Remove the Overbeck conversion at Dr. Strenzke's request.

While a CCA2 proof of this scheme exists, it is written in German and for various reasons publishing a translation would be a complicated affair. Without a (well studied) English proof it is harder to understand the security of the overall scheme. Thus only KEM, which seems much easier to prove, will be offered.
author: lloyd <[email protected]> 2014-12-06 15:50:39 +0000
committer: lloyd <[email protected]> 2014-12-06 15:50:39 +0000
commit: 42a34f672bfd4737e66d8813d024b6f73fdfcad4 (patch)
tree: 8a987aff561304015edf4198e433b7e1433dbb2c /src/lib/pubkey
parent: 6082d3937f842ecebf0cb208b27a366917af0876 (diff)
3 files changed, 0 insertions, 229 deletions
diff --git a/src/lib/pubkey/mce/info.txt b/src/lib/pubkey/mce/info.txt
index bc4249422..c06e23b8e 100644
--- a/src/lib/pubkey/mce/info.txt
+++ b/src/lib/pubkey/mce/info.txt
@@ -5,7 +5,6 @@ code_based_util.h
 gf2m_rootfind_dcmp.h
 gf2m_small_m.h
 goppa_code.h
-mce_overbeck_cca2.h
 mce_kem.h
 mceliece.h
 mceliece_key.h
diff --git a/src/lib/pubkey/mce/mce_overbeck_cca2.cpp b/src/lib/pubkey/mce/mce_overbeck_cca2.cpp
deleted file mode 100644
index 7edd2e2a3..000000000
--- a/src/lib/pubkey/mce/mce_overbeck_cca2.cpp
+++ /dev/null
@@ -1,182 +0,0 @@
-/**
- * (C) 2014 cryptosource GmbH
- * (C) 2014 Falko Strenzke [email protected]
- *
- * Distributed under the terms of the Botan license
- *
- */
-
-#include <botan/mce_overbeck_cca2.h>
-#include <botan/sha2_64.h>
-#include <botan/mceliece.h>
-#include <botan/internal/xor_buf.h>
-
-namespace Botan
-{
-
-  McEliece_Overbeck_CCA2_Public_Operation::McEliece_Overbeck_CCA2_Public_Operation(const McEliece_PublicKey& public_key)
-    :m_raw_pub_op(public_key, public_key.get_code_length())
-  {
-    if(public_key.get_message_word_bit_length() < 1024)
-    {
-      // k is smaller than the minimum required length for Overbeck conversion
-      // using SHA-512
-      throw Invalid_Argument("McEliece parameters are too small to support the Overbeck conversion with SHA-512, the dimension of the code must be at least 1024");
-    }
-  }
-
-
-  secure_vector<byte> McEliece_Overbeck_CCA2_Public_Operation::encrypt(const byte msg[], size_t msg_len, RandomNumberGenerator& rng)
-  {
-    const u32bit k = m_raw_pub_op.max_input_bits();
-    const u32bit l = 512; // output length of SHA-512
-    const u32bit l_bytes = l/8;
-    const u32bit u1_bit_length = k - l;
-    const u32bit u1_length_ceil = (u1_bit_length + 7)/8; // valid lengths ensured already during construction
-    const McEliece_PublicKey & key = m_raw_pub_op.get_key();
-    const u32bit n = key.get_code_length();
-    const u32bit n_bytes_ceil = (n+7)/8;
-    const u32bit k_bytes_ceil = (k+7)/8;
-
-    if(msg_len != l_bytes)
-    {
-      throw Invalid_Argument("McEliece/Overbeck message lengtth must be 64 bytes");
-    }
-     secure_vector<byte> u1(u1_length_ceil);
-    rng.randomize(&u1[0], u1.size());
-   // unused bits of final byte of u1 must be set to zero
-    u32bit used = u1_bit_length % 8;
-   if(used)
-   {
-      byte mask = (1 << used) - 1;
-
-      u1[u1.size() - 1] &= mask;
-   }
-
-    secure_vector<byte> u2(l_bytes);
-    rng.randomize(&u2[0], u2.size());
-
-    // compute the hash of m||u1:
-    SHA_512 hash;
-
-    hash.update(msg, msg_len);
-    hash.update(u2);
-    secure_vector<byte> hash_m_u2 = hash.final();
-
-    //std::cout << "enc hash_m_u2 " << hex_encode(hash_m_u2) << "\n";
-
-    secure_vector<byte> mce_msg(k_bytes_ceil);
-    std::memcpy(&mce_msg[0], &hash_m_u2[0], hash_m_u2.size());
-    std::memcpy(&mce_msg[hash_m_u2.size()], &u1[0], u1.size());
-
-// create the error vector
-    secure_vector<gf2m> err_pos = create_random_error_positions(n, key.get_t(), rng);
-
-    secure_vector<byte> err_vec = mceliece_message_parts::error_vector_from_error_positions(&err_pos[0], err_pos.size(), n);
-
-    mceliece_message_parts parts(err_pos, mce_msg, n);
-
-    secure_vector<byte> message_and_error_input = parts.get_concat();
-
-    //std::cout << "enc msg_and_error " << hex_encode(message_and_error_input) << "\n";
-    //std::cout << "enc h(msg_and_error) " << hex_encode(hash.process(message_and_error_input)) << "\n";
-
-    secure_vector<byte> mce_ct = m_raw_pub_op.encrypt(&message_and_error_input[0], message_and_error_input.size(), rng);
-
-    secure_vector<byte> result(n_bytes_ceil + 2*l_bytes);
-
-    BOTAN_ASSERT(mce_ct.size() == (key.get_code_length()+7)/8, "Expected size");
-
-    std::memcpy(&result[0], &mce_ct[0], mce_ct.size());
-
-
-    // z2 part of the ciphertext
-    SHA_512 hash2;
-    secure_vector<byte> hash_u1 = hash2.process(u1);
-
-    //std::cout << "enc hash_u1 " << hex_encode(hash_u1) << "\n";
-
-    xor_buf(&result[mce_ct.size()], &hash_u1[0], &msg[0], l_bytes);
-
-    // 3rd part of the overbeck ct
-    SHA_512 hash3;
-    secure_vector<byte> err_hash = hash3.process(err_vec);
-
-    //std::cout << "enc err_hash " << hex_encode(err_hash) << "\n";
-
-    const u32bit z3_offs = n_bytes_ceil + l_bytes;
-    xor_buf(&result[z3_offs], &u2[0], &err_hash[0], l_bytes);
-
-    return result;
-  }
-
-  McEliece_Overbeck_CCA2_Private_Operation::McEliece_Overbeck_CCA2_Private_Operation(const McEliece_PrivateKey& mce_key)
-    :m_raw_priv_op(mce_key)
-  {
-    if(mce_key.get_dimension() < 1024)
-    {
-      // k is smaller than the minimum required length for Overbeck conversion
-      // using SHA-512
-      throw Invalid_Argument("McEliece parameters are too small to support the Overbeck conversion with SHA-512, the dimension of the code must be at least 1024");
-    }
-  }
-
-  secure_vector<byte> McEliece_Overbeck_CCA2_Private_Operation::decrypt(const byte msg[], size_t msg_len)
-  {
-
-    const McEliece_PrivateKey& key = m_raw_priv_op.get_key();
-    const u32bit k = key.get_dimension();
-    const u32bit l = 512; // output length of SHA-512
-    const u32bit l_bytes = l/8;
-    const u32bit r_length_ceil = (k - l + 7)/8; // valid lengths ensured already during construction
-    const u32bit n = key.get_code_length();
-    const u32bit n_bytes_ceil = (n+7)/8;
-
-    const u32bit z2_offs = n_bytes_ceil;
-    const u32bit z3_offs = n_bytes_ceil + l_bytes;
-
-    if(msg_len != (max_input_bits()+7)/8)
-    {
-      throw Invalid_Argument("wrong length of McEliece/Overbeck ciphertext");
-    }
-    secure_vector<byte> mce_pt_and_err  = m_raw_priv_op.decrypt(msg, n_bytes_ceil);
-
-    SHA_512 hash;
-    //std::cout << "dec msg_and_error " << hex_encode(mce_pt_and_err) << "\n";
-    //std::cout << "dec h(msg_and_error) " << hex_encode(hash.process(mce_pt_and_err)) << "\n";
-
-    mceliece_message_parts parts(&mce_pt_and_err[0], mce_pt_and_err.size(), n);
-
-    secure_vector<byte> mce_pt = parts.get_message_word();
-    secure_vector<byte> err_vec = parts.get_error_vector();
-
-    secure_vector<byte> h(l_bytes);
-    std::memcpy(&h[0], &mce_pt[0], l_bytes);
-    secure_vector<byte> r(r_length_ceil);
-    std::memcpy(&r[0], &mce_pt[l_bytes], r.size());
-
-    secure_vector<byte> hash_r = hash.process(r);
-    //std::cout << "dec hash_r " << hex_encode(hash_r) << "\n";
-
-    secure_vector<byte> m(l_bytes);
-    xor_buf(&m[0], &msg[z2_offs], &hash_r[0], l_bytes);
-
-    SHA_512 hash2;
-    secure_vector<byte> hash_e = hash2.process(err_vec);
-    //std::cout << "dec hash_e " << hex_encode(hash_e) << "\n";
-    xor_buf(&hash_e[0], &msg[z3_offs], l_bytes);
-    // hash_e now is H(e) ^ z3 = u2
-
-    SHA_512 hash3;
-    hash3.update(m);
-    hash3.update(hash_e);
-    secure_vector<byte> h_cmp = hash3.final();
-
-    //std::cout << "dec hash_cmp " << hex_encode(h_cmp) << "\n";
-    if(h_cmp != h)
-       throw Integrity_Failure("McEliece/Overbeck CCA2 check failed");
-    return m;
-
-  }
-
-}
diff --git a/src/lib/pubkey/mce/mce_overbeck_cca2.h b/src/lib/pubkey/mce/mce_overbeck_cca2.h
deleted file mode 100644
index 1b9439753..000000000
--- a/src/lib/pubkey/mce/mce_overbeck_cca2.h
+++ /dev/null
@@ -1,46 +0,0 @@
-/**
- * (C) 2014 cryptosource GmbH
- * (C) 2014 Falko Strenzke [email protected]
- *
- * Distributed under the terms of the Botan license
- *
- */
-
-#ifndef __mce_overbeck_cca2__H_
-#define __mce_overbeck_cca2__H_
-
-#include <botan/pk_ops.h>
-#include <botan/mceliece_key.h>
-#include <botan/mceliece.h>
-#include <botan/types.h>
-#include <botan/secmem.h>
-
-namespace Botan
-{
-class BOTAN_DLL McEliece_Overbeck_CCA2_Public_Operation : public PK_Ops::Encryption
-{
-  public:
-  McEliece_Overbeck_CCA2_Public_Operation(const McEliece_PublicKey& public_key);
-
-  size_t max_input_bits() const { return 512; };
-  secure_vector<byte> encrypt(const byte msg[], size_t msg_len, RandomNumberGenerator&);
-
-  private:
-  McEliece_Public_Operation m_raw_pub_op;
-};
-
-class BOTAN_DLL McEliece_Overbeck_CCA2_Private_Operation : public PK_Ops::Decryption
-  {
-    public:
-      McEliece_Overbeck_CCA2_Private_Operation(const McEliece_PrivateKey& mce_key);
-
-      size_t max_input_bits() const { return (m_raw_priv_op.max_input_bits()+7)/8*8 + 2*512; };
-
-
-secure_vector<byte> decrypt(const byte msg[], size_t msg_len);
-    private:
-      McEliece_Private_Operation m_raw_priv_op;
-  };
-}
-
-#endif /* h-guard */
author	lloyd <[email protected]>	2014-12-06 15:50:39 +0000
committer	lloyd <[email protected]>	2014-12-06 15:50:39 +0000
commit	42a34f672bfd4737e66d8813d024b6f73fdfcad4 (patch)
tree	8a987aff561304015edf4198e433b7e1433dbb2c /src/lib/pubkey
parent	6082d3937f842ecebf0cb208b27a366917af0876 (diff)