honest majority

Author: zhdllwyc

.github/workflows/ci-actions.yml

@@ -12,7 +12,7 @@ jobs:
     runs-on: ubuntu-20.04
     strategy:
       matrix:
-        GOVER: ['1.18', '1.17', '1.16']
+        GOVER: ['1.19', '1.18', '1.17']
     steps:
       - name: Setup Go-${{ matrix.GOVER }}
         uses: actions/setup-go@v3
@@ -23,16 +23,19 @@ jobs:
       - name: Linting
         uses: golangci/golangci-lint-action@v3
         with:
-          version: v1.46
+          version: v1.48
           args: --config=./.etc/golangci.yml ./...
       - name: Check shadowing
         run: |
          go install golang.org/x/tools/go/analysis/passes/shadow/cmd/shadow@latest
          go vet -vettool=$(which shadow) ./... 2>&1 | awk -f .etc/action.awk
+        shell: bash
       - name: Verifying Code
         run: |
-         go generate -v ./... && test -z "$(git status --porcelain)"
+         go generate -v ./...
+         test -z "$(git status --porcelain)"
          go vet ./...
+        shell: bash
       - name: Building
         run: go build -v ./...
       - name: Testing
@@ -43,7 +46,7 @@ jobs:
     runs-on: ubuntu-20.04
     strategy:
       matrix:
-        CFG: [ [arm64,arm64v8,1.18] ]
+        CFG: [ [arm64,arm64v8,1.19] ]
     steps:
       - uses: actions/checkout@v3
       - name: Enabling Docker Experimental
@@ -69,7 +72,7 @@ jobs:
       - name: Setup Go
         uses: actions/setup-go@v3
         with:
-          go-version: '1.18'
+          go-version: '1.19'
       - name: Produce Coverage
         run: go test -coverprofile=./coverage.txt ./...
       - name: Upload Codecov
@@ -89,7 +92,7 @@ jobs:
       - name: Setup Go
         uses: actions/setup-go@v3
         with:
-          go-version: '1.18'
+          go-version: '1.19'
       - name: Building
         run: go build -v ./...
       - name: Testing

README.md

@@ -47,10 +47,10 @@ go get -u github.com/cloudflare/circl
  - [VOPRF](https://datatracker.ietf.org/doc/draft-irtf-cfrg-voprf/): Verifiable Oblivious Pseudorandom function.
 
 #### Post-Quantum Key Encapsulation Methods
- - [SIDH/SIKE](https://sike.org/): Supersingular Key Encapsulation with primes p434, p503, p751
  - [CSIDH](https://csidh.isogeny.org/): Post-Quantum Commutative Group Action
  - [Kyber](https://pq-crystals.org/kyber/) KEM: modes 512, 768, 1024
  - [FrodoKEM](https://frodokem.org/) KEM: modes 640-SHAKE
+ - (**insecure, deprecated**) [SIDH/SIKE](https://sike.org/): Supersingular Key Encapsulation with primes p434, p503, p751
 
 #### Post-Quantum Public-Key Encryption
  - [Kyber](https://pq-crystals.org/kyber/) PKE: modes 512, 768, 1024

blindsign/blindrsa/blindrsa_test.go

@@ -12,8 +12,8 @@ import (
 	"encoding/pem"
 	"fmt"
 	"io"
-	"io/ioutil"
 	"math/big"
+	"os"
 	"testing"
 )
 
@@ -361,7 +361,7 @@ func verifyTestVector(t *testing.T, vector testVector) {
 }
 
 func TestVectors(t *testing.T) {
-	data, err := ioutil.ReadFile("testdata/test_vectors.json")
+	data, err := os.ReadFile("testdata/test_vectors.json")
 	if err != nil {
 		t.Fatal("Failed reading test vectors:", err)
 	}

dh/csidh/csidh.go

@@ -283,7 +283,9 @@ func GeneratePublicKey(pub *PublicKey, prv *PrivateKey, rng io.Reader) {
 // Validate returns true if 'pub' is a valid cSIDH public key,
 // otherwise false.
 // More precisely, the function verifies that curve
-//            y^2 = x^3 + pub.a * x^2 + x
+//
+//	y^2 = x^3 + pub.a * x^2 + x
+//
 // is supersingular.
 func Validate(pub *PublicKey, rng io.Reader) bool {
 	// Check if in range

dh/csidh/curve.go

@@ -2,7 +2,9 @@ package csidh
 
 // xAdd implements differential arithmetic in P^1 for Montgomery
 // curves E(x): x^3 + A*x^2 + x by using x-coordinate only arithmetic.
-//    x(PaQ) = x(P) + x(Q) by using x(P-Q)
+//
+//	x(PaQ) = x(P) + x(Q) by using x(P-Q)
+//
 // This algorithms is correctly defined only for cases when
 // P!=inf, Q!=inf, P!=Q and P!=-Q.
 func xAdd(PaQ, P, Q, PdQ *point) {
@@ -23,7 +25,9 @@ func xAdd(PaQ, P, Q, PdQ *point) {
 
 // xDbl implements point doubling on a Montgomery curve
 // E(x): x^3 + A*x^2 + x by using x-coordinate onlyh arithmetic.
-//   x(Q) = [2]*x(P)
+//
+//	x(Q) = [2]*x(P)
+//
 // It is correctly defined for all P != inf.
 func xDbl(Q, P, A *point) {
 	var t0, t1, t2 fp
@@ -45,8 +49,9 @@ func xDbl(Q, P, A *point) {
 // xDblAdd implements combined doubling of point P
 // and addition of points P and Q on a Montgomery curve
 // E(x): x^3 + A*x^2 + x by using x-coordinate onlyh arithmetic.
-//   x(PaP) = x(2*P)
-//   x(PaQ) = x(P+Q)
+//
+//	x(PaP) = x(2*P)
+//	x(PaQ) = x(P+Q)
 func xDblAdd(PaP, PaQ, P, Q, PdQ *point, A24 *coeff) {
 	var t0, t1, t2 fp
 

dh/csidh/doc.go

@@ -5,7 +5,6 @@
 // for securing systems.
 //
 // References:
-//  - cSIDH:        ia.cr/2018/383
-//  - Faster cSIDH: ia.cr/2018/782
-//
+//   - cSIDH:        ia.cr/2018/383
+//   - Faster cSIDH: ia.cr/2018/782
 package csidh

dh/csidh/fp511.go

@@ -178,8 +178,10 @@ func modExpRdc64(r, b *fp, e uint64) {
 // isNonQuadRes checks whether value v is quadratic residue.
 // Implementation uses Fermat's little theorem (or
 // Euler's criterion)
-//      a^(p-1) == 1, hence
-//      (a^2) ((p-1)/2) == 1
+//
+//	a^(p-1) == 1, hence
+//	(a^2) ((p-1)/2) == 1
+//
 // Which means v is a quadratic residue iff v^((p-1)/2) == 1.
 // Caller provided v must be in montgomery domain.
 // Returns 0 in case v is quadratic residue or 1 in case

dh/curve4q/doc.go

@@ -2,7 +2,6 @@
 // at the 128-bit security level.
 //
 // References:
-//  - https://eprint.iacr.org/2015/565
-//  - https://tools.ietf.org/html/draft-ladd-cfrg-4q-01
-//
+//   - https://eprint.iacr.org/2015/565
+//   - https://tools.ietf.org/html/draft-ladd-cfrg-4q-01
 package curve4q

dh/sidh/doc.go

@@ -1,30 +1,43 @@
-// Package sidh provides implementation of experimental post-quantum
+// Package sidh is deprecated, it provides SIDH and SIKE key encapsulation
+// mechanisms.
+//
+// # DEPRECATION NOTICE
+//
+// SIDH and SIKE are deprecated as were shown vulnerable to a key recovery
+// attack by Castryck-Decru's paper (https://eprint.iacr.org/2022/975). New
+// systems should not rely on this package. This package is frozen.
+//
+// # SIDH and SIKE
+//
+// This package provides implementation of experimental post-quantum
 // Supersingular Isogeny Diffie-Hellman (SIDH) as well as Supersingular
 // Isogeny Key Encapsulation (SIKE).
 //
-// It comes with implementations of 2 different field arithmetic
-// implementations sidh.Fp503 and sidh.Fp751.
+// It comes with implementations of three different field arithmetic
+// implementations sidh.Fp434, sidh.Fp503, and sidh.Fp751.
 //
 //	| Algorithm | Public Key Size | Shared Secret Size | Ciphertext Size |
 //	|-----------|-----------------|--------------------|-----------------|
-//	| SIDH/p503 |          376    |        126         | N/A             |
-//	| SIDH/p751 |          564    |        188         | N/A             |
-//	| SIKE/p503 |          376    |         16         | 402             |
-//	| SIKE/p751 |          564    |         24         | 596             |
+//	| SIDH/p434 |          330    |        110         |       N/A       |
+//	| SIDH/p503 |          378    |        126         |       N/A       |
+//	| SIDH/p751 |          564    |        188         |       N/A       |
+//	| SIKE/p434 |          330    |         16         |       346       |
+//	| SIKE/p503 |          378    |         24         |       402       |
+//	| SIKE/p751 |          564    |         32         |       596       |
 //
 // In order to instantiate SIKE/p751 KEM one needs to create a KEM object
 // and allocate internal structures. This can be done with NewSike751 helper.
-// After that kem can be used multiple times.
+// After that, the kem variable can be used multiple times.
 //
 //	var kem = sike.NewSike751(rand.Reader)
 //	kem.Encapsulate(ciphertext, sharedSecret, publicBob)
-//	kem.Decapsulate(sharedSecret, privateBob, PublicBob, ciphertext)
+//	kem.Decapsulate(sharedSecret, privateBob, publicBob, ciphertext)
 //
 // Code is optimized for AMD64 and aarch64. Generic implementation
 // is provided for other architectures.
 //
 // References:
-// - [SIDH] https://eprint.iacr.org/2011/506
-// - [SIKE] http://www.sike.org/files/SIDH-spec.pdf
 //
+//   - [SIDH] https://eprint.iacr.org/2011/506
+//   - [SIKE] http://www.sike.org/files/SIDH-spec.pdf
 package sidh