From 2d6fa6da8fa8e7b801342c5b40cd12ed5233fd50 Mon Sep 17 00:00:00 2001
From: phochard
Date: Wed, 20 Nov 2024 17:26:59 +0100
Subject: [PATCH] pr review

---
 src/api.rs | 17 +++++----
 src/core/primitives.rs | 81 +++++++++++++++---------------------------
 src/core/tests.rs | 3 +-
 src/traits.rs | 5 +--
 4 files changed, 45 insertions(+), 61 deletions(-)

diff --git a/src/api.rs b/src/api.rs
index dd90c597..8b218fb3 100644
--- a/src/api.rs
+++ b/src/api.rs
@@ -9,9 +9,13 @@ use super::{ traits::AE, }; use crate::{ - abe_policy::{AccessPolicy, Right}, core::{ - primitives::{decaps, encaps, full_decaps, refresh, rekey, setup}, MasterPublicKey, MasterSecretKey, UserSecretKey, XEnc, SHARED_SECRET_LENGTH - }, traits::{KemAc, PkeAc}, Error + abe_policy::{AccessPolicy, Right}, + core::{ + primitives::{decaps, encaps, full_decaps, refresh, rekey, setup}, + MasterPublicKey, MasterSecretKey, UserSecretKey, XEnc, SHARED_SECRET_LENGTH, + }, + traits::{KemAc, PkeAc}, + Error, }; #[derive(Debug)]
@@ -142,6 +146,7 @@ impl KemAc for Covercrypt { type EncapsulationKey = MasterPublicKey; type DecapsulationKey = UserSecretKey; type Encapsulation = XEnc; + type FullDecapsulationKey = MasterSecretKey; type Error = Error; fn encaps(
@@ -166,10 +171,10 @@ impl KemAc for Covercrypt { fn full_decaps( &self, - usk: &UserSecretKey, + msk: &MasterSecretKey, enc: &XEnc, - ) -> Result)>>, Error>{ - full_decaps(usk, enc) + ) -> Result)>, Error> { + full_decaps( enc, msk) } }
diff --git a/src/core/primitives.rs b/src/core/primitives.rs
index e9fa3921..27c25435 100644
--- a/src/core/primitives.rs
+++ b/src/core/primitives.rs
@@ -7,7 +7,7 @@ use std::{ use cosmian_crypto_core::{ bytes_ser_de::Serializable, reexport::rand_core::{CryptoRngCore, RngCore}, - RandomFixedSizeCBytes, Secret, SymmetricKey, + R25519CurvePoint, RandomFixedSizeCBytes, Secret, SymmetricKey, }; use tiny_keccak::{Hasher, IntoXof, Kmac, Shake, Xof};
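Review bot: The `full_decaps` wrapper in the third api.rs hunk calls the primitive as `full_decaps( enc, msk)`, reversing the argument order of both the trait method it implements (`fdk, enc`) and the sibling `decaps(usk, enc)` wrapper; keeping the primitive's parameters in the order `(msk, encapsulation)` would make this line `full_decaps(msk, enc)` and remove the swap at every call site. The stray space inside the call and the missing space before `{` on the `->` line are rustfmt findings and suggest the file was not formatted before the commit.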
@@ -268,24 +268,7 @@ pub fn decaps( for enc in &encapsulation.encapsulations { // The breadth-first search tries all coordinate subkeys in a chronological order. for key in usk.secrets.bfs() { - let S = match (key, enc) { - (RightSecretKey::Hybridized { sk, dk }, Encapsulation::Hybridized { E, F }) => { - let mut K1 = h_hash(R25519::session_key(sk, &A)?); - let K2 = MlKem512::dec(dk, E)?; - let S = xor_3(F, &K1, &K2); - K1.zeroize(); - S - } - (RightSecretKey::Classic { sk }, Encapsulation::Classic { F }) => { - let K1 = h_hash(R25519::session_key(sk, &A)?); - xor_2(F, &K1) - } - (RightSecretKey::Hybridized { .. }, Encapsulation::Classic { .. }) - | (RightSecretKey::Classic { .. }, Encapsulation::Hybridized { .. }) => { - continue; - } - }; - + let S = S(key, enc, A.clone()); let (tag, ss) = j_hash(&S, &encapsulation.c, &encapsulation.encapsulations)?; if tag == encapsulation.tag { 
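Review bot: Replacing the inline match with `let S = S(key, enc, A.clone());` turns recoverable failures into panics: the helper introduced in the next hunk unwraps `R25519::session_key` and `MlKem512::dec` where this code used `?`, and it replaces the `continue` on a classic/hybridized mismatch with `todo!{}`. Because `usk.secrets.bfs()` tries every subkey against every encapsulation, a USK holding both kinds of secret, or an encapsulation the key cannot open, now aborts the process instead of yielding `Err` or `Ok(None)`, which for a routine that consumes externally supplied ciphertexts is a crash vector rather than an error path. I'd have the helper (renamed to something snake_case, e.g. `open_encapsulation`) return `Result<Option<[u8; 32]>, Error>` and write this line as `let Some(S) = open_encapsulation(key, enc, &A)? else { continue };`, which also drops the per-iteration `A.clone()`. The enclosing loops continue past the end of the hunk.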
@@ -455,48 +438,42 @@ fn refresh_coordinate_keys( /// Attempts opening the Covercrypt encapsulation using the given USK. Returns /// the encapsulated key and associated rights upon success, otherwise returns `None`. pub fn full_decaps( - usk: &UserSecretKey, encapsulation: &XEnc, -) -> Result)>>, Error> { + msk: &MasterSecretKey, +) -> Result)>, Error> { // A = ⊙ _i (α_i. c_i) - let A = usk - .id - .iter() - .zip(encapsulation.c.iter()) - .map(|(marker, trap)| trap * marker) - .fold(EcPoint::identity(), |mut acc, elt| { - acc = &acc + &elt; - acc - }); + let A = msk.tsk.binding_point(); + + let mut rights_list: Vec<(Right, Secret)> = Vec::new(); for enc in &encapsulation.encapsulations { - let mut rights_list: Vec<(Right, Secret)> = Vec::new(); - for secret in usk.secrets.flat_iter() { - let S = match (secret.1, enc) { - (RightSecretKey::Hybridized { sk, dk }, Encapsulation::Hybridized { E, F }) => { - let mut K1 = h_hash(R25519::session_key(&sk, &A)?); - let K2 = MlKem512::dec(&dk, E)?; - let S = xor_3(F, &K1, &K2); - K1.zeroize(); - S - } - (RightSecretKey::Classic { sk }, Encapsulation::Classic { F }) => { - let K1 = h_hash(R25519::session_key(&sk, &A)?); - xor_2(F, &K1) - } - (RightSecretKey::Hybridized { .. }, Encapsulation::Classic { .. }) - | (RightSecretKey::Classic { .. }, Encapsulation::Hybridized { .. 
}) => { - continue; - } - }; + for (right,mut key) in msk.secrets.iter() { + let S = S(key, enc, A.clone()); let (tag, ss) = j_hash(&S, &encapsulation.c, &encapsulation.encapsulations)?; if tag == encapsulation.tag { - rights_list.push((secret.0.clone(), ss)); + rights_list.push((right.clone(), ss)); } } - return Ok(Some(rights_list)); } - Ok(None) + Ok(rights_list) +} + +fn S(key: &RightSecretKey, enc: &Encapsulation, A: R25519CurvePoint) -> [u8; 32] { + return match (key, enc) { + (RightSecretKey::Hybridized { sk, dk }, Encapsulation::Hybridized { E, F }) => { + let mut K1 = h_hash(R25519::session_key(&sk, &A).unwrap()); + let K2 = MlKem512::dec(&dk, &E).unwrap(); + let S = xor_3(&F, &K1, &K2); + K1.zeroize(); + S + } + (RightSecretKey::Classic { sk }, Encapsulation::Classic { F }) => { + let K1 = h_hash(R25519::session_key(&sk, &A).unwrap()); + xor_2(&F, &K1) + } + (RightSecretKey::Hybridized { .. }, Encapsulation::Classic { .. }) + | (RightSecretKey::Classic { .. }, Encapsulation::Hybridized { .. }) => todo! {}, + }; }
diff --git a/src/core/tests.rs b/src/core/tests.rs
index d9ed1f42..932be6a5 100644
--- a/src/core/tests.rs
+++ b/src/core/tests.rs
@@ -261,7 +261,8 @@ fn test_covercrypt_kem() { let (secret, enc) = cc.encaps(&mpk, &ap).unwrap(); let res = cc.decaps(&usk, &enc).unwrap(); assert_eq!(secret, res.unwrap()); - let full = cc.full_decaps(&usk, &enc).unwrap().unwrap(); + let full = cc.full_decaps(&msk, &enc).unwrap(); + println!("{:?}", full); assert_eq!(full[0].1, secret); }
diff --git a/src/traits.rs b/src/traits.rs
index 31db7379..0a7a715d 100644
--- a/src/traits.rs
+++ b/src/traits.rs
@@ -10,6 +10,7 @@ pub trait KemAc { type EncapsulationKey; type DecapsulationKey; type Encapsulation; + type FullDecapsulationKey; type Error: std::error::Error; /// Generates a new encapsulation for the given access policy.
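Review bot: The doc comment kept above `full_decaps` no longer matches the new signature: it still says the encapsulation is opened "using the given USK" and that the function "otherwise returns `None`", while the code now takes `msk: &MasterSecretKey` and returns a `Vec` that is simply empty when no right opens it; I'd replace it with `/// Opens the encapsulation with every right secret key of the MSK and returns the (right, secret) pairs that open it; the list is empty when none does.` In the body, `for (right,mut key) in msk.secrets.iter()` never mutates `key` (an `unused_mut` warning), and the helper added at the end of the hunk unwraps `session_key`/`dec` and ends a mixed classic/hybridized pair with `todo!{}`, so this function and `decaps` (second hunk) panic where they previously returned `Err` or skipped the pair. Below is the helper rewritten to propagate errors and report a mismatch as `None`, taking `A` by reference so the per-iteration `A.clone()` goes away, written as a `match` expression instead of `return match … ;`, and given a snake_case name, since `S` currently doubles as the local it is assigned to in `let S = S(...)` and will trip `non_snake_case` unless the module already allows it; both call sites become `let Some(S) = open_encapsulation(key, enc, &A)? else { continue };`.
```rust
/// Recovers the seed `S` hidden in `enc` with `key`, or `None` when the subkey and
/// the encapsulation are not of the same (classic / hybridized) kind.
fn open_encapsulation(
    key: &RightSecretKey,
    enc: &Encapsulation,
    A: &R25519CurvePoint,
) -> Result<Option<[u8; 32]>, Error> {
    match (key, enc) {
        (RightSecretKey::Hybridized { sk, dk }, Encapsulation::Hybridized { E, F }) => {
            let mut K1 = h_hash(R25519::session_key(sk, A)?);
            let K2 = MlKem512::dec(dk, E)?;
            let S = xor_3(F, &K1, &K2);
            K1.zeroize();
            Ok(Some(S))
        }
        (RightSecretKey::Classic { sk }, Encapsulation::Classic { F }) => {
            let K1 = h_hash(R25519::session_key(sk, A)?);
            Ok(Some(xor_2(F, &K1)))
        }
        // Mixed kinds cannot open each other; the caller skips this pair.
        (RightSecretKey::Hybridized { .. }, Encapsulation::Classic { .. })
        | (RightSecretKey::Classic { .. }, Encapsulation::Hybridized { .. }) => Ok(None),
    }
}
```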
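Review bot: `println!("{:?}", full);` in the tests.rs hunk looks like a leftover debugging print: `full` is the list of `(Right, Secret)` pairs recovered with the MSK, so if `Secret`'s `Debug` impl renders its bytes this writes key material into test output and CI logs; drop the line, or assert on `full.len()` if the intent was to see how many rights opened the encapsulation. With `full_decaps` now returning every matching right, `assert_eq!(full[0].1, secret)` only checks the first entry; `assert!(full.iter().all(|(_, s)| *s == secret))` would pin the new semantics. The rest of `test_covercrypt_kem` lies outside the hunk.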
@@ -33,9 +34,9 @@ pub trait KemAc { fn full_decaps( &self, - dk: &Self::DecapsulationKey, + fdk: &Self::FullDecapsulationKey, enc: &Self::Encapsulation, - ) -> Result)>>, Self::Error>; + ) -> Result)>, Self::Error>; } pub trait AE {
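Review bot: The changed contract of the trait method is not documented in the hunk: the return type goes from an `Option` to a `Vec`, so an empty vector now means "no right of the key opens this encapsulation" where callers previously matched on `None`, and `fdk` is the first use of the `FullDecapsulationKey` associated type added in the preceding hunk. I'd put above `fn full_decaps(` something like `/// Opens the encapsulation with every right held by the full-decapsulation key and returns the matching (right, secret) pairs; the list is empty when none opens it.` followed by a `/// # Errors` line naming the failure of the underlying primitives. Any doc comment already sitting above the signature is outside the hunk, so this may only need updating rather than adding.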