libcrux-psq 0.0.8

Libcrux Pre-Shared post-Quantum key establishement protocol
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195

//! This module provides common traits for PSQ implementations.
use libcrux_hkdf::{expand as hkdf_expand, Algorithm as HKDF_Algorithm};
use libcrux_hmac::{hmac, Algorithm as HMAC_Algorithm};
use libcrux_traits::kem::KEM;
use rand::CryptoRng;
use tls_codec::{Deserialize, Serialize, Size, TlsDeserialize, TlsSerialize, TlsSize};

use super::Error;

/// The length in bytes of the generated PSQ component.
pub const PSQ_COMPONENT_LENGTH: usize = 32;
const K0_LENGTH: usize = 32;
const KM_LENGTH: usize = 32;

const CONFIRMATION_CONTEXT: &[u8] = b"Confirmation";
const PSK_CONTEXT: &[u8] = b"PSK";
const MAC_INPUT: &[u8] = b"MAC-Input";

pub(crate) const MAC_LENGTH: usize = 32;
type Mac = [u8; MAC_LENGTH];

/// A post-quantum shared secret component.
pub type PSQComponent = [u8; PSQ_COMPONENT_LENGTH];

pub(crate) mod private {
    pub trait Seal {}
}
/// This trait provides the interface for encapsulating a PSQ
/// component using an underlying KEM.
pub trait PSQ: private::Seal {
    /// The underlying KEM.
    type InnerKEM: KEM<
        Ciphertext: Deserialize + Serialize + Size,
        SharedSecret: Serialize + Size,
        EncapsulationKey: Serialize + Size,
    >;

    /// Encapsulate a fresh PSQ component.
    fn encapsulate_psq(
        pk: &<Self::InnerKEM as KEM>::EncapsulationKey,
        sctx: &[u8],
        rng: &mut impl CryptoRng,
    ) -> Result<(PSQComponent, Ciphertext<Self::InnerKEM>), Error> {
        let (ikm, enc) =
            Self::InnerKEM::encapsulate(pk, rng).map_err(|_| Error::PSQGenerationError)?;

        let mut pk_serialized = vec![0u8; pk.tls_serialized_len()];
        let _ = pk
            .tls_serialize(&mut &mut pk_serialized[..])
            .map_err(|_| Error::Serialization)?;

        let mut ikm_serialized = vec![0u8; ikm.tls_serialized_len()];
        let _ = ikm
            .tls_serialize(&mut &mut ikm_serialized[..])
            .map_err(|_| Error::Serialization)?;

        let mut enc_serialized = vec![0u8; enc.tls_serialized_len()];
        let _ = enc
            .tls_serialize(&mut &mut enc_serialized[..])
            .map_err(|_| Error::Serialization)?;

        let k0 = compute_k0(&pk_serialized, &ikm_serialized, &enc_serialized, sctx)?;
        let mac = compute_mac(&k0)?;
        let psk = compute_psk(&k0)?;

        Ok((
            psk,
            Ciphertext {
                inner_ctxt: enc,
                mac,
            },
        ))
    }

    /// Decapsulate a PSQ component from a PSQ ciphertext.
    ///
    /// Can error, if the given PSQ message is cryptographically invalid.
    fn decapsulate_psq(
        sk: &<Self::InnerKEM as KEM>::DecapsulationKey,
        pk: &<Self::InnerKEM as KEM>::EncapsulationKey,
        enc: &Ciphertext<Self::InnerKEM>,
        sctx: &[u8],
    ) -> Result<PSQComponent, Error> {
        let Ciphertext { inner_ctxt, mac } = enc;

        let ikm =
            Self::InnerKEM::decapsulate(sk, inner_ctxt).map_err(|_| Error::PSQDerivationError)?;

        let mut pk_serialized = vec![0u8; pk.tls_serialized_len()];
        let _ = pk
            .tls_serialize(&mut &mut pk_serialized[..])
            .map_err(|_| Error::Serialization)?;

        let mut ikm_serialized = vec![0u8; ikm.tls_serialized_len()];
        let _ = ikm
            .tls_serialize(&mut &mut ikm_serialized[..])
            .map_err(|_| Error::Serialization)?;

        let mut inner_ctxt_serialized = vec![0u8; inner_ctxt.tls_serialized_len()];
        let _ = inner_ctxt
            .tls_serialize(&mut &mut inner_ctxt_serialized[..])
            .map_err(|_| Error::Serialization)?;

        let k0 = compute_k0(
            &pk_serialized,
            &ikm_serialized,
            &inner_ctxt_serialized,
            sctx,
        )?;

        let recomputed_mac = compute_mac(&k0)?;

        if compare(&recomputed_mac, mac) == 0 {
            compute_psk(&k0)
        } else {
            Err(Error::PSQDerivationError)
        }
    }
}

/// A PSQ ciphertext, including MAC.
#[derive(TlsSerialize, TlsDeserialize, TlsSize)]
pub struct Ciphertext<
    T: KEM<
        Ciphertext: Deserialize + Serialize + Size,
        SharedSecret: Serialize + Size,
        EncapsulationKey: Serialize + Size,
    >,
> {
    pub(crate) inner_ctxt: T::Ciphertext,
    pub(crate) mac: Mac,
}

// TODO: Use functions from `secrets` crate instead once that's merged.
// See:
/// Return 1 if `value` is not zero and 0 otherwise.
fn inz(value: u8) -> u8 {
    let value = value as u16;
    let result = ((value | (!value).wrapping_add(1)) >> 8) & 1;
    result as u8
}

#[inline(never)] // Don't inline this to avoid that the compiler optimizes this out.
fn is_non_zero(value: u8) -> u8 {
    core::hint::black_box(inz(value))
}

/// Best-effort constant time comparison.
fn compare(lhs: &[u8], rhs: &[u8]) -> u8 {
    let mut r: u8 = 0;
    for i in 0..lhs.len() {
        r |= lhs[i] ^ rhs[i];
    }

    is_non_zero(r)
}

// TODO: This will not be `no_std` until we have incremental HKDF.
// See: https://github.com/cryspen/libcrux/issues/767
//      https://github.com/cryspen/libcrux/issues/820
fn compute_psk(k0: &[u8]) -> Result<PSQComponent, Error> {
    let mut psk = [0u8; PSQ_COMPONENT_LENGTH];
    hkdf_expand(HKDF_Algorithm::Sha256, &mut psk, k0, PSK_CONTEXT)
        .map_err(|_| Error::PSQGenerationError)?;

    Ok(psk)
}

// TODO: This will not be `no_std` until we have incremental HKDF.
// See: https://github.com/cryspen/libcrux/issues/816
fn compute_k0(pqpk: &[u8], ikm: &[u8], enc: &[u8], sctx: &[u8]) -> Result<Vec<u8>, Error> {
    let mut info = Vec::from(pqpk);
    info.extend_from_slice(enc);
    info.extend_from_slice(sctx);

    let mut k0 = [0u8; K0_LENGTH];
    hkdf_expand(HKDF_Algorithm::Sha256, &mut k0, ikm, &info)
        .map_err(|_| Error::PSQDerivationError)?;

    Ok(k0.to_vec())
}

// TODO: This will not be `no_std` until we have incremental HKDF.
// See: https://github.com/cryspen/libcrux/issues/816
fn compute_mac(k0: &[u8]) -> Result<Mac, Error> {
    let mut km = [0u8; KM_LENGTH];
    hkdf_expand(HKDF_Algorithm::Sha256, &mut km, k0, CONFIRMATION_CONTEXT)
        .map_err(|_| Error::PSQGenerationError)?;

    let mac: Mac = hmac(HMAC_Algorithm::Sha256, &km, MAC_INPUT, Some(MAC_LENGTH))
        .try_into()
        .expect("should receive the correct number of bytes from HMAC");

    Ok(mac)
}