ntru: Add encoding layer for streamlined ntru

Ahmed · Ahmed · commit dc4f868a8654 · 2024-07-08T21:27:03.000+02:00
Signed-off-by: Ahmed &lt;&gt;
diff --git a/ntru/src/encoded/encoding.rs b/ntru/src/encoded/encoding.rs
@@ -0,0 +1,104 @@
+#![allow(non_snake_case)]
+
+use crate::const_time::{u32_divmod_u14, u32_mod_u14};
+use alloc::vec;
+pub fn encode(R: &[u16], M: &[u16], out: &mut [u8]) {
+    if M.is_empty() {
+        return;
+    }
+    if M.len() == 1 {
+        let mut r = R[0];
+        let mut m = M[0];
+        let mut i = 0;
+        while m > 1 {
+            out[i] = r as u8;
+            i += 1;
+            r >>= 8;
+            m = m.wrapping_add(255) >> 8;
+        }
+        return;
+    }
+    let mut R2 = vec![0u16; (M.len() + 1) / 2];
+    let mut M2 = vec![0u16; (M.len() + 1) / 2];
+    let mut idx = 0;
+    let mut i = 0;
+    while i < M.len() - 1 {
+        let m0 = M[i] as u32;
+        let mut r = R[i] as u32 + R[i + 1] as u32 * m0;
+        let mut m = M[i + 1] as u32 * m0;
+        while m >= 16384 {
+            out[idx] = r as u8;
+            idx += 1;
+            r >>= 8;
+            m = m.wrapping_add(255) >> 8;
+        }
+        R2[i / 2] = r as u16;
+        M2[i / 2] = m as u16;
+        i += 2;
+    }
+    if i < M.len() {
+        R2[i / 2] = R[i];
+        M2[i / 2] = M[i];
+    }
+    encode(&R2, &M2, &mut out[idx..]);
+}
+
+pub fn decode(S: &[u8], M: &[u16], out: &mut [u16]) {
+    if M.is_empty() {
+        return;
+    }
+    if M.len() == 1 {
+        if M[0] == 1 {
+            out[0] = 0;
+        } else if M[0] < 256 {
+            out[0] = u32_mod_u14(S[0] as u32, M[0]);
+        } else {
+            out[0] = u32_mod_u14(S[0] as u32 + ((S[1] as u16) << 8) as u32, M[0]);
+        }
+        return;
+    }
+    let mut R2 = vec![0u16; (M.len() + 1) / 2];
+    let mut M2 = vec![0u16; (M.len() + 1) / 2];
+    let mut bottomr = vec![0u16; M.len() / 2];
+    let mut bottomt = vec![0u32; M.len() / 2];
+    let mut i = 0;
+    let mut s_idx = 0;
+    while i < M.len() - 1 {
+        let m = M[i] as u32 * M[i + 1] as u32;
+        if m > 256 * 16383 {
+            bottomt[i / 2] = 256 * 256;
+            bottomr[i / 2] = S[s_idx] as u16 + 256 * S[s_idx + 1] as u16;
+            s_idx += 2;
+            M2[i / 2] = ((((m + 255) >> 8) + 255) >> 8) as u16;
+        } else if m >= 16384 {
+            bottomt[i / 2] = 256;
+            bottomr[i / 2] = S[s_idx] as u16;
+            s_idx += 1;
+            M2[i / 2] = ((m + 255) >> 8) as u16;
+        } else {
+            bottomt[i / 2] = 1;
+            bottomr[i / 2] = 0;
+            M2[i / 2] = m as u16;
+        }
+        i += 2;
+    }
+    if i < M.len() {
+        M2[i / 2] = M[i];
+    }
+    decode(&S[s_idx..], &M2, &mut R2);
+    let mut i = 0;
+    let mut out_idx = 0;
+    while i < M.len() - 1 {
+        let mut r = bottomr[i / 2] as u32;
+        r += bottomt[i / 2] * R2[i / 2] as u32;
+        let (r1, r0) = u32_divmod_u14(r, M[i]);
+        let r1 = u32_mod_u14(r1, M[i + 1]);
+        out[out_idx] = r0;
+        out[out_idx + 1] = r1;
+        out_idx += 2;
+        i += 2;
+    }
+    if i < M.len() {
+        out[out_idx] = R2[i / 2];
+    }
+}
diff --git a/ntru/src/encoded/mod.rs b/ntru/src/encoded/mod.rs
@@ -0,0 +1,26 @@
+mod encoding;
+mod streamlined;
+
+use crate::params::NtruCommon;
+use hybrid_array::Array;
+use rand_core::CryptoRngCore;
+
+pub trait AsymEnc: NtruCommon + Sized {
+    type Inputs;
+    fn key_gen(
+        rng: &mut impl CryptoRngCore,
+    ) -> (
+        Array<u8, Self::SecretKeyBytes>,
+        Array<u8, Self::PublicKeyBytes>,
+    );
+    fn decrypt(
+        c: &Array<u8, Self::CipherTextBytes>,
+        sk: &Array<u8, Self::SecretKeyBytes>,
+    ) -> Self::Inputs;
+    fn encrypt(
+        r: &Self::Inputs,
+        pk: &Array<u8, Self::PublicKeyBytes>,
+    ) -> Array<u8, Self::CipherTextBytes>;
+    fn inputs_encode(f: &Self::Inputs, out: &mut [u8]);
+    fn inputs_random(rng: &mut impl CryptoRngCore) -> Self::Inputs;
+}
diff --git a/ntru/src/encoded/streamlined.rs b/ntru/src/encoded/streamlined.rs
@@ -0,0 +1,154 @@
+use super::{
+    encoding::{decode, encode},
+    AsymEnc,
+};
+use crate::{
+    algebra::{f3::Small, fq::Fq, r3::R3, rq::Rq},
+    core::streamlined,
+    params::{NtruCommon, Streamlined, StreamlinedNtru},
+};
+use hybrid_array::Array;
+use hybrid_array::{typenum::Unsigned, ArraySize};
+use rand_core::CryptoRngCore;
+
+#[allow(non_snake_case)]
+fn rq_encode<Params: NtruCommon>(r: &Rq<Params>, out: &mut [u8]) {
+    let mut R: Array<u16, Params::P> = Array::default();
+    let mut M: Array<u16, Params::P> = Array::default();
+    for i in 0..Params::P::USIZE {
+        R[i] = (*r.0[i] as u16).wrapping_add(Params::Q12);
+    }
+    for i in 0..Params::P::USIZE {
+        M[i] = Params::Q;
+    }
+    encode(&R, &M, out);
+}
+#[allow(non_snake_case)]
+fn rq_decode<Params: NtruCommon + StreamlinedNtru>(
+    s: &Array<u8, Params::PublicKeyBytes>,
+) -> Rq<Params> {
+    let mut R: Array<u16, Params::P> = Array::default();
+    let mut M: Array<u16, Params::P> = Array::default();
+    for i in 0..Params::P::USIZE {
+        M[i] = Params::Q;
+    }
+    decode(s, &M, &mut R);
+    let mut r = Rq::<Params>::default();
+    for i in 0..Params::P::USIZE {
+        r.0[i] = Fq::new_i16(R[i].wrapping_sub(Params::Q12) as i16);
+    }
+    r
+}
+#[allow(non_snake_case)]
+fn rounded_encode<Params: NtruCommon + StreamlinedNtru>(
+    r: &Rq<Params>,
+) -> Array<u8, Params::CipherTextBytes> {
+    let mut R: Array<u16, Params::P> = Array::default();
+    let mut M: Array<u16, Params::P> = Array::default();
+    let mut out = Array::default();
+    for i in 0..Params::P::USIZE {
+        R[i] = ((*r.0[i] as u32)
+            .wrapping_add(Params::Q12 as u32)
+            .wrapping_mul(10923)
+            >> 15) as u16;
+    }
+    for i in 0..Params::P::USIZE {
+        M[i] = (Params::Q + 2) / 3;
+    }
+    encode(&R, &M, &mut out);
+    out
+}
+#[allow(non_snake_case)]
+fn rounded_decode<Params: NtruCommon + StreamlinedNtru>(
+    s: &Array<u8, Params::CipherTextBytes>,
+) -> Rq<Params> {
+    let mut R: Array<u16, Params::P> = Array::default();
+    let mut M: Array<u16, Params::P> = Array::default();
+    for i in 0..Params::P::USIZE {
+        M[i] = (Params::Q + 2) / 3;
+    }
+    decode(s, &M, &mut R);
+    let mut r = Rq::<Params>::default();
+    for i in 0..Params::P::USIZE {
+        r.0[i] = Fq::new_i16(R[i].wrapping_mul(3).wrapping_sub(Params::Q12) as i16);
+    }
+    r
+}
+
+fn small_encode<Params: NtruCommon>(f: &R3<Params>, out: &mut [u8]) {
+    let mut i = 0;
+    let mut x;
+    for _ in 0..Params::P::USIZE / 4 {
+        x = (*f.0[i] + 1) as u8;
+        x += ((*f.0[i + 1] + 1) as u8) << 2;
+        x += ((*f.0[i + 2] + 1) as u8) << 4;
+        x += ((*f.0[i + 3] + 1) as u8) << 6;
+        out[i / 4] = x;
+        i += 4;
+    }
+    x = (*f.0[i] + 1) as u8;
+    out[i / 4] = x;
+}
+
+fn small_decode<Params: NtruCommon>(input: &[u8]) -> R3<Params> {
+    let mut r = R3::default();
+    for (i, x) in input.iter().enumerate().take(Params::P::USIZE / 4) {
+        let mut x = *x;
+        r.0[i * 4] = Small::new_i8((x & 3) as i8 - 1);
+        x >>= 2;
+        r.0[i * 4 + 1] = Small::new_i8((x & 3) as i8 - 1);
+        x >>= 2;
+        r.0[i * 4 + 2] = Small::new_i8((x & 3) as i8 - 1);
+        x >>= 2;
+        r.0[i * 4 + 3] = Small::new_i8((x & 3) as i8 - 1);
+    }
+    let x = input[Params::P::USIZE / 4];
+    r.0[Params::P::USIZE - 1] = Small::new_i8((x & 3) as i8 - 1);
+    r
+}
+
+impl<P> AsymEnc for Streamlined<P>
+where
+    P: ArraySize,
+    Streamlined<P>: NtruCommon + StreamlinedNtru + Sized,
+{
+    type Inputs = R3<Self>;
+    fn decrypt(
+        c: &Array<u8, Self::CipherTextBytes>,
+        sk: &Array<u8, Self::SecretKeyBytes>,
+    ) -> R3<Self> {
+        let f = small_decode(&sk[..Self::InputsBytes::USIZE]);
+        let v = small_decode(&sk[Self::InputsBytes::USIZE..]);
+        let c = rounded_decode(c);
+        streamlined::decrypt(&c, &f, &v)
+    }
+    fn key_gen(
+        rng: &mut impl CryptoRngCore,
+    ) -> (
+        Array<u8, Self::SecretKeyBytes>,
+        Array<u8, Self::PublicKeyBytes>,
+    ) {
+        let (h, f, v) = streamlined::key_gen::<Self>(rng);
+        let mut pk: Array<u8, Self::PublicKeyBytes> = Array::default();
+        let mut sk: Array<u8, Self::SecretKeyBytes> = Array::default();
+        rq_encode(&h, &mut pk);
+        small_encode(&f, &mut sk[..Self::InputsBytes::USIZE]);
+        small_encode(&v, &mut sk[Self::InputsBytes::USIZE..]);
+        (sk, pk)
+    }
+    fn encrypt(
+        r: &R3<Self>,
+        pk: &Array<u8, Self::PublicKeyBytes>,
+    ) -> Array<u8, Self::CipherTextBytes> {
+        let h = rq_decode(pk);
+        let c = streamlined::encrypt(r, &h);
+        rounded_encode(&c)
+    }
+    fn inputs_encode(f: &R3<Self>, out: &mut [u8]) {
+        small_encode(f, out);
+    }
+
+    fn inputs_random(rng: &mut impl CryptoRngCore) -> R3<Self> {
+        R3::short_random(rng)
+    }
+}
diff --git a/ntru/src/lib.rs b/ntru/src/lib.rs
@@ -16,12 +16,13 @@
     clippy::many_single_char_names,
     clippy::similar_names,
 )]
+extern crate alloc;
 
 mod algebra;
 pub mod const_time;
-pub mod core;
+mod core;
+pub mod encoded;
 pub mod params;
-
 use hybrid_array::sizes::{U1013, U1277, U653, U761, U857, U953};
 use params::{Lpr, Streamlined};
 
