint14(&q,&r,x,m); + return q; +} + +uint16 int32_mod_uint14(int32 x,uint16 m) +{ + int32 q; + uint16 r; + int32_divmod_uint14(&q,&r,x,m); + return r; +} + +/* from supercop-20201130/crypto_kem/sntrup761/ref/paramsmenu.h */ +/* pick one of these three: */ +#define SIZE761 +#undef SIZE653 +#undef SIZE857 + +/* pick one of these two: */ +#define SNTRUP /* Streamlined NTRU Prime */ +#undef LPR /* NTRU LPRime */ + +/* from supercop-20201130/crypto_kem/sntrup761/ref/params.h */ +#ifndef params_H +#define params_H + +/* menu of parameter choices: */ + + +/* what the menu means: */ + +#if defined(SIZE761) +#define p 761 +#define q 4591 +#define Rounded_bytes 1007 +#ifndef LPR +#define Rq_bytes 1158 +#define w 286 +#else +#define w 250 +#define tau0 2156 +#define tau1 114 +#define tau2 2007 +#define tau3 287 +#endif + +#elif defined(SIZE653) +#define p 653 +#define q 4621 +#define Rounded_bytes 865 +#ifndef LPR +#define Rq_bytes 994 +#define w 288 +#else +#define w 252 +#define tau0 2175 +#define tau1 113 +#define tau2 2031 +#define tau3 290 +#endif + +#elif defined(SIZE857) +#define p 857 +#define q 5167 +#define Rounded_bytes 1152 +#ifndef LPR +#define Rq_bytes 1322 +#define w 322 +#else +#define w 281 +#define tau0 2433 +#define tau1 101 +#define tau2 2265 +#define tau3 324 +#endif + +#else +#error "no parameter set defined" +#endif + +#ifdef LPR +#define I 256 +#endif + +#endif + +/* from supercop-20201130/crypto_kem/sntrup761/ref/Decode.h */ +#ifndef Decode_H +#define Decode_H + +#define Decode CRYPTO_NAMESPACE(Decode) + +/* Decode(R,s,M,len) */ +/* assumes 0 < M[i] < 16384 */ +/* produces 0 <= R[i] < M[i] */ +static void Decode(uint16 *,const unsigned char *,const uint16 *,long long); + +#endif + +/* from supercop-20201130/crypto_kem/sntrup761/ref/Decode.c */ + +static void Decode(uint16 *out,const unsigned char *S,const uint16 *M,long long len) +{ + if (len == 1) { + if (M[0] == 1) + *out = 0; + else if (M[0] <= 256) + *out = uint32_mod_uint14(S[0],M[0]); + else + *out = uint32_mod_uint14(S[0]+(((uint16)S[1])<<8),M[0]); + } + if (len > 1) { + uint16 R2[(len+1)/2]; + uint16 M2[(len+1)/2]; + uint16 bottomr[len/2]; + uint32 bottomt[len/2]; + long long i; + for (i = 0;i < len-1;i += 2) { + uint32 m = M[i]*(uint32) M[i+1]; + if (m > 256*16383) { + bottomt[i/2] = 256*256; + bottomr[i/2] = S[0]+256*S[1]; + S += 2; + M2[i/2] = (((m+255)>>8)+255)>>8; + } else if (m >= 16384) { + bottomt[i/2] = 256; + bottomr[i/2] = S[0]; + S += 1; + M2[i/2] = (m+255)>>8; + } else { + bottomt[i/2] = 1; + bottomr[i/2] = 0; + M2[i/2] = m; + } + } + if (i < len) + M2[i/2] = M[i]; + Decode(R2,S,M2,(len+1)/2); + for (i = 0;i < len-1;i += 2) { + uint32 r = bottomr[i/2]; + uint32 r1; + uint16 r0; + r += bottomt[i/2]*R2[i/2]; + uint32_divmod_uint14(&r1,&r0,r,M[i]); + r1 = uint32_mod_uint14(r1,M[i+1]); /* only needed for invalid inputs */ + *out++ = r0; + *out++ = r1; + } + if (i < len) + *out++ = R2[i/2]; + } +} + +/* from supercop-20201130/crypto_kem/sntrup761/ref/Encode.h */ +#ifndef Encode_H +#define Encode_H + +#define Encode CRYPTO_NAMESPACE(Encode) + +/* Encode(s,R,M,len) */ +/* assumes 0 <= R[i] < M[i] < 16384 */ +static void Encode(unsigned char *,const uint16 *,const uint16 *,long long); + +#endif + +/* from supercop-20201130/crypto_kem/sntrup761/ref/Encode.c */ + +/* 0 <= R[i] < M[i] < 16384 */ +static void Encode(unsigned char *out,const uint16 *R,const uint16 *M,long long len) +{ + if (len == 1) { + uint16 r = R[0]; + uint16 m = M[0]; + while (m > 1) { + *out++ = r; + r >>= 8; + m = (m+255)>>8; + } + } + if (len > 1) { + uint16 R2[(len+1)/2]; + uint16 M2[(len+1)/2]; + long long i; + for (i = 0;i < len-1;i += 2) { + uint32 m0 = M[i]; + uint32 r = R[i]+R[i+1]*m0; + uint32 m = M[i+1]*m0; + while (m >= 16384) { + *out++ = r; + r >>= 8; + m = (m+255)>>8; + } + R2[i/2] = r; + M2[i/2] = m; + } + if (i < len) { + R2[i/2] = R[i]; + M2[i/2] = M[i]; + } + Encode(out,R2,M2,(len+1)/2); + } +} + +/* from supercop-20201130/crypto_kem/sntrup761/ref/kem.c */ + +#ifdef LPR +#endif + + +/* ----- masks */ + +#ifndef LPR + +/* return -1 if x!=0; else return 0 */ +static int int16_nonzero_mask(int16 x) +{ + uint16 u = x; /* 0, else 1...65535 */ + uint32 v = u; /* 0, else 1...65535 */ + v = -v; /* 0, else 2^32-65535...2^32-1 */ + v >>= 31; /* 0, else 1 */ + return -v; /* 0, else -1 */ +} + +#endif + +/* return -1 if x<0; otherwise return 0 */ +static int int16_negative_mask(int16 x) +{ + uint16 u = x; + u >>= 15; + return -(int) u; + /* alternative with gcc -fwrapv: */ + /* x>>15 compiles to CPU's arithmetic right shift */ +} + +/* ----- arithmetic mod 3 */ + +typedef int8 small; + +/* F3 is always represented as -1,0,1 */ +/* so ZZ_fromF3 is a no-op */ + +/* x must not be close to top int16 */ +static small F3_freeze(int16 x) +{ + return int32_mod_uint14(x+1,3)-1; +} + +/* ----- arithmetic mod q */ + +#define q12 ((q-1)/2) +typedef int16 Fq; +/* always represented as -q12...q12 */ +/* so ZZ_fromFq is a no-op */ + +/* x must not be close to top int32 */ +static Fq Fq_freeze(int32 x) +{ + return int32_mod_uint14(x+q12,q)-q12; +} + +#ifndef LPR + +static Fq Fq_recip(Fq a1) +{ + int i = 1; + Fq ai = a1; + + while (i < q-2) { + ai = Fq_freeze(a1*(int32)ai); + i += 1; + } + return ai; +} + +#endif + +/* ----- Top and Right */ + +#ifdef LPR +#define tau 16 + +static int8 Top(Fq C) +{ + return (tau1*(int32)(C+tau0)+16384)>>15; +} + +static Fq Right(int8 T) +{ + return Fq_freeze(tau3*(int32)T-tau2); +} +#endif + +/* ----- small polynomials */ + +#ifndef LPR + +/* 0 if Weightw_is(r), else -1 */ +static int Weightw_mask(small *r) +{ + int weight = 0; + int i; + + for (i = 0;i < p;++i) weight += r[i]&1; + return int16_nonzero_mask(weight-w); +} + +/* R3_fromR(R_fromRq(r)) */ +static void R3_fromRq(small *out,const Fq *r) +{ + int i; + for (i = 0;i < p;++i) out[i] = F3_freeze(r[i]); +} + +/* h = f*g in the ring R3 */ +static void R3_mult(small *h,const small *f,const small *g) +{ + small fg[p+p-1]; + small result; + int i,j; + + for (i = 0;i < p;++i) { + result = 0; + for (j = 0;j <= i;++j) result = F3_freeze(result+f[j]*g[i-j]); + fg[i] = result; + } + for (i = p;i < p+p-1;++i) { + result = 0; + for (j = i-p+1;j < p;++j) result = F3_freeze(result+f[j]*g[i-j]); + fg[i] = result; + } + + for (i = p+p-2;i >= p;--i) { + fg[i-p] = F3_freeze(fg[i-p]+fg[i]); + fg[i-p+1] = F3_freeze(fg[i-p+1]+fg[i]); + } + + for (i = 0;i < p;++i) h[i] = fg[i]; +} + +/* returns 0 if recip succeeded; else -1 */ +static int R3_recip(small *out,const small *in) +{ + small f[p+1],g[p+1],v[p+1],r[p+1]; + int i,loop,delta; + int sign,swap,t; + + for (i = 0;i < p+1;++i) v[i] = 0; + for (i = 0;i < p+1;++i) r[i] = 0; + r[0] = 1; + for (i = 0;i < p;++i) f[i] = 0; + f[0] = 1; f[p-1] = f[p] = -1; + for (i = 0;i < p;++i) g[p-1-i] = in[i]; + g[p] = 0; + + delta = 1; + + for (loop = 0;loop < 2*p-1;++loop) { + for (i = p;i > 0;--i) v[i] = v[i-1]; + v[0] = 0; + + sign = -g[0]*f[0]; + swap = int16_negative_mask(-delta) & int16_nonzero_mask(g[0]); + delta ^= swap&(delta^-delta); + delta += 1; + + for (i = 0;i < p+1;++i) { + t = swap&(f[i]^g[i]); f[i] ^= t; g[i] ^= t; + t = swap&(v[i]^r[i]); v[i] ^= t; r[i] ^= t; + } + + for (i = 0;i < p+1;++i) g[i] = F3_freeze(g[i]+sign*f[i]); + for (i = 0;i < p+1;++i) r[i] = F3_freeze(r[i]+sign*v[i]); + + for (i = 0;i < p;++i) g[i] = g[i+1]; + g[p] = 0; + } + + sign = f[0]; + for (i = 0;i < p;++i) out[i] = sign*v[p-1-i]; + + return int16_nonzero_mask(delta); +} + +#endif + +/* ----- polynomials mod q */ + +/* h = f*g in the ring Rq */ +static void Rq_mult_small(Fq *h,const Fq *f,const small *g) +{ + Fq fg[p+p-1]; + Fq result; + int i,j; + + for (i = 0;i < p;++i) { + result = 0; + for (j = 0;j <= i;++j) result = Fq_freeze(result+f[j]*(int32)g[i-j]); + fg[i] = result; + } + for (i = p;i < p+p-1;++i) { + result = 0; + for (j = i-p+1;j < p;++j) result = Fq_freeze(result+f[j]*(int32)g[i-j]); + fg[i] = result; + } + + for (i = p+p-2;i >= p;--i) { + fg[i-p] = Fq_freeze(fg[i-p]+fg[i]); + fg[i-p+1] = Fq_freeze(fg[i-p+1]+fg[i]); + } + + for (i = 0;i < p;++i) h[i] = fg[i]; +} + +#ifndef LPR + +/* h = 3f in Rq */ +static void Rq_mult3(Fq *h,const Fq *f) +{ + int i; + + for (i = 0;i < p;++i) h[i] = Fq_freeze(3*f[i]); +} + +/* out = 1/(3*in) in Rq */ +/* returns 0 if recip succeeded; else -1 */ +static int Rq_recip3(Fq *out,const small *in) +{ + Fq f[p+1],g[p+1],v[p+1],r[p+1]; + int i,loop,delta; + int swap,t; + int32 f0,g0; + Fq scale; + + for (i = 0;i < p+1;++i) v[i] = 0; + for (i = 0;i < p+1;++i) r[i] = 0; + r[0] = Fq_recip(3); + for (i = 0;i < p;++i) f[i] = 0; + f[0] = 1; f[p-1] = f[p] = -1; + for (i = 0;i < p;++i) g[p-1-i] = in[i]; + g[p] = 0; + + delta = 1; + + for (loop = 0;loop < 2*p-1;++loop) { + for (i = p;i > 0;--i) v[i] = v[i-1]; + v[0] = 0; + + swap = int16_negative_mask(-delta) & int16_nonzero_mask(g[0]); + delta ^= swap&(delta^-delta); + delta += 1; + + for (i = 0;i < p+1;++i) { + t = swap&(f[i]^g[i]); f[i] ^= t; g[i] ^= t; + t = swap&(v[i]^r[i]); v[i] ^= t; r[i] ^= t; + } + + f0 = f[0]; + g0 = g[0]; + for (i = 0;i < p+1;++i) g[i] = Fq_freeze(f0*g[i]-g0*f[i]); + for (i = 0;i < p+1;++i) r[i] = Fq_freeze(f0*r[i]-g0*v[i]); + + for (i = 0;i < p;++i) g[i] = g[i+1]; + g[p] = 0; + } + + scale = Fq_recip(f[0]); + for (i = 0;i < p;++i) out[i] = Fq_freeze(scale*(int32)v[p-1-i]); + + return int16_nonzero_mask(delta); +} + +#endif + +/* ----- rounded polynomials mod q */ + +static void Round(Fq *out,const Fq *a) +{ + int i; + for (i = 0;i < p;++i) out[i] = a[i]-F3_freeze(a[i]); +} + +/* ----- sorting to generate short polynomial */ + +static void Short_fromlist(small *out,const uint32 *in) +{ + uint32 L[p]; + int i; + + for (i = 0;i < w;++i) L[i] = in[i]&(uint32)-2; + for (i = w;i < p;++i) L[i] = (in[i]&(uint32)-3)|1; + crypto_sort_uint32(L,p); + for (i = 0;i < p;++i) out[i] = (L[i]&3)-1; +} + +/* ----- underlying hash function */ + +#define Hash_bytes 32 + +/* e.g., b = 0 means out = Hash0(in) */ +static void Hash_prefix(unsigned char *out,int b,const unsigned char *in,int inlen) +{ + unsigned char x[inlen+1]; + unsigned char h[64]; + int i; + + x[0] = b; + for (i = 0;i < inlen;++i) x[i+1] = in[i]; + crypto_hash_sha512(h,x,inlen+1); + for (i = 0;i < 32;++i) out[i] = h[i]; +} + +/* ----- higher-level randomness */ + +static uint32 urandom32(void) +{ + unsigned char c[4]; + uint32 out[4]; + + randombytes(c,4); + out[0] = (uint32)c[0]; + out[1] = ((uint32)c[1])<<8; + out[2] = ((uint32)c[2])<<16; + out[3] = ((uint32)c[3])<<24; + return out[0]+out[1]+out[2]+out[3]; +} + +static void Short_random(small *out) +{ + uint32 L[p]; + int i; + + for (i = 0;i < p;++i) L[i] = urandom32(); + Short_fromlist(out,L); +} + +#ifndef LPR + +static void Small_random(small *out) +{ + int i; + + for (i = 0;i < p;++i) out[i] = (((urandom32()&0x3fffffff)*3)>>30)-1; +} + +#endif + +/* ----- Streamlined NTRU Prime Core */ + +#ifndef LPR + +/* h,(f,ginv) = KeyGen() */ +static void KeyGen(Fq *h,small *f,small *ginv) +{ + small g[p]; + Fq finv[p]; + + for (;;) { + Small_random(g); + if (R3_recip(ginv,g) == 0) break; + } + Short_random(f); + Rq_recip3(finv,f); /* always works */ + Rq_mult_small(h,finv,g); +} + +/* c = Encrypt(r,h) */ +static void Encrypt(Fq *c,const small *r,const Fq *h) +{ + Fq hr[p]; + + Rq_mult_small(hr,h,r); + Round(c,hr); +} + +/* r = Decrypt(c,(f,ginv)) */ +static void Decrypt(small *r,const Fq *c,const small *f,const small *ginv) +{ + Fq cf[p]; + Fq cf3[p]; + small e[p]; + small ev[p]; + int mask; + int i; + + Rq_mult_small(cf,c,f); + Rq_mult3(cf3,cf); + R3_fromRq(e,cf3); + R3_mult(ev,e,ginv); + + mask = Weightw_mask(ev); /* 0 if weight w, else -1 */ + for (i = 0;i < w;++i) r[i] = ((ev[i]^1)&~mask)^1; + for (i = w;i < p;++i) r[i] = ev[i]&~mask; +} + +#endif + +/* ----- NTRU LPRime Core */ + +#ifdef LPR + +/* (G,A),a = KeyGen(G); leaves G unchanged */ +static void KeyGen(Fq *A,small *a,const Fq *G) +{ + Fq aG[p]; + + Short_random(a); + Rq_mult_small(aG,G,a); + Round(A,aG); +} + +/* B,T = Encrypt(r,(G,A),b) */ +static void Encrypt(Fq *B,int8 *T,const int8 *r,const Fq *G,const Fq *A,const small *b) +{ + Fq bG[p]; + Fq bA[p]; + int i; + + Rq_mult_small(bG,G,b); + Round(B,bG); + Rq_mult_small(bA,A,b); + for (i = 0;i < I;++i) T[i] = Top(Fq_freeze(bA[i]+r[i]*q12)); +} + +/* r = Decrypt((B,T),a) */ +static void Decrypt(int8 *r,const Fq *B,const int8 *T,const small *a) +{ + Fq aB[p]; + int i; + + Rq_mult_small(aB,B,a); + for (i = 0;i < I;++i) + r[i] = -int16_negative_mask(Fq_freeze(Right(T[i])-aB[i]+4*w+1)); +} + +#endif + +/* ----- encoding I-bit inputs */ + +#ifdef LPR + +#define Inputs_bytes (I/8) +typedef int8 Inputs[I]; /* passed by reference */ + +static void Inputs_encode(unsigned char *s,const Inputs r) +{ + int i; + for (i = 0;i < Inputs_bytes;++i) s[i] = 0; + for (i = 0;i < I;++i) s[i>>3] |= r[i]<<(i&7); +} + +#endif + +/* ----- Expand */ + +#ifdef LPR + +static const unsigned char aes_nonce[16] = {0}; + +static void Expand(uint32 *L,const unsigned char *k) +{ + int i; + crypto_stream_aes256ctr((unsigned char *) L,4*p,aes_nonce,k); + for (i = 0;i < p;++i) { + uint32 L0 = ((unsigned char *) L)[4*i]; + uint32 L1 = ((unsigned char *) L)[4*i+1]; + uint32 L2 = ((unsigned char *) L)[4*i+2]; + uint32 L3 = ((unsigned char *) L)[4*i+3]; + L[i] = L0+(L1<<8)+(L2<<16)+(L3<<24); + } +} + +#endif + +/* ----- Seeds */ + +#ifdef LPR + +#define Seeds_bytes 32 + +static void Seeds_random(unsigned char *s) +{ + randombytes(s,Seeds_bytes); +} + +#endif + +/* ----- Generator, HashShort */ + +#ifdef LPR + +/* G = Generator(k) */ +static void Generator(Fq *G,const unsigned char *k) +{ + uint32 L[p]; + int i; + + Expand(L,k); + for (i = 0;i < p;++i) G[i] = uint32_mod_uint14(L[i],q)-q12; +} + +/* out = HashShort(r) */ +static void HashShort(small *out,const Inputs r) +{ + unsigned char s[Inputs_bytes]; + unsigned char h[Hash_bytes]; + uint32 L[p]; + + Inputs_encode(s,r); + Hash_prefix(h,5,s,sizeof s); + Expand(L,h); + Short_fromlist(out,L); +} + +#endif + +/* ----- NTRU LPRime Expand */ + +#ifdef LPR + +/* (S,A),a = XKeyGen() */ +static void XKeyGen(unsigned char *S,Fq *A,small *a) +{ + Fq G[p]; + + Seeds_random(S); + Generator(G,S); + KeyGen(A,a,G); +} + +/* B,T = XEncrypt(r,(S,A)) */ +static void XEncrypt(Fq *B,int8 *T,const int8 *r,const unsigned char *S,const Fq *A) +{ + Fq G[p]; + small b[p]; + + Generator(G,S); + HashShort(b,r); + Encrypt(B,T,r,G,A,b); +} + +#define XDecrypt Decrypt + +#endif + +/* ----- encoding small polynomials (including short polynomials) */ + +#define Small_bytes ((p+3)/4) + +/* these are the only functions that rely on p mod 4 = 1 */ + +static void Small_encode(unsigned char *s,const small *f) +{ + small x; + int i; + + for (i = 0;i < p/4;++i) { + x = *f++ + 1; + x += (*f++ + 1)<<2; + x += (*f++ + 1)<<4; + x += (*f++ + 1)<<6; + *s++ = x; + } + x = *f++ + 1; + *s++ = x; +} + +static void Small_decode(small *f,const unsigned char *s) +{ + unsigned char x; + int i; + + for (i = 0;i < p/4;++i) { + x = *s++; + *f++ = ((small)(x&3))-1; x >>= 2; + *f++ = ((small)(x&3))-1; x >>= 2; + *f++ = ((small)(x&3))-1; x >>= 2; + *f++ = ((small)(x&3))-1; + } + x = *s++; + *f++ = ((small)(x&3))-1; +} + +/* ----- encoding general polynomials */ + +#ifndef LPR + +static void Rq_encode(unsigned char *s,const Fq *r) +{ + uint16 R[p],M[p]; + int i; + + for (i = 0;i < p;++i) R[i] = r[i]+q12; + for (i = 0;i < p;++i) M[i] = q; + Encode(s,R,M,p); +} + +static void Rq_decode(Fq *r,const unsigned char *s) +{ + uint16 R[p],M[p]; + int i; + + for (i = 0;i < p;++i) M[i] = q; + Decode(R,s,M,p); + for (i = 0;i < p;++i) r[i] = ((Fq)R[i])-q12; +} + +#endif + +/* ----- encoding rounded polynomials */ + +static void Rounded_encode(unsigned char *s,const Fq *r) +{ + uint16 R[p],M[p]; + int i; + + for (i = 0;i < p;++i) R[i] = ((r[i]+q12)*10923)>>15; + for (i = 0;i < p;++i) M[i] = (q+2)/3; + Encode(s,R,M,p); +} + +static void Rounded_decode(Fq *r,const unsigned char *s) +{ + uint16 R[p],M[p]; + int i; + + for (i = 0;i < p;++i) M[i] = (q+2)/3; + Decode(R,s,M,p); + for (i = 0;i < p;++i) r[i] = R[i]*3-q12; +} + +/* ----- encoding top polynomials */ + +#ifdef LPR + +#define Top_bytes (I/2) + +static void Top_encode(unsigned char *s,const int8 *T) +{ + int i; + for (i = 0;i < Top_bytes;++i) + s[i] = T[2*i]+(T[2*i+1]<<4); +} + +static void Top_decode(int8 *T,const unsigned char *s) +{ + int i; + for (i = 0;i < Top_bytes;++i) { + T[2*i] = s[i]&15; + T[2*i+1] = s[i]>>4; + } +} + +#endif + +/* ----- Streamlined NTRU Prime Core plus encoding */ + +#ifndef LPR + +typedef small Inputs[p]; /* passed by reference */ +#define Inputs_random Short_random +#define Inputs_encode Small_encode +#define Inputs_bytes Small_bytes + +#define Ciphertexts_bytes Rounded_bytes +#define SecretKeys_bytes (2*Small_bytes) +#define PublicKeys_bytes Rq_bytes + +/* pk,sk = ZKeyGen() */ +static void ZKeyGen(unsigned char *pk,unsigned char *sk) +{ + Fq h[p]; + small f[p],v[p]; + + KeyGen(h,f,v); + Rq_encode(pk,h); + Small_encode(sk,f); sk += Small_bytes; + Small_encode(sk,v); +} + +/* C = ZEncrypt(r,pk) */ +static void ZEncrypt(unsigned char *C,const Inputs r,const unsigned char *pk) +{ + Fq h[p]; + Fq c[p]; + Rq_decode(h,pk); + Encrypt(c,r,h); + Rounded_encode(C,c); +} + +/* r = ZDecrypt(C,sk) */ +static void ZDecrypt(Inputs r,const unsigned char *C,const unsigned char *sk) +{ + small f[p],v[p]; + Fq c[p]; + + Small_decode(f,sk); sk += Small_bytes; + Small_decode(v,sk); + Rounded_decode(c,C); + Decrypt(r,c,f,v); +} + +#endif + +/* ----- NTRU LPRime Expand plus encoding */ + +#ifdef LPR + +#define Ciphertexts_bytes (Rounded_bytes+Top_bytes) +#define SecretKeys_bytes Small_bytes +#define PublicKeys_bytes (Seeds_bytes+Rounded_bytes) + +static void Inputs_random(Inputs r) +{ + unsigned char s[Inputs_bytes]; + int i; + + randombytes(s,sizeof s); + for (i = 0;i < I;++i) r[i] = 1&(s[i>>3]>>(i&7)); +} + +/* pk,sk = ZKeyGen() */ +static void ZKeyGen(unsigned char *pk,unsigned char *sk) +{ + Fq A[p]; + small a[p]; + + XKeyGen(pk,A,a); pk += Seeds_bytes; + Rounded_encode(pk,A); + Small_encode(sk,a); +} + +/* c = ZEncrypt(r,pk) */ +static void ZEncrypt(unsigned char *c,const Inputs r,const unsigned char *pk) +{ + Fq A[p]; + Fq B[p]; + int8 T[I]; + + Rounded_decode(A,pk+Seeds_bytes); + XEncrypt(B,T,r,pk,A); + Rounded_encode(c,B); c += Rounded_bytes; + Top_encode(c,T); +} + +/* r = ZDecrypt(C,sk) */ +static void ZDecrypt(Inputs r,const unsigned char *c,const unsigned char *sk) +{ + small a[p]; + Fq B[p]; + int8 T[I]; + + Small_decode(a,sk); + Rounded_decode(B,c); + Top_decode(T,c+Rounded_bytes); + XDecrypt(r,B,T,a); +} + +#endif + +/* ----- confirmation hash */ + +#define Confirm_bytes 32 + +/* h = HashConfirm(r,pk,cache); cache is Hash4(pk) */ +static void HashConfirm(unsigned char *h,const unsigned char *r,const unsigned char *pk,const unsigned char *cache) +{ +#ifndef LPR + unsigned char x[Hash_bytes*2]; + int i; + + Hash_prefix(x,3,r,Inputs_bytes); + for (i = 0;i < Hash_bytes;++i) x[Hash_bytes+i] = cache[i]; +#else + unsigned char x[Inputs_bytes+Hash_bytes]; + int i; + + for (i = 0;i < Inputs_bytes;++i) x[i] = r[i]; + for (i = 0;i < Hash_bytes;++i) x[Inputs_bytes+i] = cache[i]; +#endif + Hash_prefix(h,2,x,sizeof x); +} + +/* ----- session-key hash */ + +/* k = HashSession(b,y,z) */ +static void HashSession(unsigned char *k,int b,const unsigned char *y,const unsigned char *z) +{ +#ifndef LPR + unsigned char x[Hash_bytes+Ciphertexts_bytes+Confirm_bytes]; + int i; + + Hash_prefix(x,3,y,Inputs_bytes); + for (i = 0;i < Ciphertexts_bytes+Confirm_bytes;++i) x[Hash_bytes+i] = z[i]; +#else + unsigned char x[Inputs_bytes+Ciphertexts_bytes+Confirm_bytes]; + int i; + + for (i = 0;i < Inputs_bytes;++i) x[i] = y[i]; + for (i = 0;i < Ciphertexts_bytes+Confirm_bytes;++i) x[Inputs_bytes+i] = z[i]; +#endif + Hash_prefix(k,b,x,sizeof x); +} + +/* ----- Streamlined NTRU Prime and NTRU LPRime */ + +/* pk,sk = KEM_KeyGen() */ +static void KEM_KeyGen(unsigned char *pk,unsigned char *sk) +{ + int i; + + ZKeyGen(pk,sk); sk += SecretKeys_bytes; + for (i = 0;i < PublicKeys_bytes;++i) *sk++ = pk[i]; + randombytes(sk,Inputs_bytes); sk += Inputs_bytes; + Hash_prefix(sk,4,pk,PublicKeys_bytes); +} + +/* c,r_enc = Hide(r,pk,cache); cache is Hash4(pk) */ +static void Hide(unsigned char *c,unsigned char *r_enc,const Inputs r,const unsigned char *pk,const unsigned char *cache) +{ + Inputs_encode(r_enc,r); + ZEncrypt(c,r,pk); c += Ciphertexts_bytes; + HashConfirm(c,r_enc,pk,cache); +} + +/* c,k = Encap(pk) */ +static void Encap(unsigned char *c,unsigned char *k,const unsigned char *pk) +{ + Inputs r; + unsigned char r_enc[Inputs_bytes]; + unsigned char cache[Hash_bytes]; + + Hash_prefix(cache,4,pk,PublicKeys_bytes); + Inputs_random(r); + Hide(c,r_enc,r,pk,cache); + HashSession(k,1,r_enc,c); +} + +/* 0 if matching ciphertext+confirm, else -1 */ +static int Ciphertexts_diff_mask(const unsigned char *c,const unsigned char *c2) +{ + uint16 differentbits = 0; + int len = Ciphertexts_bytes+Confirm_bytes; + + while (len-- > 0) differentbits |= (*c++)^(*c2++); + return (1&((differentbits-1)>>8))-1; +} + +/* k = Decap(c,sk) */ +static void Decap(unsigned char *k,const unsigned char *c,const unsigned char *sk) +{ + const unsigned char *pk = sk + SecretKeys_bytes; + const unsigned char *rho = pk + PublicKeys_bytes; + const unsigned char *cache = rho + Inputs_bytes; + Inputs r; + unsigned char r_enc[Inputs_bytes]; + unsigned char cnew[Ciphertexts_bytes+Confirm_bytes]; + int mask; + int i; + + ZDecrypt(r,c,sk); + Hide(cnew,r_enc,r,pk,cache); + mask = Ciphertexts_diff_mask(c,cnew); + for (i = 0;i < Inputs_bytes;++i) r_enc[i] ^= mask&(r_enc[i]^rho[i]); + HashSession(k,1+mask,r_enc,c); +} + +/* ----- crypto_kem API */ + + +int crypto_kem_sntrup761_keypair(unsigned char *pk,unsigned char *sk) +{ + KEM_KeyGen(pk,sk); + return 0; +} + +int crypto_kem_sntrup761_enc(unsigned char *c,unsigned char *k,const unsigned char *pk) +{ + Encap(c,k,pk); + return 0; +} + +int crypto_kem_sntrup761_dec(unsigned char *k,const unsigned char *c,const unsigned char *sk) +{ + Decap(k,c,sk); + return 0; +} + diff --git a/sntrup761.sh b/sntrup761.sh new file mode 100644 index 000000000..7fa9e3249 --- /dev/null +++ b/sntrup761.sh @@ -0,0 +1,65 @@ +#!/bin/sh +# $OpenBSD: sntrup761.sh,v 1.1 2020/12/29 00:59:15 djm Exp $ +# Placed in the Public Domain. +# +AUTHOR="supercop-20201130/crypto_kem/sntrup761/ref/implementors" +FILES=" + supercop-20201130/crypto_kem/sntrup761/ref/uint64.h + supercop-20201130/crypto_kem/sntrup761/ref/uint16.h + supercop-20201130/crypto_kem/sntrup761/ref/uint32.h + supercop-20201130/crypto_kem/sntrup761/ref/int8.h + supercop-20201130/crypto_kem/sntrup761/ref/int16.h + supercop-20201130/crypto_kem/sntrup761/ref/int32.h + supercop-20201130/crypto_kem/sntrup761/ref/uint32.c + supercop-20201130/crypto_kem/sntrup761/ref/int32.c + supercop-20201130/crypto_kem/sntrup761/ref/paramsmenu.h + supercop-20201130/crypto_kem/sntrup761/ref/params.h + supercop-20201130/crypto_kem/sntrup761/ref/Decode.h + supercop-20201130/crypto_kem/sntrup761/ref/Decode.c + supercop-20201130/crypto_kem/sntrup761/ref/Encode.h + supercop-20201130/crypto_kem/sntrup761/ref/Encode.c + supercop-20201130/crypto_kem/sntrup761/ref/kem.c +" +SORT_I32=" + supercop-20201130/crypto_sort/int32/portable4/int32_minmax.inc + supercop-20201130/crypto_sort/int32/portable4/sort.c +" +SORT_U32="supercop-20201130/crypto_sort/uint32/useint32/sort.c" +### + +set -e +cd $1 +echo -n '/* $' +echo 'OpenBSD: $ */' +echo +echo '/*' +echo ' * Public Domain, Authors:' +sed -e '/Alphabetical order:/d' -e 's/^/ * - /' < $AUTHOR +echo ' */' +echo +echo '#include ' +echo '#include "crypto_api.h"' +echo +echo '#define CRYPTO_NAMESPACE(s) s' +echo +for i in $SORT_I32; do + echo "/* from $i */" + grep \ + -v '#include' $i | \ + sed -e "s/void crypto_sort/static void crypto_sort_int32/g" + echo +done +echo "/* from $SORT_U32 */" +grep \ + -v '#include' $SORT_U32 | \ + sed -e "s/void crypto_sort/static void crypto_sort_uint32/g" +echo +for i in $FILES; do + echo "/* from $i */" + grep \ + -v '#include' $i | \ + sed -e "s/crypto_kem_/crypto_kem_sntrup761_/g" \ + -e "s/^extern void /static void /" \ + -e "s/^void /static void /" + echo +done diff --git a/ssh-keyscan.c b/ssh-keyscan.c index e01b6dd4d..ab71adf9f 100644 --- a/ssh-keyscan.c +++ b/ssh-keyscan.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keyscan.c,v 1.137 2020/10/19 08:07:08 djm Exp $ */ +/* $OpenBSD: ssh-keyscan.c,v 1.138 2020/12/29 00:59:15 djm Exp $ */ /* * Copyright 1995, 1996 by David Mazieres . * @@ -293,7 +293,7 @@ keygrab_ssh2(con *c) # endif #endif c->c_ssh->kex->kex[KEX_C25519_SHA256] = kex_gen_client; - c->c_ssh->kex->kex[KEX_KEM_SNTRUP4591761X25519_SHA512] = kex_gen_client; + c->c_ssh->kex->kex[KEX_KEM_SNTRUP761X25519_SHA512] = kex_gen_client; ssh_set_verify_host_key_callback(c->c_ssh, key_print_wrapper); /* * do the key-exchange until an error occurs or until diff --git a/ssh_api.c b/ssh_api.c index f1fd2d77f..a65b1fa85 100644 --- a/ssh_api.c +++ b/ssh_api.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh_api.c,v 1.23 2020/12/04 02:29:56 djm Exp $ */ +/* $OpenBSD: ssh_api.c,v 1.24 2020/12/29 00:59:15 djm Exp $ */ /* * Copyright (c) 2012 Markus Friedl. All rights reserved. * @@ -122,7 +122,7 @@ ssh_init(struct ssh **sshp, int is_server, struct kex_params *kex_params) # endif #endif /* WITH_OPENSSL */ ssh->kex->kex[KEX_C25519_SHA256] = kex_gen_server; - ssh->kex->kex[KEX_KEM_SNTRUP4591761X25519_SHA512] = kex_gen_server; + ssh->kex->kex[KEX_KEM_SNTRUP761X25519_SHA512] = kex_gen_server; ssh->kex->load_host_public_key=&_ssh_host_public_key; ssh->kex->load_host_private_key=&_ssh_host_private_key; ssh->kex->sign=&_ssh_host_key_sign; @@ -140,7 +140,7 @@ ssh_init(struct ssh **sshp, int is_server, struct kex_params *kex_params) # endif #endif /* WITH_OPENSSL */ ssh->kex->kex[KEX_C25519_SHA256] = kex_gen_client; - ssh->kex->kex[KEX_KEM_SNTRUP4591761X25519_SHA512] = kex_gen_client; + ssh->kex->kex[KEX_KEM_SNTRUP761X25519_SHA512] = kex_gen_client; ssh->kex->verify_host_key =&_ssh_verify_host_key; } *sshp = ssh; diff --git a/sshconnect2.c b/sshconnect2.c index 95813b9b8..08e984f92 100644 --- a/sshconnect2.c +++ b/sshconnect2.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshconnect2.c,v 1.339 2020/12/22 00:15:23 djm Exp $ */ +/* $OpenBSD: sshconnect2.c,v 1.340 2020/12/29 00:59:15 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * Copyright (c) 2008 Damien Miller. All rights reserved. @@ -287,7 +287,7 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port, # endif #endif ssh->kex->kex[KEX_C25519_SHA256] = kex_gen_client; - ssh->kex->kex[KEX_KEM_SNTRUP4591761X25519_SHA512] = kex_gen_client; + ssh->kex->kex[KEX_KEM_SNTRUP761X25519_SHA512] = kex_gen_client; ssh->kex->verify_host_key=&verify_host_key_callback; ssh_dispatch_run_fatal(ssh, DISPATCH_BLOCK, &ssh->kex->done); diff --git a/sshd.c b/sshd.c index 173fadd86..7e0087309 100644 --- a/sshd.c +++ b/sshd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshd.c,v 1.565 2020/11/08 11:46:12 dtucker Exp $ */ +/* $OpenBSD: sshd.c,v 1.566 2020/12/29 00:59:15 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -2380,7 +2380,7 @@ do_ssh2_kex(struct ssh *ssh) # endif #endif kex->kex[KEX_C25519_SHA256] = kex_gen_server; - kex->kex[KEX_KEM_SNTRUP4591761X25519_SHA512] = kex_gen_server; + kex->kex[KEX_KEM_SNTRUP761X25519_SHA512] = kex_gen_server; kex->load_host_public_key=&get_hostkey_public_by_type; kex->load_host_private_key=&get_hostkey_private_by_type; kex->host_key_index=&get_hostkey_index; diff --git a/sshd_config.5 b/sshd_config.5 index a35c8d8cd..2b872fcfa 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.318 2020/10/16 14:34:33 jmc Exp $ -.Dd $Mdocdate: October 16 2020 $ +.\" $OpenBSD: sshd_config.5,v 1.319 2020/12/29 00:59:15 djm Exp $ +.Dd $Mdocdate: December 29 2020 $ .Dt SSHD_CONFIG 5 .Os .Sh NAME @@ -949,7 +949,7 @@ ecdh-sha2-nistp384 .It ecdh-sha2-nistp521 .It -sntrup4591761x25519-sha512@tinyssh.org +sntrup761x25519-sha512@openssh.com .El .Pp The default is: