
Changed the return value of all De-encapsulation routines.

https://github.com/pq-crystals/kyber/commit/bfa9a78bbe177cd937f7fe8214a0a15c2a04c15a
Yawning Angel 1 year ago
parent
commit
a270899bd2
6 changed files with 41 additions and 73 deletions
  1. 5 20
      doc_test.go
  2. 5 6
      kem.go
  3. 4 10
      kem_test.go
  4. 2 4
      kem_vectors_test.go
  5. 21 25
      kex.go
  6. 4 8
      kex_test.go

+ 5 - 20
doc_test.go

@@ -38,10 +38,7 @@ func Example_keyEncapsulationMechanism() {
 	// Bob, step 3: Send the cipher text to Alice (Not shown).
 
 	// Alice, step 3: Decrypt the KEM cipher text.
-	aliceSharedSecret, fail := alicePrivateKey.KEMDecrypt(cipherText)
-	if fail != 0 {
-		panic("Alice: KEMDecrypt failed")
-	}
+	aliceSharedSecret := alicePrivateKey.KEMDecrypt(cipherText)
 
 	// Alice and Bob have identical values for the shared secrets.
 	if bytes.Equal(aliceSharedSecret, bobSharedSecret) {
@@ -71,18 +68,12 @@ func Example_keyExchangeUnilateralAuth() {
 	// Bob, step 2: Send the key exchange message to Alice (Not shown).
 
 	// Alice, step 1: Generates a responder message and shared secret.
-	aliceMessage, aliceSharedSecret, fail := aliceStaticPrivateKey.UAKEResponderShared(rand.Reader, bobState.Message)
-	if fail != 0 {
-		panic("Alice: privKey.UAKEResponderShared failed")
-	}
+	aliceMessage, aliceSharedSecret := aliceStaticPrivateKey.UAKEResponderShared(rand.Reader, bobState.Message)
 
 	// Alice, step 2: Send the responder message to Bob (Not shown).
 
 	// Bob, step 3: Generate the shared secret.
-	bobSharedSecret, fail := bobState.Shared(aliceMessage)
-	if fail != 0 {
-		panic("Bob: UAKEInitiatorState.Shared failed")
-	}
+	bobSharedSecret := bobState.Shared(aliceMessage)
 
 	// Alice and Bob have identical values for the shared secrets, and Bob is
 	// certain that the peer posesses aliceStaticPrivateKey.
@@ -118,18 +109,12 @@ func Example_keyExchangeMutualAuth() {
 	// Bob, step 2: Send the key exchange message to Alice (Not shown).
 
 	// Alice, step 1: Generates a responder message and shared secret.
-	aliceMessage, aliceSharedSecret, fail := aliceStaticPrivateKey.AKEResponderShared(rand.Reader, bobState.Message, bobStaticPublicKey)
-	if fail != 0 {
-		panic("Alice: privKey.AKEResponderShared failed")
-	}
+	aliceMessage, aliceSharedSecret := aliceStaticPrivateKey.AKEResponderShared(rand.Reader, bobState.Message, bobStaticPublicKey)
 
 	// Alice, step 2: Send the responder message to Bob (Not shown).
 
 	// Bob, step 3: Generate the shared secret.
-	bobSharedSecret, fail := bobState.Shared(aliceMessage, bobStaticPrivateKey)
-	if fail != 0 {
-		panic("Bob: AKEInitiatorState.Shared failed")
-	}
+	bobSharedSecret := bobState.Shared(aliceMessage, bobStaticPrivateKey)
 
 	// Alice and Bob have identical values for the shared secrets, and each
 	// party is certain that the peer posesses the appropriate long-term

+ 5 - 6
kem.go

@@ -155,10 +155,10 @@ func (pk *PublicKey) KEMEncrypt(rng io.Reader) (cipherText []byte, sharedSecret
 // KEMDecrypt generates shared secret for given cipher text via the CCA-secure
 // Kyber key encapsulation mechanism.
 //
-// On success fail will be 0, otherwise fail will be set to -1 and
-// sharedSecret will contain a randomized value.  Providing a cipher text
-// that is obviously malformed (too large/small) will result in a panic.
-func (sk *PrivateKey) KEMDecrypt(cipherText []byte) (sharedSecret []byte, fail int) {
+// On failures, sharedSecret will contain a randomized value.  Providing a
+// cipher text that is obviously malformed (too large/small) will result in a
+// panic.
+func (sk *PrivateKey) KEMDecrypt(cipherText []byte) (sharedSecret []byte) {
 	var buf [2 * SymSize]byte
 
 	p := sk.PublicKey.p
@@ -176,9 +176,8 @@ func (sk *PrivateKey) KEMDecrypt(cipherText []byte) (sharedSecret []byte, fail i
 	hc := sha3.Sum256(cipherText)
 	copy(kr[SymSize:], hc[:]) // overwrite coins in kr with H(c)
 
-	fail = subtle.ConstantTimeSelect(subtle.ConstantTimeCompare(cipherText, cmp), 0, 1)
+	fail := subtle.ConstantTimeSelect(subtle.ConstantTimeCompare(cipherText, cmp), 0, 1)
 	subtle.ConstantTimeCopy(fail, kr[SymSize:], sk.z) // Overwrite pre-k with z on re-encryption failure
-	fail = -fail
 
 	h := sha3.New256()
 	h.Write(kr[:])
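Review bot: The constant-time copy right after the new `fail :=` line writes `sk.z` into `kr[SymSize:]`, which the comment two lines above (`copy(kr[SymSize:], hc[:]) // overwrite coins in kr with H(c)`) identifies as the H(c) slot, while the copy's own comment says it overwrites pre-k; both cannot be right. If kr is laid out as (pre-k || coins) as the first comment implies, the rejection path replaces H(c) rather than pre-k, which as I read it differs from the reference implementation linked in the description, where z replaces the first SymSize bytes of kr; the intended line would then be `subtle.ConstantTimeCopy(fail, kr[:SymSize], sk.z)`, but kr's declaration and the rest of KEMDecrypt are outside the hunk, so confirm the layout before changing it. Separately, the new doc comment's "randomized value" is easy to misread as fresh randomness: nothing visible in the hunk draws from an rng on rejection, so wording it as `a pseudorandom value derived from the private rejection key z rather than fresh randomness` would state the contract more precisely.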

+ 4 - 10
kem_test.go

@@ -86,8 +86,7 @@ func doTestKEMKeys(t *testing.T, p *ParameterSet) {
 		require.Len(ct, p.CipherTextSize(), "KEMEncrypt(): ct Length")
 		require.Len(ss, SymSize, "KEMEncrypt(): ss Length")
 
-		ss2, fail := sk.KEMDecrypt(ct)
-		require.Equal(0, fail, "KEMDecrypt(): fail")
+		ss2 := sk.KEMDecrypt(ct)
 		require.Equal(ss, ss2, "KEMDecrypt(): ss")
 	}
 }
@@ -109,8 +108,7 @@ func doTestKEMInvalidSkA(t *testing.T, p *ParameterSet) {
 		require.NoError(err, "rand.Read()")
 
 		// Alice uses Bob's response to get her secret key.
-		keyA, fail := skA.KEMDecrypt(sendB)
-		require.Equal(-1, fail, "KEMDecrypt(): fail")
+		keyA := skA.KEMDecrypt(sendB)
 		require.NotEqual(keyA, keyB, "KEMDecrypt(): ss")
 	}
 }
@@ -138,8 +136,7 @@ func doTestKEMInvalidCipherText(t *testing.T, p *ParameterSet) {
 		sendB[pos%ciphertextSize] ^= 23
 
 		// Alice uses Bob's response to get her secret key.
-		keyA, fail := skA.KEMDecrypt(sendB)
-		require.Equal(-1, fail, "KEMDecrypt(): fail")
+		keyA := skA.KEMDecrypt(sendB)
 		require.NotEqual(keyA, keyB, "KEMDecrypt(): ss")
 	}
 }
@@ -207,14 +204,11 @@ func doBenchKEMEncDec(b *testing.B, p *ParameterSet, isEnc bool) {
 			b.StartTimer()
 		}
 
-		keyA, fail := skA.KEMDecrypt(sendB)
+		keyA := skA.KEMDecrypt(sendB)
 		if !isEnc {
 			b.StopTimer()
 		}
 
-		if fail != 0 {
-			b.Fatalf("KEMDecrypt(): fail %v", fail)
-		}
 		if !bytes.Equal(keyA, keyB) {
 			b.Fatalf("KEMDecrypt(): key mismatch")
 		}
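Review bot: With `fail` gone, the invalid-key and invalid-ciphertext tests (the doTestKEMInvalidSkA and doTestKEMInvalidCipherText hunks) keep only `require.NotEqual(keyA, keyB, ...)`, which no longer distinguishes a rejected ciphertext from any other mismatch and says nothing about the shape of the rejected value. The kem.go hunk derives the rejection output from `sk.z` and a hash with no rng in sight, so if that output is meant to be a deterministic function of the key and ciphertext, these tests could pin it with `require.Len(keyA, SymSize, "KEMDecrypt(): ss Length")` and `require.Equal(keyA, skA.KEMDecrypt(sendB), "KEMDecrypt(): rejection not deterministic")`. That keeps the implicit-rejection path under test now that the API no longer exposes it. Both enclosing functions start before their hunks.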

+ 2 - 4
kem_vectors_test.go

@@ -81,8 +81,7 @@ func doTestKEMVectorsFull(require *require.Assertions, p *ParameterSet, vecs []*
 		require.Equal(vec.sendB, sendB, "sendB: %v", idx)
 		require.Equal(vec.keyB, keyB, "keyB: %v", idx)
 
-		keyA, fail := sk.KEMDecrypt(sendB)
-		require.Equal(0, fail, "fail: %v", idx)
+		keyA := sk.KEMDecrypt(sendB)
 		require.Equal(vec.keyA, keyA, "keyA: %v", idx)
 	}
 }
@@ -105,8 +104,7 @@ func doTestKEMVectorsCompact(require *require.Assertions, p *ParameterSet) {
 		h.Write([]byte(hex.EncodeToString(sendB) + "\n"))
 		h.Write([]byte(hex.EncodeToString(keyB) + "\n"))
 
-		keyA, fail := sk.KEMDecrypt(sendB)
-		require.Equal(0, fail, "fail: %v", idx)
+		keyA := sk.KEMDecrypt(sendB)
 		h.Write([]byte(hex.EncodeToString(keyA) + "\n"))
 	}
 

+ 21 - 25
kex.go

@@ -49,14 +49,14 @@ type UAKEInitiatorState struct {
 // Shared generates a shared secret for the given UAKE instance and responder
 // message.
 //
-// On success fail will be 0, otherwise fail will be set to -1 and
-// sharedSecret will contain a randomized value.  Providing a malformed
-// responder message will result in a panic.
-func (s *UAKEInitiatorState) Shared(recv []byte) (sharedSecret []byte, fail int) {
+// On failures, sharedSecret will contain a randomized value.  Providing a
+// cipher text that is obviously malformed (too large/small) will result in a
+// panic.
+func (s *UAKEInitiatorState) Shared(recv []byte) (sharedSecret []byte) {
 	xof := sha3.NewShake256()
 	var tk []byte
 
-	tk, fail = s.eSk.KEMDecrypt(recv)
+	tk = s.eSk.KEMDecrypt(recv)
 	xof.Write(tk)
 	xof.Write(s.tk)
 	sharedSecret = make([]byte, SymSize)
@@ -91,10 +91,10 @@ func (pk *PublicKey) NewUAKEInitiatorState(rng io.Reader) (*UAKEInitiatorState,
 // UAKEResponderShared generates a responder message and shared secret given
 // a initiator UAKE message.
 //
-// On success fail will be 0, otherwise fail will be set to -1 and
-// sharedSecret will contain a randomized value.  Providing a malformed
-// initator message will result in a panic.
-func (sk *PrivateKey) UAKEResponderShared(rng io.Reader, recv []byte) (message, sharedSecret []byte, fail int) {
+// On failures, sharedSecret will contain a randomized value.  Providing a
+// cipher text that is obviously malformed (too large/small) will result in a
+// panic.
+func (sk *PrivateKey) UAKEResponderShared(rng io.Reader, recv []byte) (message, sharedSecret []byte) {
 	p := sk.PublicKey.p
 	pkLen := p.PublicKeySize()
 
@@ -117,7 +117,7 @@ func (sk *PrivateKey) UAKEResponderShared(rng io.Reader, recv []byte) (message,
 	}
 	xof.Write(tk)
 
-	tk, fail = sk.KEMDecrypt(ct)
+	tk = sk.KEMDecrypt(ct)
 	xof.Write(tk)
 	sharedSecret = make([]byte, SymSize)
 	xof.Read(sharedSecret)
@@ -150,11 +150,10 @@ type AKEInitiatorState struct {
 // Shared generates a shared secret for the given AKE instance, responder
 // message, and long term initiator private key.
 //
-// On success fail will be 0, otherwise fail will be set to -1 and
-// sharedSecret will contain a randomized value.   Providing a malformed
-// responder message, or a private key that uses a different ParamterSet
-// than the AKEInitiatorState will result in a panic.
-func (s *AKEInitiatorState) Shared(recv []byte, initiatorPrivateKey *PrivateKey) (sharedSecret []byte, fail int) {
+// On failures sharedSecret will contain a randomized value.   Providing a
+// malformed responder message, or a private key that uses a different
+// ParamterSet than the AKEInitiatorState will result in a panic.
+func (s *AKEInitiatorState) Shared(recv []byte, initiatorPrivateKey *PrivateKey) (sharedSecret []byte) {
 	p := s.eSk.PublicKey.p
 
 	if initiatorPrivateKey.PublicKey.p != p {
@@ -168,13 +167,11 @@ func (s *AKEInitiatorState) Shared(recv []byte, initiatorPrivateKey *PrivateKey)
 	xof := sha3.NewShake256()
 	var tk []byte
 
-	tk, fail = s.eSk.KEMDecrypt(recv[:ctLen])
+	tk = s.eSk.KEMDecrypt(recv[:ctLen])
 	xof.Write(tk)
 
-	var fail2 int
-	tk, fail2 = initiatorPrivateKey.KEMDecrypt(recv[ctLen:])
+	tk = initiatorPrivateKey.KEMDecrypt(recv[ctLen:])
 	xof.Write(tk)
-	fail |= fail2
 
 	xof.Write(s.tk)
 	sharedSecret = make([]byte, SymSize)
@@ -203,11 +200,10 @@ func (pk *PublicKey) NewAKEInitiatorState(rng io.Reader) (*AKEInitiatorState, er
 // AKEResponderShared generates a responder message and shared secret given
 // a initiator AKE message and long term initiator public key.
 //
-// On success fail will be 0, otherwise fail will be set to -1 and
-// sharedSecret will contain a randomized value.  Providing a malformed
-// initiator message, or a public key that uses a different ParamterSet
-// than the PrivateKey will result in a panic.
-func (sk *PrivateKey) AKEResponderShared(rng io.Reader, recv []byte, peerPublicKey *PublicKey) (message, sharedSecret []byte, fail int) {
+// On failures sharedSecret will contain a randomized value.   Providing a
+// malformed responder message, or a private key that uses a different
+// ParamterSet than the AKEInitiatorState will result in a panic.
+func (sk *PrivateKey) AKEResponderShared(rng io.Reader, recv []byte, peerPublicKey *PublicKey) (message, sharedSecret []byte) {
 	p := sk.PublicKey.p
 	pkLen := p.PublicKeySize()
 
@@ -244,7 +240,7 @@ func (sk *PrivateKey) AKEResponderShared(rng io.Reader, recv []byte, peerPublicK
 	xof.Write(tk)
 	message = append(message, tmp...)
 
-	tk, fail = sk.KEMDecrypt(ct)
+	tk = sk.KEMDecrypt(ct)
 	xof.Write(tk)
 	sharedSecret = make([]byte, SymSize)
 	xof.Read(sharedSecret)
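Review bot: The replacement doc comments on UAKEInitiatorState.Shared (first hunk), UAKEResponderShared (second hunk) and AKEResponderShared (fifth hunk) were copied from a different method and now describe inputs those methods do not take. Shared and UAKEResponderShared receive a responder/initiator message in `recv`, not a "cipher text", and AKEResponderShared takes an initiator message plus `peerPublicKey *PublicKey`, yet its new comment speaks of a responder message, a private key and an AKEInitiatorState — the removed text had this right. For AKEResponderShared I would restore `// On failures sharedSecret will contain a randomized value.  Providing a malformed initiator message, or a public key that uses a different ParameterSet than the PrivateKey will result in a panic.`, and reword the two UAKE comments to say "malformed responder message" and "malformed initiator message" respectively, as before. The spelling `ParamterSet` (for ParameterSet) is carried over in both AKE comments and could be fixed in the same pass.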

+ 4 - 8
kex_test.go

@@ -51,14 +51,12 @@ func doTestUAKE(t *testing.T, p *ParameterSet) {
 		require.Len(stateA.Message, p.UAKEInitiatorMessageSize(), "stateA.Message: Length")
 
 		// Create the responder message and shared secret.
-		msgB, ssB, fail := skB.UAKEResponderShared(rand.Reader, stateA.Message)
-		require.Equal(0, fail, "UAKEResponderShared(): fail")
+		msgB, ssB := skB.UAKEResponderShared(rand.Reader, stateA.Message)
 		require.Len(msgB, p.UAKEResponderMessageSize(), "UAKEResponderShared(): msgB Length")
 		require.Len(ssB, SymSize, "UAKEResponderShared(): ssB Length")
 
 		// Create the initiator shared secret.
-		ssA, fail := stateA.Shared(msgB)
-		require.Equal(0, fail, "stateA.Shared(): fail")
+		ssA := stateA.Shared(msgB)
 		require.Equal(ssA, ssB, "Shared secret mismatch")
 	}
 }
@@ -83,14 +81,12 @@ func doTestAKE(t *testing.T, p *ParameterSet) {
 		require.Len(stateA.Message, p.AKEInitiatorMessageSize(), "stateA.Message: Length")
 
 		// Create the responder message and shared secret.
-		msgB, ssB, fail := skB.AKEResponderShared(rand.Reader, stateA.Message, pkA)
-		require.Equal(0, fail, "AKEResponderShared(): fail")
+		msgB, ssB := skB.AKEResponderShared(rand.Reader, stateA.Message, pkA)
 		require.Len(msgB, p.AKEResponderMessageSize(), "AKEResponderShared(): msgB Length")
 		require.Len(ssB, SymSize, "AKEResponderShared(): ssB Length")
 
 		// Create the initiator shared secret.
-		ssA, fail := stateA.Shared(msgB, skA)
-		require.Equal(0, fail, "stateA.Shared(): fail")
+		ssA := stateA.Shared(msgB, skA)
 		require.Equal(ssA, ssB, "Shared secret mismatch")
 	}
 }