internal

package
v0.0.0-...-ac9c40d Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Oct 24, 2024 License: BSD-3-Clause Imports: 7 Imported by: 0

Documentation

Index

Constants

View Source
const (
	// Size of a packed polynomial of norm ≤η.
	// (Note that the  formula is not valid in general.)
	PolyLeqEtaSize = (common.N * DoubleEtaBits) / 8

	// β = τη, the maximum size of c s₂.
	Beta = Tau * Eta

	// γ₁ range of y
	Gamma1 = 1 << Gamma1Bits

	// Size of packed polynomial of norm <γ₁ such as z
	PolyLeGamma1Size = (Gamma1Bits + 1) * common.N / 8

	// α = 2γ₂ parameter for decompose
	Alpha = 2 * Gamma2

	// Size of a packed private key
	PrivateKeySize = 32 + 32 + 32 + PolyLeqEtaSize*(L+K) + common.PolyT0Size*K

	// Size of a packed public key
	PublicKeySize = 32 + common.PolyT1Size*K

	// Size of a packed signature
	SignatureSize = L*PolyLeGamma1Size + Omega + K + 32

	// Size of packed w₁
	PolyW1Size = (common.N * (common.QBits - Gamma1Bits)) / 8
)
View Source
const (
	Name          = "Dilithium2-AES"
	UseAES        = true
	K             = 4
	L             = 4
	Eta           = 2
	DoubleEtaBits = 3
	Omega         = 80
	Tau           = 39
	Gamma1Bits    = 17
	Gamma2        = 95232
)

Variables

View Source
var DeriveX4Available = keccakf1600.IsEnabledX4() && !UseAES

DeriveX4Available indicates whether the system supports the quick fourway sampling variants like PolyDeriveUniformX4.

Functions

func GenerateKey

func GenerateKey(rand io.Reader) (*PublicKey, *PrivateKey, error)

GenerateKey generates a public/private key pair using entropy from rand. If rand is nil, crypto/rand.Reader will be used.

func NewKeyFromSeed

func NewKeyFromSeed(seed *[common.SeedSize]byte) (*PublicKey, *PrivateKey)

NewKeyFromSeed derives a public/private key pair using the given seed.

func PolyDecompose

func PolyDecompose(p, p0PlusQ, p1 *common.Poly)

Splits each of the coefficients of p using decompose.

func PolyDeriveUniform

func PolyDeriveUniform(p *common.Poly, seed *[32]byte, nonce uint16)

Sample p uniformly from the given seed and nonce.

p will be normalized.

func PolyDeriveUniformBall

func PolyDeriveUniformBall(p *common.Poly, seed *[32]byte)

Samples p uniformly with τ non-zero coefficients in {q-1,1}.

The polynomial p will be normalized.

func PolyDeriveUniformBallX4

func PolyDeriveUniformBallX4(ps [4]*common.Poly, seed *[32]byte)

For each i, sample ps[i] uniformly with τ non-zero coefficients in {q-1,1} using the given seed and w1[i]. ps[i] may be nil and is ignored in that case. ps[i] will be normalized.

Can only be called when DeriveX4Available is true.

This function is currently not used (yet).

func PolyDeriveUniformLeGamma1

func PolyDeriveUniformLeGamma1(p *common.Poly, seed *[64]byte, nonce uint16)

Sample p uniformly with coefficients in (-γ₁,…,γK1s] using the given seed and nonce.

p will be normalized.

func PolyDeriveUniformLeqEta

func PolyDeriveUniformLeqEta(p *common.Poly, seed *[64]byte, nonce uint16)

Sample p uniformly with coefficients of norm less than or equal η, using the given seed and nonce.

p will not be normalized, but will have coefficients in [q-η,q+η].

func PolyDeriveUniformX4

func PolyDeriveUniformX4(ps [4]*common.Poly, seed *[32]byte, nonces [4]uint16)

For each i, sample ps[i] uniformly from the given seed and nonces[i]. ps[i] may be nil and is ignored in that case.

Can only be called when DeriveX4Available is true.

func PolyDotHat

func PolyDotHat(p *common.Poly, a, b *VecL)

Set p to the inner product of a and b using pointwise multiplication.

Assumes a and b are in Montgomery form and their coefficients are pairwise sufficiently small to multiply, see Poly.MulHat(). Resulting coefficients are bounded by 2Lq.

func PolyMakeHint

func PolyMakeHint(p, p0, p1 *common.Poly) (pop uint32)

Sets p to the hint polynomial for p0 the modified low bits and p1 the unmodified high bits --- see makeHint().

Returns the number of ones in the hint polynomial.

func PolyPackLeGamma1

func PolyPackLeGamma1(p *common.Poly, buf []byte)

Writes p whose coefficients are in (-γ₁,γ₁] into buf which has to be of length PolyLeGamma1Size.

Assumes p is normalized.

func PolyPackLeqEta

func PolyPackLeqEta(p *common.Poly, buf []byte)

Writes p with norm less than or equal η into buf, which must be of size PolyLeqEtaSize.

Assumes coefficients of p are not normalized, but in [q-η,q+η].

func PolyPackW1

func PolyPackW1(p *common.Poly, buf []byte)

Pack w₁ into buf, which must be of length PolyW1Size.

Assumes w₁ is normalized.

func PolyUnpackLeGamma1

func PolyUnpackLeGamma1(p *common.Poly, buf []byte)

Sets p to the polynomial packed into buf by PolyPackLeGamma1.

p will be normalized.

func PolyUnpackLeqEta

func PolyUnpackLeqEta(p *common.Poly, buf []byte)

Sets p to the polynomial of norm less than or equal η encoded in the given buffer of size PolyLeqEtaSize.

Output coefficients of p are not normalized, but in [q-η,q+η] provided buf was created using PackLeqEta.

Beware, for arbitrary buf the coefficients of p might end up in the interval [q-2^b,q+2^b] where b is the least b with η≤2^b.

func PolyUseHint

func PolyUseHint(p, q, hint *common.Poly)

Computes corrections to the high bits of the polynomial q according to the hints in h and sets p to the corrected high bits. Returns p.

func SignTo

func SignTo(sk *PrivateKey, msg []byte, signature []byte)

SignTo signs the given message and writes the signature into signature.

func VecLDeriveUniformLeGamma1

func VecLDeriveUniformLeGamma1(v *VecL, seed *[64]byte, nonce uint16)

Sample v[i] uniformly with coefficients in (-γ₁,…,γ₁] using the given seed and nonce+i

p will be normalized.

func Verify

func Verify(pk *PublicKey, msg []byte, signature []byte) bool

Verify checks whether the given signature by pk on msg is valid.

Types

type Mat

type Mat [K]VecL

A k by l matrix of polynomials.

func (*Mat) Derive

func (m *Mat) Derive(seed *[32]byte)

Expands the given seed to a complete matrix.

This function is called ExpandA in the specification.

type PrivateKey

type PrivateKey struct {

	// Cached values
	A Mat // ExpandA(ρ)
	// contains filtered or unexported fields
}

PrivateKey is the type of Dilithium private keys.

func (*PrivateKey) Equal

func (sk *PrivateKey) Equal(other *PrivateKey) bool

Equal returns whether the two private keys are equal

func (*PrivateKey) Pack

func (sk *PrivateKey) Pack(buf *[PrivateKeySize]byte)

Packs the private key into buf.

func (*PrivateKey) Public

func (sk *PrivateKey) Public() *PublicKey

Computes the public key corresponding to this private key.

func (*PrivateKey) Unpack

func (sk *PrivateKey) Unpack(buf *[PrivateKeySize]byte)

Sets sk to the private key encoded in buf.

type PublicKey

type PublicKey struct {
	A *Mat
	// contains filtered or unexported fields
}

PublicKey is the type of Dilithium public keys.

func (*PublicKey) Equal

func (pk *PublicKey) Equal(other *PublicKey) bool

Equal returns whether the two public keys are equal

func (*PublicKey) Pack

func (pk *PublicKey) Pack(buf *[PublicKeySize]byte)

Packs the public key into buf.

func (*PublicKey) Unpack

func (pk *PublicKey) Unpack(buf *[PublicKeySize]byte)

Sets pk to the public key encoded in buf.

type VecK

type VecK [K]common.Poly

A vector of K polynomials.

func (*VecK) Add

func (v *VecK) Add(w, u *VecK)

Sets v to w + u. Does not normalize.

func (*VecK) Decompose

func (v *VecK) Decompose(v0PlusQ, v1 *VecK)

Applies Poly.Decompose componentwise.

Requires the vector to be normalized.

func (*VecK) Exceeds

func (v *VecK) Exceeds(bound uint32) bool

Checks whether any of the coefficients exceeds the given bound in supnorm

Requires the vector to be normalized.

func (*VecK) InvNTT

func (v *VecK) InvNTT()

Applies InvNTT componentwise. See Poly.InvNTT() for details.

func (*VecK) MakeHint

func (v *VecK) MakeHint(v0, v1 *VecK) (pop uint32)

Sets v to the hint vector for v0 the modified low bits and v1 the unmodified high bits --- see makeHint().

Returns the number of ones in the hint vector.

func (*VecK) MulBy2toD

func (v *VecK) MulBy2toD(w *VecK)

Sets v to 2ᵈ w without reducing.

func (*VecK) NTT

func (v *VecK) NTT()

Applies NTT componentwise. See Poly.NTT() for details.

func (*VecK) Normalize

func (v *VecK) Normalize()

Normalize the polynomials in this vector.

func (*VecK) NormalizeAssumingLe2Q

func (v *VecK) NormalizeAssumingLe2Q()

Normalize the polynomials in this vector assuming their coefficients are already bounded by 2q.

func (*VecK) PackHint

func (v *VecK) PackHint(buf []byte)

Writes v with coefficients in {0, 1} of which at most ω non-zero to buf, which must have length ω+k.

func (*VecK) PackLeqEta

func (v *VecK) PackLeqEta(buf []byte)

Sequentially packs each polynomial using Poly.PackLeqEta().

func (*VecK) PackT0

func (v *VecK) PackT0(buf []byte)

Sequentially packs each polynomial using Poly.PackT0().

func (*VecK) PackT1

func (v *VecK) PackT1(buf []byte)

Sequentially packs each polynomial using Poly.PackT1().

func (*VecK) PackW1

func (v *VecK) PackW1(buf []byte)

Sequentially packs each polynomial using PolyPackW1().

func (*VecK) Power2Round

func (v *VecK) Power2Round(v0PlusQ, v1 *VecK)

Applies Poly.Power2Round componentwise.

Requires the vector to be normalized.

func (*VecK) ReduceLe2Q

func (v *VecK) ReduceLe2Q()

Applies Poly.ReduceLe2Q() componentwise.

func (*VecK) Sub

func (v *VecK) Sub(a, b *VecK)

Sets v to a - b.

Warning: assumes coefficients of the polynomials of b are less than 2q.

func (*VecK) UnpackHint

func (v *VecK) UnpackHint(buf []byte) bool

Sets v to the vector encoded using VecK.PackHint()

Returns whether unpacking was successful.

func (*VecK) UnpackLeqEta

func (v *VecK) UnpackLeqEta(buf []byte)

Sets v to the polynomials packed in buf using VecK.PackLeqEta().

func (*VecK) UnpackT0

func (v *VecK) UnpackT0(buf []byte)

Sets v to the vector packed into buf by PackT0().

func (*VecK) UnpackT1

func (v *VecK) UnpackT1(buf []byte)

Sets v to the vector packed into buf by PackT1().

func (*VecK) UseHint

func (v *VecK) UseHint(q, hint *VecK) *VecK

Computes corrections to the high bits of the polynomials in the vector w using the hints in h and sets v to the corrected high bits. Returns v. See useHint().

type VecL

type VecL [L]common.Poly

A vector of L polynomials.

func (*VecL) Add

func (v *VecL) Add(w, u *VecL)

Sets v to w + u. Does not normalize.

func (*VecL) Decompose

func (v *VecL) Decompose(v0PlusQ, v1 *VecL)

Applies Poly.Decompose componentwise.

Requires the vector to be normalized.

func (*VecL) Exceeds

func (v *VecL) Exceeds(bound uint32) bool

Checks whether any of the coefficients exceeds the given bound in supnorm

Requires the vector to be normalized.

func (*VecL) NTT

func (v *VecL) NTT()

Applies NTT componentwise. See Poly.NTT() for details.

func (*VecL) Normalize

func (v *VecL) Normalize()

Normalize the polynomials in this vector.

func (*VecL) NormalizeAssumingLe2Q

func (v *VecL) NormalizeAssumingLe2Q()

Normalize the polynomials in this vector assuming their coefficients are already bounded by 2q.

func (*VecL) PackLeGamma1

func (v *VecL) PackLeGamma1(buf []byte)

Sequentially packs each polynomial using PolyPackLeGamma1().

func (*VecL) PackLeqEta

func (v *VecL) PackLeqEta(buf []byte)

Sequentially packs each polynomial using Poly.PackLeqEta().

func (*VecL) Power2Round

func (v *VecL) Power2Round(v0PlusQ, v1 *VecL)

Applies Poly.Power2Round componentwise.

Requires the vector to be normalized.

func (*VecL) UnpackLeGamma1

func (v *VecL) UnpackLeGamma1(buf []byte)

Sets v to the polynomials packed in buf using VecL.PackLeGamma1().

func (*VecL) UnpackLeqEta

func (v *VecL) UnpackLeqEta(buf []byte)

Sets v to the polynomials packed in buf using VecL.PackLeqEta().

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL