|
| 1 | +//! Checking that our NTRU-Prime is generating same output when compared to nist submission |
| 2 | +
|
| 3 | +use std::{ |
| 4 | + fs::File, |
| 5 | + io::{BufRead, BufReader}, |
| 6 | +}; |
| 7 | + |
| 8 | +use aes::{ |
| 9 | + cipher::{generic_array::GenericArray, BlockEncrypt, KeyInit}, |
| 10 | + Aes256, |
| 11 | +}; |
| 12 | +use hybrid_array::sizes::{U1013, U1277, U16, U32, U653, U761, U857, U953}; |
| 13 | +use itertools::{izip, Itertools}; |
| 14 | +use ntru::{ |
| 15 | + encoded::AsymEnc, |
| 16 | + hashes::HashOps, |
| 17 | + kem::{decap, encap, key_gen}, |
| 18 | + params::{NtruCommonUtils, Streamlined}, |
| 19 | +}; |
| 20 | +use rand_core::{CryptoRng, RngCore, SeedableRng}; |
| 21 | + |
| 22 | +fn aes256_ecb( |
| 23 | + key: &GenericArray<u8, U32>, |
| 24 | + crt: &GenericArray<u8, U16>, |
| 25 | + buffer: &mut GenericArray<u8, U16>, |
| 26 | +) { |
| 27 | + let cipher = Aes256::new(key); |
| 28 | + cipher.encrypt_block_b2b(crt, buffer); |
| 29 | +} |
| 30 | +struct AesDrbg { |
| 31 | + key: GenericArray<u8, U32>, |
| 32 | + v: GenericArray<u8, U16>, |
| 33 | +} |
| 34 | +impl AesDrbg { |
| 35 | + fn update(&mut self, seed_material: Option<&[u8; 48]>) { |
| 36 | + let mut tmp: [GenericArray<u8, U16>; 3] = Default::default(); |
| 37 | + for i in 0..3 { |
| 38 | + for j in (1..=15).rev() { |
| 39 | + if self.v[j] == 0xff { |
| 40 | + self.v[j] = 0x00; |
| 41 | + } else { |
| 42 | + self.v[j] += 1; |
| 43 | + break; |
| 44 | + } |
| 45 | + } |
| 46 | + aes256_ecb(&self.key, &self.v, &mut tmp[i]); |
| 47 | + } |
| 48 | + if let Some(seed) = seed_material { |
| 49 | + for i in 0..48 { |
| 50 | + tmp[i / 16][i % 16] ^= seed[i]; |
| 51 | + } |
| 52 | + } |
| 53 | + self.key[..16].copy_from_slice(&tmp[0]); |
| 54 | + self.key[16..].copy_from_slice(&tmp[1]); |
| 55 | + self.v.copy_from_slice(&tmp[2]); |
| 56 | + } |
| 57 | +} |
| 58 | +impl CryptoRng for AesDrbg {} |
| 59 | + |
| 60 | +struct U8L48([u8; 48]); |
| 61 | + |
| 62 | +impl Default for U8L48 { |
| 63 | + fn default() -> Self { |
| 64 | + U8L48([0; 48]) |
| 65 | + } |
| 66 | +} |
| 67 | + |
| 68 | +impl AsMut<[u8]> for U8L48 { |
| 69 | + fn as_mut(&mut self) -> &mut [u8] { |
| 70 | + &mut self.0 |
| 71 | + } |
| 72 | +} |
| 73 | +impl AsRef<[u8]> for U8L48 { |
| 74 | + fn as_ref(&self) -> &[u8] { |
| 75 | + &self.0 |
| 76 | + } |
| 77 | +} |
| 78 | + |
| 79 | +impl SeedableRng for AesDrbg { |
| 80 | + type Seed = U8L48; |
| 81 | + |
| 82 | + fn from_seed(seed: Self::Seed) -> Self { |
| 83 | + let entropy_input = seed.0; |
| 84 | + let mut drbg = AesDrbg { |
| 85 | + key: GenericArray::default(), |
| 86 | + v: GenericArray::default(), |
| 87 | + }; |
| 88 | + drbg.update(Some(&entropy_input)); |
| 89 | + drbg |
| 90 | + } |
| 91 | +} |
| 92 | + |
| 93 | +impl RngCore for AesDrbg { |
| 94 | + fn next_u32(&mut self) -> u32 { |
| 95 | + let mut bytes = [0u8; 4]; |
| 96 | + self.fill_bytes(&mut bytes); |
| 97 | + u32::from_le_bytes(bytes) |
| 98 | + } |
| 99 | + |
| 100 | + fn next_u64(&mut self) -> u64 { |
| 101 | + unimplemented!() |
| 102 | + } |
| 103 | + |
| 104 | + fn fill_bytes(&mut self, dest: &mut [u8]) { |
| 105 | + let mut block = GenericArray::<u8, U16>::default(); |
| 106 | + let mut i = 0; |
| 107 | + let mut xlen = dest.len(); |
| 108 | + while xlen > 0 { |
| 109 | + for j in (1..=15).rev() { |
| 110 | + if self.v[j] == 0xff { |
| 111 | + self.v[j] = 0x00; |
| 112 | + } else { |
| 113 | + self.v[j] += 1; |
| 114 | + break; |
| 115 | + } |
| 116 | + } |
| 117 | + aes256_ecb(&self.key, &self.v, &mut block); |
| 118 | + if xlen > 15 { |
| 119 | + dest[i..i + 16].copy_from_slice(&block); |
| 120 | + i += 16; |
| 121 | + xlen -= 16; |
| 122 | + } else { |
| 123 | + dest[i..i + xlen].copy_from_slice(&block[..xlen]); |
| 124 | + xlen = 0; |
| 125 | + } |
| 126 | + } |
| 127 | + self.update(None) |
| 128 | + } |
| 129 | + fn try_fill_bytes(&mut self, dest: &mut [u8]) -> Result<(), rand_core::Error> { |
| 130 | + self.fill_bytes(dest); |
| 131 | + Ok(()) |
| 132 | + } |
| 133 | +} |
| 134 | + |
| 135 | +fn seed_builder(max: usize) -> Vec<U8L48> { |
| 136 | + let mut seeds = Vec::with_capacity(100); |
| 137 | + let mut entropy = [0u8; 48]; |
| 138 | + for i in 0u8..48 { |
| 139 | + entropy[i as usize] = i; |
| 140 | + } |
| 141 | + let mut rng = AesDrbg::from_seed(U8L48(entropy)); |
| 142 | + for _ in 0..max { |
| 143 | + let mut s = U8L48::default(); |
| 144 | + rng.fill_bytes(&mut s.0); |
| 145 | + seeds.push(s) |
| 146 | + } |
| 147 | + seeds |
| 148 | +} |
| 149 | + |
| 150 | +struct TestEntry { |
| 151 | + seed: Vec<u8>, |
| 152 | + pk: Vec<u8>, |
| 153 | + sk: Vec<u8>, |
| 154 | + ct: Vec<u8>, |
| 155 | + ss: Vec<u8>, |
| 156 | +} |
| 157 | + |
| 158 | +impl TestEntry { |
| 159 | + fn from_file(path: &str) -> Vec<TestEntry> { |
| 160 | + let file = File::open(path).unwrap(); |
| 161 | + let mut ret = Vec::with_capacity(100); |
| 162 | + for mut lines in &BufReader::new(file) |
| 163 | + .lines() |
| 164 | + .flatten() |
| 165 | + .filter(|x| !(x.is_empty() || x.starts_with('#'))) |
| 166 | + .chunks(6) |
| 167 | + { |
| 168 | + lines.next(); // we ignore the count line |
| 169 | + let seed = hex::decode(lines.next().unwrap().split(" ").last().unwrap()).unwrap(); |
| 170 | + let pk = hex::decode(lines.next().unwrap().split(" ").last().unwrap()).unwrap(); |
| 171 | + let sk = hex::decode(lines.next().unwrap().split(" ").last().unwrap()).unwrap(); |
| 172 | + let ct = hex::decode(lines.next().unwrap().split(" ").last().unwrap()).unwrap(); |
| 173 | + let ss = hex::decode(lines.next().unwrap().split(" ").last().unwrap()).unwrap(); |
| 174 | + ret.push(TestEntry { |
| 175 | + seed, |
| 176 | + pk, |
| 177 | + sk, |
| 178 | + ct, |
| 179 | + ss, |
| 180 | + }); |
| 181 | + } |
| 182 | + assert_eq!(ret.len(), 100); |
| 183 | + ret |
| 184 | + } |
| 185 | +} |
| 186 | + |
| 187 | +#[test] |
| 188 | +fn test_rng() { |
| 189 | + let seeds = seed_builder(100); |
| 190 | + let tests = TestEntry::from_file("test_data/ntrulpr653.rsp"); |
| 191 | + for i in 0..100 { |
| 192 | + assert_eq!(seeds[i].as_ref(), &tests[i].seed) |
| 193 | + } |
| 194 | +} |
| 195 | + |
| 196 | +fn test_config<T: NtruCommonUtils + AsymEnc + HashOps>(config: &str) { |
| 197 | + let seeds = seed_builder(100); |
| 198 | + let path = format!("test_data/{config}.rsp"); |
| 199 | + let tests = TestEntry::from_file(&path); |
| 200 | + for (seed, test) in izip!(seeds, tests) { |
| 201 | + let mut rng = AesDrbg::from_seed(seed); |
| 202 | + let (sk, pk) = key_gen::<T>(&mut rng); |
| 203 | + assert_eq!(&pk.0 as &[u8], &test.pk); |
| 204 | + assert_eq!(sk.to_bytes(), test.sk); |
| 205 | + let (ct, ss) = encap(&mut rng, &pk); |
| 206 | + assert_eq!(ct.to_bytes(), test.ct); |
| 207 | + assert_eq!(&ss as &[u8], &test.ss); |
| 208 | + //let ss2: [u8; 32] = decap(&ct, &sk); |
| 209 | + //assert_eq!(&ss2 as &[u8], &test.ss); |
| 210 | + } |
| 211 | +} |
| 212 | + |
| 213 | +#[test] |
| 214 | +fn test_sntrup1013() { |
| 215 | + test_config::<Streamlined<U1013>>("sntrup1013"); |
| 216 | +} |
| 217 | +#[test] |
| 218 | +fn test_sntrup1277() { |
| 219 | + test_config::<Streamlined<U1277>>("sntrup1277"); |
| 220 | +} |
| 221 | +#[test] |
| 222 | +fn test_sntrup653() { |
| 223 | + test_config::<Streamlined<U653>>("sntrup653"); |
| 224 | +} |
| 225 | +#[test] |
| 226 | +fn test_sntrup761() { |
| 227 | + test_config::<Streamlined<U761>>("sntrup761"); |
| 228 | +} |
| 229 | +#[test] |
| 230 | +fn test_sntrup857() { |
| 231 | + test_config::<Streamlined<U857>>("sntrup857"); |
| 232 | +} |
| 233 | +#[test] |
| 234 | +fn test_sntrup953() { |
| 235 | + test_config::<Streamlined<U953>>("sntrup953"); |
| 236 | +} |
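Review bot: The decapsulation check in `test_config` (gutter lines 208–209) is commented out, so these KATs never verify that `decap(&ct, &sk)` reproduces the `ss` field of the `.rsp` file — a broken decap or implicit-rejection path would still pass, and the now-unused `decap` import will warn; restore it as `let ss2 = decap(&ct, &sk); assert_eq!(&ss2 as &[u8], &test.ss);` once its return type is settled. `RngCore::next_u64` on `AesDrbg` is `unimplemented!()`, which panics for any consumer that draws a `u64`; it can mirror `next_u32`: `let mut b = [0u8; 8]; self.fill_bytes(&mut b); u64::from_le_bytes(b)`. The counter increment in both `update` and `fill_bytes` walks `(1..=15).rev()` and so never touches `v[0]`, whereas, if I recall the NIST `randombytes.c` correctly, its loop runs `j = 15` down to `0`; it cannot matter within these 100-vector runs, but `(0..=15).rev()` would match the reference exactly. `seed_builder` also sizes its `Vec` with a hard-coded `100` rather than `max`.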