From 17432c2f08ecbcd5fbd95058bfca6936f0d1aaa5 Mon Sep 17 00:00:00 2001 From: Fabian Albert Date: Wed, 14 Feb 2024 15:20:13 +0100 Subject: [PATCH] Classic McEliece Crypto Documentation --- docs/cryptodoc/src/05_00_pubkey.rst | 1 + docs/cryptodoc/src/05_99_cmce.rst | 469 ++++++++++++++++++++++++ docs/cryptodoc/src/90_bibliographie.rst | 17 + 3 files changed, 487 insertions(+) create mode 100644 docs/cryptodoc/src/05_99_cmce.rst diff --git a/docs/cryptodoc/src/05_00_pubkey.rst b/docs/cryptodoc/src/05_00_pubkey.rst index 55a996fe..1234a322 100644 --- a/docs/cryptodoc/src/05_00_pubkey.rst +++ b/docs/cryptodoc/src/05_00_pubkey.rst @@ -21,3 +21,4 @@ encapsulation and decapsulation or the key exchange mechanism. 05_06_spx 05_07_dilithium 05_08_kyber + 05_99_cmce diff --git a/docs/cryptodoc/src/05_99_cmce.rst b/docs/cryptodoc/src/05_99_cmce.rst new file mode 100644 index 00000000..d0249a80 --- /dev/null +++ b/docs/cryptodoc/src/05_99_cmce.rst @@ -0,0 +1,469 @@ +.. _pubkey/cmce: + +Classic McEliece +================ + +Botan implements the Classic McEliece Key Encapsulation Mechanism (KEM) as defined in the +Round 4 NIST submission [CMCE-R4]_ and the ClassicMcEliece ISO Draft [CMCE-ISO]_. It +supports all parameter sets defined in both documents, listed +in Table :ref:`Supported Classic McEliece Parameter Sets `. + +.. _pubkey/cmce/parameter_table: + + +.. table:: Supported Classic McEliece parameter sets (see [CMCE-ISO]_ Section 10 and [CMCE-R4]_ Section 7). ```` and ```` indicate that sets with and without f and pc are supported. + + +----------------------------+-----------+-----------+-----------+----------------------------+---------------------------------+ + | Parameter Set | :math:`m` | :math:`n` | :math:`t` | :math:`f(z)` | :math:`F(y)` | + +============================+===========+===========+===========+============================+=================================+ + | ``mceliece348864`` | 12 | 3488 | 64 | :math:`z^{12}+z^3+1` | :math:`y^{64}+y^3+y+z` | + +----------------------------+-----------+-----------+-----------+----------------------------+---------------------------------+ + | ``mceliece460896`` | 13 | 4608 | 96 | :math:`z^{13}+z^4+z^3+z+1` | :math:`y^{96}+y^{10}+y^9+y^6+1` | + +----------------------------+-----------+-----------+-----------+----------------------------+---------------------------------+ + | ``mceliece6688128`` | 13 | 6688 | 128 | :math:`z^{13}+z^4+z^3+z+1` | :math:`y^{128}+y^7+y^2+y+1` | + +----------------------------+-----------+-----------+-----------+----------------------------+---------------------------------+ + | ``mceliece6960119`` | 13 | 6960 | 119 | :math:`z^{13}+z^4+z^3+z+1` | :math:`y^{119}+y^8+1` | + +----------------------------+-----------+-----------+-----------+----------------------------+---------------------------------+ + | ``mceliece8192128`` | 13 | 8192 | 128 | :math:`z^{13}+z^4+z^3+z+1` | :math:`y^{128}+y^7+y^2+y+1` | + +----------------------------+-----------+-----------+-----------+----------------------------+---------------------------------+ + +.. _pubkey/cmce/key_generation: + +Algorithm Internals +------------------- + +The implementation of Classic McEliece is organized based on the algorithm's +operations and structures. Table :ref:`Classic McEliece components +` shows an overview of the components and +their corresponding file locations. Classic McEliece, like all Key Encapsulation +Mechanisms (KEMs), consists of three main algorithms: Key generation, key +encapsulation, and key decapsulation. In the case of Classic McEliece, the key +generation process involves creating a field ordering and an irreducible +polynomial. These two components define the randomly chosen Goppa code, the +secret information stored in the private key. A parity check matrix in +systematic form is derived from the Goppa code to generate the public key used +for encapsulation. More detailed information about these processes can be found +in the following sections. + +.. _pubkey/cmce/component_table: + +.. table:: Classic McEliece components and file locations. Its files are located at :srcref:`src/lib/pubkey/classic_mceliece/`. + :widths: 21 29 40 + + +--------------------------------------------------------+------------------------------------------------------------------+----------------------------------------------------------------------------+ + | Component | File | Purpose | + +========================================================+==================================================================+============================================================================+ + | :ref:`Types ` | :srcref:`[src/lib/pubkey/classic_mceliece]/cmce_types.h` | Strong types | + +--------------------------------------------------------+------------------------------------------------------------------+----------------------------------------------------------------------------+ + | :ref:`Galois Field Arithmetic ` | :srcref:`[src/lib/pubkey/classic_mceliece]/cmce_gf.h` | Galois field data structure and logic | + +--------------------------------------------------------+------------------------------------------------------------------+----------------------------------------------------------------------------+ + | :ref:`Field Ordering ` | :srcref:`[src/lib/pubkey/classic_mceliece]/cmce_field_ordering.h`| Field ordering creation and Beneš network computation | + +--------------------------------------------------------+------------------------------------------------------------------+----------------------------------------------------------------------------+ + | :ref:`Polynomial Arithmetic ` | :srcref:`[src/lib/pubkey/classic_mceliece]/cmce_poly.h` | Polynomial data structure, logic, and minimal polynomial creation | + +--------------------------------------------------------+------------------------------------------------------------------+----------------------------------------------------------------------------+ + | :ref:`Bit Vector Arithmetic ` | :srcref:`src/lib/utils/bitvector.h` | Representation of bit-vectors and bit-vector arithmetic | + +--------------------------------------------------------+------------------------------------------------------------------+----------------------------------------------------------------------------+ + | :ref:`Matrix Operations ` | :srcref:`[src/lib/pubkey/classic_mceliece]/cmce_matrix.h` | Binary matrix data structure, creation, and systematic form transformation | + +--------------------------------------------------------+------------------------------------------------------------------+----------------------------------------------------------------------------+ + | :ref:`Key Pair ` | :srcref:`[src/lib/pubkey/classic_mceliece]/cmce_keys_internal.h` | Key pair container and key generation | + +--------------------------------------------------------+------------------------------------------------------------------+----------------------------------------------------------------------------+ + | :ref:`Key Encapsulation ` | :srcref:`[src/lib/pubkey/classic_mceliece]/cmce_encaps.h` | Encapsulation logic | + +--------------------------------------------------------+------------------------------------------------------------------+----------------------------------------------------------------------------+ + | :ref:`Key Decapsulation ` | :srcref:`[src/lib/pubkey/classic_mceliece]/cmce_decaps.h` | Decapsulation logic, including Berlekamp's algorithm | + +--------------------------------------------------------+------------------------------------------------------------------+----------------------------------------------------------------------------+ + | :ref:`Parameter Set ` | :srcref:`[src/lib/pubkey/classic_mceliece]/cmce_parameter_set.h` | Parameter set enum, parsing, and serialization | + +--------------------------------------------------------+------------------------------------------------------------------+----------------------------------------------------------------------------+ + | :ref:`Parameters ` | :srcref:`[src/lib/pubkey/classic_mceliece]/cmce_parameters.h` | Classic McEliece parameter container | + +--------------------------------------------------------+------------------------------------------------------------------+----------------------------------------------------------------------------+ + | Classic McEliece | :srcref:`[src/lib/pubkey/classic_mceliece]/cmce.h` | Classic McEliece public and private key interface | + +--------------------------------------------------------+------------------------------------------------------------------+----------------------------------------------------------------------------+ + + +.. _pubkey/cmce/types: + +Types +^^^^^ + +In implementing Botan's Classic McEliece, strong types are utilized to +ensure the correct data usage within the code. These strong types are +fundamental to separate the domain of the various byte sequences involved in +Classic McEliece, such as multiple types of seeds, random byte sequences for different +algorithms, and bit-vectors with different semantic contexts. Specific integers, +like raw Galois Field elements and their modulus, are +also represented as strong types. This reliance on strong types is similar to using them +in :ref:`SPHINCS+ ` for +similar reasons. The Classic McEliece implementation enhances readability, +clarity, and reliability by employing strong types. + + +.. _pubkey/cmce/gf: + +Galois Field Arithmetic +^^^^^^^^^^^^^^^^^^^^^^^ + +The Goppa code is based on the Galois field (GF) :math:`\mathbb{F}_{q}`, where :math:`q=2^m`. +To represent GF elements, we utilize the class ``Classic_McEliece_GF``. Each +element is defined by two polynomials: one defines its value, and the other +defines the modulus of the field. These values are represented as unsigned +integers. For example, the element :math:`z^3+z+1` is represented by the unsigned +integer ``0b1011``. + +The GF elements support various operations such as addition, multiplication, +and inversion. These operations are implemented in constant time for operands +within the same field. Multiplication is performed using a constant-time +schoolbook multiplication algorithm with a consecutive constant-time reduction. +Inversion is achieved using Fermat's little theorem: :math:`a^{-1} = a^{q-2}`. +For that, exponentiation is implemented using a simple square-and-multiply +algorithm. It is worth noting that square-and-multiply has no timing +side-channel vulnerabilities since the exponent remains constant for each field. + +.. _pubkey/cmce/field_ordering: + +Field Ordering +^^^^^^^^^^^^^^ + +Section 8.2 of [CMCE-ISO]_ defines the field ordering as a permutation +of elements in the Galois field :math:`\mathbb{F}_{q}`. This ordering is +required for generating a random sequence :math:`\alpha_0,...,\alpha_{n-1}` of distinct +:math:`\mathbb{F}_{q}` elements, which is necessary for creating the Goppa +code. Botan's ``Classic_McEliece_Field_Ordering`` serves as a container for the +field ordering and includes the algorithm to generate it. To sort the pairs +:math:`(a_i, i)` (as described in Step 3 of Section 8.2 in [CMCE-ISO]_), a +constant-time bitonic sort implementation is utilized. This sorting algorithm is +particularly suitable for sets with a power of two elements. + +Another vital role of the field ordering class is managing the Beneš network. +As Section 9.2.10 of [CMCE-ISO]_ outlines, the Beneš network stores the field +ordering as control bits in a compact form. Botan employs +a constant-time implementation of the ``controlbits`` algorithm presented in +Fig. 7.1 of [CBits]_ to create control bits, and the ``permutation`` algorithm +to reconstruct the field ordering from the control bits. The creation +algorithm also utilizes constant-time bitonic sorting. + + +.. _pubkey/cmce/poly: + +Polynomial Arithmetic +^^^^^^^^^^^^^^^^^^^^^ + +The Classic McEliece algorithm uses elements in the polynomial ring +:math:`\mathbb{F}_q [y]` in multiple places. The monic irreducible +polynomial defines the Goppa code, and performing decapsulation requires an +error locator polynomial. Botan's ``Classic_McEliece_Poly`` class is designed +to represent these polynomials. It consists of a vector of GF elements, which +serve as the polynomial coefficients. Additionally, this class provides +the necessary logic to evaluate the polynomial at a given point in +:math:`\mathbb{F}_q`. + +Polynomial arithmetic is required to obtain the monic irreducible polynomial +:math:`g` from a random element :math:`\beta \in \mathbb{F}_{q} [y]/F(y)`, as +described in Step 3 of Section 8.1 in [CMCE-ISO]_. This arithmetic +is implemented in the ``Classic_McEliece_Polynomial_Ring`` class, representing +the polynomial ring :math:`\mathbb{F}_{q} [y]/F(y)` and supporting the +multiplication of two polynomials. + +Following the recommendation in the implementors' guide Section 6.1 that +accompanies [CMCE-R4]_, the minimal polynomial is computed by finding a unique +solution to the equation :math:`g_0\beta^0 + ... + g_{t-1}\beta^{t-1} = \beta^t`. +A constant-time Gauss elimination algorithm is used to solve this equation. +The algorithm aborts if the solution is non-unique. The minimal polynomial +is then represented as a ``Classic_McEliece_Minimal_Polynomial`` object, which +includes logic for serialization and deserialization as described in +Section 9.2.9 of [CMCE-ISO]_. + + +.. _pubkey/cmce/bitvector: + +Bit Vector Arithmetic +^^^^^^^^^^^^^^^^^^^^^ + +Botan's ``bitvector`` class is a versatile tool for working with bits. +One such application is the Classic McEliece algorithm, where it handles +binary matrices, error vectors, code words, and the column selections in the private +key. The ``bitvector`` class provides a range of useful methods for these tasks. + +A ``bitvector`` can be dynamically initialized with any length. It can be created +from a vector of bytes and serialized back to it, as described in Section 9.2.1 +of [CMCE-ISO]_. The class allows for adding or removing bits, accessing and +manipulating individual bits, and obtaining specific properties of the vector, +such as the Hamming weight or checking if the vector is all-zero. Sub-vectors +can also be extracted from an existing ``bitvector``. + +Furthermore, the ``bitvector`` class supports binary operations between two vectors +of the same length, including AND, OR, and XOR. These operations are optimized +for performance, especially in the context of Classic McEliece. + +The design of the ``bitvector`` class prioritizes constant times, particularly +for Classic McEliece. The time taken for bit accesses and manipulations depends +only on the bit's position, not its value. Operations between two vectors +are also constant-time when the operands have the same length. The timing of +helper functions, such as the Hamming weight, is also implemented with +constant time in mind. + + +.. _pubkey/cmce/matrix: + +Matrix Operations +^^^^^^^^^^^^^^^^^ + +Classic McEliece's key generation algorithm utilizes its Goppa code, defined by a +field ordering and a monic irreducible polynomial, to create a binary parity +check matrix :math:`H` in systematic form. This matrix is represented by the +``Classic_McEliece_Matrix`` class. + +The class follows the process outlined in Section 7.2 of [CMCE-ISO]_ for matrix +creation. Initially, a binary :math:`mt \times n` matrix is created as +described in Steps 1 and 2 of Section 7.2.2. Each row of the matrix is +represented as a ``bitvector`` object. Subsequently, a constant-time Gauss +algorithm is applied to reduce the matrix to the systematic form :math:`H=(I_{mt}|T)`. +The algorithm achieves this by systematically applying XOR operations on pairs +of matrix rows, resulting in the identity matrix on the left. Finally, the +submatrix `T` is stored in the matrix object, mirroring its representation in +the public key specified in Section 9.2.7 of [CMCE-ISO]_. + +Classic McEliece instances with the suffix ``f`` employ a semi-systematic transformation +strategy, utilizing the parameters :math:`(\mu, \nu) = (32, 64)`, as described +in Section 7.2.3 of [CMCE-ISO]_. Following the recommendation in Section 6.1 of +the implementation guide accompanying [CMCE-R4]_, a Gauss algorithm is executed +to create an identity matrix for the first :math:`mt-\mu` rows. Subsequently, a +modified Gauss algorithm achieves a reduced row-echelon form for +the :math:`\mu \times \nu` submatrix at position :math:`(\mu, \mu)`. +This process determines the column selection, i.e., the indices of the non-zero +columns. As Section 7.2.3 Step 5 of [CMCE-ISO]_ outlines, the matrix's +columns and the field ordering are permuted according to the pivots. The main +Gauss algorithm concludes at this point, leaving the matrix in its modified +and systematic form. + +For encapsulation, the matrix :math:`H` is multiplied by an error vector +:math:`e`. This multiplication is performed by computing the parity of the +Hamming weight of :math:`e\ \textrm{XOR}\ r` for each row :math:`r` of :math:`H`. +Matrix creation and multiplication are implemented in constant time for matrices +with fixed dimensions. + + +.. _pubkey/cmce/keys_internal: + +Key Pair +^^^^^^^^ + +Botan's key pair for Classic McEliece consists of two classes: +``Classic_McEliece_PrivateKeyInternal`` and ``Classic_McEliece_PublicKeyInternal``. +As defined in Section 9.2.12, the private key stores the key generation seed, +column selection, monic irreducible polynomial, field ordering control bits, +and the seed for implicit rejection. On the other hand, the public key +contains the sub-matrix :math:`T` of the binary parity check matrix +:math:`H = (I_{mt}|T)`. + +The class ``Classic_McEliece_KeyPair_Internal`` holds both the private and public +keys and contains key generation method. Details are discussed in Section +:ref:`Key Generation `. + + +.. _pubkey/cmce/encaps_internal: + +Encapsulation Internals +^^^^^^^^^^^^^^^^^^^^^^^ + +The class ``Classic_McEliece_Encryptor`` implements Botan's key +encapsulation interface. Performing encapsulation requires two building blocks: +Fixed weight vector creation and error vector encoding. + +The algorithm described in Section 8.4 of [CMCE-ISO]_ is followed to create a +fixed weight error vector. Random elements :math:`d_0,...,d_{\tau-1}` are +generated, where the first :math:`t` elements smaller than :math:`n` are selected as +:math:`a_0,...,a_{t-1}`. It is important to note that selecting +:math:`d_i` elements for :math:`a_j` elements may leak through timing +side-channels. However, the content of these elements remains undisclosed, +preventing attackers from gaining helpful information from this side channel. + +Next, all possible pairs are compared to ensure that all elements of +:math:`a_0,...,a_{t-1}` are distinct. Finally, a binary error vector :math:`e` +is created with set bits at the locations of :math:`a_0,...,a_{t-1}`. This +creation process also considers constant times. + +For encoding, the parity check matrix :math:`H` is multiplied with :math:`e` as +Section :ref:`Matrix Operations ` describes. The +encapsulation algorithm used in Botan is outlined in Section +:ref:`Key Encapsulation `. + + +.. _pubkey/cmce/decaps_internal: + +Decapsulation Internals +^^^^^^^^^^^^^^^^^^^^^^^ + +The class ``Classic_McEliece_Decryptor`` in Botan is responsible for +key decapsulation. One of the crucial steps in the decapsulation algorithm of +Classic McEliece is the decoding subroutine described in Section 7.4 of +[CMCE-ISO]_. This subroutine is implemented based on the recommendations +provided in [McBits]_. The decoding process utilizes Berlekamp's algorithm for +Goppa decoding. + +To begin with, the code word :math:`C` that needs to be decoded is extended by +appending zeros. This results in a binary vector :math:`\nu = (C,0,\dots,0) \in \mathbb{F}_2^{n}`, +as Section 7.2 Step 1 of [CMCE-ISO]_ defines. Subsequently, the syndrome for +Berlekamp's method is computed from :math:`\nu`. The syndrome is a vector given by +:math:`\left( \sum\nolimits_{i} \frac{\nu_i\alpha_i^0}{g(\alpha_i)^2},\dots,\sum\nolimits_{i} \frac{\nu_i\alpha_i^{n-1}}{g(\alpha_i)^2} \right)`, +where :math:`\alpha_i` are the first :math:`n` field ordering elements and +:math:`g` is the Goppa polynomial. + +Next, the error locator polynomial :math:`\sigma` is computed using the +Berlekamp-Massey algorithm on the syndrome. The resulting polynomial has a +particular property concerning the error vector :math:`e` we search for. +Specifically, :math:`\sigma(\alpha_i) = 0` if and only if +:math:`e_i = 1`. By evaluating :math:`\sigma` at :math:`\alpha_0,\dots,\alpha_{n-1}`, +we can reconstruct the error vector :math:`e`. + +To ensure accurate decoding, Botan follows the recommendation in Section 6.3 of +the implementation guide of [CMCE-R4]_. It computes the syndrome for the error +vector :math:`e` and compares it with the syndrome for :math:`\nu`. If the +comparison holds and the weight of :math:`e` is equal to :math:`t`, we consider +the decoding successful. Otherwise, it is flagged as a failure. + +It is worth noting that the syndrome computation, Berlekamp-Massey algorithm, and +locator polynomial evaluation are implemented in constant time. Additionally, +the checks for the weight of :math:`e` and the syndrome comparison are designed +to avoid early abortion if any check fails. + + +.. _pubkey/cmce/params: + +Parameters +^^^^^^^^^^ + +The ``Classic_McEliece_Parameter_Set`` enum contains all instances of the +Classic McEliece algorithm listed in Table :ref:`Supported Classic McEliece +Parameter Sets `. These parameter sets serve as +the basis for deriving all the necessary parameters used within the algorithm. +They are collected in a ``Classic_McElice_Parameters`` object, which includes +all the parameters defined in the specifications [CMCE-ISO]_ and [CMCE-R4]_. +This object is passed to all algorithm components, ensuring consistent +parameter usage. + + +.. _pubkey/cmce/key_gen: + + +Key Generation +-------------- + +Classic McEliece key generation follows Section 8.3 of [CMCE-ISO]_ and is +implemented within the ``Classic_McEliece_KeyPair_Internal`` class. It works as +follows: + +.. admonition:: Classic McEliece Key Generation + + **Input:** + + - ``rng``: random number generator + + **Output:** + + - ``SK``, ``PK``: private and public key + + **Steps:** + + 1. Generate a random value ``seed`` using ``rng`` + 2. ``s, ordering_bits, irreducible_bits, next_seed = PRF(seed)`` + 3. | Create a field ordering ``field_ordering`` using ``ordering_bits`` + | On failure, set ``seed = next_seed`` and go to step 2 + + 4. | Create a monic irreducible polynomial ``g`` using ``irreducible_bits`` + | On failure, set ``seed = next_seed`` and go to step 2 + + 5. | Create a parity check matrix in systematic form ``H = (I_mt | T)`` using ``field_ordering`` and ``g``. Meanwhile, compute the column selection ``c`` + | On failure, set ``seed = next_seed`` and go to step 2 + + 6. ``SK = {seed, c, g, field_ordering, s}, PK = {T}`` + + **Notes:** + + - ``PRG`` is an application of ``SHAKE256`` with an input prefix byte 64. + The output length is ``n/8 + 4q + 2t + 32`` bytes. It is defined + in Section 9.1 of [CMCE-ISO]_. + - Only the first ``n`` elements of the field ordering are used to + create the parity check matrix. + - For instances with the suffix ``f``, the semi-systematic transformation + strategy is employed. In this case, ``field_ordering`` is updated to + reflect the column selection. + - To store the private and public keys as bytes, the respective entries are + serialized following the specifications of Section 9.2 of [CMCE-ISO]_. + + +.. _pubkey/cmce/encapsulation: + +Key Encapsulation +----------------- + +The Classic McEliece encapsulation procedure of Botan follows Section 8.5 of +[CMCE-ISO]_ and works as follows: + +.. admonition:: Classic McEliece Encapsulation + + **Input:** + + - ``PK = {T}``: public key + - ``rng``: random number generator + + **Output:** + + - ``encap_key``: ciphertext of shared key + - ``shared_key``: plaintext shared key + + **Steps:** + + 1. Generate a random error vector ``e`` of weight ``t`` using ``rng`` + 2. ``c0 = (I_mt | T) * e`` to encode ``e`` + 3. Depending on whether the parameter set includes plaintext confirmation (suffix ``pc``): + + a. **Without pc:** ``encap_key = c0`` + b. **With pc:** ``c1 = Hash(2, e)``, ``encap_key = c0 || c1`` + + 4. ``shared_key = Hash(1, e, encap_key)`` + + **Notes:** + + - ``Hash`` is an application of ``SHAKE256`` with 32 output bytes as defined + in Section 9.1 of [CMCE-ISO]_. + + +.. _pubkey/cmce/decapsulation: + +Key Decapsulation +----------------- + +The Classic McEliece decapsulation procedure of Botan follows Section 8.6 of +[CMCE-ISO]_ and works as follows: + +.. admonition:: Classic McEliece Decapsulation + + **Input:** + + - ``SK = {seed, c, g, field_ordering, s}``: secret key + - ``encap_key``: encapsulated key bytes + + **Output:** + + - ``shared_key``: shared key + + **Steps:** + + 1. Depending on whether the parameter set includes plaintext confirmation (suffix ``pc``): + + a. **Without pc:** ``c0 = encap_key`` + b. **With pc:** ``c0, c1 = encap_key``, split after ``ceil(m*t/8)`` bytes + + 2. | Decode ``c0`` to obtain ``e`` using Berlekamp's algorithm and set ``b = 1`` + | On failure set ``e = s`` and ``b = 0`` + + 3. | **Only for pc instances:** ``c1_p = Hash(2, e)`` + | If ``c1_p != c1`` set ``e = s`` and ``b = 0`` + + 4. ``shared_key = Hash(b, e, encap_key)`` + + **Notes:** + + - ``Hash`` is an application of ``SHAKE256`` with 32 output bytes as defined + in Section 9.1 of [CMCE-ISO]_. + - The assignments of ``e`` and ``b`` in steps 2 and 3 are implemented using + Botan's constant-time helper functions to ensure constant-time execution. diff --git a/docs/cryptodoc/src/90_bibliographie.rst b/docs/cryptodoc/src/90_bibliographie.rst index 8c46526c..91922100 100644 --- a/docs/cryptodoc/src/90_bibliographie.rst +++ b/docs/cryptodoc/src/90_bibliographie.rst @@ -17,10 +17,23 @@ "Message verification and transmission error detection by block chaining", US Patent 4074066, 1976 +.. [CBits] Daniel J. Bernstein: + "Verified fast formulas for control bits for permutation networks", + 2020 + .. [CCM] U.S. DEPARTMENT OF COMMERCE/National Institute of Standards and Technology: "Recommendation for Block Cipher Modes of Operation: The CCM Mode for Authentication and Confidentiality", July 2007 +.. [CMCE-ISO] ISO Draft (2023): + Information security — Encryption algorithms — Part 1978: + Classic McEliece + +.. [CMCE-R4] Martin R. Albrecht, Daniel J. Bernstein, Tung Chou, Carlos Cid, Jan Gilcher, Tanja Lange, Varun Maram, Ingo von Maurich, Rafael Misoczki, Ruben Niederhagen, Kenneth G. Paterson, Edoardo Persichetti, Christiane Peters, Peter Schwabe, Nicolas Sendrier, Jakub Szefer, Cen Jung Tjhai, Martin Tomlinson, Wen Wang: + "Classic McEliece: Conservative Code-Based Cryptography: Cryptosystem Specification", + NIST PQC Challenge Round 4 Submission, 2022, + https://classic.mceliece.org/mceliece-spec-20221023.pdf + .. [Dilithium-R3] S. Bai, L. Ducas, E. Kiltz, T. Lepoint, V. Lyubashevsky, P. Schwabe, G. Seiler, D. Stehlé: "CRYSTALS-Dilithium Algorithm Specifications and Supporting Documentation (Version 3.1)", NIST PQC Challenge Round 3 Submission, 2021, @@ -107,6 +120,10 @@ A Chosen Ciphertext Attack on RSA Optimal Asymmetric Encryption Padding (OAEP) as Standardized in PKCS#1 v2.0. Crypto 2001 +.. [McBits] Daniel J. Bernstein, Tung Chou, Peter Schwabe: + "McBits: fast constant-time code-based cryptography", + 2015 + .. [NIST-OMAC] National Institute of Standards and Technology. OMAC: One-Key CBC MAC — Addendum. http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/omac/omac-ad.pdf