elligator: kem encaps and decaps

author: Pedram Fardzadeh <p.fardzadeh@protonmail.com> 2024-03-04 01:26:31 +0100
committer: Martin Schanzenbach <schanzen@gnunet.org> 2024-03-06 11:23:56 +0100
commit: fbdeca81292cd3a00af9a336fd52079e41fe8879 (patch)
tree: bc0f9b580ada93189c531e0c15c96800e68439f3 /src
parent: ae50b256e873150251d9a621715e55809457579d (diff)
download: gnunet-fbdeca81292cd3a00af9a336fd52079e41fe8879.tar.gz
gnunet-fbdeca81292cd3a00af9a336fd52079e41fe8879.zip
3 files changed, 103 insertions, 0 deletions
diff --git a/src/include/gnunet_crypto_lib.h b/src/include/gnunet_crypto_lib.h
index 7b7d559cc..4af95af0f 100644
--- a/src/include/gnunet_crypto_lib.h
+++ b/src/include/gnunet_crypto_lib.h
@@ -2747,6 +2747,42 @@ GNUNET_CRYPTO_ecdhe_elligator_key_create (
  struct GNUNET_CRYPTO_ElligatorRepresentative *repr,
  struct GNUNET_CRYPTO_EcdhePrivateKey *pk);
+/**
+ * @ingroup crypto
+ * Carries out ecdh encapsulation with given public key and a freshly created ephemeral key pair. Ephemeral public key is given as a representative.
+ *
+ * Following the terminology in https://eprint.iacr.org/2021/509.pdf
+ * @param pub receivers edwards curve public key (X)
+ * @param r representative of ephemeral public key A to use for the ECDH (direct_map(r)=A=aG)
+ * @param key_material where to write the key material H(aX)=H(x(aG))
+ * @return #GNUNET_SYSERR on error, #GNUNET_OK on success
+ */
+enum GNUNET_GenericReturnValue
+GNUNET_CRYPTO_eddsa_elligator_kem_encaps (const struct
+                                          GNUNET_CRYPTO_EddsaPublicKey *pub,
+                                          struct
+                                          GNUNET_CRYPTO_ElligatorRepresentative
+                                          *r,
+                                          struct GNUNET_HashCode *key_material);
+/**
+ * @ingroup crypto
+ * Carries out ecdh decapsulation with given private key and the representative of received public key.
+ *
+ * Following the terminology in https://eprint.iacr.org/2021/509.pdf
+ * @param priv own private key (x)
+ * @param r received representative (direct_map(r)=A=aG)
+ * @param key_material where to write the key material H(xA)=H(a(xG))
+ * @return #GNUNET_SYSERR on error, #GNUNET_OK on success
+ */
+enum GNUNET_GenericReturnValue
+GNUNET_CRYPTO_eddsa_elligator_kem_decaps (const struct
+                                          GNUNET_CRYPTO_EddsaPrivateKey *priv,
+                                          struct
+                                          GNUNET_CRYPTO_ElligatorRepresentative
+                                          *r,
+                                          struct GNUNET_HashCode *key_material);
 /**
 * Output the given MPI value to the given buffer in network
diff --git a/src/lib/util/crypto_elligator.c b/src/lib/util/crypto_elligator.c
index 7ff37be46..d7f4bb1dd 100644
--- a/src/lib/util/crypto_elligator.c
+++ b/src/lib/util/crypto_elligator.c
@@ -620,3 +620,36 @@ GNUNET_CRYPTO_ecdhe_elligator_key_create (
    repr->r[31] |= 64;
  }
 }
+enum GNUNET_GenericReturnValue
+GNUNET_CRYPTO_eddsa_elligator_kem_encaps (const struct
+                                          GNUNET_CRYPTO_EddsaPublicKey *pub,
+                                          struct
+                                          GNUNET_CRYPTO_ElligatorRepresentative
+                                          *r,
+                                          struct GNUNET_HashCode *key_material)
+{
+  struct GNUNET_CRYPTO_EcdhePrivateKey sk_eph;
+  struct GNUNET_CRYPTO_EcdhePublicKey pub_eph;
+  GNUNET_CRYPTO_ecdhe_elligator_key_create (r, &sk_eph);
+  // TODO: probably makes more sense if key_create outputs ecdhe pub instead of repr because ecdhe pub is needed for ecdh on senders side.
+  GNUNET_CRYPTO_ecdhe_elligator_decoding (&pub_eph, NULL, r);
+  return GNUNET_CRYPTO_ecdh_eddsa (&sk_eph, pub, key_material);
+}
+enum GNUNET_GenericReturnValue
+GNUNET_CRYPTO_eddsa_elligator_kem_decaps (const struct
+                                          GNUNET_CRYPTO_EddsaPrivateKey *priv,
+                                          struct
+                                          GNUNET_CRYPTO_ElligatorRepresentative
+                                          *r,
+                                          struct GNUNET_HashCode *key_material)
+{
+  struct GNUNET_CRYPTO_EcdhePublicKey pub;
+  GNUNET_CRYPTO_ecdhe_elligator_decoding (&pub, NULL, r);
+  return GNUNET_CRYPTO_eddsa_ecdh (priv, &pub, key_material);
+}
+\ No newline at end of file
diff --git a/src/lib/util/test_crypto_elligator.c b/src/lib/util/test_crypto_elligator.c
index 463cb0a0c..c42e1de3a 100644
--- a/src/lib/util/test_crypto_elligator.c
+++ b/src/lib/util/test_crypto_elligator.c
@@ -223,6 +223,34 @@ testTimeDecoding (void)
 }
+static int
+elligatorKEM ()
+{
+  struct GNUNET_CRYPTO_EddsaPrivateKey pk;
+  struct GNUNET_CRYPTO_EddsaPublicKey pub;
+  GNUNET_CRYPTO_eddsa_key_create (&pk);
+  GNUNET_CRYPTO_eddsa_key_get_public (&pk,&pub);
+  struct GNUNET_CRYPTO_ElligatorRepresentative r;
+  // Sender side
+  struct GNUNET_HashCode key_material_encaps;
+  GNUNET_CRYPTO_eddsa_elligator_kem_encaps (&pub, &r, &key_material_encaps);
+  // Receiving side
+  struct GNUNET_HashCode key_material_decaps;
+  GNUNET_CRYPTO_eddsa_elligator_kem_decaps (&pk,&r,&key_material_decaps);
+  if (memcmp (&(key_material_encaps.bits),&(key_material_decaps.bits),
+              sizeof(key_material_encaps.bits)) != 0)
+  {
+    return GNUNET_SYSERR;
+  }
+  return GNUNET_OK;
+}
 /*
 *More tests to implement:
 * Adding more test vectors from different sources for inverse and direct map
@@ -268,6 +296,12 @@ main (int argc, char *argv[])
    failure_count++;
  }
+  if (GNUNET_OK != elligatorKEM ())
+  {
+    printf ("Elligator KEM failed!");
+    failure_count++;
+  }
  if (0 != failure_count)
  {
    fprintf (stderr,
author	Pedram Fardzadeh <p.fardzadeh@protonmail.com>	2024-03-04 01:26:31 +0100
committer	Martin Schanzenbach <schanzen@gnunet.org>	2024-03-06 11:23:56 +0100
commit	fbdeca81292cd3a00af9a336fd52079e41fe8879 (patch)
tree	bc0f9b580ada93189c531e0c15c96800e68439f3 /src
parent	ae50b256e873150251d9a621715e55809457579d (diff)
download	gnunet-fbdeca81292cd3a00af9a336fd52079e41fe8879.tar.gz gnunet-fbdeca81292cd3a00af9a336fd52079e41fe8879.zip

diff --git a/src/include/gnunet_crypto_lib.h b/src/include/gnunet_crypto_lib.h index 7b7d559cc..4af95af0f 100644 --- a/src/include/gnunet_crypto_lib.h +++ b/src/include/gnunet_crypto_lib.h
@@ -2747,6 +2747,42 @@ GNUNET_CRYPTO_ecdhe_elligator_key_create (
2747	struct GNUNET_CRYPTO_ElligatorRepresentative *repr,	2747	struct GNUNET_CRYPTO_ElligatorRepresentative *repr,
2748	struct GNUNET_CRYPTO_EcdhePrivateKey *pk);	2748	struct GNUNET_CRYPTO_EcdhePrivateKey *pk);
2749		2749
		2750	/**
		2751	* @ingroup crypto
		2752	* Carries out ecdh encapsulation with given public key and a freshly created ephemeral key pair. Ephemeral public key is given as a representative.
		2753	*
		2754	* Following the terminology in https://eprint.iacr.org/2021/509.pdf
		2755	* @param pub receivers edwards curve public key (X)
		2756	* @param r representative of ephemeral public key A to use for the ECDH (direct_map(r)=A=aG)
		2757	* @param key_material where to write the key material H(aX)=H(x(aG))
		2758	* @return #GNUNET_SYSERR on error, #GNUNET_OK on success
		2759	*/
		2760	enum GNUNET_GenericReturnValue
		2761	GNUNET_CRYPTO_eddsa_elligator_kem_encaps (const struct
		2762	GNUNET_CRYPTO_EddsaPublicKey *pub,
		2763	struct
		2764	GNUNET_CRYPTO_ElligatorRepresentative
		2765	*r,
		2766	struct GNUNET_HashCode *key_material);
		2767
		2768	/**
		2769	* @ingroup crypto
		2770	* Carries out ecdh decapsulation with given private key and the representative of received public key.
		2771	*
		2772	* Following the terminology in https://eprint.iacr.org/2021/509.pdf
		2773	* @param priv own private key (x)
		2774	* @param r received representative (direct_map(r)=A=aG)
		2775	* @param key_material where to write the key material H(xA)=H(a(xG))
		2776	* @return #GNUNET_SYSERR on error, #GNUNET_OK on success
		2777	*/
		2778	enum GNUNET_GenericReturnValue
		2779	GNUNET_CRYPTO_eddsa_elligator_kem_decaps (const struct
		2780	GNUNET_CRYPTO_EddsaPrivateKey *priv,
		2781	struct
		2782	GNUNET_CRYPTO_ElligatorRepresentative
		2783	*r,
		2784	struct GNUNET_HashCode *key_material);
		2785
2750		2786
2751	/**	2787	/**
2752	* Output the given MPI value to the given buffer in network	2788	* Output the given MPI value to the given buffer in network


diff --git a/src/lib/util/crypto_elligator.c b/src/lib/util/crypto_elligator.c index 7ff37be46..d7f4bb1dd 100644 --- a/src/lib/util/crypto_elligator.c +++ b/src/lib/util/crypto_elligator.c
@@ -620,3 +620,36 @@ GNUNET_CRYPTO_ecdhe_elligator_key_create (
620	repr->r[31] \|= 64;	620	repr->r[31] \|= 64;
621	}	621	}
622	}	622	}
		623
		624
		625	enum GNUNET_GenericReturnValue
		626	GNUNET_CRYPTO_eddsa_elligator_kem_encaps (const struct
		627	GNUNET_CRYPTO_EddsaPublicKey *pub,
		628	struct
		629	GNUNET_CRYPTO_ElligatorRepresentative
		630	*r,
		631	struct GNUNET_HashCode *key_material)
		632	{
		633	struct GNUNET_CRYPTO_EcdhePrivateKey sk_eph;
		634	struct GNUNET_CRYPTO_EcdhePublicKey pub_eph;
		635
		636	GNUNET_CRYPTO_ecdhe_elligator_key_create (r, &sk_eph);
		637	// TODO: probably makes more sense if key_create outputs ecdhe pub instead of repr because ecdhe pub is needed for ecdh on senders side.
		638	GNUNET_CRYPTO_ecdhe_elligator_decoding (&pub_eph, NULL, r);
		639
		640	return GNUNET_CRYPTO_ecdh_eddsa (&sk_eph, pub, key_material);
		641	}
		642
		643
		644	enum GNUNET_GenericReturnValue
		645	GNUNET_CRYPTO_eddsa_elligator_kem_decaps (const struct
		646	GNUNET_CRYPTO_EddsaPrivateKey *priv,
		647	struct
		648	GNUNET_CRYPTO_ElligatorRepresentative
		649	*r,
		650	struct GNUNET_HashCode *key_material)
		651	{
		652	struct GNUNET_CRYPTO_EcdhePublicKey pub;
		653	GNUNET_CRYPTO_ecdhe_elligator_decoding (&pub, NULL, r);
		654	return GNUNET_CRYPTO_eddsa_ecdh (priv, &pub, key_material);
		655	} \ No newline at end of file


diff --git a/src/lib/util/test_crypto_elligator.c b/src/lib/util/test_crypto_elligator.c index 463cb0a0c..c42e1de3a 100644 --- a/src/lib/util/test_crypto_elligator.c +++ b/src/lib/util/test_crypto_elligator.c
@@ -223,6 +223,34 @@ testTimeDecoding (void)
223	}	223	}
224		224
225		225
		226	static int
		227	elligatorKEM ()
		228	{
		229	struct GNUNET_CRYPTO_EddsaPrivateKey pk;
		230	struct GNUNET_CRYPTO_EddsaPublicKey pub;
		231	GNUNET_CRYPTO_eddsa_key_create (&pk);
		232	GNUNET_CRYPTO_eddsa_key_get_public (&pk,&pub);
		233
		234	struct GNUNET_CRYPTO_ElligatorRepresentative r;
		235
		236	// Sender side
		237	struct GNUNET_HashCode key_material_encaps;
		238	GNUNET_CRYPTO_eddsa_elligator_kem_encaps (&pub, &r, &key_material_encaps);
		239
		240	// Receiving side
		241	struct GNUNET_HashCode key_material_decaps;
		242	GNUNET_CRYPTO_eddsa_elligator_kem_decaps (&pk,&r,&key_material_decaps);
		243
		244	if (memcmp (&(key_material_encaps.bits),&(key_material_decaps.bits),
		245	sizeof(key_material_encaps.bits)) != 0)
		246	{
		247	return GNUNET_SYSERR;
		248	}
		249
		250	return GNUNET_OK;
		251	}
		252
		253
226	/*	254	/*
227	*More tests to implement:	255	*More tests to implement:
228	* Adding more test vectors from different sources for inverse and direct map	256	* Adding more test vectors from different sources for inverse and direct map
@@ -268,6 +296,12 @@ main (int argc, char *argv[])
268	failure_count++;	296	failure_count++;
269	}	297	}
270		298
		299	if (GNUNET_OK != elligatorKEM ())
		300	{
		301	printf ("Elligator KEM failed!");
		302	failure_count++;
		303	}
		304
271	if (0 != failure_count)	305	if (0 != failure_count)
272	{	306	{
273	fprintf (stderr,	307	fprintf (stderr,