25536515957

Committed 07 May 2026 01:38AM UTC coverage: 89.328% (-0.003%) from 89.331%

Build # 25536515957

Build Type

push

github

Committed by

randombit

Commit Message

Update for 3.12.0 release

Coverage Stats

107571 of 120422 relevant lines covered (89.33%)

11317668.92 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

81.59

/src/lib/pubkey/mce/mceliece_key.cpp

/*
 * (C) Copyright Projet SECRET, INRIA, Rocquencourt
 * (C) Bhaskar Biswas and  Nicolas Sendrier
 *
 * (C) 2014 cryptosource GmbH
 * (C) 2014 Falko Strenzke fstrenzke@cryptosource.de
 * (C) 2015 Jack Lloyd
 *
 * Botan is released under the Simplified BSD License (see license.txt)
 *
 */

#include <botan/mceliece.h>

#include <botan/ber_dec.h>
#include <botan/der_enc.h>
#include <botan/rng.h>
#include <botan/internal/bit_ops.h>
#include <botan/internal/buffer_stuffer.h>
#include <botan/internal/code_based_util.h>
#include <botan/internal/loadstor.h>
#include <botan/internal/mce_internal.h>
#include <botan/internal/pk_ops_impl.h>
#include <botan/internal/polyn_gf2m.h>

namespace Botan {

McEliece_PrivateKey::McEliece_PrivateKey(const McEliece_PrivateKey&) = default;
McEliece_PrivateKey::McEliece_PrivateKey(McEliece_PrivateKey&&) noexcept = default;
McEliece_PrivateKey& McEliece_PrivateKey::operator=(const McEliece_PrivateKey&) = default;
McEliece_PrivateKey& McEliece_PrivateKey::operator=(McEliece_PrivateKey&&) noexcept = default;
McEliece_PrivateKey::~McEliece_PrivateKey() = default;

McEliece_PrivateKey::McEliece_PrivateKey(const polyn_gf2m& goppa_polyn,
                                         const std::vector<uint32_t>& parity_check_matrix_coeffs,
                                         const std::vector<polyn_gf2m>& square_root_matrix,
                                         const std::vector<gf2m>& inverse_support,
                                         const std::vector<uint8_t>& public_matrix) :
      McEliece_PublicKey(public_matrix, goppa_polyn.get_degree(), inverse_support.size()),
      m_g{goppa_polyn},
      m_sqrtmod(square_root_matrix),
      m_Linv(inverse_support),
      m_coeffs(parity_check_matrix_coeffs),
      m_codimension(static_cast<size_t>(ceil_log2(inverse_support.size())) * goppa_polyn.get_degree()),
      m_dimension(inverse_support.size() - m_codimension) {}

// NOLINTNEXTLINE(*-member-init)
McEliece_PrivateKey::McEliece_PrivateKey(RandomNumberGenerator& rng, size_t code_length, size_t t) {
   const uint32_t ext_deg = ceil_log2(code_length);
   *this = generate_mceliece_key(rng, ext_deg, code_length, t);
}

const polyn_gf2m& McEliece_PrivateKey::get_goppa_polyn() const {
   return m_g[0];
}

size_t McEliece_PublicKey::get_message_word_bit_length() const {
   const size_t codimension = ceil_log2(m_code_length) * m_t;
   return m_code_length - codimension;
}

secure_vector<uint8_t> McEliece_PublicKey::random_plaintext_element(RandomNumberGenerator& rng) const {
   const size_t bits = get_message_word_bit_length();

   secure_vector<uint8_t> plaintext((bits + 7) / 8);
   rng.randomize(plaintext.data(), plaintext.size());

   // unset unused bits in the last plaintext byte
   if(const uint32_t used = bits % 8) {
      const uint8_t mask = (1 << used) - 1;
      plaintext[plaintext.size() - 1] &= mask;
   }

   return plaintext;
}

AlgorithmIdentifier McEliece_PublicKey::algorithm_identifier() const {
   return AlgorithmIdentifier(object_identifier(), AlgorithmIdentifier::USE_EMPTY_PARAM);
}

std::vector<uint8_t> McEliece_PublicKey::raw_public_key_bits() const {
   return m_public_matrix;
}

std::vector<uint8_t> McEliece_PublicKey::public_key_bits() const {
   std::vector<uint8_t> output;
   DER_Encoder(output)
      .start_sequence()
      .start_sequence()
      .encode(get_code_length())
      .encode(get_t())
      .end_cons()
      .encode(m_public_matrix, ASN1_Type::OctetString)
      .end_cons();
   return output;
}

size_t McEliece_PublicKey::key_length() const {
   return m_code_length;
}

size_t McEliece_PublicKey::estimated_strength() const {
   return mceliece_work_factor(m_code_length, m_t);
}

McEliece_PublicKey::McEliece_PublicKey(std::span<const uint8_t> key_bits) {
   BER_Decoder dec(key_bits, BER_Decoder::Limits::DER());
   size_t n = 0;
   size_t t = 0;
   dec.start_sequence()
      .start_sequence()
      .decode(n)
      .decode(t)
      .end_cons()
      .decode(m_public_matrix, ASN1_Type::OctetString)
      .end_cons()
      .verify_end();

   if(n == 0 || t == 0) {
      throw Decoding_Error("Invalid McEliece parameters");
   }

   // GF(2^m) field requires extension degree in [2, 16]
   const size_t ext_deg = ceil_log2(n);
   if(ext_deg < 2 || ext_deg > 16) {
      throw Decoding_Error("McEliece code length out of supported range");
   }

   // Since ext_deg >= 2, t >= n already implies ext_deg * t > n
   if(t >= n) {
      throw Decoding_Error("McEliece parameters are inconsistent");
   }

   const size_t codimension = ext_deg * t;

   // codimension must be strictly less than n, otherwise the code has no message bits
   if(codimension >= n) {
      throw Decoding_Error("McEliece parameters are inconsistent");
   }

   const size_t dimension = n - codimension;

   // public matrix is a dimension x codimension binary matrix stored as uint32_t rows
   const size_t expected_pubmat_size = dimension * bit_size_to_32bit_size(codimension) * sizeof(uint32_t);
   if(m_public_matrix.size() != expected_pubmat_size) {
      throw Decoding_Error("McEliece public matrix size does not match parameters");
   }

   m_t = t;
   m_code_length = n;
}

secure_vector<uint8_t> McEliece_PrivateKey::private_key_bits() const {
   DER_Encoder enc;
   enc.start_sequence()
      .start_sequence()
      .encode(get_code_length())
      .encode(get_t())
      .end_cons()
      .encode(m_public_matrix, ASN1_Type::OctetString)
      .encode(m_g[0].encode(), ASN1_Type::OctetString);  // g as octet string
   enc.start_sequence();
   for(const auto& x : m_sqrtmod) {
      enc.encode(x.encode(), ASN1_Type::OctetString);
   }
   enc.end_cons();
   secure_vector<uint8_t> enc_support;

   for(const uint16_t Linv : m_Linv) {
      enc_support.push_back(get_byte<0>(Linv));
      enc_support.push_back(get_byte<1>(Linv));
   }
   enc.encode(enc_support, ASN1_Type::OctetString);
   secure_vector<uint8_t> enc_H;
   for(const uint32_t coef : m_coeffs) {
      enc_H.push_back(get_byte<0>(coef));
      enc_H.push_back(get_byte<1>(coef));
      enc_H.push_back(get_byte<2>(coef));
      enc_H.push_back(get_byte<3>(coef));
   }
   enc.encode(enc_H, ASN1_Type::OctetString);
   enc.end_cons();
   return enc.get_contents();
}

bool McEliece_PrivateKey::check_key(RandomNumberGenerator& rng, bool /*unused*/) const {
   const secure_vector<uint8_t> plaintext = this->random_plaintext_element(rng);

   secure_vector<uint8_t> ciphertext;
   secure_vector<uint8_t> errors;
   mceliece_encrypt(ciphertext, errors, plaintext, *this, rng);

   secure_vector<uint8_t> plaintext_out;
   secure_vector<uint8_t> errors_out;
   mceliece_decrypt(plaintext_out, errors_out, ciphertext, *this);

   if(errors != errors_out || plaintext != plaintext_out) {
      return false;
   }

   return true;
}

McEliece_PrivateKey::McEliece_PrivateKey(std::span<const uint8_t> key_bits) {
   size_t n = 0;
   size_t t = 0;
   secure_vector<uint8_t> enc_g;
   BER_Decoder dec_base(key_bits, BER_Decoder::Limits::DER());
   BER_Decoder dec = dec_base.start_sequence();
   dec.start_sequence().decode(n).decode(t).end_cons();
   dec.decode(m_public_matrix, ASN1_Type::OctetString).decode(enc_g, ASN1_Type::OctetString);

   if(t == 0 || n == 0) {
      throw Decoding_Error("invalid McEliece parameters");
   }

   const uint32_t ext_deg = ceil_log2(n);

   if(ext_deg < 2 || ext_deg > 16) {
      throw Decoding_Error("McEliece code length out of supported range");
   }

   // Since ext_deg >= 2, t >= n already implies ext_deg * t > n
   if(t >= n) {
      throw Decoding_Error("McEliece parameters are inconsistent");
   }

   const size_t codimension = ext_deg * t;

   if(codimension >= n) {
      throw Decoding_Error("McEliece parameters are inconsistent");
   }

   const size_t dimension = n - codimension;
   const size_t expected_pubmat_size = dimension * bit_size_to_32bit_size(codimension) * sizeof(uint32_t);
   if(m_public_matrix.size() != expected_pubmat_size) {
      throw Decoding_Error("McEliece public matrix size does not match parameters");
   }

   m_code_length = n;
   m_t = t;
   m_codimension = codimension;
   m_dimension = dimension;

   auto sp_field = std::make_shared<GF2m_Field>(ext_deg);
   m_g = {polyn_gf2m(enc_g, sp_field)};
   if(m_g[0].get_degree() != static_cast<int>(t)) {
      throw Decoding_Error("degree of decoded Goppa polynomial is incorrect");
   }
   BER_Decoder dec2 = dec.start_sequence();
   for(uint32_t i = 0; i < t / 2; i++) {
      secure_vector<uint8_t> sqrt_enc;
      dec2.decode(sqrt_enc, ASN1_Type::OctetString);
      while(sqrt_enc.size() < (t * 2)) {
         // ensure that the length is always t
         sqrt_enc.push_back(0);
         sqrt_enc.push_back(0);
      }
      if(sqrt_enc.size() != t * 2) {
         throw Decoding_Error("length of square root polynomial entry is too large");
      }
      m_sqrtmod.push_back(polyn_gf2m(sqrt_enc, sp_field));
   }
   secure_vector<uint8_t> enc_support;
   dec2.end_cons();
   dec.decode(enc_support, ASN1_Type::OctetString);
   if(enc_support.size() % 2 != 0) {
      throw Decoding_Error("encoded support has odd length");
   }
   if(enc_support.size() / 2 != n) {
      throw Decoding_Error("encoded support has length different from code length");
   }
   for(uint32_t i = 0; i < n * 2; i += 2) {
      const gf2m el = (enc_support[i] << 8) | enc_support[i + 1];
      m_Linv.push_back(el);
   }
   secure_vector<uint8_t> enc_H;
   dec.decode(enc_H, ASN1_Type::OctetString).end_cons().verify_end();
   if(enc_H.size() % 4 != 0) {
      throw Decoding_Error("encoded parity check matrix has length which is not a multiple of four");
   }
   if(enc_H.size() / 4 != bit_size_to_32bit_size(m_codimension) * m_code_length) {
      throw Decoding_Error("encoded parity check matrix has wrong length");
   }

   for(uint32_t i = 0; i < enc_H.size(); i += 4) {
      const uint32_t coeff = (enc_H[i] << 24) | (enc_H[i + 1] << 16) | (enc_H[i + 2] << 8) | enc_H[i + 3];
      m_coeffs.push_back(coeff);
   }
}

bool McEliece_PrivateKey::operator==(const McEliece_PrivateKey& other) const {
   if(*static_cast<const McEliece_PublicKey*>(this) != *static_cast<const McEliece_PublicKey*>(&other)) {
      return false;
   }
   if(m_g != other.m_g) {
      return false;
   }

   if(m_sqrtmod != other.m_sqrtmod) {
      return false;
   }
   if(m_Linv != other.m_Linv) {
      return false;
   }
   if(m_coeffs != other.m_coeffs) {
      return false;
   }

   if(m_codimension != other.m_codimension || m_dimension != other.m_dimension) {
      return false;
   }

   return true;
}

std::unique_ptr<Public_Key> McEliece_PrivateKey::public_key() const {
   return std::make_unique<McEliece_PublicKey>(get_public_matrix(), get_t(), get_code_length());
}

bool McEliece_PublicKey::operator==(const McEliece_PublicKey& other) const {
   if(m_public_matrix != other.m_public_matrix) {
      return false;
   }
   if(m_t != other.m_t) {
      return false;
   }
   if(m_code_length != other.m_code_length) {
      return false;
   }
   return true;
}

namespace {

class MCE_KEM_Encryptor final : public PK_Ops::KEM_Encryption_with_KDF {
   public:
      MCE_KEM_Encryptor(const McEliece_PublicKey& key, std::string_view kdf) :
            KEM_Encryption_with_KDF(kdf), m_key(key) {}

   private:
      size_t raw_kem_shared_key_length() const override {
         const size_t err_sz = (m_key.get_code_length() + 7) / 8;
         const size_t ptext_sz = (m_key.get_message_word_bit_length() + 7) / 8;
         return ptext_sz + err_sz;
      }

      size_t encapsulated_key_length() const override { return (m_key.get_code_length() + 7) / 8; }

      void raw_kem_encrypt(std::span<uint8_t> out_encapsulated_key,
                           std::span<uint8_t> raw_shared_key,
                           RandomNumberGenerator& rng) override {
         secure_vector<uint8_t> plaintext = m_key.random_plaintext_element(rng);

         secure_vector<uint8_t> ciphertext;
         secure_vector<uint8_t> error_mask;
         mceliece_encrypt(ciphertext, error_mask, plaintext, m_key, rng);

         // TODO: Perhaps avoid the copies below
         BOTAN_ASSERT_NOMSG(out_encapsulated_key.size() == ciphertext.size());
         std::copy(ciphertext.begin(), ciphertext.end(), out_encapsulated_key.begin());

         BOTAN_ASSERT_NOMSG(raw_shared_key.size() == plaintext.size() + error_mask.size());
         BufferStuffer bs(raw_shared_key);
         bs.append(plaintext);
         bs.append(error_mask);
      }

      const McEliece_PublicKey& m_key;
};

class MCE_KEM_Decryptor final : public PK_Ops::KEM_Decryption_with_KDF {
   public:
      MCE_KEM_Decryptor(const McEliece_PrivateKey& key, std::string_view kdf) :
            KEM_Decryption_with_KDF(kdf), m_key(key) {}

   private:
      size_t raw_kem_shared_key_length() const override {
         const size_t err_sz = (m_key.get_code_length() + 7) / 8;
         const size_t ptext_sz = (m_key.get_message_word_bit_length() + 7) / 8;
         return ptext_sz + err_sz;
      }

      size_t encapsulated_key_length() const override { return (m_key.get_code_length() + 7) / 8; }

      void raw_kem_decrypt(std::span<uint8_t> out_shared_key, std::span<const uint8_t> encapsulated_key) override {
         secure_vector<uint8_t> plaintext;
         secure_vector<uint8_t> error_mask;
         mceliece_decrypt(plaintext, error_mask, encapsulated_key.data(), encapsulated_key.size(), m_key);

         // TODO: perhaps avoid the copies below
         BOTAN_ASSERT_NOMSG(out_shared_key.size() == plaintext.size() + error_mask.size());
         BufferStuffer bs(out_shared_key);
         bs.append(plaintext);
         bs.append(error_mask);
      }

      const McEliece_PrivateKey& m_key;
};

}  // namespace

std::unique_ptr<Private_Key> McEliece_PublicKey::generate_another(RandomNumberGenerator& rng) const {
   return std::make_unique<McEliece_PrivateKey>(rng, get_code_length(), get_t());
}

std::unique_ptr<PK_Ops::KEM_Encryption> McEliece_PublicKey::create_kem_encryption_op(std::string_view params,
                                                                                     std::string_view provider) const {
   if(provider == "base" || provider.empty()) {
      return std::make_unique<MCE_KEM_Encryptor>(*this, params);
   }
   throw Provider_Not_Found(algo_name(), provider);
}

std::unique_ptr<PK_Ops::KEM_Decryption> McEliece_PrivateKey::create_kem_decryption_op(RandomNumberGenerator& /*rng*/,
                                                                                      std::string_view params,
                                                                                      std::string_view provider) const {
   if(provider == "base" || provider.empty()) {
      return std::make_unique<MCE_KEM_Decryptor>(*this, params);
   }
   throw Provider_Not_Found(algo_name(), provider);
}

}  // namespace Botan

1	/*
2	* (C) Copyright Projet SECRET, INRIA, Rocquencourt
3	* (C) Bhaskar Biswas and Nicolas Sendrier
4	*
5	* (C) 2014 cryptosource GmbH
6	* (C) 2014 Falko Strenzke fstrenzke@cryptosource.de
7	* (C) 2015 Jack Lloyd
8	*
9	* Botan is released under the Simplified BSD License (see license.txt)
10	*
11	*/
12
13	#include <botan/mceliece.h>
14
15	#include <botan/ber_dec.h>
16	#include <botan/der_enc.h>
17	#include <botan/rng.h>
18	#include <botan/internal/bit_ops.h>
19	#include <botan/internal/buffer_stuffer.h>
20	#include <botan/internal/code_based_util.h>
21	#include <botan/internal/loadstor.h>
22	#include <botan/internal/mce_internal.h>
23	#include <botan/internal/pk_ops_impl.h>
24	#include <botan/internal/polyn_gf2m.h>
25
26	namespace Botan {
27
28	McEliece_PrivateKey::McEliece_PrivateKey(const McEliece_PrivateKey&) = default;	×
29	McEliece_PrivateKey::McEliece_PrivateKey(McEliece_PrivateKey&&) noexcept = default;	×
30	McEliece_PrivateKey& McEliece_PrivateKey::operator=(const McEliece_PrivateKey&) = default;	×
31	McEliece_PrivateKey& McEliece_PrivateKey::operator=(McEliece_PrivateKey&&) noexcept = default;	94✔
32	McEliece_PrivateKey::~McEliece_PrivateKey() = default;	650✔
33
34	McEliece_PrivateKey::McEliece_PrivateKey(const polyn_gf2m& goppa_polyn,	94✔
35	const std::vector<uint32_t>& parity_check_matrix_coeffs,
36	const std::vector<polyn_gf2m>& square_root_matrix,
37	const std::vector<gf2m>& inverse_support,
38	const std::vector<uint8_t>& public_matrix) :	94✔
39	McEliece_PublicKey(public_matrix, goppa_polyn.get_degree(), inverse_support.size()),	94✔
40	m_g{goppa_polyn},	188✔
41	m_sqrtmod(square_root_matrix),	94✔
42	m_Linv(inverse_support),	94✔
43	m_coeffs(parity_check_matrix_coeffs),	94✔
44	m_codimension(static_cast<size_t>(ceil_log2(inverse_support.size())) * goppa_polyn.get_degree()),	188✔
45	m_dimension(inverse_support.size() - m_codimension) {}	188✔
46
47	// NOLINTNEXTLINE(*-member-init)
48	McEliece_PrivateKey::McEliece_PrivateKey(RandomNumberGenerator& rng, size_t code_length, size_t t) {	94✔
49	const uint32_t ext_deg = ceil_log2(code_length);	94✔
50	*this = generate_mceliece_key(rng, ext_deg, code_length, t);	94✔
51	}	94✔
52
53	const polyn_gf2m& McEliece_PrivateKey::get_goppa_polyn() const {	10,644✔
54	return m_g[0];	10,644✔
55	}
56
57	size_t McEliece_PublicKey::get_message_word_bit_length() const {	10,518✔
58	const size_t codimension = ceil_log2(m_code_length) * m_t;	10,518✔
59	return m_code_length - codimension;	10,518✔
60	}
61
62	secure_vector<uint8_t> McEliece_PublicKey::random_plaintext_element(RandomNumberGenerator& rng) const {	2,652✔
63	const size_t bits = get_message_word_bit_length();	2,652✔
64
65	secure_vector<uint8_t> plaintext((bits + 7) / 8);	2,652✔
66	rng.randomize(plaintext.data(), plaintext.size());	2,652✔
67
68	// unset unused bits in the last plaintext byte
69	if(const uint32_t used = bits % 8) {	2,652✔
70	const uint8_t mask = (1 << used) - 1;	1,939✔
71	plaintext[plaintext.size() - 1] &= mask;	1,939✔
72	}
73
74	return plaintext;	2,652✔
75	}	×
76
77	AlgorithmIdentifier McEliece_PublicKey::algorithm_identifier() const {	13✔
78	return AlgorithmIdentifier(object_identifier(), AlgorithmIdentifier::USE_EMPTY_PARAM);	13✔
79	}
80
81	std::vector<uint8_t> McEliece_PublicKey::raw_public_key_bits() const {	×
82	return m_public_matrix;	×
83	}
84
85	std::vector<uint8_t> McEliece_PublicKey::public_key_bits() const {	267✔
86	std::vector<uint8_t> output;	267✔
87	DER_Encoder(output)	534✔
88	.start_sequence()	267✔
89	.start_sequence()	267✔
90	.encode(get_code_length())	267✔
91	.encode(get_t())	267✔
92	.end_cons()	267✔
93	.encode(m_public_matrix, ASN1_Type::OctetString)	267✔
94	.end_cons();	267✔
95	return output;	267✔
96	}	×
97
98	size_t McEliece_PublicKey::key_length() const {	×
99	return m_code_length;	×
100	}
101
102	size_t McEliece_PublicKey::estimated_strength() const {	2✔
103	return mceliece_work_factor(m_code_length, m_t);	2✔
104	}
105
106	McEliece_PublicKey::McEliece_PublicKey(std::span<const uint8_t> key_bits) {	86✔
107	BER_Decoder dec(key_bits, BER_Decoder::Limits::DER());	86✔
108	size_t n = 0;	86✔
109	size_t t = 0;	86✔
110	dec.start_sequence()	172✔
111	.start_sequence()	172✔
112	.decode(n)	86✔
113	.decode(t)	86✔
114	.end_cons()	86✔
115	.decode(m_public_matrix, ASN1_Type::OctetString)	86✔
116	.end_cons()	86✔
117	.verify_end();	86✔
118
119	if(n == 0 \|\| t == 0) {	86✔
120	throw Decoding_Error("Invalid McEliece parameters");	×
121	}
122
123	// GF(2^m) field requires extension degree in [2, 16]
124	const size_t ext_deg = ceil_log2(n);	86✔
125	if(ext_deg < 2 \|\| ext_deg > 16) {	86✔
126	throw Decoding_Error("McEliece code length out of supported range");	×
127	}
128
129	// Since ext_deg >= 2, t >= n already implies ext_deg * t > n
130	if(t >= n) {	86✔
131	throw Decoding_Error("McEliece parameters are inconsistent");	×
132	}
133
134	const size_t codimension = ext_deg * t;	86✔
135
136	// codimension must be strictly less than n, otherwise the code has no message bits
137	if(codimension >= n) {	86✔
138	throw Decoding_Error("McEliece parameters are inconsistent");	×
139	}
140
141	const size_t dimension = n - codimension;	86✔
142
143	// public matrix is a dimension x codimension binary matrix stored as uint32_t rows
144	const size_t expected_pubmat_size = dimension * bit_size_to_32bit_size(codimension) * sizeof(uint32_t);	86✔
145	if(m_public_matrix.size() != expected_pubmat_size) {	86✔
146	throw Decoding_Error("McEliece public matrix size does not match parameters");	×
147	}
148
149	m_t = t;	86✔
150	m_code_length = n;	86✔
151	}	86✔
152
153	secure_vector<uint8_t> McEliece_PrivateKey::private_key_bits() const {	270✔
154	DER_Encoder enc;	270✔
155	enc.start_sequence()	270✔
156	.start_sequence()	270✔
157	.encode(get_code_length())	270✔
158	.encode(get_t())	270✔
159	.end_cons()	270✔
160	.encode(m_public_matrix, ASN1_Type::OctetString)	270✔
161	.encode(m_g[0].encode(), ASN1_Type::OctetString); // g as octet string	540✔
162	enc.start_sequence();	270✔
163	for(const auto& x : m_sqrtmod) {	4,544✔
164	enc.encode(x.encode(), ASN1_Type::OctetString);	12,822✔
165	}
166	enc.end_cons();	270✔
167	secure_vector<uint8_t> enc_support;	270✔
168
169	for(const uint16_t Linv : m_Linv) {	387,758✔
170	enc_support.push_back(get_byte<0>(Linv));	387,488✔
171	enc_support.push_back(get_byte<1>(Linv));	387,488✔
172	}
173	enc.encode(enc_support, ASN1_Type::OctetString);	270✔
174	secure_vector<uint8_t> enc_H;	270✔
175	for(const uint32_t coef : m_coeffs) {	8,999,790✔
176	enc_H.push_back(get_byte<0>(coef));	8,999,520✔
177	enc_H.push_back(get_byte<1>(coef));	8,999,520✔
178	enc_H.push_back(get_byte<2>(coef));	8,999,520✔
179	enc_H.push_back(get_byte<3>(coef));	8,999,520✔
180	}
181	enc.encode(enc_H, ASN1_Type::OctetString);	270✔
182	enc.end_cons();	270✔
183	return enc.get_contents();	540✔
184	}	540✔
185
186	bool McEliece_PrivateKey::check_key(RandomNumberGenerator& rng, bool /unused/) const {	85✔
187	const secure_vector<uint8_t> plaintext = this->random_plaintext_element(rng);	85✔
188
189	secure_vector<uint8_t> ciphertext;	85✔
190	secure_vector<uint8_t> errors;	85✔
191	mceliece_encrypt(ciphertext, errors, plaintext, *this, rng);	85✔
192
193	secure_vector<uint8_t> plaintext_out;	85✔
194	secure_vector<uint8_t> errors_out;	85✔
195	mceliece_decrypt(plaintext_out, errors_out, ciphertext, *this);	85✔
196
197	if(errors != errors_out \|\| plaintext != plaintext_out) {	85✔
198	return false;
199	}
200
201	return true;
202	}	425✔
203
204	McEliece_PrivateKey::McEliece_PrivateKey(std::span<const uint8_t> key_bits) {	89✔
205	size_t n = 0;	89✔
206	size_t t = 0;	89✔
207	secure_vector<uint8_t> enc_g;	89✔
208	BER_Decoder dec_base(key_bits, BER_Decoder::Limits::DER());	89✔
209	BER_Decoder dec = dec_base.start_sequence();	89✔
210	dec.start_sequence().decode(n).decode(t).end_cons();	89✔
211	dec.decode(m_public_matrix, ASN1_Type::OctetString).decode(enc_g, ASN1_Type::OctetString);	89✔
212
213	if(t == 0 \|\| n == 0) {	89✔
214	throw Decoding_Error("invalid McEliece parameters");	×
215	}
216
217	const uint32_t ext_deg = ceil_log2(n);	89✔
218
219	if(ext_deg < 2 \|\| ext_deg > 16) {	89✔
220	throw Decoding_Error("McEliece code length out of supported range");	×
221	}
222
223	// Since ext_deg >= 2, t >= n already implies ext_deg * t > n
224	if(t >= n) {	89✔
225	throw Decoding_Error("McEliece parameters are inconsistent");	×
226	}
227
228	const size_t codimension = ext_deg * t;	89✔
229
230	if(codimension >= n) {	89✔
231	throw Decoding_Error("McEliece parameters are inconsistent");	×
232	}
233
234	const size_t dimension = n - codimension;	89✔
235	const size_t expected_pubmat_size = dimension * bit_size_to_32bit_size(codimension) * sizeof(uint32_t);	89✔
236	if(m_public_matrix.size() != expected_pubmat_size) {	89✔
237	throw Decoding_Error("McEliece public matrix size does not match parameters");	×
238	}
239
240	m_code_length = n;	89✔
241	m_t = t;	89✔
242	m_codimension = codimension;	89✔
243	m_dimension = dimension;	89✔
244
245	auto sp_field = std::make_shared<GF2m_Field>(ext_deg);	89✔
246	m_g = {polyn_gf2m(enc_g, sp_field)};	267✔
247	if(m_g[0].get_degree() != static_cast<int>(t)) {	89✔
248	throw Decoding_Error("degree of decoded Goppa polynomial is incorrect");	×
249	}
250	BER_Decoder dec2 = dec.start_sequence();	89✔
251	for(uint32_t i = 0; i < t / 2; i++) {	1,471✔
252	secure_vector<uint8_t> sqrt_enc;	1,382✔
253	dec2.decode(sqrt_enc, ASN1_Type::OctetString);	1,382✔
254	while(sqrt_enc.size() < (t * 2)) {	1,382✔
255	// ensure that the length is always t
256	sqrt_enc.push_back(0);	×
257	sqrt_enc.push_back(0);	×
258	}
259	if(sqrt_enc.size() != t * 2) {	1,382✔
260	throw Decoding_Error("length of square root polynomial entry is too large");	×
261	}
262	m_sqrtmod.push_back(polyn_gf2m(sqrt_enc, sp_field));	2,764✔
263	}	1,382✔
264	secure_vector<uint8_t> enc_support;	89✔
265	dec2.end_cons();	89✔
266	dec.decode(enc_support, ASN1_Type::OctetString);	89✔
267	if(enc_support.size() % 2 != 0) {	89✔
268	throw Decoding_Error("encoded support has odd length");	×
269	}
270	if(enc_support.size() / 2 != n) {	89✔
271	throw Decoding_Error("encoded support has length different from code length");	×
272	}
273	for(uint32_t i = 0; i < n * 2; i += 2) {	124,057✔
274	const gf2m el = (enc_support[i] << 8) \| enc_support[i + 1];	123,968✔
275	m_Linv.push_back(el);	123,968✔
276	}
277	secure_vector<uint8_t> enc_H;	89✔
278	dec.decode(enc_H, ASN1_Type::OctetString).end_cons().verify_end();	89✔
279	if(enc_H.size() % 4 != 0) {	89✔
280	throw Decoding_Error("encoded parity check matrix has length which is not a multiple of four");	×
281	}
282	if(enc_H.size() / 4 != bit_size_to_32bit_size(m_codimension) * m_code_length) {	89✔
283	throw Decoding_Error("encoded parity check matrix has wrong length");	×
284	}
285
286	for(uint32_t i = 0; i < enc_H.size(); i += 4) {	2,801,081✔
287	const uint32_t coeff = (enc_H[i] << 24) \| (enc_H[i + 1] << 16) \| (enc_H[i + 2] << 8) \| enc_H[i + 3];	2,800,992✔
288	m_coeffs.push_back(coeff);	2,800,992✔
289	}
290	}	445✔
291
292	bool McEliece_PrivateKey::operator==(const McEliece_PrivateKey& other) const {	×
293	if(static_cast<const McEliece_PublicKey>(this) != static_cast<const McEliece_PublicKey>(&other)) {	×
294	return false;
295	}
296	if(m_g != other.m_g) {	×
297	return false;
298	}
299
300	if(m_sqrtmod != other.m_sqrtmod) {	×
301	return false;
302	}
303	if(m_Linv != other.m_Linv) {	×
304	return false;
305	}
306	if(m_coeffs != other.m_coeffs) {	×
307	return false;
308	}
309
310	if(m_codimension != other.m_codimension \|\| m_dimension != other.m_dimension) {	×
311	return false;
312	}
313
314	return true;
315	}
316
317	std::unique_ptr<Public_Key> McEliece_PrivateKey::public_key() const {	3✔
318	return std::make_unique<McEliece_PublicKey>(get_public_matrix(), get_t(), get_code_length());	3✔
319	}
320
321	bool McEliece_PublicKey::operator==(const McEliece_PublicKey& other) const {	×
322	if(m_public_matrix != other.m_public_matrix) {	×
323	return false;
324	}
325	if(m_t != other.m_t) {	×
326	return false;
327	}
328	if(m_code_length != other.m_code_length) {	×
329	return false;	×
330	}
331	return true;
332	}
333
334	namespace {
335
336	class MCE_KEM_Encryptor final : public PK_Ops::KEM_Encryption_with_KDF {
337	public:
338	MCE_KEM_Encryptor(const McEliece_PublicKey& key, std::string_view kdf) :	102✔
339	KEM_Encryption_with_KDF(kdf), m_key(key) {}	102✔
340
341	private:
342	size_t raw_kem_shared_key_length() const override {	2,589✔
343	const size_t err_sz = (m_key.get_code_length() + 7) / 8;	2,589✔
344	const size_t ptext_sz = (m_key.get_message_word_bit_length() + 7) / 8;	2,589✔
345	return ptext_sz + err_sz;	2,589✔
346	}
347
348	size_t encapsulated_key_length() const override { return (m_key.get_code_length() + 7) / 8; }	7,701✔
349
350	void raw_kem_encrypt(std::span<uint8_t> out_encapsulated_key,	2,567✔
351	std::span<uint8_t> raw_shared_key,
352	RandomNumberGenerator& rng) override {
353	secure_vector<uint8_t> plaintext = m_key.random_plaintext_element(rng);	2,567✔
354
355	secure_vector<uint8_t> ciphertext;	2,567✔
356	secure_vector<uint8_t> error_mask;	2,567✔
357	mceliece_encrypt(ciphertext, error_mask, plaintext, m_key, rng);	2,567✔
358
359	// TODO: Perhaps avoid the copies below
360	BOTAN_ASSERT_NOMSG(out_encapsulated_key.size() == ciphertext.size());	2,567✔
361	std::copy(ciphertext.begin(), ciphertext.end(), out_encapsulated_key.begin());	2,567✔
362
363	BOTAN_ASSERT_NOMSG(raw_shared_key.size() == plaintext.size() + error_mask.size());	2,567✔
364	BufferStuffer bs(raw_shared_key);	2,567✔
365	bs.append(plaintext);	2,567✔
366	bs.append(error_mask);	2,567✔
367	}	7,701✔
368
369	const McEliece_PublicKey& m_key;
370	};
371
372	class MCE_KEM_Decryptor final : public PK_Ops::KEM_Decryption_with_KDF {
373	public:
374	MCE_KEM_Decryptor(const McEliece_PrivateKey& key, std::string_view kdf) :	102✔
375	KEM_Decryption_with_KDF(kdf), m_key(key) {}	102✔
376
377	private:
378	size_t raw_kem_shared_key_length() const override {	2,616✔
379	const size_t err_sz = (m_key.get_code_length() + 7) / 8;	2,616✔
380	const size_t ptext_sz = (m_key.get_message_word_bit_length() + 7) / 8;	2,616✔
381	return ptext_sz + err_sz;	2,616✔
382	}
383
384	size_t encapsulated_key_length() const override { return (m_key.get_code_length() + 7) / 8; }	×
385
386	void raw_kem_decrypt(std::span<uint8_t> out_shared_key, std::span<const uint8_t> encapsulated_key) override {	2,576✔
387	secure_vector<uint8_t> plaintext;	2,576✔
388	secure_vector<uint8_t> error_mask;	2,576✔
389	mceliece_decrypt(plaintext, error_mask, encapsulated_key.data(), encapsulated_key.size(), m_key);	2,576✔
390
391	// TODO: perhaps avoid the copies below
392	BOTAN_ASSERT_NOMSG(out_shared_key.size() == plaintext.size() + error_mask.size());	2,576✔
393	BufferStuffer bs(out_shared_key);	2,576✔
394	bs.append(plaintext);	2,576✔
395	bs.append(error_mask);	2,576✔
396	}	5,152✔
397
398	const McEliece_PrivateKey& m_key;
399	};
400
401	} // namespace
402
403	std::unique_ptr<Private_Key> McEliece_PublicKey::generate_another(RandomNumberGenerator& rng) const {	×
404	return std::make_unique<McEliece_PrivateKey>(rng, get_code_length(), get_t());	×
405	}
406
407	std::unique_ptr<PK_Ops::KEM_Encryption> McEliece_PublicKey::create_kem_encryption_op(std::string_view params,	102✔
408	std::string_view provider) const {
409	if(provider == "base" \|\| provider.empty()) {	102✔
410	return std::make_unique<MCE_KEM_Encryptor>(*this, params);	102✔
411	}
412	throw Provider_Not_Found(algo_name(), provider);	×
413	}
414
415	std::unique_ptr<PK_Ops::KEM_Decryption> McEliece_PrivateKey::create_kem_decryption_op(RandomNumberGenerator& /rng/,	102✔
416	std::string_view params,
417	std::string_view provider) const {
418	if(provider == "base" \|\| provider.empty()) {	102✔
419	return std::make_unique<MCE_KEM_Decryptor>(*this, params);	102✔
420	}
421	throw Provider_Not_Found(algo_name(), provider);	×
422	}
423
424	} // namespace Botan

randombit / botan / 25536515957

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous