const (
// Size of a packed polynomial of norm ≤η.
// (Note that the formula is not valid in general.)
PolyLeqEtaSize = (common.N * DoubleEtaBits) / 8
// β = τη, the maximum size of c s₂.
Beta = Tau * Eta
// γ₁ range of y
Gamma1 = 1 << Gamma1Bits
// Size of packed polynomial of norm <γ₁ such as z
PolyLeGamma1Size = (Gamma1Bits + 1) * common.N / 8
// α = 2γ₂ parameter for decompose
Alpha = 2 * Gamma2
// Size of a packed private key
PrivateKeySize = 32 + 32 + 32 + PolyLeqEtaSize*(L+K) + common.PolyT0Size*K
// Size of a packed public key
PublicKeySize = 32 + common.PolyT1Size*K
// Size of a packed signature
SignatureSize = L*PolyLeGamma1Size + Omega + K + 32
// Size of packed w₁
PolyW1Size = (common.N * (common.QBits - Gamma1Bits)) / 8
)
const (
Name = "Dilithium2-AES"
UseAES = true
K = 4
L = 4
Eta = 2
DoubleEtaBits = 3
Omega = 80
Tau = 39
Gamma1Bits = 17
Gamma2 = 95232
)
DeriveX4Available indicates whether the system supports the quick fourway sampling variants like PolyDeriveUniformX4.
var DeriveX4Available = keccakf1600.IsEnabledX4() && !UseAES
func GenerateKey(rand io.Reader) (*PublicKey, *PrivateKey, error)
GenerateKey generates a public/private key pair using entropy from rand. If rand is nil, crypto/rand.Reader will be used.
func NewKeyFromSeed(seed *[common.SeedSize]byte) (*PublicKey, *PrivateKey)
NewKeyFromSeed derives a public/private key pair using the given seed.
func PolyDecompose(p, p0PlusQ, p1 *common.Poly)
Splits each of the coefficients of p using decompose.
func PolyDeriveUniform(p *common.Poly, seed *[32]byte, nonce uint16)
Sample p uniformly from the given seed and nonce.
p will be normalized.
func PolyDeriveUniformBall(p *common.Poly, seed *[32]byte)
Samples p uniformly with τ non-zero coefficients in {q-1,1}.
The polynomial p will be normalized.
func PolyDeriveUniformBallX4(ps [4]*common.Poly, seed *[32]byte)
For each i, sample ps[i] uniformly with τ non-zero coefficients in {q-1,1} using the given seed and w1[i]. ps[i] may be nil and is ignored in that case. ps[i] will be normalized.
Can only be called when DeriveX4Available is true.
This function is currently not used (yet).
func PolyDeriveUniformLeGamma1(p *common.Poly, seed *[64]byte, nonce uint16)
Sample p uniformly with coefficients in (-γ₁,…,γK1s] using the given seed and nonce.
p will be normalized.
func PolyDeriveUniformLeqEta(p *common.Poly, seed *[64]byte, nonce uint16)
Sample p uniformly with coefficients of norm less than or equal η, using the given seed and nonce.
p will not be normalized, but will have coefficients in [q-η,q+η].
func PolyDeriveUniformX4(ps [4]*common.Poly, seed *[32]byte, nonces [4]uint16)
For each i, sample ps[i] uniformly from the given seed and nonces[i]. ps[i] may be nil and is ignored in that case.
Can only be called when DeriveX4Available is true.
func PolyDotHat(p *common.Poly, a, b *VecL)
Set p to the inner product of a and b using pointwise multiplication.
Assumes a and b are in Montgomery form and their coefficients are pairwise sufficiently small to multiply, see Poly.MulHat(). Resulting coefficients are bounded by 2Lq.
func PolyMakeHint(p, p0, p1 *common.Poly) (pop uint32)
Sets p to the hint polynomial for p0 the modified low bits and p1 the unmodified high bits --- see makeHint().
Returns the number of ones in the hint polynomial.
func PolyPackLeGamma1(p *common.Poly, buf []byte)
Writes p whose coefficients are in (-γ₁,γ₁] into buf which has to be of length PolyLeGamma1Size.
Assumes p is normalized.
func PolyPackLeqEta(p *common.Poly, buf []byte)
Writes p with norm less than or equal η into buf, which must be of size PolyLeqEtaSize.
Assumes coefficients of p are not normalized, but in [q-η,q+η].
func PolyPackW1(p *common.Poly, buf []byte)
Pack w₁ into buf, which must be of length PolyW1Size.
Assumes w₁ is normalized.
func PolyUnpackLeGamma1(p *common.Poly, buf []byte)
Sets p to the polynomial packed into buf by PolyPackLeGamma1.
p will be normalized.
func PolyUnpackLeqEta(p *common.Poly, buf []byte)
Sets p to the polynomial of norm less than or equal η encoded in the given buffer of size PolyLeqEtaSize.
Output coefficients of p are not normalized, but in [q-η,q+η] provided buf was created using PackLeqEta.
Beware, for arbitrary buf the coefficients of p might end up in the interval [q-2^b,q+2^b] where b is the least b with η≤2^b.
func PolyUseHint(p, q, hint *common.Poly)
Computes corrections to the high bits of the polynomial q according to the hints in h and sets p to the corrected high bits. Returns p.
func SignTo(sk *PrivateKey, msg []byte, signature []byte)
SignTo signs the given message and writes the signature into signature.
func VecLDeriveUniformLeGamma1(v *VecL, seed *[64]byte, nonce uint16)
Sample v[i] uniformly with coefficients in (-γ₁,…,γ₁] using the given seed and nonce+i
p will be normalized.
func Verify(pk *PublicKey, msg []byte, signature []byte) bool
Verify checks whether the given signature by pk on msg is valid.
A k by l matrix of polynomials.
type Mat [K]VecL
func (m *Mat) Derive(seed *[32]byte)
Expands the given seed to a complete matrix.
This function is called ExpandA in the specification.
PrivateKey is the type of Dilithium private keys.
type PrivateKey struct {
// Cached values
A Mat // ExpandA(ρ)
// contains filtered or unexported fields
}
func (sk *PrivateKey) Equal(other *PrivateKey) bool
Equal returns whether the two private keys are equal
func (sk *PrivateKey) Pack(buf *[PrivateKeySize]byte)
Packs the private key into buf.
func (sk *PrivateKey) Public() *PublicKey
Computes the public key corresponding to this private key.
func (sk *PrivateKey) Unpack(buf *[PrivateKeySize]byte)
Sets sk to the private key encoded in buf.
PublicKey is the type of Dilithium public keys.
type PublicKey struct {
A *Mat
// contains filtered or unexported fields
}
func (pk *PublicKey) Equal(other *PublicKey) bool
Equal returns whether the two public keys are equal
func (pk *PublicKey) Pack(buf *[PublicKeySize]byte)
Packs the public key into buf.
func (pk *PublicKey) Unpack(buf *[PublicKeySize]byte)
Sets pk to the public key encoded in buf.
A vector of K polynomials.
type VecK [K]common.Poly
func (v *VecK) Add(w, u *VecK)
Sets v to w + u. Does not normalize.
func (v *VecK) Decompose(v0PlusQ, v1 *VecK)
Applies Poly.Decompose componentwise.
Requires the vector to be normalized.
func (v *VecK) Exceeds(bound uint32) bool
Checks whether any of the coefficients exceeds the given bound in supnorm
Requires the vector to be normalized.
func (v *VecK) InvNTT()
Applies InvNTT componentwise. See Poly.InvNTT() for details.
func (v *VecK) MakeHint(v0, v1 *VecK) (pop uint32)
Sets v to the hint vector for v0 the modified low bits and v1 the unmodified high bits --- see makeHint().
Returns the number of ones in the hint vector.
func (v *VecK) MulBy2toD(w *VecK)
Sets v to 2ᵈ w without reducing.
func (v *VecK) NTT()
Applies NTT componentwise. See Poly.NTT() for details.
func (v *VecK) Normalize()
Normalize the polynomials in this vector.
func (v *VecK) NormalizeAssumingLe2Q()
Normalize the polynomials in this vector assuming their coefficients are already bounded by 2q.
func (v *VecK) PackHint(buf []byte)
Writes v with coefficients in {0, 1} of which at most ω non-zero to buf, which must have length ω+k.
func (v *VecK) PackLeqEta(buf []byte)
Sequentially packs each polynomial using Poly.PackLeqEta().
func (v *VecK) PackT0(buf []byte)
Sequentially packs each polynomial using Poly.PackT0().
func (v *VecK) PackT1(buf []byte)
Sequentially packs each polynomial using Poly.PackT1().
func (v *VecK) PackW1(buf []byte)
Sequentially packs each polynomial using PolyPackW1().
func (v *VecK) Power2Round(v0PlusQ, v1 *VecK)
Applies Poly.Power2Round componentwise.
Requires the vector to be normalized.
func (v *VecK) ReduceLe2Q()
Applies Poly.ReduceLe2Q() componentwise.
func (v *VecK) Sub(a, b *VecK)
Sets v to a - b.
Warning: assumes coefficients of the polynomials of b are less than 2q.
func (v *VecK) UnpackHint(buf []byte) bool
Sets v to the vector encoded using VecK.PackHint()
Returns whether unpacking was successful.
func (v *VecK) UnpackLeqEta(buf []byte)
Sets v to the polynomials packed in buf using VecK.PackLeqEta().
func (v *VecK) UnpackT0(buf []byte)
Sets v to the vector packed into buf by PackT0().
func (v *VecK) UnpackT1(buf []byte)
Sets v to the vector packed into buf by PackT1().
func (v *VecK) UseHint(q, hint *VecK) *VecK
Computes corrections to the high bits of the polynomials in the vector w using the hints in h and sets v to the corrected high bits. Returns v. See useHint().
A vector of L polynomials.
type VecL [L]common.Poly
func (v *VecL) Add(w, u *VecL)
Sets v to w + u. Does not normalize.
func (v *VecL) Decompose(v0PlusQ, v1 *VecL)
Applies Poly.Decompose componentwise.
Requires the vector to be normalized.
func (v *VecL) Exceeds(bound uint32) bool
Checks whether any of the coefficients exceeds the given bound in supnorm
Requires the vector to be normalized.
func (v *VecL) NTT()
Applies NTT componentwise. See Poly.NTT() for details.
func (v *VecL) Normalize()
Normalize the polynomials in this vector.
func (v *VecL) NormalizeAssumingLe2Q()
Normalize the polynomials in this vector assuming their coefficients are already bounded by 2q.
func (v *VecL) PackLeGamma1(buf []byte)
Sequentially packs each polynomial using PolyPackLeGamma1().
func (v *VecL) PackLeqEta(buf []byte)
Sequentially packs each polynomial using Poly.PackLeqEta().
func (v *VecL) Power2Round(v0PlusQ, v1 *VecL)
Applies Poly.Power2Round componentwise.
Requires the vector to be normalized.
func (v *VecL) UnpackLeGamma1(buf []byte)
Sets v to the polynomials packed in buf using VecL.PackLeGamma1().
func (v *VecL) UnpackLeqEta(buf []byte)
Sets v to the polynomials packed in buf using VecL.PackLeqEta().