1 // Copyright 2020 Google LLC 2 // 3 // Licensed under the Apache License, Version 2.0 (the "License"); 4 // you may not use this file except in compliance with the License. 5 // You may obtain a copy of the License at 6 // 7 // http://www.apache.org/licenses/LICENSE-2.0 8 // 9 // Unless required by applicable law or agreed to in writing, software 10 // distributed under the License is distributed on an "AS IS" BASIS, 11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 // See the License for the specific language governing permissions and 13 // limitations under the License. 14 // 15 /////////////////////////////////////////////////////////////////////////////// 16 17 #ifndef TINK_EXPERIMENTAL_PQCRYPTO_KEM_SUBTLE_CECPQ2_HKDF_RECIPIENT_KEM_BORINGSSL_H_ 18 #define TINK_EXPERIMENTAL_PQCRYPTO_KEM_SUBTLE_CECPQ2_HKDF_RECIPIENT_KEM_BORINGSSL_H_ 19 20 #include <memory> 21 #include <utility> 22 23 #include "absl/strings/string_view.h" 24 #include "openssl/curve25519.h" 25 #include "openssl/ec.h" 26 #include "openssl/hrss.h" 27 #include "tink/internal/fips_utils.h" 28 #include "tink/subtle/common_enums.h" 29 #include "tink/util/secret_data.h" 30 #include "tink/util/statusor.h" 31 32 namespace crypto { 33 namespace tink { 34 namespace subtle { 35 36 // This class implements the CECPQ2 hybrid KEM from the recipient's perspective, 37 // using Boring SSL for the underlying cryptographic operations. 38 // This class is made generic enough so that extending the ECC algorithm to 39 // support other curves is trivial. As of now, the only supported curve is 40 // Curve25519. 41 // 42 // CECPQ2 combines both X25519 KEM and NTRU-HRSS KEM into a single hybrid KEM. 43 // The NTRU-HRSS is a structured lattice-based key encapsulation mechanism. It 44 // was originally proposed in [1] and submitted to the NIST Post-Quantum 45 // Cryptography standardization process [2]. 46 // 47 // During the course of the NIST PQC standardization process, the NTRU-HRSS 48 // proposal merged with another proposal (NTRUEncrypt). The resulting scheme, 49 // simply called NTRU [3], is a 3rd round finalist of the NIST PQC 50 // standardization process. 51 // 52 // The implementation available in BoringSSL is based on [1] but it 53 // uses a different KEM construction based on [4]. Similar path has been taken 54 // by the NTRU team in the NIST competition which later adopted [4] as their 55 // QROM security proof approach. Note that the BoringSSL implementation is *not* 56 // compatible with the 3rd Round finalist NTRU running in the NIST Post-Quantum 57 // Cryptography standardization process [5]. 58 // 59 // References: 60 // [1]: https://eprint.iacr.org/2017/667.pdf 61 // [2]: https://csrc.nist.gov/Projects/post-quantum-cryptography/ 62 // [3]: https://ntru.org/ 63 // [4]: https://eprint.iacr.org/2017/1005.pdf 64 // [5]: https://ntru.org/release/NIST-PQ-Submission-NTRU-20201016.tar.gz 65 class Cecpq2HkdfRecipientKemBoringSsl { 66 public: 67 // Constructs a recipient KEM for the specified curve, recipient's ECC 68 // private key, which must be a big-endian byte array, and recipient's HRSS 69 // private key. This method is made generic enough so that extending the ECC 70 // algorithm to support other curves is trivial. 71 static crypto::tink::util::StatusOr< 72 std::unique_ptr<Cecpq2HkdfRecipientKemBoringSsl>> 73 New(EllipticCurveType curve, util::SecretData ec_private_key, 74 util::SecretData hrss_private_key_seed); 75 76 virtual ~Cecpq2HkdfRecipientKemBoringSsl() = default; 77 78 // Computes the shared secret from the ECC private key and peer's ECC encoded 79 // public key, and the shared secret from the HRSS private key, then uses a 80 // hkdf to derive the symmetric key from the two shared secrets, hkdf info and 81 // hkdf salt. This method is made generic enough so that extending the ECC 82 // algorithm to support other curves is trivial. 83 virtual crypto::tink::util::StatusOr<util::SecretData> GenerateKey( 84 absl::string_view kem_bytes, HashType hash, absl::string_view hkdf_salt, 85 absl::string_view hkdf_info, uint32_t key_size_in_bytes, 86 EcPointFormat point_format) const = 0; 87 }; 88 89 // Implementation of Cecpq2HkdfRecipientKemBoringSsl for Curve25519. 90 class Cecpq2HkdfX25519RecipientKemBoringSsl 91 : public Cecpq2HkdfRecipientKemBoringSsl { 92 public: 93 static constexpr crypto::tink::internal::FipsCompatibility kFipsStatus = 94 crypto::tink::internal::FipsCompatibility::kNotFips; 95 96 // Constructs a recipient CECPQ2 KEM for recipient's X25519 private key, 97 // which must be a big-endian byte array, and recipient's HRSS private key. 98 static crypto::tink::util::StatusOr< 99 std::unique_ptr<Cecpq2HkdfRecipientKemBoringSsl>> 100 New(EllipticCurveType curve, util::SecretData ec_private_key, 101 util::SecretData hrss_private_key_seed); 102 103 // Computes the shared secret from X25519 private key and peer's X25519 104 // encoded public key, and the shared secret from the HRSS private key, then 105 // uses a hkdf to derive the symmetric key from the two shared secrets, hkdf 106 // info and hkdf salt. 107 crypto::tink::util::StatusOr<util::SecretData> GenerateKey( 108 absl::string_view kem_bytes, HashType hash, absl::string_view hkdf_salt, 109 absl::string_view hkdf_info, uint32_t key_size_in_bytes, 110 EcPointFormat point_format) const override; 111 112 private: 113 // The private constructor only takes the X25519 and HRSS private keys and 114 // assign them to the class private members. Cecpq2HkdfX25519RecipientKemBoringSsl(util::SecretData ec_private_key,util::SecretData hrss_private_key_seed)115 explicit Cecpq2HkdfX25519RecipientKemBoringSsl( 116 util::SecretData ec_private_key, util::SecretData hrss_private_key_seed) 117 : private_key_x25519_(std::move(ec_private_key)), 118 private_key_hrss_seed_(std::move(hrss_private_key_seed)) {} 119 120 // X25519 and HRSS private key containers 121 util::SecretData private_key_x25519_; 122 util::SecretData private_key_hrss_seed_; 123 }; 124 125 } // namespace subtle 126 } // namespace tink 127 } // namespace crypto 128 129 #endif // TINK_EXPERIMENTAL_PQCRYPTO_KEM_SUBTLE_CECPQ2_HKDF_RECIPIENT_KEM_BORINGSSL_H_ 130