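/* Copyright (c) 2018, Google Inc.
 *
 * Permission to use, copy, modify, and/or distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

#ifndef OPENSSL_HEADER_HRSS_H
#define OPENSSL_HEADER_HRSS_H

#include <openssl/base.h>

#if defined(__cplusplus)
extern "C" {
#endif

// HRSS
//
// HRSS is a structured-lattice-based post-quantum key encapsulation mechanism.
// The best exposition is https://eprint.iacr.org/2017/667.pdf although this
// implementation uses a different KEM construction based on
// https://eprint.iacr.org/2017/1005.pdf.
//
// None of the functions below gathers randomness itself: key generation and
// encapsulation are deterministic in the entropy buffer the caller passes in.
// The security of every key and ciphertext therefore rests on that buffer
// being fresh output of a cryptographically secure random source, used once.

// HRSS_private_key and HRSS_public_key hold keys in an opaque in-memory form.
// Their sizes (1808 and 1424 bytes) differ from the serialised sizes defined
// below, so the structs are not a wire format: use |HRSS_marshal_public_key|
// and |HRSS_parse_public_key| to move a public key between parties.
//
// An HRSS_private_key contains secret material, including the HMAC key that
// |HRSS_decap| uses for invalid ciphertexts. Callers should erase it (e.g. with
// |OPENSSL_cleanse|) once it is no longer needed.
struct HRSS_private_key {
  uint8_t opaque[1808];
};

struct HRSS_public_key {
  uint8_t opaque[1424];
};

// HRSS_SAMPLE_BYTES is the number of bytes of entropy needed to generate a
// short vector. There are 701 coefficients, but the final one is always set to
// zero when sampling. Otherwise, we need one byte of input per coefficient.
#define HRSS_SAMPLE_BYTES (701 - 1)
// HRSS_GENERATE_KEY_BYTES is the number of bytes of entropy needed to generate
// an HRSS key pair: two short vectors plus 32 further bytes.
#define HRSS_GENERATE_KEY_BYTES (HRSS_SAMPLE_BYTES + HRSS_SAMPLE_BYTES + 32)
// HRSS_ENCAP_BYTES is the number of bytes of entropy needed to encapsulate a
// session key: two short vectors.
#define HRSS_ENCAP_BYTES (HRSS_SAMPLE_BYTES + HRSS_SAMPLE_BYTES)
// HRSS_PUBLIC_KEY_BYTES is the number of bytes in a serialised public key, as
// written by |HRSS_marshal_public_key|. It is not sizeof(struct
// HRSS_public_key).
#define HRSS_PUBLIC_KEY_BYTES 1138
// HRSS_CIPHERTEXT_BYTES is the number of bytes in a ciphertext.
#define HRSS_CIPHERTEXT_BYTES 1138
// HRSS_KEY_BYTES is the number of bytes in a shared key.
#define HRSS_KEY_BYTES 32
// HRSS_POLY3_BYTES is the number of bytes needed to serialise a mod 3
// polynomial.
#define HRSS_POLY3_BYTES 140
// HRSS_PRIVATE_KEY_BYTES is the sum of two serialised mod 3 polynomials, one
// public-key-sized value, and 2 + 32 further bytes (1452 in total). It is not
// sizeof(struct HRSS_private_key).
// NOTE(review): presumably the size of a serialised private key, but no
// function in this header reads or writes that form; confirm before relying
// on it.
#define HRSS_PRIVATE_KEY_BYTES \
  (HRSS_POLY3_BYTES * 2 + HRSS_PUBLIC_KEY_BYTES + 2 + 32)

// HRSS_generate_key is a deterministic function that outputs a public and
// private key based on the given entropy. It returns one on success or zero
// on malloc failure.
//
// Because the key pair is a function of |input| alone, |input| must be
// |HRSS_GENERATE_KEY_BYTES| bytes from a cryptographically secure random
// source, must not be reused, and is as sensitive as the private key itself:
// erase it after the call. Check the return value and do not use |out_pub| or
// |out_priv| when it is zero.
OPENSSL_EXPORT int HRSS_generate_key(
    struct HRSS_public_key *out_pub, struct HRSS_private_key *out_priv,
    const uint8_t input[HRSS_GENERATE_KEY_BYTES]);

// HRSS_encap is a deterministic function that generates and encrypts a random
// session key from the given entropy, writing those values to |out_shared_key|
// and |out_ciphertext|, respectively. It returns one on success or zero on
// malloc failure.
//
// |in| determines the session key, so it must be |HRSS_ENCAP_BYTES| bytes from
// a cryptographically secure random source, used for a single encapsulation
// and erased afterwards. Check the return value and do not use either output
// when it is zero.
OPENSSL_EXPORT int HRSS_encap(uint8_t out_ciphertext[HRSS_CIPHERTEXT_BYTES],
                              uint8_t out_shared_key[HRSS_KEY_BYTES],
                              const struct HRSS_public_key *in_pub,
                              const uint8_t in[HRSS_ENCAP_BYTES]);

// HRSS_decap decrypts a session key from |ciphertext_len| bytes of
// |ciphertext|. If the ciphertext is valid, the decrypted key is written to
// |out_shared_key|. Otherwise the HMAC of |ciphertext| under a secret key (kept
// in |in_priv|) is written. If the ciphertext is the wrong length then side
// channels will leak which of those two actions was performed. Otherwise it
// should perform either action in constant-time. It returns one on success
// (whether the ciphertext was valid or not) and zero on malloc failure.
//
// A return value of one is therefore not evidence that |ciphertext| was
// genuine: an invalid ciphertext yields a key the peer does not share, and the
// caller learns of the mismatch only when a later check that depends on the
// key fails. Do not derive a separate valid/invalid signal for the peer.
// |HRSS_encap| always writes |HRSS_CIPHERTEXT_BYTES| bytes, so any other
// |ciphertext_len| falls into the wrong-length case described above.
OPENSSL_EXPORT int HRSS_decap(uint8_t out_shared_key[HRSS_KEY_BYTES],
                              const struct HRSS_private_key *in_priv,
                              const uint8_t *ciphertext, size_t ciphertext_len);

// HRSS_marshal_public_key serialises |in_pub| to |out|, which must have room
// for |HRSS_PUBLIC_KEY_BYTES| bytes.
OPENSSL_EXPORT void HRSS_marshal_public_key(
    uint8_t out[HRSS_PUBLIC_KEY_BYTES], const struct HRSS_public_key *in_pub);

// HRSS_parse_public_key sets |*out| to the public-key encoded in |in|. It
// returns one on success and zero on error.
//
// |in| usually arrives from a peer and is untrusted: check the return value
// and do not pass |*out| to |HRSS_encap| when it is zero.
OPENSSL_EXPORT int HRSS_parse_public_key(
    struct HRSS_public_key *out, const uint8_t in[HRSS_PUBLIC_KEY_BYTES]);


#if defined(__cplusplus)
}  // extern C
#endif

#endif  // OPENSSL_HEADER_HRSS_H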