This derives from the reference implementation:

Source: https://github.com/tpoeppelmann/newhope/tree/master/ref at bc06c1ac
Paper: https://eprint.iacr.org/2015/1092

However, it does not interoperate, due to the replacement of SHAKE-128 with AES-CTR (for polynomial generation) and the replacement of SHA-3 with SHA-256 (for key whitening).

Change-Id: I6a55507aea85331245e2fbd41bae5cc049fdca3c
Reviewed-on: https://boringssl-review.googlesource.com/7690
Reviewed-by: Adam Langley <agl@google.com>

Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)